fix: owasp dependency check, image push to ECR

.github/examples/backend/.github/workflows/backend_default_workflow.yml

@@ -1,4 +1,4 @@
-name: "backend default workflow"
+name: "backend workflow"
 
 permissions:
   contents: write
@@ -44,6 +44,27 @@ jobs:
         run: |
           echo "resolving environment specific variables for environment ${{ needs.set-env.outputs.environment }}"
           echo "infrastructure_repo=${{ vars.INFRASTRUCTURE_REPO }}"
+          echo "infrastructure_repo=${{ vars.INFRASTRUCTURE_REPO }}" >> "$GITHUB_OUTPUT"
+
+  validate-secret-values:
+    runs-on: ubuntu-latest
+    needs: [ set-env, resolve-env-vars ]
+    environment:  ${{ needs.set-env.outputs.environment }}
+    steps:
+      - name: Validate secret values
+        env:
+          AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+          AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+        run: |
+          echo "Validating secret values for environment ${{ needs.set-env.outputs.environment }}"
+          AWS_ROLE_PATTERN='^arn:aws:iam::[0-9]{12}:role\/[A-Za-z0-9+=,.@_-]+$'
+          echo "Roles should match pattern: $AWS_ROLE_PATTERN"
+          if [[ ! "$AWS_DEPLOYMENT_ROLE_ARN" =~ $AWS_ROLE_PATTERN ]]; then
+            echo "Invalid AWS_DEPLOYMENT_ROLE_ARN, does not match pattern $AWS_ROLE_PATTERN"
+            echo "Secret value length: ${#AWS_DEPLOYMENT_ROLE_ARN}"
+            exit 1
+          fi
+          echo "All secret values are valid"
 
   backend-workflow:
     name: "."
@@ -63,8 +84,8 @@ jobs:
       semver-app-id: ${{vars.SEMVER_APP_ID}}
       gitleaks-app-id: ${{ vars.GH_ORG_GITLEAKS_APP_ID }}
       aws-region: ${{ vars.AWS_REGION }}
-      ecr-repository-name: 'agate-test-backend'
+      ecr-repository-name: 'agate-test-backend' # CHANGEME
       deployment-app-id: ${{ vars.PC_CORE_BLW_AGATE_DEV_DEPLOY_APP_ID}}
-      application-name: 'agate-test-backend'
+      application-name: 'agate-test-backend' # CHANGEME
       infrastructure_repo: ${{ needs.resolve-env-vars.outputs.infrastructure_repo }}
       github-organization: 'blw-ofag-ufag'

.github/workflows/backend_build_push_image.yml

@@ -3,6 +3,11 @@ run-name: Build and Push to ECR - ${{ inputs.environment }} - ${{ inputs.version
 on:
   workflow_call:
     inputs:
+      enable:
+        description: "Enable or disable the build and push workflow. Defaults to true."
+        required: false
+        default: true
+        type: boolean
       environment:
         type: string
         required: true
@@ -30,8 +35,29 @@ on:
         value: ${{ jobs.build-push-image.outputs.image }}
 
 jobs:
+  # Validate secrets to match an expected regex pattern to facilitate debugging of misconfigured secrets.
+  validate-secret-values:
+    runs-on: ubuntu-latest
+    environment:  ${{ inputs.environment }}
+    steps:
+      - name: Validate secret values
+        env:
+          AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+          AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+        run: |
+          echo "Validating secret values for environment ${{ inputs.environment }}"
+          AWS_ROLE_PATTERN='^arn:aws:iam::[0-9]{12}:role\/[A-Za-z0-9+=,.@_-]+$'
+          echo "Roles should match pattern: $AWS_ROLE_PATTERN"
+          if [[ ! "$AWS_DEPLOYMENT_ROLE_ARN" =~ $AWS_ROLE_PATTERN ]]; then
+            echo "Invalid AWS_DEPLOYMENT_ROLE_ARN, does not match pattern $AWS_ROLE_PATTERN"
+            echo "Secret value length: ${#AWS_DEPLOYMENT_ROLE_ARN}"
+            exit 1
+          fi
+          echo "All secret values are valid"
+
   build-push-image:
     name: "Build and push docker image to ECR  ${{ inputs.environment }} - ${{ inputs.version }}"
+    if: ${{ inputs.enable }}
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
     timeout-minutes: 5
@@ -57,6 +83,7 @@ jobs:
           set -euo pipefail
           [[ "$VERSION" =~ ^[0-9]+(\.[0-9]+){2}([.-][0-9A-Za-z]+)*$ ]] || { echo "Invalid version"; exit 1; }
           echo "VERSION=$VERSION" >> "$GITHUB_ENV"
+          [[ "${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}" =~ ^arn:aws:iam::[0-9]{12}:role\/[A-Za-z0-9+=,.@_-]+$ ]] || { echo "Invalid AWS_DEPLOYMENT_ROLE_ARN, does not match pattern ^arn:aws:iam::\d+:role\/[\w-]+$"; exit 1; }
       - name: Checkout
         uses: actions/checkout@v6
         with:
@@ -85,18 +112,9 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v6
         with:
-          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+          role-to-assume: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
 
