Skip to content

Category import

Category import #15738

Workflow file for this run

name: Pipeline
on:
push:
branches: [ main ]
paths-ignore:
- '**/*.md'
pull_request:
branches: [ main ]
schedule:
- cron: "0 18 * * *" # Every day at 8pm
# Allow to run this workflow manually
workflow_dispatch:
env:
RUN_ID: ${{ github.run_id }}
CONTAINER_REGISTRY: ghcr.io
CONTAINER_IMAGE_NAME: ${{ github.repository }}
CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha || github.sha }} # Use PR head SHA if available
GH_PACKAGES_REPOSITORY_USER: ${{ secrets.GH_PACKAGES_REPOSITORY_USER }} # Secrets must not start with "GITHUB_".
GH_PACKAGES_REPOSITORY_TOKEN: ${{ secrets.GH_PACKAGES_REPOSITORY_TOKEN }}
SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
REPORTS_REPOSITORY: digitalservicebund/ris-reports
jobs:
backend-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get Gradle version
working-directory: ./backend
run: |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
- name: Set up JDK
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b
with:
java-version: "21.0"
distribution: "temurin"
- name: Setup Gradle
uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
with:
gradle-version: ${{ env.GRADLE_VERSION }}
- name: Run backend tests
working-directory: ./backend
run: ./gradlew build --profile -x integrationTest -x test
- name: Upload build performance report
uses: actions/upload-artifact@v4
with:
name: performance-report
path: backend/build/reports/profile/profile*.html
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
backend-checks:
uses: ./.github/workflows/backend-checks.yml
secrets: inherit
backend-build-image-and-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Get Gradle version
working-directory: ./backend
run: |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
- name: Set up JDK
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b
with:
java-version: "21.0"
distribution: "temurin"
- name: Setup Gradle
uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
with:
gradle-version: ${{ env.GRADLE_VERSION }}
- name: Build backend image
working-directory: ./backend
run: ./gradlew bootBuildImage
- name: Run Trivy vulnerability image scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
format: "sarif"
output: "trivy-results.sarif"
github-pat: ${{ secrets.GITHUB_TOKEN }}
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
# Todo: Remove this step
- name: Upload Trivy scan results
uses: actions/upload-artifact@v4
with:
name: "trivy-results-backend.sarif"
path: "trivy-results.sarif"
if-no-files-found: error
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
- name: Generate cosign vulnerability scan record
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
format: "cosign-vuln"
output: "vuln-backend.json"
- name: Upload cosign vulnerability scan record
uses: actions/upload-artifact@v4
with:
name: "vuln-backend.json"
path: "vuln-backend.json"
if-no-files-found: error
- name: Save image
run: |
mkdir /tmp/images
docker save -o /tmp/images/backend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- uses: actions/cache@v4
with:
path: /tmp/images
key: docker-images-cache-${{ env.RUN_ID }}
restore-keys: docker-images-cache-${{ env.RUN_ID }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
frontend-checks:
uses: ./.github/workflows/frontend-checks.yml
secrets: inherit
audit-licenses-backend:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b
with:
java-version: "21.0"
distribution: "temurin"
cache: gradle
- name: Grant execute permission for gradlew
working-directory: ./backend
run: chmod +x gradlew
- name: Run license scanner
working-directory: ./backend
run: ./gradlew checkLicense
- name: Upload licence report
uses: actions/upload-artifact@v4
with:
name: licence-reports-backend
retention-days: 3
path: backend/build/reports/dependency-license/backend-licence-report.csv
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
audit-licenses-frontend:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ./frontend/package.json
cache: npm
cache-dependency-path: ./frontend/package-lock.json
- name: Install dependencies
run: npm ci
working-directory: ./frontend
- name: Run license scanner
run: npm run audit:licences
working-directory: ./frontend
- name: Upload licence report
uses: actions/upload-artifact@v4
with:
name: licence-reports-frontend
retention-days: 3
path: frontend/frontend-licence-report.csv
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
frontend-build-image-and-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Build frontend image
run: docker build --file frontend/Dockerfile.prod --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} ./frontend
- name: Run Trivy vulnerability image scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
format: "sarif"
output: "trivy-results.sarif"
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
- name: Run Trivy vulnerability file scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
