Skip to content

chore(deps): update chainguard-dev/actions digest to 141bf22 (#872) #6344

chore(deps): update chainguard-dev/actions digest to 141bf22 (#872)

chore(deps): update chainguard-dev/actions digest to 141bf22 (#872) #6344

Workflow file for this run

name: Pipeline
on:
# run on any branch receiving a push (not only on main)
push:
branches:
- main
pull_request:
branches:
- main
# also: allow to run this workflow manually
workflow_dispatch:
jobs:
#############################################
# jobs dispatched to a separate workflow file
#############################################
backend-jobs:
permissions:
security-events: write # upload-sarif
packages: write
id-token: write
contents: read
uses: ./.github/workflows/backend-jobs.yml
with:
container-registry: ghcr.io
container-image-name: ${{ github.repository }}
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}
secrets: inherit # e.g. sonar token
frontend-jobs:
permissions:
security-events: write # upload-sarif
packages: write
id-token: write
contents: read
uses: ./.github/workflows/frontend-jobs.yml
with:
# It would be nicer if we used the env vars defined above (as not to duplicate information),
# however, env vars cannot be passed over to a reuseable workflow using "with"
# cf. https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations
# and the workaround is horrible
# cf. https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow
container-registry: ghcr.io
container-image-name: ${{ github.repository }}
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}
secrets: inherit # e.g. sonar token
ldml-extension-jobs:
uses: ./.github/workflows/ldml-extension-jobs.yml
secrets: inherit # e.g. sonar token
create-docker-image-job:
permissions:
security-events: write # upload-sarif
packages: write
id-token: write
contents: read
uses: ./.github/workflows/create-docker-image-job.yml
with:
container-registry: ghcr.io
container-image-name: ${{ github.repository }}
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}
secrets: inherit # e.g. sonar token
push-docker-image-job:
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
needs:
- backend-jobs
- frontend-jobs
- create-docker-image-job
- e2e-tests
permissions:
security-events: write # upload-sarif
packages: write
id-token: write
contents: read
uses: ./.github/workflows/push-docker-image-job.yml
with:
container-registry: ghcr.io
container-image-name: ${{ github.repository }}
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}
secrets: inherit # e.g. sonar token
# ######################
# # Check time for automatic deployments
# # Should only deploy automatically outside the hours when migration job (1:00AM UTC) and publishing job run (2:00AM UTC),
# # meaning not between 0:30 AM UTC and 4:00AM UTC
# ######################
check-auto-deploy:
if: ${{ github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
outputs:
should-auto-deploy: ${{ steps.check-time.outputs.should-auto-deploy }}
steps:
- id: check-time
run: |
current_time=$(TZ=UTC date "+%H:%M")
if [[ "$current_time" > "00:30" && "$current_time" < "04:00" ]]; then
echo "Should not deploy automatically. Current time is $current_time"
echo "should-auto-deploy=false" >> "$GITHUB_OUTPUT"
else
echo "Should deploy automatically. Current time is $current_time"
echo "should-auto-deploy=true" >> "$GITHUB_OUTPUT"
fi
# ######################
# # Deploy new versions to staging
# ######################
deploy-staging-job:
if: ${{ github.ref == 'refs/heads/main' && needs.check-auto-deploy.outputs.should-auto-deploy == 'true' }}
needs:
- check-auto-deploy
- frontend-jobs
- backend-jobs
- push-docker-image-job
- e2e-tests
permissions:
id-token: write
uses: ./.github/workflows/deploy-staging-job.yml
secrets: inherit
# ######################
# # Deploy new versions to uat
# ######################
deploy-uat-job:
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- deploy-staging-job
permissions:
id-token: write
uses: ./.github/workflows/deploy-uat-job.yml
secrets: inherit
# ######################
# # Deploy new versions to production
# ######################
deploy-production-job:
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- deploy-uat-job
permissions:
id-token: write
uses: ./.github/workflows/deploy-production-job.yml
secrets: inherit
# ########################
# # system test jobs
# ########################
e2e-tests:
strategy:
fail-fast: false
matrix:
browser: [chromium, firefox, msedge]
uses: ./.github/workflows/end-to-end-tests.yml
with:
browser: ${{ matrix.browser }}
secrets: inherit
################
# Security jobs
################
trivy-scan:
runs-on: ubuntu-latest
permissions:
security-events: write # upload-sarif
