.github/workflows/cicd.yml

name: Test, bygg, deploy
on:
  push:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * 1' # bygg nytt image hver mandag morgen


jobs:
  build:
    name: Bygg
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: https://npm.pkg.github.com/
          cache: 'npm'

      - run: npm ci --omit=dev --omit=optional
        env:
          NODE_AUTH_TOKEN: ${{ secrets.READER_TOKEN }}
        working-directory: ./server

      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.READER_TOKEN }}
      - run: npm run test
      - run: npm run lint
      - run: npm run build

      - run: npx @cyclonedx/cyclonedx-npm --package-lock-only --ignore-npm-errors  --output-file sbom1.json
      - run: npx @cyclonedx/cyclonedx-npm --package-lock-only --omit dev --ignore-npm-errors  --output-file sbom2.json server/package.json
      - run: jq -s '.[0] * .[1]' sbom1.json sbom2.json > sbom.merged.json

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ github.sha }}.bom.json
          path: sbom.merged.json

      - uses: nais/docker-build-push@v0
        id: gar-push
        with:
          team: fager
          salsa: false
          tag: ${{ github.sha }}
          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}

      - id: upload
        uses: nais/deploy/actions/cdn-upload/v2@master
        with:
          team: fager
          source: ./build/
          destination: '/min-side-arbeidsgiver'
          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}

    outputs:
      image: ${{ steps.gar-push.outputs.image }}
      digest: ${{ steps.gar-push.outputs.digest }}

  salsa:
    name: attest and sign image
    needs: [ build ]
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: nais/login@v0
        id: login
        with:
          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
          team: fager

      - uses: actions/download-artifact@v4
        with:
          name: ${{ github.sha }}.bom.json
          path: ./

      - uses: nais/attest-sign@v1
        with:
          image_ref: ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }}
          sbom: sbom.merged.json

  deploy-dev-gcp:
    needs: [ build ]
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - name: Deploy til dev-gcp
        uses: nais/deploy/actions/deploy@v2
        env:
          CLUSTER: dev-gcp
          RESOURCE: nais/dev-gcp.yaml
          PRINT_PAYLOAD: true
          VAR: commit=${{ github.sha }},image=${{ needs.build.outputs.image }}

  deploy-prod-gcp:
    needs: [ build ]
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - name: Deploy til prod-gcp
        uses: nais/deploy/actions/deploy@v2
        env:
          CLUSTER: prod-gcp
          RESOURCE: nais/prod-gcp.yaml
          PRINT_PAYLOAD: true
          VAR: commit=${{ github.sha }},image=${{ needs.build.outputs.image }}

  deploy-prodlik-demo-gcp:
    needs: [ build ]
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - name: Deploy prodlik demo til dev-gcp
        uses: nais/deploy/actions/deploy@v2
        env:
          CLUSTER: dev-gcp
          RESOURCE: nais/demo-prodlik.yaml
          PRINT_PAYLOAD: true
          VAR: commit=${{ github.sha }},image=${{ needs.build.outputs.image }}

  deploy-devlik-demo-gcp:
    needs: [ build ]
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - name: Deploy dev-lik demo til dev-gcp
        uses: nais/deploy/actions/deploy@v2
        env:
          CLUSTER: dev-gcp
          RESOURCE: nais/demo-devlik.yaml
          PRINT_PAYLOAD: true
          VAR: commit=${{ github.sha }},image=${{ needs.build.outputs.image }}