scan-type: "fs"
scan-ref: "./frontend"
skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
format: "sarif"
output: "trivy-results.sarif"
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy file scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
category: trivy-fs-scan
- name: Generate cosign vulnerability scan record
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
format: "cosign-vuln"
output: "vuln-frontend.json"
- name: Upload cosign vulnerability scan record
uses: actions/upload-artifact@v4
with:
name: "vuln-frontend.json"
path: "vuln-frontend.json"
if-no-files-found: error
- name: Save image
run: |
mkdir /tmp/images
docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- uses: actions/cache@v4
with:
path: /tmp/images
key: docker-frontend-images-cache-${{ env.RUN_ID }}
restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
push-backend-image-to-registry:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
needs:
- backend-build
- backend-checks
- backend-build-image-and-scan
- audit-licenses-backend
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
outputs:
version: ${{ steps.set-version.outputs.version }}
steps:
- uses: actions/cache@v4
with:
path: /tmp/images
key: docker-images-cache-${{ env.RUN_ID }}
restore-keys: docker-images-cache-${{ env.RUN_ID }}
- name: load image
shell: bash
run: docker load -i /tmp/images/backend-image.tar
- name: Log into container registry
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Publish backend container image
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Install cosign
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59
- name: Sign the published Docker image
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- id: set-version
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
push-frontend-image-to-registry:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
needs:
- frontend-checks
- frontend-build-image-and-scan
- audit-licenses-frontend
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
outputs:
version: ${{ steps.set-version.outputs.version }}
steps:
- uses: actions/cache@v4
with:
path: /tmp/images
key: docker-frontend-images-cache-${{ env.RUN_ID }}
restore-keys: docker-images-cache-${{ env.RUN_ID }}
- name: load image
shell: bash
run: docker load -i /tmp/images/frontend-image.tar
- name: Log into container registry
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Publish backend container image
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Install cosign
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59
- name: Sign the published Docker image
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- id: set-version
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
deploy-staging:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
concurrency:
group: deploy-staging
cancel-in-progress: true
environment: staging
needs:
- push-frontend-image-to-registry
- push-backend-image-to-registry
permissions:
id-token: write # Enable OIDC for gitsign
steps:
- uses: chainguard-dev/actions/setup-gitsign@0c26ac0ebfc8e53f8c2debe657cc2c5f6fe26663
- name: Deploy new images
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: staging
version: ${{ needs.push-backend-image-to-registry.outputs.version }}
deploying_repo: ris-backend-service,ris-backend-service/frontend
infra_repo: neuris-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: ris-staging
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300
- name: Track deploy
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
with:
project: RIS
environment: staging
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
prep-playwright-tests:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
steps:
- uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ./frontend/package.json
cache: npm
cache-dependency-path: ./frontend/package-lock.json
- name: Get Playwright version
working-directory: ./frontend
run: echo "PLAYWRIGHT_VERSION=$(jq -r '.packages["node_modules/@playwright/test"].version' package-lock.json)" >> $GITHUB_ENV
- name: Cache browser binaries
id: cache-browser-binaries
uses: actions/cache@v4
with:
path: ~/.cache/ms-playwright
key: ${{ runner.os }}-playwright-${{ env.PLAYWRIGHT_VERSION }}
- name: Install browsers
if: steps.cache-browser-binaries.outputs.cache-hit != 'true'
run: |
npx --yes playwright install --with-deps chromium firefox
working-directory: ./frontend
e2e-tests:
if: ${{ github.ref == 'refs/heads/main' }}
concurrency:
group: deploy-staging
cancel-in-progress: true
needs: [ deploy-staging, prep-playwright-tests ]
# We do not include the matrix directly, so that the concurrency group does not apply to each matrix job individually
uses: ./.github/workflows/e2e_matrix.yml
secrets: inherit
query-performance-tests:
if: ${{ github.ref == 'refs/heads/main' }}
concurrency:
group: deploy-staging
cancel-in-progress: true
