RISDEV-5882 Add stage deployment

digitalservicebund · Dec 19, 2024 · 42af229 · 42af229
1 parent 6e7f8be
commit 42af229
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 1 deletion.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -174,6 +174,48 @@ jobs:
         # Third-party action, pin to commit SHA!
         # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
         uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
-        if: ${{ failure() }}
+        if: ${{ failure() && github.ref == 'refs/heads/main' }}
         with:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+  deploy-staging:
+    runs-on: ubuntu-latest
+    if: ${{ github.ref == 'refs/heads/main' }}
+    concurrency:
+      group: deploy-staging
+      cancel-in-progress: true
+    environment: staging
+    needs:
+      - push-frontend-image-to-registry
+    permissions:
+      id-token: write # Enable OIDC for gitsign
+    steps:
+      - uses: chainguard-dev/actions/setup-gitsign@94389dc7faf4ef9040df90498419535e1bdcb60e
+      - name: Deploy new images
+        uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
+        with:
+          environment: staging
+          #version: ${{ needs.push-backend-image-to-registry.outputs.version }}
+          version: ${{ env.CONTAINER_IMAGE_VERSION }}
+          deploying_repo: ${{ env.CONTAINER_IMAGE_NAME }}/frontend
+          infra_repo: ris-adm-vwv-infra
+          deploy_key: ${{ secrets.DEPLOY_KEY }}
+          app: ris-adm-vwv-staging
+          argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
+          argocd_server: ${{ secrets.ARGOCD_SERVER }}
+          argocd_sync_timeout: 300
+      - name: Track deploy
+        continue-on-error: true
+        uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
+        with:
+          project: ris-adm-vwv
+          environment: staging
+          metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
+          metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
+      - name: Send status to Slack
+        # Third-party action, pin to commit SHA!
+        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
+        if: ${{ failure() }}
+        with:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.talismanrc b/.talismanrc
@@ -23,16 +23,21 @@ allowed_patterns:
   - "uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0"
   - "uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0"
   - "uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59"
+  - "uses: chainguard-dev/actions/setup-gitsign@94389dc7faf4ef9040df90498419535e1bdcb60e"
+  - "uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412"
+  - "uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a"
   - "dsn: 'https://[email protected]/4508482613084160'"
   # allow these specific patterns with the term "secret"
   - secrets-scan-with-talisman
   - "secrets: inherit"
   - "SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}"
   - "# scan for secrets that were published by mistake"
   - "password: \\$\\{\\{ secrets.GITHUB_TOKEN \\}\\}"
+  - "argocd_pipeline_password: \\$\\{\\{ secrets.ARGOCD_PIPELINE_PASSWORD \\}\\}"
   # allow these specific patterns with the term "key"
   - "key: modules-"
   - "key:.+runner.os"
   - "key[s]?: docker-frontend-images-cache"
   - "key: npm-cache"
   - "sonar.projectKey=digitalservicebund_ris-adm-vwv"
+  - "deploy_key: \\$\\{\\{ secrets.DEPLOY_KEY \\}\\}"