chore: remove unused donefunctions #14462
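# Build, scan, sign and deploy pipeline for the app image.
# Runs on pushes and pull requests to main and on manual dispatch; the
# publish and deploy jobs are additionally gated on the main branch.
#
# NOTE(review): the GitHub-owned actions below are referenced by mutable tag
# (actions/checkout@v6, actions/download-artifact@v7,
# actions/upload-artifact@v6, github/codeql-action/upload-sarif@v4), while
# every third-party action is pinned to a commit SHA. Consider pinning these
# the same way so the secret-bearing jobs do not depend on a movable ref.
name: buildAppImage

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # Allow to run this workflow manually
  workflow_dispatch:

# Default GITHUB_TOKEN scope for every job. A job that declares its own
# `permissions` block replaces this one instead of extending it.
permissions:
  contents: read

env:
  REGISTRY: ghcr.io

jobs:
  # Reusable workflow; receives only the two secrets it is handed explicitly.
  code-quality:
    uses: ./.github/workflows/code-quality.yml
    secrets:
      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
      GERICHTSFINDER_ENCRYPTION_KEY: ${{ secrets.GERICHTSFINDER_ENCRYPTION_KEY }}

  # Static analysis; skipped for Dependabot-triggered runs.
  sonarcloud-scan:
    if: ${{ github.actor != 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    needs: [code-quality]
    steps:
      - uses: actions/checkout@v6
        with:
          # Full history instead of the default shallow clone.
          fetch-depth: 0
      # NOTE(review): `name` here is the step's display name, not an artifact
      # filter. No `with.name` is set, so this step is not restricted to a
      # single artifact. Confirm that is intended.
      - uses: actions/download-artifact@v7
        name: coverage
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  # Produces content.json: taken from the latest image when that works,
  # otherwise built locally with the Strapi credentials.
  get-content-file:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - id: fetchLatestImageContent
        run: ./docker.sh --contentFromImage && mv content_from_image.json content.json
        # A failure here is tolerated; the next step is the fallback.
        continue-on-error: true
      - if: steps.fetchLatestImageContent.outcome == 'failure'
        run: pnpm i && pnpm run build:localContent
        env:
          STRAPI_API: "${{ vars.STRAPI_API }}"
          STRAPI_ACCESS_KEY: "${{ secrets.STRAPI_ACCESS_KEY }}"
      # NOTE(review): the checksum is always taken from the image, even when
      # content.json came from the local-build fallback above. Verify the two
      # cannot diverge.
      - name: Calculate content checksum
        id: checksum
        run: echo "content_checksum=$(./docker.sh --contentHashFromImage)" >> "$GITHUB_OUTPUT"
      - name: Upload content.json
        uses: actions/upload-artifact@v6
        with:
          name: content-file
          path: content.json
    outputs:
      content_checksum: ${{ steps.checksum.outputs.content_checksum }}

  # integration-tests:
  #   runs-on: ubuntu-latest
  #   env:
  #     STRAPI_API: "${{ vars.STRAPI_API }}"
  #     STRAPI_ACCESS_KEY: "${{ secrets.STRAPI_ACCESS_KEY }}"
  #   steps:
  #     - uses: actions/checkout@v6
  #     - uses: ./.github/actions/cached-checkout-install
  #     - run: pnpm run test:integration

  verify-local-e2e:
    needs: [get-content-file]
    uses: ./.github/workflows/e2e-test.yml
    with:
      require-published-app: false
      e2e-target: local
    secrets:
      GERICHTSFINDER_ENCRYPTION_KEY: ${{ secrets.GERICHTSFINDER_ENCRYPTION_KEY }}

  # Builds the app image on every trigger. Only runs on main save the image
  # as an artifact for the push job.
  build-app-image:
    runs-on: ubuntu-latest
    steps:
      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v6
      - uses: ./.github/actions/cached-checkout-install
      # NOTE(review): the Sentry token is exposed to the build script's
      # environment. Confirm docker.sh hands it to the build as a secret mount
      # and not as a build arg or ENV that ends up in an image layer.
      - run: ./docker.sh --build app
        env:
          SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}"
      - name: Save Docker image to file
        if: github.ref == 'refs/heads/main'
        run: docker save ${{ env.REGISTRY }}/${{ github.repository }}-app:latest | gzip > image.tar.gz
      - name: Upload docker image to artifact
        if: github.ref == 'refs/heads/main'
        uses: actions/upload-artifact@v6
        with:
          name: docker-build
          path: image.tar.gz
          retention-days: 1

  # Pushes the app image, then builds, scans, pushes and signs the prod
  # image. Main branch only, after code quality and the local e2e run.
  push-app-image:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    needs: [code-quality, verify-local-e2e, build-app-image]
    permissions:
      # This block replaces the workflow-level default, so the read scope
      # that actions/checkout relies on is restated here explicitly.
      contents: read
      id-token: write # for cosign w/ keyless signing
      packages: write # for updating cosign attestation
      security-events: write # for uploading the Trivy SARIF report
    steps:
      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v6
      - uses: ./.github/actions/cached-checkout-install
      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          cosign-release: "v2.6.1" # use latest 2.x release until Kyverno supports 3.x
      - uses: actions/download-artifact@v7
        with:
          name: docker-build
      - name: Load Docker image
        run: docker load --input image.tar.gz
      - name: Push the app image
        run: ./docker.sh --push app
      - run: ./docker.sh --build prod
      - run: echo "PROD_IMAGE_TAG=$(./docker.sh --prodImageTag)" >> "$GITHUB_ENV"
      # NOTE(review): neither Trivy step sets `exit-code`, so findings are
      # recorded (cosign-vuln record, SARIF upload) but, with the action's
      # default, do not fail the job. The prod image is pushed and signed
      # regardless of CRITICAL/HIGH results. Confirm report-only is intended.
      - name: Generate cosign vulnerability scan record for PROD image
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
        with:
          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }}
          format: "cosign-vuln"
          output: "vulnerabilities.json"
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
        with:
          image-ref: ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.PROD_IMAGE_TAG }}
          format: "sarif"
          output: "trivy-results.sarif"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: "trivy-results.sarif"
      - run: ./docker.sh --push prod
      # NOTE(review): signing is delegated to docker.sh. Verify it signs the
      # pushed image by digest rather than by tag.
      - run: ./docker.sh --sign
      - id: prod_image_tag
        run: echo "prod_image_tag=$(./docker.sh --prodImageTag)" >> "$GITHUB_OUTPUT"
      - name: Create SBOM
        uses: digitalservicebund/create-sbom@9535ef832c2895b44b7266f84e16ad7598d1ead9
        with:
          image_name: ${{ github.repository }}-app
    outputs:
      prod_image_tag: ${{ steps.prod_image_tag.outputs.prod_image_tag }}

  deploy-preview:
    if: github.ref == 'refs/heads/main'
    needs: [push-app-image]
    runs-on: ubuntu-latest
    environment: preview
    steps:
      - name: Deploy new preview image
        uses: digitalservicebund/argocd-deploy@4e758f584953506c571951ffcba33d6a6246e856 # v1.0.0
        with:
          environment: preview
          version: ${{ needs.push-app-image.outputs.prod_image_tag }}
          deploying_repo: a2j-rechtsantragstelle
          infra_repo: a2j-rechtsantragstelle-infra
          github_app_id: ${{ secrets.GITOPS_A2J_APP_ID }}
          github_app_private_key: ${{ secrets.GITOPS_A2J_APP_PRIVATE_KEY }}
          app: a2j-rast-preview
          argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
          argocd_server: ${{ secrets.ARGOCD_SERVER }}
          argocd_sync_timeout: 600
      - name: Report Deployment
        uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
        with:
          project: a2j-rechtsantragstelle
          environment: preview
          metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
          metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}

  verify-preview-e2e:
    needs: [deploy-preview]
    uses: ./.github/workflows/e2e-test.yml
    with:
      require-published-app: false
      use-existing-server: true
      e2e-target: preview

  # Waits for the preview deployment only; unlike production it does not
  # depend on verify-preview-e2e.
  deploy-staging:
    if: github.ref == 'refs/heads/main'
    needs: [push-app-image, deploy-preview]
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - name: Deploy new staging image
        uses: digitalservicebund/argocd-deploy@4e758f584953506c571951ffcba33d6a6246e856 # v1.0.0
        with:
          environment: staging
          version: ${{ needs.push-app-image.outputs.prod_image_tag }}
          deploying_repo: a2j-rechtsantragstelle
          infra_repo: a2j-rechtsantragstelle-infra
          github_app_id: ${{ secrets.GITOPS_A2J_APP_ID }}
          github_app_private_key: ${{ secrets.GITOPS_A2J_APP_PRIVATE_KEY }}
          app: a2j-rast-staging
          argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
          argocd_server: ${{ secrets.ARGOCD_SERVER }}
          argocd_sync_timeout: 600
      - name: Report Deployment
        uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
        with:
          project: a2j-rechtsantragstelle
          environment: staging
          metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
          metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}

  # Production is released only after the preview e2e run has passed.
  deploy-production:
    needs: [verify-preview-e2e, push-app-image]
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production
    steps:
      - name: Deploy new production image
        uses: digitalservicebund/argocd-deploy@4e758f584953506c571951ffcba33d6a6246e856 # v1.0.0
        with:
          environment: production
          version: ${{ needs.push-app-image.outputs.prod_image_tag }}
          deploying_repo: a2j-rechtsantragstelle
          infra_repo: a2j-rechtsantragstelle-infra
          github_app_id: ${{ secrets.GITOPS_A2J_APP_ID }}
          github_app_private_key: ${{ secrets.GITOPS_A2J_APP_PRIVATE_KEY }}
          app: a2j-rast-production
          argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
          argocd_server: ${{ secrets.ARGOCD_SERVER }}
          argocd_sync_timeout: 600
      - name: Report Deployment
        uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
        with:
          project: a2j-rechtsantragstelle
          environment: production
          metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
          metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}

  # Smoke test: the public page must contain the expected marker text.
  test-production-text:
    needs: [deploy-production]
    runs-on: ubuntu-latest
    steps:
      - run: curl -s -v "https://service.justiz.de" | grep -q "Justiz-Services"

  # Slack alert when any listed job fails on main.
  # NOTE(review): sonarcloud-scan is not in `needs`, so a failed scan does not
  # raise this alert. Presumably intentional; confirm.
  alert-pipeline-failure:
    name: Send failure message to Slack
    needs:
      [
        code-quality,
        get-content-file,
        verify-local-e2e,
        build-app-image,
        push-app-image,
        deploy-staging,
        deploy-preview,
        verify-preview-e2e,
        deploy-production,
        test-production-text,
      ]
    if: always() && failure() && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: digitalservicebund/notify-on-failure-gha@66c485757701f8d5dbee32f24df38d904ca693ba
        with:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}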