Legger inn reusable workflow for bygg på master, direkte etter eksempel (#2970)

Author: mbolstad

.github/workflows/build-master.yaml

@@ -1,110 +1,68 @@
-name: Build Master
-
+name: Build
 on:
   push:
     branches:
       - master
     paths-ignore:
       - '**.md'
+      - '**.MD'
       - '.gitignore'
       - 'LICENSE'
       - 'CODEOWNERS'
-      - 'nais/alerts/**'
-      - '.github/workflows/deploy-alerts.yml'
-
-env:
-  BASE_IMAGE: ghcr.io/${{ github.repository }}
 
 jobs:
-  Build:
-
-    runs-on: ubuntu-latest
+  codeql:
+    uses: navikt/sif-gha-workflows/.github/workflows/gradle-codeql.yml@main
     permissions:
-      packages: write
-      contents: write # for gradle dep submission
-      issues: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-java@v4
-        with:
-          java-version: 21
-          distribution: temurin
-          cache: gradle
-
-      - name: Setup Gradle to generate and submit dependency graphs
-        uses: gradle/gradle-build-action@v3
-        with:
-          dependency-graph: generate-and-submit
-
-      - name: Run a build, generating the dependency graph snapshot which will be submitted
-        run: ./gradlew build
-        env:
-          GITHUB_TOKEN: ${{ secrets.READER_TOKEN }}
-
-      - name: Kjør tester & bygg JAR
-        run: ./gradlew test shadowjar
-        env:
-          GITHUB_TOKEN: ${{ secrets.READER_TOKEN }}
-
-      - uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.REPOSITORY_OWNER }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      actions: read
+      contents: read
+      pull-requests: read
+      security-events: write
+    secrets: inherit
+    with:
+      readertoken: false
+      package-command: './gradlew clean build -x test'
+      branch: master
 
-      - name: Sett tag for docker image
-        run: echo "TAG=$(date "+%Y.%m.%d")-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-
-      - name: Bygg & last opp Docker image
-        run: |
-          docker build --pull --tag ${BASE_IMAGE}:${TAG} --tag ${BASE_IMAGE}:latest .
-          docker push ${BASE_IMAGE} --all-tags
-
-      - name: Sett image for nais deploy
-        run: echo "IMAGE=${BASE_IMAGE}:${TAG}" >> $GITHUB_ENV
-
-      - name: Lukk gamle issues
-        uses: actions/github-script@v7
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              labels: ['deployment']
-            }).then(response => {
-              response.data.forEach(issue => {
-                github.rest.issues.update({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  issue_number: issue.number,
-                  state: 'closed'
-                });
-              });
-            });
+  test:
+    uses: navikt/sif-gha-workflows/.github/workflows/gradle-test.yml@main
+    permissions:
+      contents: read
+    secrets: inherit
+    with:
+      readertoken: false
 
-      -  name: Opprett deployment issue
-         id: createdeployissue
-         if: success()
-         uses: actions/github-script@v7
-         with:
-           github-token: ${{secrets.GITHUB_TOKEN}}
-           script: |
-               github.rest.issues.create( {
-                 owner: context.issue.owner,
-                 repo: context.issue.repo,
-                 labels: ['deployment'],
-                 body: '${{ github.sha }}',
-                 title: 'Deploy av ${{ env.TAG }}'})
-               .then(response => {
-                       core.setOutput('number', response.data.number);
-                });
+  build:
+    uses: navikt/sif-gha-workflows/.github/workflows/gradle-build.yml@main
+    permissions:
+      contents: write
+      id-token: write
+    secrets: inherit
+    with:
+      team: k9saksbehandling
+      dockercontext: .
+      readertoken: false
 
-      - name: Deploy til preprod
-        uses: nais/deploy/actions/deploy@v2
-        env:
-          APIKEY: ${{ secrets.DEPLOY_KEY }}
-          CLUSTER: dev-fss
-          RESOURCE: nais/dev-fss.yml
+  trivy:
+    needs: [ build ]
+    uses: navikt/sif-gha-workflows/.github/workflows/trivy.yml@main
+    permissions:
+      contents: write
+      security-events: write
+      id-token: write
+      actions: read
+    secrets: inherit
+    with:
+      image: ${{ needs.build.outputs.image }}
+      team: k9saksbehandling
 
+  deploy:
+    needs: [ test, build ]
+    uses: navikt/sif-gha-workflows/.github/workflows/gradle-deploy.yml@main
+    permissions:
+      contents: read
+    secrets: inherit
+    with:
+      image: ${{ needs.build.outputs.image }}
+      environment: fss
+      deploy-prod: ${{ startsWith(github.ref, 'refs/heads/master') }}