blw-ofag-ufag · Ti8m-BigA · Apr 2, 2026 · Apr 2, 2026
diff --git a/.github/examples/backend_default_workflow.yml b/.github/examples/backend_default_workflow.yml
@@ -0,0 +1,58 @@
+name: "backend default workflow"
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+  issues: write
+
+on:
+  pull_request:
+    branches: [ main, develop ]
+  push:
+    branches: [ main, develop ]
+  merge_group:
+    branches: [ main, develop ]
+jobs:
+  # maps the branch to an environment and sets it as output for the rest of the workflow
+  set-env:
+    runs-on: ubuntu-latest
+    outputs:
+      environment: ${{ steps.map-branch-to-env.outputs.environment }}
+
+    steps:
+      - id: map-branch-to-env
+        shell: bash
+        run: |
+          if [[ "${GITHUB_REF}" == "refs/heads/develop" ]]; then
+            echo "environment=dev" >> "$GITHUB_OUTPUT"
+          elif [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then
+            echo "environment=int" >> "$GITHUB_OUTPUT"
+          else
+            echo "unable to set environment for ref ${GITHUB_REF}"
+          fi
+
+
+  backend-workflow:
+    name: "."
+    uses: ./.github/workflows/backend_workflow.yml
+    needs: [ set-env ]
+    secrets:
+      GH_ORG_GITLEAKS_PRIVATE_KEY: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
+      LICENSE_KEY_GITLEAKS: ${{ secrets.LICENSE_KEY_GITLEAKS }}
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+      AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+      SEMVER_PRIVATE_KEY: ${{secrets.SEMVER_PRIVATE_KEY}}
+      NIST_OWASP_API_KEY: ${{ secrets.NIST_OWASP_API_KEY }}
+      DEPLOYMENT_APP_PRIVATE_KEY: ${{ secrets.PC_CORE_BLW_AGATE_DEV_DEPLOY_PRIVATE_KEY }}
+    with:
+      environment: ${{ needs.set-env.outputs.environment }}
+      semver-app-id: ${{vars.SEMVER_APP_ID}}
+      gitleaks-app-id: ${{ vars.GH_ORG_GITLEAKS_APP_ID }}
+      aws-region: ${{ vars.AWS_REGION }}
+      ecr-repository-name: 'agate-test-backend'
+      deployment-app-id: ${{ vars.PC_CORE_BLW_AGATE_DEV_DEPLOY_APP_ID}}
+      application-name: 'agate-test-backend'
+      infrastructure_repo: 'pc-core-blw-agate-dev'
+      github-organization: 'blw-ofag-ufag'
diff --git a/.github/examples/frontend_trigger_default_workflow.yml b/.github/examples/frontend_trigger_default_workflow.yml
@@ -55,7 +55,7 @@ jobs:
     uses: blw-ofag-ufag/atlas-code-github-workflows/.github/workflows/frontend_workflow.yml@v1.4.0
     needs: [set-env, resolve-env-vars]
     secrets:
-      GH_ORG_PRIVATE_KEY: ${{ secrets.GH_ORG_PRIVATE_KEY }}
+      SEMVER_PRIVATE_KEY: ${{ secrets.SEMVER_PRIVATE_KEY }}
       GH_ORG_GITLEAKS_PRIVATE_KEY: ${{ secrets.GH_ORG_GITLEAKS_PRIVATE_KEY }}
       LICENSE_KEY_GITLEAKS: ${{ secrets.LICENSE_KEY_GITLEAKS }}
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

diff --git a/.github/workflows/backend_build_push_image.yml b/.github/workflows/backend_build_push_image.yml
@@ -0,0 +1,133 @@
+name: Build and Push Backend Docker Image to ECR
+run-name: Build and Push to ECR - ${{ inputs.environment }} - ${{ inputs.version }}
+on:
+  workflow_call:
+    inputs:
+      environment:
+        type: string
+        required: true
+        description: "environment to deploy to, used for selecting correct AWS credentials and CloudFront distribution based on environment specific secrets and variables"
+      aws-region:
+        type: string
+        required: true
+        description: "AWS region for deployment and AWS CLI commands"
+      ecr-repository-name:
+        required: true
+        type: string
+      version:
+        required: true
+        type: string
+        description: "Version tag for the Docker image"
+    secrets:
+      AWS_OIDC_ROLE_ARN:
+        description: "OIDC role ARN for AWS credentials"
+        required: true
+      AWS_DEPLOYMENT_ROLE_ARN:
+        description: "Deployment role ARN for AWS credentials"
+        required: true
+    outputs:
+      image:
+        value: ${{ jobs.build-push-image.outputs.image }}
+
+jobs:
+  build-push-image:
+    name: Build and push docker image
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    timeout-minutes: 5
+    outputs:
+      image: ${{ steps.push-image.outputs.image }}
+    env:
+      AWS_REGION: ${{ inputs.aws-region }}
+      ECR_REPOSITORY: ${{inputs.ecr-repository-name}}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Print GitHub Context Safely
+        run: |
+          echo "--- GitHub Context ---"
+          echo "${GITHUB_REPOSITORY}"
+          echo "${GITHUB_REF}"
+          echo "${GITHUB_SHA}"
+      - name: Validate deployment inputs
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          set -euo pipefail
+          [[ "$VERSION" =~ ^[0-9]+(\.[0-9]+){2}([.-][0-9A-Za-z]+)*$ ]] || { echo "Invalid version"; exit 1; }
+          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ format('v{0}', inputs.version) }}
+
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: '25'
+          distribution: 'corretto'
+
+      - name: Restore Maven Cache
+        uses: actions/cache/restore@v5
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
+      - name: Maven package
+        run: mvn -B clean package -DskipTests -T 1C
