From ac69ff88cd1245a8cb609d00dad1d6aeef9c49e6 Mon Sep 17 00:00:00 2001
From: Sanny Nguyen Hung
Date: Fri, 13 Oct 2023 15:11:49 +0200
Subject: [PATCH] Create new action for testing environment
---
.github/workflows/testing-ci-pipeline.yml | 105 ++++++++++++++++++++++
1 file changed, 105 insertions(+)
create mode 100644 .github/workflows/testing-ci-pipeline.yml
diff --git a/.github/workflows/testing-ci-pipeline.yml b/.github/workflows/testing-ci-pipeline.yml
new file mode 100644
index 00000000..05252de5
--- /dev/null
+++ b/.github/workflows/testing-ci-pipeline.yml
@@ -0,0 +1,105 @@
+name: CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ # Allow to run this workflow manually
+ workflow_dispatch:
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ test-app:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Setup Node
+ uses: actions/setup-node@v2
+ with:
+ node-version: "16.13.0"
+ cache: "npm"
+
+ - run: npm install
+
+ - name: Set up playwright
+ run: npx playwright install
+
+ - name: Check format
+ run: npm run lint
+
+ - name: Run unit tests
+ run: npm test
+
+ build-push-image:
+ needs: [test-app]
+ if: github.ref == 'refs/heads/main'
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ security-events: write
+ packages: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t ${{ env.IMAGE_NAME }}:testing .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "${{ env.IMAGE_NAME }}:testing"
+ format: "template"
+ template: "@/contrib/sarif.tpl"
+ output: "trivy-results.sarif"
+ ignore-unfixed: true
+ vuln-type: "os,library"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: "trivy-results.sarif"
+
+ - name: Login to container registry
+ uses: docker/login-action@v1
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push image
+ run: |
+ docker tag ${{ env.IMAGE_NAME }}:testing ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ docker tag ${{ env.IMAGE_NAME }}:testing ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing
+ docker push --all-tags ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ deploy:
+ needs: [build-push-image]
+ if: github.ref !== 'refs/heads/main'
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ packages: read
+ environment: staging
+ steps:
+ - name: Deploy new image
+ uses: digitalservicebund/github-actions/argocd-deploy@9b15fba0ce0e874d9af5be33ebeea7d476f808d0
+ with:
+ environment: staging
+ version: testing
+ deploying_repo: achill
+ infra_repo: achill-infra
+ deploy_key: ${{ secrets.DEPLOY_KEY }}
+ app: achill-staging
+ argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
+ argocd_server: ${{ secrets.ARGOCD_SERVER }}
+ argocd_sync_timeout: 300
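Review bot: The deploy job's condition `if: github.ref !== 'refs/heads/main'` uses `!==`, which is not an operator in GitHub Actions expressions (only `==` and `!=` exist), so the workflow is rejected when it is parsed; because the job `needs: [build-push-image]`, which itself only runs on main, `==` looks like the intended operator and `if: github.ref == 'refs/heads/main'` would match the upstream job. The build-push-image `permissions` block lists only `security-events: write` and `packages: write`, which sets every unlisted scope to none, so its `actions/checkout@v2` step runs without `contents: read` (at least on private repositories this fails) — add `contents: read` there, and give test-app its own `permissions: contents: read` so it does not run `npm install` and `npm test` on pull requests with the repository's default token scope. Third-party actions are pinned inconsistently: the deploy step is pinned to a full commit SHA while `aquasecurity/trivy-action@master` tracks a mutable branch, and `actions/checkout@v2`, `actions/setup-node@v2`, `docker/login-action@v1` and `github/codeql-action/upload-sarif@v1` are superseded majors; pinning all of them the same way (SHA, or at least a current major) closes the supply-chain gap and avoids the deprecated `upload-sarif@v1` being removed from under the pipeline. The Trivy step sets no `exit-code`, so with `ignore-unfixed: true` the scan only reports and the later push step still publishes the image (including the implicit `latest` tag created by the first `docker tag`) even when CRITICAL/HIGH findings exist — if the scan is meant to gate the push, add `exit-code: "1"` to its `with:` block, and consider whether a pipeline named "testing" should overwrite `latest` at all.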