needs: [ e2e-tests, prep-playwright-tests ]
uses: ./.github/workflows/_playwright-test.yml
with:
subproject: "all"
browser: "queries" # uses the 'queries' project
mode: "queries"
runs: 1
workers: 1
secrets: inherit
generate-test-reports:
if: ${{ !cancelled() && github.ref == 'refs/heads/main' }}
needs: [ e2e-tests ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ./frontend/package.json
cache: npm
cache-dependency-path: ./frontend/package-lock.json
- name: Cache node_modules
uses: actions/cache@v4
id: node-modules-cache
with:
path: |
./frontend/node_modules
key: modules-${{ hashFiles('./frontend/package-lock.json') }}
- name: Install dependencies
if: steps.node-modules-cache.outputs.cache-hit != 'true'
run: |
npm ci
working-directory: ./frontend
- name: Download blob reports from artifacts
uses: actions/download-artifact@v4
with:
path: ./frontend/all-blob-reports
pattern: test-results-blob-*
- name: Prepare test reports for merge
working-directory: ./frontend/all-blob-reports
run: |
for DIR in test-results-blob-*; do
unzip -o "$DIR/test-report.zip" -d "$DIR"
rm "$DIR/test-report.zip"
ZIP_FILE="../$(basename "$DIR").zip"
(cd "$DIR" && zip -r "$ZIP_FILE" ./*.jsonl)
rm -rf "$DIR"
done
shell: bash
- name: Merge into html report
run: npx playwright merge-reports --reporter html ./all-blob-reports
working-directory: ./frontend
- name: Upload html report to artifacts
uses: actions/upload-artifact@v4
with:
name: html-test-report
path: ./frontend/playwright-report
check-latest-deploy-tag:
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- e2e-tests
runs-on: ubuntu-latest
outputs:
should_deploy: ${{ steps.compare-tags.outputs.should_deploy }}
environment: production
steps:
- name: Checkout infra repository
uses: actions/checkout@v4
with:
repository: digitalservicebund/neuris-infra
ssh-key: ${{ secrets.DEPLOY_KEY }}
path: infra
- name: Checkout main repository
uses: actions/checkout@v4
with:
fetch-depth: 0
path: main
- name: compare image tags
id: compare-tags
run: |
set -x
CURRENT_TAG=${{ env.CONTAINER_IMAGE_VERSION }}
DEPLOYED_TAG=$(yq '.images[0] | .newTag' infra/manifests/overlays/production/kustomization.yaml)
cd main
if git merge-base --is-ancestor $CURRENT_TAG $DEPLOYED_TAG; then
echo "should_deploy=false" >> "$GITHUB_OUTPUT"
else
echo "should_deploy=true" >> "$GITHUB_OUTPUT"
fi
deploy-production:
runs-on: ubuntu-latest
if: |
github.ref == 'refs/heads/main' &&
needs.check-latest-deploy-tag.outputs.should_deploy == 'true'
concurrency: deploy-production
environment: production
needs:
- push-frontend-image-to-registry
- push-backend-image-to-registry
- e2e-tests
- check-latest-deploy-tag
- backend-checks
- frontend-checks
permissions:
id-token: write # Enable OIDC for gitsign
steps:
- uses: chainguard-dev/actions/setup-gitsign@0c26ac0ebfc8e53f8c2debe657cc2c5f6fe26663
- name: Deploy new images
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: production
version: ${{ needs.push-backend-image-to-registry.outputs.version }}
deploying_repo: ris-backend-service,ris-backend-service/frontend
infra_repo: neuris-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: ris-production
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300
- name: Track deploy
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
with:
project: RIS
environment: production
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
deploy-uat:
runs-on: ubuntu-latest
if: |
github.ref == 'refs/heads/main'
concurrency: deploy-uat
environment: uat
needs:
- push-frontend-image-to-registry
- push-backend-image-to-registry
- e2e-tests
- deploy-production
permissions:
id-token: write # Enable OIDC for gitsign
steps:
- uses: chainguard-dev/actions/setup-gitsign@0c26ac0ebfc8e53f8c2debe657cc2c5f6fe26663
- name: Deploy new images
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: uat
version: ${{ needs.push-backend-image-to-registry.outputs.version }}
deploying_repo: ris-backend-service,ris-backend-service/frontend
infra_repo: neuris-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: ris-uat
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
generate-entity-relationship-diagram:
runs-on: ubuntu-latest
if: ${{ false && github.ref == 'refs/heads/main' }}
env:
POSTGRES_DB: ris-erd
POSTGRES_PASSWORD: postgres
POSTGRES_USER: postgres
services:
postgres:
image: postgres:14-alpine
env:
POSTGRES_DB: ris-erd
POSTGRES_PASSWORD: postgres
POSTGRES_USER: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
--name postgres
ports:
- 5432:5432
steps:
- uses: actions/checkout@v4
- name: Install uuid-ossp extension
run: docker exec postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";'
- name: Apply incremental migration structure
run: docker exec -i postgres psql -d ${{ env.POSTGRES_DB }} -U ${{ env.POSTGRES_USER }} < ./backend/src/test/resources/db/create_migration_scheme_and_extensions.sql
- name: Get Gradle version
working-directory: ./backend
run: |
