feat(init): adds initial gitlab workflows

Author: Ti8m-BigA

.gitattributes

@@ -0,0 +1,3 @@
+# Shell scripts always LF
+*.sh text eol=lf
+* text=auto eol=lf

.github/workflows/check_single_commit.yml

@@ -0,0 +1,30 @@
+on:
+  workflow_call:
+
+jobs:
+  check-single-commit:
+    name: Check Single Commit
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Check number of commits in PR
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const pr = context.payload.pull_request;
+             if (!pr &&  !(github.head_ref == 'develop' && github.base_ref == 'main')) {
+                console.log("Not a pull request event. Skipping commit check.");
+                return;
+            }
+            const commits = await github.rest.pulls.listCommits({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pr.number,
+            });
+            const count = commits.data.length;
+            if (count > 1) {
+              core.setFailed(`PR has ${count} commits. Please squash to a single commit.`);
+            } else {
+              console.log("PR has a single commit. ✅");
+            }

.github/workflows/frontend_build_deploy_s3.yml

@@ -0,0 +1,102 @@
+on:
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        type: string
+        description: "Version of the application being deployed, used for versioned S3 paths and cache invalidation"
+      environment:
+        type: string
+        required: true
+        description: "environment to deploy to, used for selecting correct AWS credentials and CloudFront distribution based on environment specific secrets and variables"
+    secrets:
+      AWS_OIDC_ROLE_ARN:
+        description: "OIDC role ARN for AWS credentials"
+        required: true
+      AWS_DEPLOYMENT_ROLE_ARN:
+        description: "Deployment role ARN for AWS credentials"
+        required: true
+
+jobs:
+  # todo push to versioned s3 path / dont invalidate cache / instead create PR on Infrastructure repo to update origin path or copy the directory
+  build-push-s3:
+    name: Build and push application to S3 bucket
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    timeout-minutes: 5
+    # todo activate once requried
+    #FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Print GitHub Context Safely
+        run: |
+          echo "--- GitHub Context ---"
+          echo "${GITHUB_REPOSITORY}"
+          echo "${GITHUB_REF}"
+          echo "${GITHUB_SHA}"
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ format('v{0}', inputs.version) }}
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
+
+      - name: pnpm install
+        run: pnpm install --frozen-lockfile --ignore-scripts
+
+      - name: Build
+        # todo maybe adjust with env specific config eg: pnpm build -- --configuration=${{ steps.resolve-inputs.outputs.configuration }}
+        run: pnpm build
+
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Assume deployment role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+          role-chaining: true
+          role-skip-session-tagging: true
+
+      - name: Deploy to S3 bucket
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          set -euo pipefail
+
+          # Allowlist validation (adjust to your conventions)
+          [[ "$VERSION"   =~ ^[0-9]+(\.[0-9]+){2}([.-][0-9A-Za-z]+)*$ ]] || { echo "Invalid version"; exit 1; }
+
+
+          echo "Deploying version: v${VERSION}"
+
+          aws s3 sync "dist/atlas-agate-frontend/browser/" "s3://${{vars.FRONTEND_S3_BUCKET}}/" \
+            --region "$AWS_REGION" \
+            --delete
+
+      - name: Invalidate CloudFront cache
+        run: |
+          echo "Creating CloudFront invalidation for distribution: ${{ vars.CLOUDFRONT_DISTRIBUTION_ID }}"
+          aws cloudfront create-invalidation \
+            --distribution-id ${{ vars.CLOUDFRONT_DISTRIBUTION_ID }} \
+            --paths "/*"
+
+      - name: Display deployment URL
+        run: |
+          echo "✅ Deployment complete!"
+          echo "🌐 Your application is available at: https://www.blw-agate-dev.pc-core.isceco.admin.ch"

.github/workflows/frontend_unit_test_sonarqube.yml

@@ -0,0 +1,47 @@
+on:
+  workflow_call:
+    secrets:
+      SONAR_TOKEN:
+        description: "SonarQube authentication token"
+        required: true
+jobs:
+  unit-test-sonarqube:
+    name: Unit Tests and SonarQube
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    env:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      #env:
+      #todo activate once needed
+      #FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile --ignore-scripts
+
+      - name: Lint
+        run: pnpm lint
+
+      - name: Run unit tests
+        run: pnpm test
+
+      - name: Run SonarQube Analysis
+        uses: SonarSource/sonarqube-scan-action@v7
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          projectBaseDir: .