-      # activate once blueprint is ready
-      #      - name: Assume deployment role
-      #        uses: aws-actions/configure-aws-credentials@v4
-      #        with:
-      #          role-to-assume: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
-      #          aws-region: ${{ env.AWS_REGION }}
-      #          role-chaining: true
-      #          role-skip-session-tagging: true
-
       - name: Login to AWS ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v2

.github/workflows/backend_owasp_dependency_check.yml

@@ -2,6 +2,12 @@ name: OWASP Dependency Check ensure no vulnerable dependencies
 run-name: OWASP Dependency Check
 on:
   workflow_call:
+    inputs:
+      enable:
+        description: 'Enable OWASP dependency check'
+        required: false
+        default: true
+        type: boolean
     secrets:
       NIST_OWASP_API_KEY:
         description: "API Key for the national vulnerability database used by OWASP Dependency Check"
@@ -23,44 +29,53 @@ jobs:
           java-version: '25'
           distribution: 'corretto'
 
-      - name: Get Date for OWASP Cache
-        id: get-cache-date
-        run: |
-          echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
-        shell: bash
-
-      - name: check NIST key length
-        env:
-          NIST_OWASP_API_KEY: ${{ secrets.NIST_OWASP_API_KEY }}
-        run: |
-          echo "Key length: ${#NIST_OWASP_API_KEY}"
-
       - name: Restore Maven Cache
         uses: actions/cache/restore@v5
         with:
           path: ~/.m2/repository
-          # Using date in cache key as OWASP database may change, without the pom changing
-          key: ${{ runner.os }}-owasp-${{ steps.get-cache-date.outputs.date }}-${{ hashFiles('**/pom.xml') }}
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
-            ${{ runner.os }}-owasp-${{ steps.get-cache-date.outputs.date }}
-            ${{ runner.os }}-owasp-
+            ${{ runner.os }}-maven-
 
       - name: Maven install
         run: mvn -B install -DskipTests -T 1C
 
+      - name: Get Date for OWASP Cache
+        id: get-cache-date
+        run: |
+          echo "date=$(/bin/date -u "+%Y%m%d%H")" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: Restore Dependency-Check Cache
+        if: inputs.enable
+        uses: actions/cache/restore@v5
+        with:
+          path: ${{ github.workspace }}/.dependency-check
+          key: ${{ runner.os }}-dependency-check-${{ steps.get-cache-date.outputs.date }}
+          restore-keys: |
+            ${{ runner.os }}-dependency-check-
+
       - name: Run OWASP Dependency Check
+        if: inputs.enable
         run: |
           mvn org.owasp:dependency-check-maven:check \
+            -DdataDirectory="${{ github.workspace }}/.dependency-check" \
             -DossindexAnalyzerEnabled=false \
             -DnvdApiKey=${{ secrets.NIST_OWASP_API_KEY }} \
-            -DossindexAnalyzerEnabled=false \
             -DpnpmAuditAnalyzerEnabled=false \
             -DnodeAuditAnalyzerEnabled=false \
             -DyarnAuditAnalyzerEnabled=false
 
+      - name: Save Dependency-Check Cache
+        uses: actions/cache/save@v5
+        if: inputs.enable
+        with:
+          path: ${{ github.workspace }}/.dependency-check
+          key: ${{ runner.os }}-dependency-check-${{ steps.get-cache-date.outputs.date }}
+
       - name: Save Maven Cache
         uses: actions/cache/save@v5
-        if: always()
+        if: success()
         with:
           path: ~/.m2/repository
-          key: ${{ runner.os }}-owasp-${{ steps.get-cache-date.outputs.date }}-${{ hashFiles('**/pom.xml') }}
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