+
+      - name: Set image tag to GITHUB_ENV
+        run: echo "IMAGE_TAG=${VERSION}" >> $GITHUB_ENV
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      # activate once blueprint is ready
+      #      - name: Assume deployment role
+      #        uses: aws-actions/configure-aws-credentials@v4
+      #        with:
+      #          role-to-assume: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+      #          aws-region: ${{ env.AWS_REGION }}
+      #          role-chaining: true
+      #          role-skip-session-tagging: true
+
+      - name: Login to AWS ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Generate Docker metadata
+        id: meta
+        uses: docker/metadata-action@v6
+        with:
+          images: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}
+          tags: |
+            type=raw,value=${{ env.VERSION  }}
+            type=sha
+
+      - name: Build and push to ECR
+        id: build
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          # Caching makes subsequent builds much faster
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: false
+          sbom: true
+
diff --git a/.github/workflows/backend_checkstyle.yml b/.github/workflows/backend_checkstyle.yml
@@ -0,0 +1,39 @@
+name: Backend Checkstyle ensures correct style and formatting of the codebase
+run-name: Checkstyle
+on:
+  workflow_call:
+
+jobs:
+  checkstyle:
+    name: Checkstyle
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up JDK 25
+        uses: actions/setup-java@v5
+        with:
+          java-version: '25'
+          distribution: 'corretto'
+
+      - name: Restore Maven Cache
+        uses: actions/cache/restore@v5
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
+      - name: Run Checkstyle
+        run: mvn checkstyle:check
+
+      - name: Save Maven Cache
+        uses: actions/cache/save@v5
+        if: success()
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/backend_owasp_dependency_check.yml b/.github/workflows/backend_owasp_dependency_check.yml
@@ -0,0 +1,65 @@
+name: OWASP Dependency Check ensure no vulnerable dependencies
+run-name: OWASP Dependency Check
+on:
+  workflow_call:
+    secrets:
+      NIST_OWASP_API_KEY:
+        description: "API Key for the national vulnerability database used by OWASP Dependency Check"
+        required: true
+jobs:
+  owasp-dependency-check:
+    name: OWASP Dependency Check
+    runs-on: ubuntu-latest
+    timeout-minutes: 100
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up JDK 25
+        uses: actions/setup-java@v5
+        with:
+          java-version: '25'
+          distribution: 'corretto'
+
+      - name: Get Date for OWASP Cache
+        id: get-cache-date
+        run: |
+          echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: check NIST key length
+        env:
+          NIST_OWASP_API_KEY: ${{ secrets.NIST_OWASP_API_KEY }}
+        run: |
+          echo "Key length: ${#NIST_OWASP_API_KEY}"
+
+      - name: Restore Maven Cache
+        uses: actions/cache/restore@v5
+        with:
+          path: ~/.m2/repository
+          # Using date in cache key as OWASP database may change, without the pom changing
+          key: ${{ runner.os }}-owasp-${{ steps.get-cache-date.outputs.date }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-owasp-${{ steps.get-cache-date.outputs.date }}
+            ${{ runner.os }}-owasp-
+
+
+
+      - name: Run OWASP Dependency Check
+        run: |
+          mvn org.owasp:dependency-check-maven:check \
+            -DossindexAnalyzerEnabled=false \
+            -DnvdApiKey=${{ secrets.NIST_OWASP_API_KEY }} \
+            -DossindexAnalyzerEnabled=false \
+            -DpnpmAuditAnalyzerEnabled=false \
+            -DnodeAuditAnalyzerEnabled=false \
+            -DyarnAuditAnalyzerEnabled=false
+
+      - name: Save Maven Cache
+        uses: actions/cache/save@v5
+        if: always()
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-owasp-${{ steps.get-cache-date.outputs.date }}-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/backend_unit_test_sonarqube.yml b/.github/workflows/backend_unit_test_sonarqube.yml
@@ -0,0 +1,48 @@
+name: Unit Tests and SonarQube analysis for Java backend
+run-name: Unit Tests and SonarQube
+on:
+  workflow_call:
+    secrets:
+      SONAR_TOKEN:
+        description: "SonarQube authentication token"
+        required: true
+jobs:
+  unit-test-sonarqube:
+    name: Unit Tests and SonarQube
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up JDK 25
+        uses: actions/setup-java@v5
+        with:
+          java-version: '25'
+          distribution: 'corretto'
+
+      - name: Restore Maven Cache
+        uses: actions/cache/restore@v5
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
+      - name: Run Unit Tests
+        run: mvn -B test -T 1C
+
+      - name: Run SonarQube Analysis
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: |
+          mvn -T 1C sonar:sonar -Dsonar.coverage.jacoco.xmlReportPaths=target/jacoco-report/jacoco.xml
+
+      - name: Save Maven Cache
+        uses: actions/cache/save@v5
+        if: success()
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}