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
env:
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
scan-type: "fs"
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH" #ignored by sarif report
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy scan results to GitHub Security tab
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
talisman-check:
runs-on: ubuntu-latest
# Running on main only https://digitalservicebund.slack.com/archives/C046VD44ZEH/p1706516240974409
if: ${{ github.ref == 'refs/heads/main' }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Detect secrets in incoming commits with Talisman
uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb
- name: Send status to Slack
# only on failure and if on "main" branch
if: ${{ failure() && github.ref == 'refs/heads/main' }}
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
###################
# Generate reports
###################
generate-test-reports:
if: ${{ !cancelled() && github.ref == 'refs/heads/main' }}
needs:
- e2e-tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ./frontend/.node-version
cache: npm
cache-dependency-path: ./frontend/package-lock.json
- name: Cache node_modules
uses: actions/cache@v4
id: cache-npm-cache
with:
# The docs discourage caching `node-modules`, cf. https://github.com/actions/cache/blob/main/examples.md#node---npm
path: /home/runner/.npm
key: npm-cache-${{ hashFiles('./frontend/package-lock.json') }}
- name: Install node modules
run: npm ci
working-directory: ./frontend
- name: Download blob reports from artifacts
uses: actions/download-artifact@v4
with:
path: ./frontend/all-blob-reports
pattern: test-results-blob-*
- name: Prepare test reports for merge
working-directory: ./frontend/all-blob-reports
run: |
for DIR in test-results-blob-*; do
unzip -o "$DIR/test-report.zip" -d "$DIR"
rm "$DIR/test-report.zip"
ZIP_FILE="../$(basename "$DIR").zip"
(cd "$DIR" && zip -r "$ZIP_FILE" ./*.jsonl)
rm -rf "$DIR"
done
shell: bash
- name: Merge into html report
run: npx playwright merge-reports --reporter html ./all-blob-reports
working-directory: ./frontend
- name: Upload html report to artifacts
uses: actions/upload-artifact@v4
with:
name: html-test-report
path: ./frontend/playwright-report
push-reports:
runs-on: ubuntu-latest
env:
reports-repo: digitalservicebund/ris-reports
needs:
- generate-test-reports
- backend-jobs
if: ${{ github.ref == 'refs/heads/main' }}
steps:
- uses: actions/checkout@v4
with:
repository: ${{ env.reports-repo }}
ssh-key: ${{ secrets.REPORTS_DEPLOY_KEY }}
- name: Setup git config
run: |
git config user.name "${{ github.repository }}"
# This email identifies the commit as GitHub Actions - see https://github.com/orgs/community/discussions/26560
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
# Backend code documentation
- name: Backend Code Documentation - Download
uses: actions/download-artifact@v4
with:
name: backend-code-documentation
path: tmp/backend-code-documentation/
- name: Java - git add report
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
with:
filePath: tmp/backend-code-documentation
destinationDir: norms-code-documentation/java
reportIsDirectory: true
# e2e test report
- name: E2E test reports - Download
uses: actions/download-artifact@v4
with:
name: html-test-report
path: tmp/html-test-report/
- name: E2E test reports - git add report
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
with:
filePath: tmp/html-test-report/
destinationDir: test-reports/ris-norms
reportIsDirectory: true
# Licence reports
- name: Licence reports - Download
uses: actions/download-artifact@v4
with:
pattern: licence-reports-*
path: tmp/licence-reports/
merge-multiple: true
- name: Frontend licence report - git add report
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
with:
filePath: tmp/licence-reports/frontend-licence-report.csv
destinationDir: licence-reports/frontend/ris-norms
- name: Backend licence report - git add report
uses: digitalservicebund/add-ris-report@c6c8735d23295c36a271c75e7dedc9b6b9a9ef5e
with:
filePath: tmp/licence-reports/backend-licence-report.csv
destinationDir: licence-reports/backend/ris-norms
# Push reports
- name: Push reports
run: |
git diff-index --cached --quiet HEAD ||
git commit \
-m ${{ toJSON(github.event.head_commit.message) }} \
-m "From commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" &&
git push origin main &&
echo "Pushed reports to ${{ github.server_url }}/${{ env.reports-repo }}" >> $GITHUB_STEP_SUMMARY
- name: Send status to Slack
uses: digitalservicebund/notify-on-failure-gha@66c485757701f8d5dbee32f24df38d904ca693ba
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}