echo "GRADLE_VERSION=$(sed -n 's/.*gradle-\([0-9]*\(\.[0-9]*\)*\)-.*/\1/p' ./gradle/wrapper/gradle-wrapper.properties)" >> $GITHUB_ENV
- name: Set up JDK
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b
with:
java-version: "21.0"
distribution: "temurin"
cache: gradle
- name: Setup Gradle
uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
with:
gradle-version: ${{ env.GRADLE_VERSION }}
- name: Migrate database for Entity–relationship model
working-directory: ./backend
run: ./gradlew migrateDatabaseForERD
env:
DB_URL: jdbc:postgresql://localhost:5432/${{ env.POSTGRES_DB }}
DB_USER: ${{ env.POSTGRES_USER }}
DB_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
- name: Generate mermaid ER-diagram
uses: digitalservicebund/export-entity-relationship-diagram@c022c18a7a9e4fce71cece7ff907a952ba5c11c8
with:
configFile: ./backend/mermerd.config.yaml
connectionString: postgresql://${{ env.POSTGRES_USER }}:${{ env.POSTGRES_PASSWORD }}@localhost:5432/${{ env.POSTGRES_DB }}
outputFile: latest.mmd
flags: --debug
version: 0.9.0
- name: Upload mermaid ER-diagram
uses: actions/upload-artifact@v4
with:
name: erdiagram
retention-days: 3
path: latest.mmd
generate-backend-code-documentation:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b
with:
java-version: "21.0"
distribution: "temurin"
cache: gradle
- name: Grant execute permission for gradlew
working-directory: ./backend
run: chmod +x gradlew
- name: Run Javadoc
working-directory: ./backend
run: ./gradlew javadoc
- name: Upload documentation
uses: actions/upload-artifact@v4
with:
name: backend-code-documentation
retention-days: 3
path: backend/build/docs/javadoc/
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
push-reports:
runs-on: ubuntu-latest
needs:
# - generate-entity-relationship-diagram
- backend-build
- audit-licenses-backend
- audit-licenses-frontend
- e2e-tests
- generate-backend-code-documentation
- generate-test-reports
if: ${{ github.ref == 'refs/heads/main' }}
steps:
# Setup
- uses: actions/checkout@v4
with:
repository: ${{ env.REPORTS_REPOSITORY }}
ssh-key: ${{ secrets.REPORTS_DEPLOY_KEY }}
- name: Setup git config
run: |
git config user.name "${{ github.repository }}"
# This email identifies the commit as GitHub Actions - see https://github.com/orgs/community/discussions/26560
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
# ER-diagram
# - name: ER-diagram - Download artifact
# uses: actions/download-artifact@v4
# with:
# name: erdiagram
# path: tmp/erdiagram-reports/
# - name: ER-diagram - git add report
# uses: digitalservicebund/add-ris-report@32770d369cf00a8154bb6a17005d11cf781bfba3
# with:
# filePath: tmp/erdiagram-reports/latest.mmd
# destinationDir: entity-relationship-diagrams/ris-backend-service
# Licence reports
- name: Licence reports - Download
uses: actions/download-artifact@v4
with:
pattern: licence-reports-*
path: tmp/licence-reports/
merge-multiple: true
- name: Frontend licence report - git add report
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
with:
filePath: tmp/licence-reports/frontend-licence-report.csv
destinationDir: licence-reports/frontend/ris-backend-service
- name: Backend licence report - git add report
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
with:
filePath: tmp/licence-reports/backend-licence-report.csv
destinationDir: licence-reports/backend/ris-backend-service
# Performance report
- name: Performance reports - Download
uses: actions/download-artifact@v4
with:
name: performance-report
path: tmp/performance-reports/
- run: mv tmp/performance-reports/profile*.html tmp/performance-reports/profile-report.html
- name: Performance report - git add report
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
with:
filePath: tmp/performance-reports/profile-report.html
destinationDir: performance-reports/ris-backend-service
# Backend code documentation
- name: Backend Code Documentation - Download
uses: actions/download-artifact@v4
with:
name: backend-code-documentation
path: tmp/backend-code-documentation/
- name: Java - git add report
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
with:
filePath: tmp/backend-code-documentation
destinationDir: backend-code-documentation/java
reportIsDirectory: true
# e2e test report
- name: E2E test reports - Download
uses: actions/download-artifact@v4
with:
name: html-test-report
path: tmp/html-test-report/
- name: E2E test reports - git add report
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
with:
filePath: tmp/html-test-report/
destinationDir: test-reports/ris-backend-service
reportIsDirectory: true
# Push reports
- name: Push reports
# we use `toJSON(...)` below to escape double quotation marks
run: |
git diff-index --cached --quiet HEAD ||
git commit \
-m ${{ toJSON(github.event.head_commit.message) }} \
-m "From commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" &&
git push origin main &&
echo "Pushed reports to ${{ github.server_url }}/${{ env.REPORTS_REPOSITORY }}" >> $GITHUB_STEP_SUMMARY