backend_workflow.yml
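---
# Reusable (workflow_call) backend pipeline: checkstyle, gitleaks, OWASP
# dependency check, unit tests + SonarQube, Trivy image scan, semantic
# release, image build/push to ECR and an infrastructure-as-code PR carrying
# the new image tag. Only the OWASP check, the build/push and the
# infrastructure update can be disabled (by input or by a commit-message
# marker); the secret scan, the Trivy scan and the tests always run.
name: "backend workflow that builds, tests, scans for vulnerabilities, creates a release, pushes a docker image to ECR, and updates infrastructure as code with the new image tag"
run-name: "backend workflow for environment: ${{ inputs.environment }}"

# Default GITHUB_TOKEN scope for the jobs below. `id-token: write` is what the
# AWS OIDC login needs; `contents`/`pull-requests` write are needed by the
# release, merge and infrastructure-update jobs. Jobs that only read the
# repository narrow this further with a job-level `permissions` block.
permissions:
  contents: write
  pull-requests: write
  id-token: write
  issues: write

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      semver-app-id:
        description: "GitHub App ID used for semantic versioning, must have write permissions to the repo"
        required: true
        type: string
      environment:
        description: "Deployment environment used to resolve secrets (e.g., dev, int)"
        required: true
        type: string
      aws-region:
        description: "AWS region for deployment and AWS CLI commands"
        required: true
        type: string
      ecr-repository-name:
        description: "ECR repository name for pushing built images"
        required: true
        type: string
      gitleaks-app-id:
        description: "GitHub App ID used by gitleaks to authenticate with the GitHub API (must have read permissions to the repo and PRs)"
        required: true
        type: string
      deployment-app-id:
        description: "GitHub App ID used for deployment authentication, must have permissions to create PRs on the infrastructure repository"
        required: true
        type: string
      application-name:
        description: "Name of the application being built and deployed, used for tagging docker images and identifying the correct infrastructure as code to update in the infrastructure repository"
        required: true
        type: string
      github-organization:
        description: "GitHub organization that owns the infrastructure repository"
        required: true
        type: string
      infrastructure_repo:
        description: "Name of the infrastructure repository"
        required: true
        type: string
      infrastructure_base_branch:
        description: "Base branch for the infrastructure PR"
        required: false
        default: "main"
        type: string
      enable-owasp-check:
        description: "Enable OWASP dependency check (a '[skip owasp]' commit-message marker also disables it)"
        required: false
        default: true
        type: boolean
      enable-build-push:
        description: "Enable backend build and push (a '[skip build-push]' commit-message marker also disables it)"
        required: false
        default: true
        type: boolean
      enable-infrastructure-update:
        description: "Enable infrastructure update (a '[skip infra-update]' commit-message marker also disables it)"
        required: false
        default: true
        type: boolean
    secrets:
      SEMVER_PRIVATE_KEY:
        description: "GitHub App private key matching the semver-app-id input, used for semantic-release authentication"
        required: true
      AWS_OIDC_ROLE_ARN:
        description: "OIDC role ARN for AWS credentials"
        required: true
      AWS_DEPLOYMENT_ROLE_ARN:
        description: "Deployment role ARN for AWS credentials"
        required: true
      GH_ORG_GITLEAKS_PRIVATE_KEY:
        description: "GitHub App private key matching the gitleaks-app-id input, used for gitleaks authentication"
        required: true
      LICENSE_KEY_GITLEAKS:
        description: "Gitleaks license key"
        required: true
      SONAR_TOKEN:
        description: "SonarQube authentication token"
        required: true
      NIST_OWASP_API_KEY:
        description: "API Key for the national vulnerability database used by OWASP Dependency Check"
        required: true
      DEPLOYMENT_APP_PRIVATE_KEY:
        description: "GitHub App private key matching the deployment-app-id input, used for deployment authentication and creating PRs on the infrastructure repository"
        required: true

jobs:
  # Resolves the three enable-* flags: the workflow input, overridden to
  # "false" when the head commit's message carries the matching [skip ...]
  # marker. Note that anyone who can push a commit can therefore skip the
  # OWASP check, the build and the infrastructure update; gitleaks, Trivy and
  # the tests cannot be skipped this way.
  set-flags-from-commit:
    name: Set flags from commit message
    runs-on: ubuntu-latest
    # Read-only job: do not inherit the workflow-level write scopes.
    permissions:
      contents: read
    outputs:
      enable-owasp-check: ${{ steps.set-flags.outputs.enable_owasp_check }}
      enable-build-push: ${{ steps.set-flags.outputs.enable_build_push }}
      enable-infrastructure-update: ${{ steps.set-flags.outputs.enable_infrastructure_update }}
    steps:
      # Consider pinning to a full commit SHA instead of a moving major tag.
      - uses: actions/checkout@v6
        with:
          # Full history so the PR head commit (not the synthetic merge
          # commit) can be inspected with `git log`.
          fetch-depth: 0
      - name: Set flags
        id: set-flags
        # The commit message is user-controlled text. It is read inside the
        # shell from git rather than interpolated into the script with
        # `${{ }}`, so its content cannot inject shell commands. Inputs are
        # passed as environment variables for the same reason, and outputs go
        # through $GITHUB_OUTPUT (`::set-output` is deprecated).
        env:
          # On pull_request events inspect the PR head commit; otherwise the
          # pushed commit.
          COMMIT_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
          # Boolean inputs arrive in the shell as the strings "true"/"false".
          INPUT_OWASP_CHECK: ${{ inputs.enable-owasp-check }}
          INPUT_BUILD_PUSH: ${{ inputs.enable-build-push }}
          INPUT_INFRA_UPDATE: ${{ inputs.enable-infrastructure-update }}
        run: |
          set -euo pipefail
          msg="$(git log -1 --pretty=%B "$COMMIT_SHA")"
          echo "Commit message: $msg"

          # flag <output-name> <input-value> <skip-marker-regex>
          # Writes <output-name>=false when the marker occurs anywhere in the
          # commit message (case-insensitive); otherwise passes the input
          # value through unchanged.
          flag() {
            if grep -iq "$3" <<< "$msg"; then
              echo "$1=false" >> "$GITHUB_OUTPUT"
            else
              echo "$1=$2" >> "$GITHUB_OUTPUT"
            fi
          }

          flag enable_owasp_check "$INPUT_OWASP_CHECK" '\[skip owasp\]'
          flag enable_build_push "$INPUT_BUILD_PUSH" '\[skip build-push\]'
          flag enable_infrastructure_update "$INPUT_INFRA_UPDATE" '\[skip infra-update\]'

  checkstyle:
    name: "."
    uses: ./.github/workflows/backend_checkstyle.yml

  gitleaks:
    name: "."
    uses: ./.github/workflows/gitleaks.yml
    secrets:
      GH_ORG_GITLEAKS_PRIVATE_KEY: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
      LICENSE_KEY_GITLEAKS: ${{ secrets.LICENSE_KEY_GITLEAKS }}
    with:
      gitleaks-app-id: ${{ inputs.gitleaks-app-id }}

  owasp-dependency-check:
    name: "."
    uses: ./.github/workflows/backend_owasp_dependency_check.yml
    needs: [checkstyle, gitleaks, set-flags-from-commit]
    with:
      # Job outputs are strings, hence the comparison against 'true'.
      enable: ${{ needs.set-flags-from-commit.outputs.enable-owasp-check == 'true' }}
    secrets:
      NIST_OWASP_API_KEY: ${{ secrets.NIST_OWASP_API_KEY }}

  unit-test-sonarqube:
    name: "."
    uses: ./.github/workflows/backend_unit_test_sonarqube.yml
    needs: [checkstyle, gitleaks, owasp-dependency-check]
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  trivy-scan:
    name: "."
    uses: ./.github/workflows/trivy_scan.yml
    needs: [checkstyle, gitleaks]

  # Releases only from pushes to main or develop, after every scan and the
  # tests have passed; its `version` output feeds the image tag below.
  semantic-release:
    name: "."
    needs: [checkstyle, gitleaks, owasp-dependency-check, unit-test-sonarqube, trivy-scan]
    if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') }}
    uses: ./.github/workflows/semantic_release.yml
    secrets:
      SEMVER_PRIVATE_KEY: ${{ secrets.SEMVER_PRIVATE_KEY }}
    with:
      app-id: ${{ inputs.semver-app-id }}

  build-and-push:
    name: "."
    uses: ./.github/workflows/backend_build_push_image.yml
    needs: [semantic-release, set-flags-from-commit]
    with:
      enable: ${{ needs.set-flags-from-commit.outputs.enable-build-push == 'true' }}
      aws-region: ${{ inputs.aws-region }}
      ecr-repository-name: ${{ inputs.ecr-repository-name }}
      environment: ${{ inputs.environment }}
      version: ${{ needs.semantic-release.outputs.version }}
    secrets:
      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
      AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}

  # Opens a PR on the infrastructure repository that bumps the image tag to
  # the released version. Runs only when the image was actually built.
  update-infrastructure:
    name: Update Infrastructure
    needs: [semantic-release, build-and-push, set-flags-from-commit]
    if: needs.build-and-push.result == 'success'
    uses: ./.github/workflows/update_infrastructure.yml
    with:
      enable: ${{ needs.set-flags-from-commit.outputs.enable-infrastructure-update == 'true' }}
      image_tag: ${{ needs.semantic-release.outputs.version }}
      application_name: ${{ inputs.application-name }}
      infrastructure_repo: ${{ inputs.infrastructure_repo }}
      tfvars_path: "terraform/terraform.auto.tfvars.json"
      base_branch: ${{ inputs.infrastructure_base_branch }}
      app-id: ${{ inputs.deployment-app-id }}
      # Taken from the required input instead of a hard-coded organization so
      # the workflow is reusable outside the original org.
      github-organization: ${{ inputs.github-organization }}
    secrets:
      GH_APP_PRIVATE_KEY: ${{ secrets.DEPLOYMENT_APP_PRIVATE_KEY }}

  merge-main-develop:
    name: "."
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
    uses: ./.github/workflows/merge_main_develop.yml
    needs: [semantic-release]
    secrets:
      SEMVER_PRIVATE_KEY: ${{ secrets.SEMVER_PRIVATE_KEY }}
    with:
      # `inputs.app-id` is not a declared input of this workflow and would
      # resolve to an empty string; the merge authenticates with the semver
      # App, so it must receive the matching App ID.
      app-id: ${{ inputs.semver-app-id }}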