From 7dc2e72b953d71ba53b5ad90e9afa5566b88267b Mon Sep 17 00:00:00 2001
From: Hendrik Schmidt
Date: Fri, 3 May 2024 12:11:30 +0200
Subject: [PATCH] Update pipeline with reusable workflow
---
 .github/workflows/build-and-deploy.yml | 99 +++++++++++++++++++++++
 .github/workflows/pipeline.yml | 107 +++---------------------
 2 files changed, 112 insertions(+), 94 deletions(-)
 create mode 100644 .github/workflows/build-and-deploy.yml
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
new file mode 100644
index 00000000..bdd2d885
--- /dev/null
+++ b/.github/workflows/build-and-deploy.yml
@@ -0,0 +1,99 @@
+name: Build and Deploy
+on:
+ workflow_call:
+ inputs:
+ name:
+ required: true
+ type: string
+ directory:
+ required: true
+ type: string
+
+jobs:
+ build-and-push-image:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write # This is used to complete the identity challenge with sigstore/fulcio.
+ packages: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Build image from Dockerfile
+ working-directory: ${{ inputs.directory }}
+ run: |
+ docker build -t ${{ inputs.name }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
+
+ - name: Generate cosign vulnerability scan record
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
+ with:
+ image-ref: ${{ inputs.name }}:${{ github.sha }}
+ format: "cosign-vuln"
+ output: "vulnerabilities.json"
+
+ - name: Upload cosign vulnerability scan record
+ uses: actions/upload-artifact@v4
+ with:
+ name: "vulnerabilities.json"
+ path: "vulnerabilities.json"
+ if-no-files-found: error
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+ - name: Login to container registry
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+ with:
+ registry: "ghcr.io"
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push image
+ run: |
+ docker tag ${{ inputs.name }}:${{ github.sha }} ghcr.io/${{ inputs.name }}
+ docker tag ${{ inputs.name }}:${{ github.sha }} ghcr.io/${{ inputs.name }}:${{ github.sha }}
+ docker push --all-tags ghcr.io/${{ inputs.name }}
+
+ - name: Create SBOM
+ uses: digitalservicebund/create-sbom@095884614dac5ea922dfcb09cce2e22f3d6391a3 # v1.1.0
+ with:
+ image_name: ${{ inputs.name }}:${{ github.sha }}
+
+ - name: Sign the published Docker image
+ run: 
cosign sign --yes ghcr.io/${{ inputs.name }}:${{ github.sha }} + + - name: Attest the vulnerability scan + run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ inputs.name }}:${{ github.sha }} + + deploy: + needs: [build-and-push-image] + if: ${{ false }} # FIXME: Enable this job when the deployment is ready. + runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + packages: read + environment: production # FIXME: Create environment. + steps: + - name: Deploy latest container image + uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 + with: + environment: production + version: ${{ github.sha }} + deploying_repo: ${{ github.event.repository.name }} + infra_repo: ${{ github.event.repository.name }}-infra + deploy_key: ${{ secrets.DEPLOY_KEY }} + app: ${{ github.event.repository.name }}-production + argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} + argocd_server: ${{ secrets.ARGOCD_SERVER }} + + - name: Report Deployment + uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88 # v1.0.0 + with: + project: ${{ github.event.repository.name }} + environment: production + metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} + metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index e8ff8065..f992a3cb 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -56,7 +56,7 @@ jobs: - name: Check types run: npm run typecheck - - name: Run tests + - name: Run unit tests run: npm test - name: Install E2E & A11y test dependencies 
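Review bot: The `cosign sign` and `cosign attest` steps at the end of the `build-and-push-image` job are given a tag reference (`ghcr.io/<name>:<sha>`), so cosign resolves that tag at signing time instead of signing the bytes this job just pushed; if the tag is moved between the push and the sign step the signature and attestation would cover a different image, which is exactly why cosign prints a warning for tag references. Capture the digest from the pushed image (`docker inspect --format '{{index .RepoDigests 0}}'` after the push) and sign and attest `ghcr.io/<name>@sha256:…` instead. Since this is a `workflow_call` workflow, `${{ inputs.name }}` and `${{ inputs.directory }}` are also expanded straight into `run:` scripts and `working-directory:`; the current callers pass static matrix values, but the hardening guide the hunk itself links recommends passing such inputs through `env:` and reading them as shell variables so a future caller cannot inject shell. The trivy step records findings but sets no `exit-code`/`severity`, so the image is pushed and signed regardless of what it found — if the separate `vulnerability-scan` job in pipeline.yml is the intended gate, a comment saying so on this step would stop the next reader from assuming this one blocks.
```yaml
      - name: Push image
        id: push
        env:
          IMAGE: ${{ inputs.name }}
        run: |
          docker tag "$IMAGE:$GITHUB_SHA" "ghcr.io/$IMAGE"
          docker tag "$IMAGE:$GITHUB_SHA" "ghcr.io/$IMAGE:$GITHUB_SHA"
          docker push --all-tags "ghcr.io/$IMAGE"
          # RepoDigests is populated by the push; sign that digest, never the mutable tag.
          digest=$(docker inspect --format '{{index .RepoDigests 0}}' "ghcr.io/$IMAGE:$GITHUB_SHA" | cut -d@ -f2)
          echo "digest=$digest" >> "$GITHUB_OUTPUT"

      # … unchanged: Create SBOM …

      - name: Sign the published Docker image
        env:
          IMAGE: ${{ inputs.name }}
          DIGEST: ${{ steps.push.outputs.digest }}
        run: cosign sign --yes "ghcr.io/$IMAGE@$DIGEST"

      - name: Attest the vulnerability scan
        env:
          IMAGE: ${{ inputs.name }}
          DIGEST: ${{ steps.push.outputs.digest }}
        run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln "ghcr.io/$IMAGE@$DIGEST"
```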
@@ -162,101 +162,20 @@ jobs: with: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - build-and-push-image: + build-and-deploy: + needs: + - test + - audit-licenses + - vulnerability-scan + if: ${{ github.ref == 'refs/heads/main' }} + uses: .github/workflows/build-and-deploy.yml@main strategy: matrix: packages: - name: digitalcheck-dito - dir: packages/dito + directory: packages/dito - name: digitalcheck-tool-finder - dir: packages/tool-finder - runs-on: ubuntu-latest - if: ${{ github.ref == 'refs/heads/main' }} - needs: - - test - - audit-licenses - - vulnerability-scan - permissions: - contents: read - id-token: write # This is used to complete the identity challenge with sigstore/fulcio. - packages: write - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Build image from Dockerfile - working-directory: ${{ matrix.dir }} - run: | - docker build -t ${{ matrix.name }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }} - - - name: Generate cosign vulnerability scan record - # Third-party action, pin to commit SHA! 
- # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0 - with: - image-ref: ${{ matrix.name }}:${{ github.sha }} - format: "cosign-vuln" - output: "vulnerabilities.json" - - - name: Upload cosign vulnerability scan record - uses: actions/upload-artifact@v4 - with: - name: "vulnerabilities.json" - path: "vulnerabilities.json" - if-no-files-found: error - - - name: Install cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - - - name: Login to container registry - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 - with: - registry: "ghcr.io" - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push image - run: | - docker tag ${{ matrix.name }}:${{ github.sha }} ghcr.io/${{ matrix.name }} - docker tag ${{ matrix.name }}:${{ github.sha }} ghcr.io/${{ matrix.name }}:${{ github.sha }} - docker push --all-tags ghcr.io/${{ matrix.name }} - - - name: Create SBOM - uses: digitalservicebund/create-sbom@095884614dac5ea922dfcb09cce2e22f3d6391a3 # v1.1.0 - with: - image_name: ${{ matrix.name }}:${{ github.sha }} - - - name: Sign the published Docker image - run: cosign sign --yes ghcr.io/${{ matrix.name }}:${{ github.sha }} - - - name: Attest the vulnerability scan - run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ matrix.name }}:${{ github.sha }} - - deploy: - needs: [build-and-push-image] - runs-on: ubuntu-latest - if: ${{ github.ref == 'refs/heads/main' && false }} - timeout-minutes: 10 - permissions: - packages: read - environment: production - steps: - - name: Deploy latest container image - uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 - with: - environment: production - version: ${{ github.sha }} - deploying_repo: ${{ github.event.repository.name }} - infra_repo: 
${{ github.event.repository.name }}-infra - deploy_key: ${{ secrets.DEPLOY_KEY }} - app: ${{ github.event.repository.name }}-production - argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} - argocd_server: ${{ secrets.ARGOCD_SERVER }} - - - name: Report Deployment - uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88 # v1.0.0 - with: - project: ${{ github.event.repository.name }} - environment: production - metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} - metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} + directory: packages/tool-finder + with: + name: ${{ matrix.packages.name }} + directory: ${{ matrix.packages.directory }}
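Review bot: `uses: .github/workflows/build-and-deploy.yml@main` in the new `build-and-deploy` job is neither the documented same-repository form nor a complete remote one: a local reusable workflow is referenced as `./.github/workflows/build-and-deploy.yml` with no `@ref` and runs from the caller's own commit, while a remote reference needs `owner/repo/.github/workflows/file@ref`, so as written the workflow is likely rejected at parse time, and even a corrected `@main` reference would build whatever is on `main` at that moment rather than the revision that `test`, `audit-licenses` and `vulnerability-scan` just gated. Separately, the job this replaces carried `permissions: contents: read, id-token: write, packages: write`, but the calling job declares none; a called workflow can only narrow the caller's token permissions, so unless pipeline.yml grants these at workflow level (outside this hunk) the callee's `packages: write` and `id-token: write` will be denied at push and signing time. When the disabled `deploy` job is switched on it will also need `DEPLOY_KEY` and the ArgoCD secrets forwarded explicitly via a `secrets:` mapping (or `secrets: inherit`), since secrets are not passed to a called workflow by default.
```yaml
  build-and-deploy:
    # … unchanged: needs and if …
    # Same-repo reusable workflow: runs from the caller's commit, no mutable ref.
    uses: ./.github/workflows/build-and-deploy.yml
    # The called workflow can only narrow these, so grant what its build job needs.
    permissions:
      contents: read
      id-token: write
      packages: write
    # … unchanged: strategy/matrix and with: …
```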