atlas-code-github-workflows/.github/workflows/frontend_workflow.yml at main · blw-ofag-ufag/atlas-code-github-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: "frontend workflow that scans for secrets, vulnerabilities and code quality issues, creates a release and deploys to s3 (if the push was on main or develop)"
run-name: "frontend workflow for environment: ${{ inputs.environment }}"
permissions:
  contents: write
  pull-requests: write
  id-token: write
  issues: write

on:
  workflow_call:
    inputs:
      app-id:
        description: "GitHub App ID used for downstream workflows (like semantic versioning), must have write permissions to the repo"
        required: true
        type: string
      gitleaks-app-id:
        description: "GitHub App ID used by gitleaks to authenticate with the GitHub API (must have read permissions to the repo and prs"
        required: true
        type: string
      aws-region:
        description: "AWS region for deployment"
        required: true
        type: string
      frontend-s3-bucket:
        description: "S3 bucket name for frontend deployment"
        required: true
        type: string
      cloudfront-distribution-id:
        description: "CloudFront distribution ID for cache invalidation"
        required: true
        type: string
      environment:
        description: "Deployment environment used to resolve secrets (e.g., dev, int)"
        required: true
        type: string
      enable-build-push:
        description: 'Enable build and deploy to S3'
        required: false
        default: true
        type: boolean
    secrets:
      SEMVER_PRIVATE_KEY:
        description: "GitHub App private key matching the app-id inputs"
        required: true
      GH_ORG_GITLEAKS_PRIVATE_KEY:
        description: "GitHub App private key matching the gitleaks-app-id input, used for gitleaks authentication"
        required: true
      LICENSE_KEY_GITLEAKS:
        description: "Gitleaks license key"
        required: true
      SONAR_TOKEN:
        description: "SonarQube authentication token"
        required: true
      AWS_OIDC_ROLE_ARN:
        description: "OIDC role ARN for AWS credentials"
        required: true
      AWS_DEPLOYMENT_ROLE_ARN:
        description: "Deployment role ARN for AWS credentials"
        required: true

jobs:
  gitleaks:
    name: '.'
    uses: ./.github/workflows/gitleaks.yml
    secrets:
      GH_ORG_GITLEAKS_PRIVATE_KEY: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
      LICENSE_KEY_GITLEAKS: ${{ secrets.LICENSE_KEY_GITLEAKS }}
    with:
      gitleaks-app-id: ${{ inputs.gitleaks-app-id }}

  npm-audit:
    name: '.'
    uses: ./.github/workflows/frontend_npm_audit.yml

  trivy-scan:
    name: "."
    uses: ./.github/workflows/trivy_scan.yml

  unit-test-sonarqube:
    name: '.'
    uses: ./.github/workflows/frontend_unit_test_sonarqube.yml
    needs: [ gitleaks, npm-audit, trivy-scan]
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  semantic-release:
    name: '.'
    if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') }}
    uses: ./.github/workflows/semantic_release.yml
    needs: [ unit-test-sonarqube, gitleaks, npm-audit, trivy-scan ]
    secrets:
      SEMVER_PRIVATE_KEY: ${{ secrets.SEMVER_PRIVATE_KEY }}
    with:
      app-id: ${{ inputs.app-id }}

  build-and-push:
    name: '.'
    if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') }}
    uses: ./.github/workflows/frontend_build_deploy_s3.yml
    needs: [ semantic-release ]
    secrets:
      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
      AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
    with:
      enable: ${{ inputs.enable-build-push }}
      environment: ${{ inputs.environment }}
      build-configuration: ${{ github.ref == 'refs/heads/develop' && 'dev' || 'int' }}
      version: ${{needs.semantic-release.outputs.version }}
      aws-region: ${{ inputs.aws-region }}
      frontend-s3-bucket: ${{ inputs.frontend-s3-bucket }}
      cloudfront-distribution-id: ${{ inputs.cloudfront-distribution-id }}

  merge-main-develop:
    name: '.'
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
    uses: ./.github/workflows/merge_main_develop.yml
    needs: [ semantic-release ]
    secrets:
      SEMVER_PRIVATE_KEY: ${{ secrets.SEMVER_PRIVATE_KEY }}
    with:
      app-id: ${{ inputs.app-id }}