.github/workflows/pipeline.yml

name: "CI Pipeline"

on:
  push:
    branches: [main]
    paths-ignore:
      - "**/*.md"
  pull_request:
    # TODO: restrict later
    # branches: [main]
  # Allow to run this workflow manually
  workflow_dispatch:

env:
  RUN_ID: ${{ github.run_id }}
  CONTAINER_REGISTRY: ghcr.io
  CONTAINER_IMAGE_NAME: ${{ github.repository }}
  CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha || github.sha }}

jobs:
  ##############################################
  # jobs dispatched to separate workflow files #
  ##############################################

  frontend-jobs:
    uses: ./.github/workflows/frontend-jobs.yml
    secrets: inherit

  security-jobs:
    uses: ./.github/workflows/security-jobs.yml
    secrets: inherit # so the backend workflow can access "secrets.SLACK_WEBHOOK_URL" and others
    permissions:
      contents: read
      security-events: write # trivy scan needs this

  frontend-build-image-and-scan:
    if: ${{ github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Build frontend image
        run: docker build --file prod.Dockerfile --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} .
      - name: Run Trivy vulnerability image scanner
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
          format: "sarif"
          output: "trivy-results.sarif"
      - name: Check trivy results
        run: |
          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
            echo "Vulnerabilities found"
            exit 1
          else
            echo "No significant vulnerabilities found"
            exit 0
          fi

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
        with:
          sarif_file: "trivy-results.sarif"
      - name: Run Trivy vulnerability file scanner
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          scan-type: "fs"
          scan-ref: "./frontend"
          skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
          format: "sarif"
          output: "trivy-results.sarif"
      - name: Check trivy results
        run: |
          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
            echo "Vulnerabilities found"
            exit 1
          else
            echo "No significant vulnerabilities found"
            exit 0
          fi
      - name: Upload Trivy file scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
        with:
          sarif_file: "trivy-results.sarif"
          category: trivy-fs-scan
      - name: Generate cosign vulnerability scan record
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
          format: "cosign-vuln"
          output: "vuln-frontend.json"
      - name: Upload cosign vulnerability scan record
        uses: actions/upload-artifact@v4
        with:
          name: "vuln-frontend.json"
          path: "vuln-frontend.json"
          if-no-files-found: error
      - name: Save image
        run: |
          mkdir /tmp/images
          docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
      - uses: actions/cache@v4
        with:
          path: /tmp/images
          key: docker-frontend-images-cache-${{ env.RUN_ID }}
          restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
      - name: Send status to Slack
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
        if: ${{ failure() && github.ref == 'refs/heads/main' }}
        with:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  push-frontend-image-to-registry:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
    needs:
      - frontend-jobs
      - frontend-build-image-and-scan
    permissions:
      contents: read
      id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
      packages: write
    outputs:
      version: ${{ steps.set-version.outputs.version }}
    steps:
      - uses: actions/cache@v4
        with:
          path: /tmp/images
          key: docker-frontend-images-cache-${{ env.RUN_ID }}
          restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
      - name: load image
        shell: bash
        run: docker load -i /tmp/images/frontend-image.tar
      - name: Log into container registry
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
        with:
          registry: ${{ env.CONTAINER_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish backend container image
        run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
      - name: Install cosign
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59
      - name: Sign the published Docker image
        run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
      - id: set-version
        run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
      - name: Send status to Slack
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
        if: ${{ failure() && github.ref == 'refs/heads/main' }}
        with:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  deploy-staging:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' }}
    concurrency:
      group: deploy-staging
      cancel-in-progress: true
    environment: staging
    needs:
      - push-frontend-image-to-registry
    permissions:
      id-token: write # Enable OIDC for gitsign
    steps:
      - uses: chainguard-dev/actions/setup-gitsign@94389dc7faf4ef9040df90498419535e1bdcb60e
      - name: Deploy new images
        uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
        with:
          environment: staging
          #version: ${{ needs.push-backend-image-to-registry.outputs.version }}
          version: ${{ env.CONTAINER_IMAGE_VERSION }}
          deploying_repo: ${{ env.CONTAINER_IMAGE_NAME }}/frontend
          infra_repo: ris-adm-vwv-infra
          deploy_key: ${{ secrets.DEPLOY_KEY }}
          app: ris-adm-vwv-staging
          argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
          argocd_server: ${{ secrets.ARGOCD_SERVER }}
          argocd_sync_timeout: 300
      - name: Track deploy
        continue-on-error: true
        uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
        with:
          project: ris-adm-vwv
          environment: staging
          metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
          metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
      - name: Send status to Slack
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
        if: ${{ failure() }}
        with:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}