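---
# Top-level CI pipeline. Almost every job delegates to a reusable workflow
# under ./.github/workflows/; this file only wires triggers, ordering (`needs`),
# branch conditions, GITHUB_TOKEN permissions and the inputs each callee needs.
name: "CI Pipeline"

on:
  push:
    branches: [main]
    paths-ignore:
      - "**/*.md"
  # Note: pull_request has no paths-ignore, so documentation-only PRs still
  # run the full pipeline while documentation-only pushes to main do not.
  pull_request:
  # Allow this workflow to be started manually from the Actions tab
  workflow_dispatch:

jobs:
  ########################################
  # Jobs operating on the whole repository
  ########################################
  security-jobs:
    uses: ./.github/workflows/security-jobs.yml
    # `inherit` forwards every repository secret to the called workflow (it
    # needs e.g. "secrets.SLACK_WEBHOOK_URL"). Passing only the secrets the
    # callee actually reads would narrow what a compromised step can reach.
    secrets: inherit
    permissions:
      contents: read
      security-events: write # trivy scan needs this

  ##############
  # Backend jobs
  ##############
  backend-setup-gradle:
    runs-on: ubuntu-latest
    # Least privilege: checkout and Gradle setup only read the repository, so
    # the job's GITHUB_TOKEN is restricted to that regardless of the
    # repository-wide default token permissions.
    permissions:
      contents: read
    steps:
      # NOTE(review): both actions are pinned to a mutable major tag. Pinning
      # to a full commit SHA (keeping the tag as a trailing comment) protects
      # against a retagged or compromised upstream release.
      - uses: actions/checkout@v4
      - name: Setup and validate Gradle
        uses: gradle/actions/setup-gradle@v4

  backend-checks:
    needs:
      - backend-setup-gradle
    uses: ./.github/workflows/backend-checks.yml
    secrets: inherit

  backend-build-image-and-scan:
    uses: ./.github/workflows/backend-build-image-and-scan.yml
    secrets: inherit
    permissions:
      contents: read
      security-events: write
    with:
      run-id: ${{ github.run_id }}
      # On pull_request events github.sha is the merge commit; the PR head SHA
      # is preferred so the image tag matches the commit under review.
      image-ref: ghcr.io/${{ github.repository }}-backend:${{ github.event.pull_request.head.sha || github.sha }}
      container-registry: ghcr.io

  backend-push-image-to-registry:
    # Images are only published from main; PR builds are scanned but never pushed.
    if: ${{ github.ref == 'refs/heads/main' }}
    # For PR releases, labels could be used like this:
    # if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
    needs:
      - security-jobs
      - backend-checks
      - backend-build-image-and-scan
    uses: ./.github/workflows/backend-push-image-to-registry.yml
    secrets: inherit
    permissions:
      contents: read
      id-token: write # used to complete the identity challenge with sigstore/fulcio (keyless signing)
      packages: write # push to ghcr.io
    with:
      run-id: ${{ github.run_id }}
      container-registry: ghcr.io
      image-ref: ghcr.io/${{ github.repository }}-backend:${{ github.event.pull_request.head.sha || github.sha }}

  backend-push-reports-to-ris-reports:
    # `!cancelled()` means reports are pushed even when backend-checks failed;
    # only a cancelled run skips this job.
    if: ${{ !cancelled() && github.ref == 'refs/heads/main' }}
    needs:
      - backend-checks
      # Runs after the frontend reports job so the two report pushes are
      # serialized instead of racing each other (presumably both write to the
      # same reports repository — confirm against the called workflows).
      - frontend-push-reports-to-ris-reports
    uses: ./.github/workflows/backend-push-reports-to-ris-reports.yml
    secrets: inherit

  ###############
  # Frontend jobs
  ###############
  frontend-checks:
    uses: ./.github/workflows/frontend-checks.yml
    secrets: inherit

  frontend-build-image-and-scan:
    uses: ./.github/workflows/frontend-build-image-and-scan.yml
    secrets: inherit
    permissions:
      contents: read
      security-events: write
    with:
      run-id: ${{ github.run_id }}
      image-ref: ghcr.io/${{ github.repository }}-frontend:${{ github.event.pull_request.head.sha || github.sha }}

  frontend-push-image-to-registry:
    if: ${{ github.ref == 'refs/heads/main' }}
    # For PR releases, labels could be used like this:
    # if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
    needs:
      - security-jobs
      - frontend-checks
      - frontend-build-image-and-scan
    uses: ./.github/workflows/frontend-push-image-to-registry.yml
    secrets: inherit
    permissions:
      contents: read
      id-token: write # used to complete the identity challenge with sigstore/fulcio (keyless signing)
      packages: write # push to ghcr.io
    with:
      run-id: ${{ github.run_id }}
      container-registry: ghcr.io
      image-ref: ghcr.io/${{ github.repository }}-frontend:${{ github.event.pull_request.head.sha || github.sha }}

  frontend-push-reports-to-ris-reports:
    # `!cancelled()` means reports are pushed even when frontend-checks failed;
    # only a cancelled run skips this job.
    if: ${{ !cancelled() && github.ref == 'refs/heads/main' }}
    needs:
      - frontend-checks
    uses: ./.github/workflows/frontend-push-reports-to-ris-reports.yml
    secrets: inherit

  #################
  # Deployment jobs
  #################
  deploy-staging:
    if: ${{ github.ref == 'refs/heads/main' }}
    # Gated on every check, scan and registry push of both components plus the
    # repository-wide security jobs, so a failed scan blocks the deploy.
    needs:
      - security-jobs
      - frontend-checks
      - frontend-build-image-and-scan
      - frontend-push-image-to-registry
      - backend-checks
      - backend-build-image-and-scan
      - backend-push-image-to-registry
    uses: ./.github/workflows/deploy-staging.yml
    secrets: inherit
    # Only `id-token: write` is granted, so every other GITHUB_TOKEN scope is
    # `none` inside deploy-staging.yml — TODO confirm the called workflow does
    # not rely on a token-backed checkout (which would need contents: read).
    permissions:
      id-token: write
    with:
      # Same SHA that tagged the images above, so staging deploys exactly what
      # was scanned and pushed in this run.
      container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}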