.github/workflows/frontend_workflow.yml

@@ -0,0 +1,89 @@
+name: "frontend workflow"
+
+permissions:
+    contents: write
+    pull-requests: write
+    id-token: write
+    issues: write
+
+on:
+  workflow_call:
+    inputs:
+      app-id:
+        description: "GitHub App ID used for downstream workflows"
+        required: true
+        type: string
+    secrets:
+      GH_ORG_PRIVATE_KEY:
+        description: "GitHub App private key used for downstream workflows"
+        required: true
+      GH_ORG_GITLEAKS_PRIVATE_KEY:
+        description: "GitHub App private key used for gitleaks token"
+        required: true
+      LICENSE_KEY_GITLEAKS:
+        description: "Gitleaks license key"
+        required: true
+      SONAR_TOKEN:
+        description: "SonarQube authentication token"
+        required: true
+      AWS_OIDC_ROLE_ARN:
+        description: "OIDC role ARN for AWS credentials"
+        required: true
+      AWS_DEPLOYMENT_ROLE_ARN:
+        description: "Deployment role ARN for AWS credentials"
+        required: true
+
+jobs:
+  check-single-commit:
+    name: '.'
+    uses: ./.github/workflows/check_single_commit.yml
+
+  gitleaks:
+    name: '.'
+    uses: ./.github/workflows/gitleaks.yml
+    needs: check-single-commit
+    secrets:
+      GH_ORG_GITLEAKS_PRIVATE_KEY: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
+      LICENSE_KEY_GITLEAKS: ${{ secrets.LICENSE_KEY_GITLEAKS }}
+
+  vulnerability-scan:
+    name: '.'
+    uses: ./.github/workflows/vulnrability_scan.yml
+    needs: [ check-single-commit ]
+
+  unit-test-sonarqube:
+    name: '.'
+    uses: frontend_unit_test_sonarqube.yml
+    needs: [ vulnerability-scan, gitleaks ]
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  semantic-release:
+    name: '.'
+    if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') }}
+    uses: ./.github/workflows/semantic_release.yml
+    needs: [unit-test-sonarqube, vulnerability-scan]
+    secrets:
+      GH_ORG_PRIVATE_KEY: ${{ secrets.GH_ORG_PRIVATE_KEY }}
+    with:
+      app-id: ${{ inputs.app-id }}
+
+  build-and-push:
+    name: '.'
+    if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') }}
+    uses: ./.github/workflows/frontend_build_deploy_s3.yml
+    needs: [semantic-release ]
+    secrets:
+      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+      AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+    with:
+      version: ${{ needs.semantic-release.outputs.version }}
+      environment: ${{ github.ref == 'refs/heads/develop' && 'develop' || 'integration' }}
+
+  merge-main-develop:
+    name: '.'
+    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+    uses: ./.github/workflows/merge_main_develop.yml
+    needs: [ semantic-release ]
+    secrets:
+      GH_ORG_PRIVATE_KEY: ${{ secrets.GH_ORG_PRIVATE_KEY }}

.github/workflows/gitleaks.yml

@@ -0,0 +1,38 @@
+on:
+  workflow_call:
+    secrets:
+      GH_ORG_GITLEAKS_PRIVATE_KEY:
+        description: "GitHub App private key used for gitleaks token"
+        required: true
+      LICENSE_KEY_GITLEAKS:
+        description: "Gitleaks license key"
+        required: true
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  git-leaks:
+    name: Gitleaks
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          clean: true
+
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_ORG_GITLEAKS_APP_ID }}
+          private-key: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
+
+      - name: Run Gitleaks Scan
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITLEAKS_LICENSE: ${{ secrets.LICENSE_KEY_GITLEAKS }}

.github/workflows/merge_main_develop.yml

@@ -0,0 +1,53 @@
+on:
+  workflow_call:
+    secrets:
+      GH_ORG_PRIVATE_KEY:
+        description: "GitHub App private key used to create the merge token"
+        required: true
+
+jobs:
+  merge-main-develop:
+    name: Merge main into develop
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_ORG_APP_ID }}
+          private-key: ${{ secrets.GH_ORG_PRIVATE_KEY }}
+
+      - name: Set up Git user for GitHub App
+        run: |
+          git config --global user.name "semantic-release[bot]"
+          git config --global user.email "semantic-release[bot]@users.noreply.github.com"
+
+      - name: Sync main to develop
+        env:
+          # todo remove Fallback to GITHUB_TOKEN if app token is available
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          set -e
+
+          echo "🔄 Cloning repository..."
+          git clone https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }} repo
+          cd repo
+
+          echo "📦 Setting up remotes..."
+          git remote add app-origin https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}
+          git fetch app-origin
+
+          echo "🔀 Checking out 'develop' branch..."
+          git checkout develop
+
+          echo "🔁 Attempting fast-forward merge from 'main' to 'develop'..."
+          git merge --ff-only app-origin/main || echo "⚠️ Fast-forward not possible, continuing..."
+
+          echo "📊 Checking for changes after merge..."
+          if git diff --quiet app-origin/develop; then
+            echo "✅ No changes to push. Skipping push."
+            exit 0
+          fi
+
+          echo "🚀 Pushing changes to 'develop'..."
+          git push app-origin develop

.github/workflows/sample_frontend_default_workflow.yml

@@ -0,0 +1,29 @@
+name: "default workflow"
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+  issues: write
+
+on:
+  pull_request:
+    branches: [main, develop]
+  push:
+    branches: [main, develop]
+  merge_group:
+    branches: [main, develop]
+
+jobs:
+  frontend-workflow:
+    name: '.'
+    uses: ./.github/workflows/frontend_workflow.yml
+    secrets:
+      GH_ORG_PRIVATE_KEY: ${{ secrets.GH_ORG_PRIVATE_KEY }}
+      GH_ORG_GITLEAKS_PRIVATE_KEY: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
+      LICENSE_KEY_GITLEAKS: ${{ secrets.LICENSE_KEY_GITLEAKS }}
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+      AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+    with:
+      app-id: ${{ vars.GH_ORG_APP_ID }}