Skip to content
CI Pipeline

Bump chainguard-dev/actions from 1.5.12 to 1.5.14 #6884

Sign in to view logs

Bump chainguard-dev/actions from 1.5.12 to 1.5.14

Bump chainguard-dev/actions from 1.5.12 to 1.5.14 #6884

Workflow file for this run

.github/workflows/pipeline.yml at a5b7102
name: "CI Pipeline"
on:
push:
branches: [main]
paths-ignore:
- "**/*.md"
schedule:
# once per night, cron uses UTC
# Note: scheduled run runs e2e tests across all browsers, cf. ./e2e-tests.yml for details
- cron: "0 6 * * *"
pull_request:
types: [opened, synchronize, reopened]
# Allow to run this workflow manually
workflow_dispatch:
jobs:
########################################
# Security
########################################
security-jobs:
uses: ./.github/workflows/security-jobs.yml
secrets:
CONFIRM_SECRET_SCANNING_PUSH_PROTECTION: ${{ secrets.CONFIRM_SECRET_SCANNING_PUSH_PROTECTION }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
permissions:
contents: read
security-events: write # trivy scan needs this
##############
# Backend jobs
##############
backend-checks:
if: ${{ github.event_name != 'schedule' }}
uses: ./.github/workflows/backend-checks.yml
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
GRADLE_ENCRYPTION_KEY: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
backend-build-image-and-scan:
if: ${{ github.event_name != 'schedule' }}
uses: ./.github/workflows/backend-build-image-and-scan.yml
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
GRADLE_ENCRYPTION_KEY: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
permissions:
contents: read
security-events: write
with:
run-id: ${{ github.run_id }}
image-ref: ghcr.io/${{ github.repository }}-backend:${{ github.event.pull_request.head.sha || github.sha }}
container-registry: ghcr.io
backend-push-image-to-registry:
if: ${{ github.event_name != 'schedule' && ( github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env')) }}
# For PR releases, labels could be used like this:
# if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
needs:
- security-jobs
- backend-checks
- backend-build-image-and-scan
uses: ./.github/workflows/backend-push-image-to-registry.yml
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
with:
run-id: ${{ github.run_id }}
container-registry: ghcr.io
image-ref: ghcr.io/${{ github.repository }}-backend:${{ github.event.pull_request.head.sha || github.sha }}
###############
# Frontend jobs
###############
frontend-checks:
if: ${{ github.event_name != 'schedule' }}
uses: ./.github/workflows/frontend-checks.yml
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
frontend-build-image-and-scan:
if: ${{ github.event_name != 'schedule' }}
uses: ./.github/workflows/frontend-build-image-and-scan.yml
secrets:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
permissions:
contents: read
security-events: write
with:
run-id: ${{ github.run_id }}
image-ref: ghcr.io/${{ github.repository }}-frontend:${{ github.event.pull_request.head.sha || github.sha }}
frontend-push-image-to-registry:
if: ${{ github.event_name != 'schedule' && ( github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env')) }}
# For PR releases, labels could be used like this:
# if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
needs:
- security-jobs
- frontend-checks
- frontend-build-image-and-scan
uses: ./.github/workflows/frontend-push-image-to-registry.yml
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
with:
run-id: ${{ github.run_id }}
container-registry: ghcr.io
image-ref: ghcr.io/${{ github.repository }}-frontend:${{ github.event.pull_request.head.sha || github.sha }}
#######################################
# Push backend and frontend reports to ris-reports
#######################################
push-backend-and-frontend-reports-to-ris-reports:
if: ${{ github.event_name != 'schedule' && !cancelled() && github.ref == 'refs/heads/main' }}
needs:
- backend-checks
- frontend-checks
uses: ./.github/workflows/push-backend-and-frontend-reports-to-ris-reports.yml
secrets:
RIS_REPORTS_DEPLOY_PRIVATE_KEY: ${{ secrets.RIS_REPORTS_DEPLOY_PRIVATE_KEY }}
#######################################
# e2e tests (frontend & backend)
#######################################
e2e-tests: # we may need to split off the report handling in order to avoid pushing two reports at once
uses: ./.github/workflows/e2e-tests.yml
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
GRADLE_ENCRYPTION_KEY: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
e2e-compile-html-report-and-push-to-ris-reports:
if: ${{ github.event_name != 'schedule' && !cancelled() && github.ref == 'refs/heads/main' }}
needs:
- e2e-tests
- push-backend-and-frontend-reports-to-ris-reports
uses: ./.github/workflows/e2e-compile-html-report-and-push-to-ris-reports.yml
secrets:
RIS_REPORTS_DEPLOY_PRIVATE_KEY: ${{ secrets.RIS_REPORTS_DEPLOY_PRIVATE_KEY }}
#######################################
# Automerge if dependabot branch and all tests passing
#######################################
dependabot-auto-merge:
runs-on: ubuntu-latest
# the ${{ success() }} is required for the "if" not to override the "needs" below
# (we did run into this problem and saw auto-merges even as "frontend-checks" failed)
if: ${{ github.event_name != 'schedule' && success() && github.actor == 'dependabot[bot]' && !cancelled() && github.ref != 'refs/heads/main' }}
permissions: write-all
needs:
- frontend-checks
- backend-checks
- e2e-tests
steps:
- name: Dependabot metadata
continue-on-error: true
id: metadata
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Auto-merge Dependabot PRs except major version updates
continue-on-error: true
if: steps.metadata.outputs.update-type != 'version-update:semver-major'
run: gh pr merge --squash "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
#################
# Deployment jobs
#################
deploy-staging:
if: ${{ github.event_name != 'schedule' && github.ref == 'refs/heads/main' }}
needs:
- security-jobs
- e2e-tests
- frontend-checks
- frontend-build-image-and-scan
- frontend-push-image-to-registry
- backend-checks
- backend-build-image-and-scan
- backend-push-image-to-registry
uses: ./.github/workflows/deploy-staging.yml
permissions:
id-token: write
secrets:
GITOPS_NEURIS_APP_ID: ${{ secrets.GITOPS_NEURIS_APP_ID }}
GITOPS_NEURIS_APP_PRIVATE_KEY: ${{ secrets.GITOPS_NEURIS_APP_PRIVATE_KEY }}
ARGOCD_PIPELINE_PASSWORD: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
ARGOCD_SERVER: ${{ secrets.ARGOCD_SERVER }}
METRICS_DEPLOYMENT_WEBHOOK_URL: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
METRICS_WEBHOOK_TOKEN: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
with:
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}