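# Reusable backend pipeline. Lint, secret scanning, dependency/container scans
# and unit tests run on every call; release, image push and the infrastructure
# update are gated on push events to main/develop by job-level `if` conditions.
name: >-
  backend workflow that builds, tests, scans for vulnerabilities, creates a
  release, pushes a docker image to ECR, and updates infrastructure as code
  with the new image tag
run-name: "backend workflow for environment: ${{ inputs.environment }}"
# NOTE(review): these write scopes are granted to every job below, including the
# lint and scan jobs that only read the checkout. Scoping them per job (release,
# PR creation, OIDC) would be least-privilege; left unchanged here because the
# permissions the nested workflows need are not visible from this file.
permissions:
  contents: write
  pull-requests: write
  id-token: write
  issues: write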
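# `on` looks like a YAML 1.1 boolean to generic parsers; GitHub's loader reads
# it as the trigger key. Every input/secret below is supplied by the caller.
on:
  workflow_call:
    inputs:
      semver-app-id:
        description: "GitHub App ID used for semantic versioning, must have write permissions to the repo"
        required: true
        type: string
      environment:
        description: "Deployment environment used to resolve secrets (e.g., dev, int)"
        required: true
        type: string
      aws-region:
        description: "AWS region for deployment and AWS CLI commands"
        required: true
        type: string
      ecr-repository-name:
        description: "ECR repository name for pushing built images"
        required: true
        type: string
      gitleaks-app-id:
        description: "GitHub App ID used by gitleaks to authenticate with the GitHub API (must have read permissions to the repo and prs)"
        required: true
        type: string
      deployment-app-id:
        description: >-
          GitHub App ID used for deployment authentication, must have permissions
          to create PRs on the infrastructure repository
        required: true
        type: string
      application-name:
        description: >-
          Name of the application being built and deployed, used for tagging
          docker images and identifying the correct infrastructure as code to
          update in the infrastructure repository
        required: true
        type: string
      github-organization:
        description: "GitHub organization that owns the infrastructure repository"
        required: true
        type: string
      # The two inputs below use snake_case unlike the rest; kept as-is because
      # renaming them would break existing callers.
      infrastructure_repo:
        description: "Name of the infrastructure repository"
        required: true
        type: string
      infrastructure_base_branch:
        description: "Base branch for PR"
        required: false
        default: "main"
        type: string
    secrets:
      SEMVER_PRIVATE_KEY:
        description: "GitHub App private key matching the semver-app-id input, used for semantic-release authentication"
        required: true
      AWS_OIDC_ROLE_ARN:
        description: "OIDC role ARN for AWS credentials"
        required: true
      AWS_DEPLOYMENT_ROLE_ARN:
        description: "Deployment role ARN for AWS credentials"
        required: true
      GH_ORG_GITLEAKS_PRIVATE_KEY:
        description: "GitHub App private key matching the gitleaks-app-id input, used for gitleaks authentication"
        required: true
      LICENSE_KEY_GITLEAKS:
        description: "Gitleaks license key"
        required: true
      SONAR_TOKEN:
        description: "SonarQube authentication token"
        required: true
      NIST_OWASP_API_KEY:
        description: "API Key for the national vulnerability database used by OWASP Dependency Check"
        required: true
      DEPLOYMENT_APP_PRIVATE_KEY:
        description: >-
          GitHub App private key matching the deployment-app-id input, used for
          deployment authentication and creating PRs on the infrastructure
          repository
        required: true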
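jobs:
  # Static checks and secret scanning run first; every later job waits on both.
  checkstyle:
    name: "."
    uses: ./.github/workflows/backend_checkstyle.yml
  gitleaks:
    name: "."
    uses: ./.github/workflows/gitleaks.yml
    secrets:
      GH_ORG_GITLEAKS_PRIVATE_KEY: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
      LICENSE_KEY_GITLEAKS: ${{ secrets.LICENSE_KEY_GITLEAKS }}
    with:
      gitleaks-app-id: ${{ inputs.gitleaks-app-id }}

  # Scans and tests run in parallel; a failure in any of them blocks the release
  # because semantic-release lists all three in `needs`.
  owasp-dependency-check:
    name: "."
    uses: ./.github/workflows/backend_owasp_dependency_check.yml
    needs: [checkstyle, gitleaks]
    secrets:
      NIST_OWASP_API_KEY: ${{ secrets.NIST_OWASP_API_KEY }}
  unit-test-sonarqube:
    name: "."
    uses: ./.github/workflows/backend_unit_test_sonarqube.yml
    needs: [checkstyle, gitleaks]
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  trivy-scan:
    name: "."
    uses: ./.github/workflows/trivy_scan.yml
    needs: [checkstyle, gitleaks]

  # Release only on push to main/develop (the `github` context is the caller's).
  semantic-release:
    name: "."
    needs: [checkstyle, gitleaks, owasp-dependency-check, unit-test-sonarqube, trivy-scan]
    if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') }}
    uses: ./.github/workflows/semantic_release.yml
    secrets:
      SEMVER_PRIVATE_KEY: ${{ secrets.SEMVER_PRIVATE_KEY }}
    with:
      app-id: ${{ inputs.semver-app-id }}

  # Builds and pushes the image tagged with the version produced by
  # semantic-release; same push-to-main/develop gate as the release job.
  build-and-push:
    name: "."
    if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') }}
    uses: ./.github/workflows/backend_build_push_image.yml
    needs: [semantic-release]
    with:
      aws-region: ${{ inputs.aws-region }}
      ecr-repository-name: ${{ inputs.ecr-repository-name }}
      environment: ${{ inputs.environment }}
      version: ${{ needs.semantic-release.outputs.version }}
    secrets:
      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
      AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}

  # Opens a PR on the infrastructure repository with the new image tag.
  update-infrastructure:
    name: Update Infrastructure
    needs: [semantic-release, build-and-push]
    if: needs.build-and-push.result == 'success'
    uses: ./.github/workflows/update_infrastructure.yml
    with:
      image_tag: ${{ needs.semantic-release.outputs.version }}
      application_name: ${{ inputs.application-name }}
      infrastructure_repo: ${{ inputs.infrastructure_repo }}
      tfvars_path: 'terraform/terraform.auto.tfvars.json'
      base_branch: ${{ inputs.infrastructure_base_branch }}
      app-id: ${{ inputs.deployment-app-id }}
      # Forwarded from the required `github-organization` input instead of a
      # hard-coded organization name, which silently ignored the caller's value.
      github-organization: ${{ inputs.github-organization }}
    secrets:
      GH_APP_PRIVATE_KEY: ${{ secrets.DEPLOYMENT_APP_PRIVATE_KEY }}

  # After a release from main, merge main back into develop.
  merge-main-develop:
    name: "."
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
    uses: ./.github/workflows/merge_main_develop.yml
    needs: [semantic-release]
    secrets:
      SEMVER_PRIVATE_KEY: ${{ secrets.SEMVER_PRIVATE_KEY }}
    with:
      # `inputs.app-id` is not declared under workflow_call.inputs and evaluated
      # to an empty string; the semver app is the one whose private key is
      # passed above, so its ID is the matching input.
      app-id: ${{ inputs.semver-app-id }}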