.github/workflows/pipeline.yml

name: Pipeline

on:
  # Run on any branch receiving a push
  push:
  # Allow manual trigger of the workflow
  workflow_dispatch:

jobs:
  # Talisman Secrets Check
  talisman-check:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Detect secrets in incoming commits with Talisman
        uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb

  # Trivy Vulnerability Scan
  trivy-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # upload-sarif
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb
        with:
          scan-type: "fs"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"

      - name: Verify SARIF file exists
        run: ls -la trivy-results.sarif

      - name: Check trivy results
        run: |
          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
            echo "Vulnerabilities found"
            exit 1
          else
            echo "No significant vulnerabilities found"
            exit 0
          fi

      - name: Upload Trivy scan results to GitHub Security tab
        if: ${{ always() && github.ref == 'refs/heads/main' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

  # Deploy Storybook to GitHub Pages
  build-and-deploy-storybook:
    if: ${{ github.ref == 'refs/heads/main' }}
    needs:
      - talisman-check
      - trivy-scan
    permissions:
      contents: read
      pages: write
      id-token: write
    concurrency:
      group: "pages"
      cancel-in-progress: true
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: "20"

      - name: Install dependencies
        run: npm ci

      - name: Build Storybook
        run: npm run build:storybook

      - name: Setup Pages
        uses: actions/configure-pages@v2

      - name: Upload Storybook artifact
        uses: actions/upload-pages-artifact@v1
        with:
          path: ./storybook-static

      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v1