Bump globals from 17.0.0 to 17.2.0 #4214

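# CI/CD pipeline: scan, check/test, build + sign the container image, then deploy
# to staging and (from main only) to production.
name: Pipeline

on:
  push:
    branches:
      - main
      - "staging/**"
  schedule:
    # Every Monday at midnight UTC: a weekly rebuild so the published image never
    # carries a base image older than one week.
    - cron: "0 0 * * 1"
  pull_request:
    branches: [main]
  # Allow this workflow to be run manually.
  workflow_dispatch:

# Least-privilege default for every job; jobs that need more request it explicitly.
permissions:
  contents: read

env:
  PACKAGE_NAME: digitalcheck-dito
  IMAGE_NAME: digitalservicebund/digitalcheck-dito
  # NOTE(review): ENVIRONMENT is not read anywhere in this file (the deploy jobs pass
  # environment_name explicitly, and workflow-level env is not forwarded to reusable
  # workflows). Confirm it is still needed before relying on it.
  ENVIRONMENT: ${{ github.ref == 'refs/heads/main' && 'production' || 'staging' }}

jobs:
  vulnerability-scan:
    permissions:
      contents: read
      packages: read
      # presumably needed by scan.yml to upload results to code scanning — verify there
      security-events: write
    uses: ./.github/workflows/scan.yml
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  check-and-test:
    # Inherits the workflow-level `contents: read` permissions.
    uses: ./.github/workflows/check-and-test.yml
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  run-e2e-a11y-tests:
    # Inherits the workflow-level `contents: read` permissions.
    uses: ./.github/workflows/run-e2e-a11y-tests.yml
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  create-unified-test-report:
    needs: [run-e2e-a11y-tests]
    # Merge reports only if E2E/A11y test shards have failed.
    if: failure() && needs.run-e2e-a11y-tests.result == 'failure'
    uses: ./.github/workflows/create-unified-test-report.yml
    permissions:
      contents: read
      pages: write     # publish the merged report
      id-token: write  # OIDC token for the Pages deployment
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  build-and-push-image:
    needs: [vulnerability-scan, check-and-test, run-e2e-a11y-tests]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # keyless cosign signing: identity challenge with sigstore/fulcio
      packages: write  # push to ghcr.io
    steps:
      - name: Checkout code
        # GitHub-maintained action pinned to a major tag; pin to a commit SHA if the
        # repository policy requires that for every action.
        uses: actions/checkout@v6
        with:
          # No step in this job pushes with git, so do not leave the GITHUB_TOKEN in
          # .git/config, where a `COPY . .` in the Dockerfile could bake it into the
          # published image if .dockerignore does not exclude .git.
          persist-credentials: false

      - name: Login to GitHub Container Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Build and push
        # `id` exposes steps.build.outputs.digest so the scan, signature and attestation
        # below all refer to exactly the image that was pushed here.
        id: build
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          push: true
          # NOTE(review): this job has no `if`, so it also runs on pull_request and every
          # PR build re-points the untagged (:latest) reference. Confirm nothing deploys
          # from :latest, or gate that tag on github.event_name != 'pull_request'.
          tags: |
            ghcr.io/${{ env.IMAGE_NAME }}
            ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: COMMIT_SHA=${{ github.sha }}
          sbom: true

      - name: Generate cosign vulnerability scan record
        # Third-party action, pin to commit SHA
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
        with:
          # Scan by digest: the floating untagged reference can be moved by a concurrent
          # run, which would make the attestation below describe a different image.
          image-ref: ghcr.io/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
          format: "cosign-vuln"
          output: "${{ env.PACKAGE_NAME }}-vulnerabilities.json"

      - name: Upload cosign vulnerability scan record
        # GitHub-maintained action pinned to a major tag (see checkout note above).
        uses: actions/upload-artifact@v6
        with:
          name: "${{ env.PACKAGE_NAME }}-vulnerabilities.json"
          path: "${{ env.PACKAGE_NAME }}-vulnerabilities.json"
          if-no-files-found: error

      - name: Install cosign
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          cosign-release: "v2.6.0"

      - name: Sign the published Docker image
        # Sign by digest, not tag: a tag is mutable and could be re-pointed between the
        # push and this step; the digest names exactly what was built in this run.
        run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}

      - name: Attest the vulnerability scan
        # Attach the trivy record (generated from the same digest) as a `vuln` predicate.
        run: cosign attest --yes --replace --predicate ${{ env.PACKAGE_NAME }}-vulnerabilities.json --type vuln ghcr.io/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}

      - name: Send failure to Slack
        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
        if: failure()
        with:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  deploy-to-staging-stackit:
    needs: [build-and-push-image]
    # Only branch pushes (and schedule/dispatch runs on main) deploy; pull_request runs
    # have github.ref == refs/pull/<n>/merge and never match.
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/staging/')
    permissions:
      packages: read
    uses: ./.github/workflows/deploy.yml
    # Shared with the production job so deploys are serialized.
    concurrency: deploy
    with:
      environment_name: staging
      environment_url: https://digitalcheck.dev.tech.digitalservice.dev
    # Secrets are passed explicitly rather than via `secrets: inherit` (least privilege).
    secrets:
      GITOPS_DIGITALCHECK_APP_ID: ${{ secrets.GITOPS_DIGITALCHECK_APP_ID }}
      GITOPS_DIGITALCHECK_APP_PRIVATE_KEY: ${{ secrets.GITOPS_DIGITALCHECK_APP_PRIVATE_KEY }}
      ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
      ARGOCD_SERVER_STACKIT: ${{ secrets.ARGOCD_SERVER_STACKIT }}
      METRICS_DEPLOYMENT_WEBHOOK_URL: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
      METRICS_WEBHOOK_TOKEN: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  deploy-to-production-stackit:
    needs: [deploy-to-staging-stackit]
    # Production is reached only from main, and only after staging succeeded.
    if: github.ref == 'refs/heads/main'
    permissions:
      packages: read
    uses: ./.github/workflows/deploy.yml
    # Shared with the staging job so deploys are serialized.
    concurrency: deploy
    with:
      environment_name: production
      environment_url: https://digitalcheck.bund.de
    # Secrets are passed explicitly rather than via `secrets: inherit` (least privilege).
    secrets:
      GITOPS_DIGITALCHECK_APP_ID: ${{ secrets.GITOPS_DIGITALCHECK_APP_ID }}
      GITOPS_DIGITALCHECK_APP_PRIVATE_KEY: ${{ secrets.GITOPS_DIGITALCHECK_APP_PRIVATE_KEY }}
      ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
      ARGOCD_SERVER_STACKIT: ${{ secrets.ARGOCD_SERVER_STACKIT }}
      METRICS_DEPLOYMENT_WEBHOOK_URL: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
      METRICS_WEBHOOK_TOKEN: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}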