.github/workflows/backend_workflow.yml

@@ -49,6 +49,21 @@ on:
         required: false
         default: 'main'
         type: string
+      enable-owasp-check:
+        description: 'Enable OWASP dependency check'
+        required: false
+        default: true
+        type: boolean
+      enable-build-push:
+        description: 'Enable backend build and push'
+        required: false
+        default: true
+        type: boolean
+      enable-infrastructure-update:
+        description: 'Enable infrastructure update'
+        required: false
+        default: true
+        type: boolean
     secrets:
       SEMVER_PRIVATE_KEY:
         description: "GitHub App private key matching the semantic-release-app-id input, used for semantic-release authentication"
@@ -75,6 +90,45 @@ on:
         description: "GitHub App private key matching the deployment-app-id input, used for deployment authentication and creating PRs on the infrastructure repository"
         required: true
 jobs:
+  set-flags-from-commit:
+    name: Set flags from commit message
+    runs-on: ubuntu-latest
+    outputs:
+      enable-owasp-check: ${{ steps.set-flags.outputs.enable_owasp_check }}
+      enable-build-push: ${{ steps.set-flags.outputs.enable_build_push }}
+      enable-infrastructure-update: ${{ steps.set-flags.outputs.enable_infrastructure_update }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Get commit message
+        id: get-commit
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            echo "::set-output name=msg::$(git log -1 --pretty=%B ${{ github.event.pull_request.head.sha }})"
+          else
+            echo "::set-output name=msg::$(git log -1 --pretty=%B ${{ github.sha }})"
+          fi
+      - name: Set flags
+        id: set-flags
+        run: |
+          msg="${{ steps.get-commit.outputs.msg }}"
+          echo "Commit message: $msg"
+          if echo "$msg" | grep -iq '\[skip owasp\]'; then
+            echo "enable_owasp_check=false" >> $GITHUB_OUTPUT
+          else
+            echo "enable_owasp_check=${{ inputs.enable-owasp-check }}" >> $GITHUB_OUTPUT
+          fi
+          if echo "$msg" | grep -iq '\[skip build-push\]'; then
+            echo "enable_build_push=false" >> $GITHUB_OUTPUT
+          else
+            echo "enable_build_push=${{ inputs.enable-build-push }}" >> $GITHUB_OUTPUT
+          fi
+          if echo "$msg" | grep -iq '\[skip infra-update\]'; then
+            echo "enable_infrastructure_update=false" >> $GITHUB_OUTPUT
+          else
+            echo "enable_infrastructure_update=${{ inputs.enable-infrastructure-update }}" >> $GITHUB_OUTPUT
+          fi
   checkstyle:
     name: "."
     uses: ./.github/workflows/backend_checkstyle.yml
@@ -91,14 +145,16 @@ jobs:
   owasp-dependency-check:
     name: "."
     uses: ./.github/workflows/backend_owasp_dependency_check.yml
-    needs: [ checkstyle, gitleaks ]
+    needs: [ checkstyle, gitleaks, set-flags-from-commit ]
+    with:
+      enable: ${{ needs.set-flags-from-commit.outputs.enable-owasp-check == 'true' }}
     secrets:
       NIST_OWASP_API_KEY: ${{ secrets.NIST_OWASP_API_KEY }}
 
   unit-test-sonarqube:
     name: "."
     uses: ./.github/workflows/backend_unit_test_sonarqube.yml
-    needs: [ checkstyle, gitleaks ]
+    needs: [ checkstyle, gitleaks, owasp-dependency-check ]
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
@@ -120,10 +176,10 @@ jobs:
 
   build-and-push:
     name: '.'
-    if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') }}
     uses: ./.github/workflows/backend_build_push_image.yml
-    needs: [ semantic-release ]
+    needs: [ semantic-release, set-flags-from-commit ]
     with:
+      enable: ${{ needs.set-flags-from-commit.outputs.enable-build-push == 'true' }}
       aws-region: ${{ inputs.aws-region }}
       ecr-repository-name: ${{ inputs.ecr-repository-name }}
       environment: ${{ inputs.environment }}
@@ -134,10 +190,11 @@ jobs:
 
   update-infrastructure:
     name: Update Infrastructure
-    needs: [ semantic-release, build-and-push ]
+    needs: [ semantic-release, build-and-push, set-flags-from-commit ]
     if: needs.build-and-push.result == 'success'
     uses: ./.github/workflows/update_infrastructure.yml
     with:
+      enable: ${{ needs.set-flags-from-commit.outputs.enable-infrastructure-update == 'true' }}
       image_tag: ${{ needs.semantic-release.outputs.version }}
       application_name: ${{inputs.application-name}}
       infrastructure_repo: ${{inputs.infrastructure_repo}}

.github/workflows/update_infrastructure.yml

@@ -3,6 +3,11 @@ run-name: "Update Infrastructure for ${{ inputs.application_name }} to ${{ input
 on:
   workflow_call:
     inputs:
+      enable:
+        description: "Enable or disable the infrastructure update workflow. Defaults to true."
+        required: false
+        default: true
+        type: boolean
       image_tag:
         description: 'Docker image tag to deploy'
         required: true
@@ -41,6 +46,7 @@ on:
 jobs:
   update-infrastructure:
     name: Update Infrastructure Configuration
+    if: ${{ inputs.enable }}
     runs-on: ubuntu-latest
 
     steps:

.gitignore

@@ -1 +1,2 @@
 /.idea/
+/*.iml

docs/backend-workflow.md

@@ -35,9 +35,9 @@ The backend workflow (`backend_workflow.yml`) orchestrates the full CI/CD pipeli
 
 #### 🔐 Environment-specific Secrets
 
-| Secret | Description |
-|---|---|
-| `AWS_OIDC_ROLE_ARN` | ARN of the IAM Role for OIDC authentication (created in Terraform) |
+| Secret                    | Description                                                                                                                                                                             |
+|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `AWS_DEPLOYMENT_ROLE_ARN` | ARN of the IAM Role for OIDC authentication (created in Terraform in the backend blueprint after setting the repository for the application, search for "*-app-builder" in IAM > Roles) |
 
 #### 🤖 Required GitHub Apps