-
Notifications
You must be signed in to change notification settings - Fork 0
112 lines (97 loc) · 3.25 KB
/
deploy-dev.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
name: deploy-dev
on:
push:
branches:
- main
- brukerpassbytte
jobs:
build:
name: Build app, docker image and push docker image
permissions:
contents: write
id-token: write
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up JDK
uses: actions/setup-java@v3
with:
distribution: temurin
java-version: 17
cache: gradle
- name: Validate Gradle wrapper
uses: gradle/wrapper-validation-action@v1
- uses: gradle/[email protected]
env: # Eksluder test dependencies
DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: compileClasspath|runtimeClasspath
TESTCONTAINERS_RYUK_DISABLED: true
with:
dependency-graph: generate-and-submit
arguments: build
- name: Pre-deploy
uses: navikt/digihot-deploy/actions/pre-deploy@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push docker image
uses: nais/docker-build-push@v0
id: docker-build-push
with:
byosbom: dependency-graph-reports/deploy-dev-build.json
team: teamdigihot
identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
tag: ${{ env.VERSION_TAG }}
- name: Deploy to dev-gcp
uses: nais/deploy/actions/deploy@v1
env:
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
CLUSTER: dev-gcp
RESOURCE: nais/nais-dev.yaml,nais/alerts-dev.yaml
IMAGE: ${{steps.docker-build-push.outputs.image}}
- name: post-deploy
if: github.ref == 'refs/heads/main'
uses: navikt/digihot-deploy/actions/post-deploy@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: draft release
if: github.ref == 'refs/heads/main'
uses: actions/create-release@latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ env.VERSION_TAG }}
release_name: ${{ env.APPLICATION }} ${{ env.VERSION_TAG }}
body: ${{ env.CHANGE_LOG }}
draft: true
prerelease: false
outputs:
image: ${{ steps.docker-build-push.outputs.image }}
trivy-imagescan:
name: Scan dockerimage with Trivy
needs: build
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
id-token: write
steps:
- uses: nais/login@v0
with:
project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
team: teamdigihot
- name: Run Trivy vulnerability scanner on docker image
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ needs.build.outputs.image }}
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'