correct var name #1099
# Scan & Publish image and helm chart on push, deployment on push, delete deployment on branch deletion, scheduled trivy scanner | |
name: "Dev Pipeline" | |
# All triggers have to be in one file, so that the trivy results can be compared to identify introduced vulnerabilities | |
# See DBP-340 | |
on: | |
push: | |
branches: | |
- "*" | |
schedule: | |
- cron: '0 2 * * *' | |
delete: | |
concurrency: | |
group: dbildungs-iam-keycloak-${{ github.event.ref }} | |
cancel-in-progress: true | |
jobs: | |
check-merge-clearance: | |
name: "PR labels" | |
runs-on: ubuntu-latest | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
outputs: | |
merge_clearance: ${{ steps.determine_merge_clearance.merge_clearance }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Get PR number | |
id: get_pr_number | |
run: | | |
PR_NUMBER=$(gh pr list --state open --head ${{ github.ref_name }} --json number --jq '.[0].number') | |
if [ -z "$PR_NUMBER" ]; then | |
echo "No existing PR found for ${{ github.ref_name }} " | |
else | |
echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV | |
fi | |
- name: Get PR labels | |
id: get_pr_labels | |
if: ${{ env.PR_NUMBER != '' }} | |
run: | | |
PR_LABELS=$(gh pr view ${{ env.PR_NUMBER }} --json labels --jq '.labels | map(.name) | join(",")') | |
echo "PR_LABELS=$PR_LABELS" >> $GITHUB_ENV | |
- name: Determine merge clearance | |
id: determine_merge_clearance | |
run: | | |
if [ -z "env.PR_NUMBER" ]; then | |
echo "merge_clearance=true" >> "$GITHUB_OUTPUT" | |
else | |
if [[ "${{ contains(env.PR_LABELS, 'prevent_merge') }}" == "true" ]]; then | |
echo "merge_clearance=false" >> "$GITHUB_OUTPUT" | |
else | |
echo "merge_clearance=true" >> "$GITHUB_OUTPUT" | |
fi | |
fi | |
codeql_analyze: | |
name: "CodeQL" | |
if: ${{ github.event_name == 'push' }} | |
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-codeql.yaml@5 | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
build_image_on_push: | |
name: "Publish image and scan with trivy" | |
if: ${{ github.event_name == 'push' }} | |
permissions: | |
packages: write | |
security-events: write | |
contents: read | |
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@7 | |
with: | |
image_name: "dbildungs-iam-keycloak" | |
run_trivy_scan: true | |
image_tag_generation: ${{ github.ref_name == 'main' && 'commit_hash' || 'ticket_from_branch' }} | |
add_latest_tag: ${{ github.ref_name == 'main' }} | |
container_registry: "ghcr.io" | |
fail_on_vulnerabilites: false | |
report_location: "Dockerfile" | |
target: "deployment" | |
scan_helm: | |
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5 | |
permissions: | |
contents: read | |
select_helm_version_generation_and_image_tag_generation: | |
needs: | |
- check-merge-clearance | |
if: ${{ github.event_name == 'push' && needs.check-merge-clearance.outputs.merge_clearance == 'true' }} | |
runs-on: ubuntu-latest | |
outputs: | |
SELECT_HELM_VERION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERION_GENERATION }} | |
SELECT_IMAGE_TAG_GENERATION: ${{ steps.select_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} | |
steps: | |
- id: select_generation | |
shell: bash | |
run: | | |
if ${{ github.ref_name == 'main' }}; then | |
echo "SELECT_HELM_VERION_GENERATION=timestamp" >> "$GITHUB_OUTPUT" | |
echo "SELECT_IMAGE_TAG_GENERATION=commit_hash" >> "$GITHUB_OUTPUT" | |
else | |
echo "SELECT_HELM_VERION_GENERATION=ticket_from_branch_timestamp" >> "$GITHUB_OUTPUT" | |
echo "SELECT_IMAGE_TAG_GENERATION=ticket_from_branch" >> "$GITHUB_OUTPUT" | |
fi | |
release_helm: | |
needs: | |
- select_helm_version_generation_and_image_tag_generation | |
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7 | |
secrets: inherit | |
with: | |
chart_name: dbildungs-iam-keycloak | |
image_tag_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} | |
helm_chart_version_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_HELM_VERION_GENERATION }} | |
wait_for_helm_chart_to_get_published: | |
needs: | |
- release_helm | |
runs-on: ubuntu-latest | |
steps: | |
- shell: bash | |
run: sleep 1m | |
branch_meta: | |
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/get-branch-meta.yml@3 | |
create_branch_identifier: | |
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
needs: | |
- branch_meta | |
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3 | |
with: | |
branch: ${{ needs.branch_meta.outputs.branch }} | |
deploy: | |
if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
needs: | |
- branch_meta | |
- create_branch_identifier | |
- wait_for_helm_chart_to_get_published | |
- build_image_on_push | |
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@5 | |
with: | |
dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }} | |
schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }} | |
dbildungs_iam_keycloak_branch: ${{ needs.branch_meta.outputs.ticket }} | |
dbildungs_iam_ldap_branch: ${{ needs.branch_meta.outputs.ticket }} | |
namespace: ${{ needs.create_branch_identifier.outputs.namespace_from_branch }} | |
secrets: inherit | |
# On Delete | |
create_branch_identifier_for_deletion: | |
if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} | |
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3 | |
with: | |
branch: ${{ github.event.ref }} | |
delete_namespace: | |
if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch'}} | |
needs: | |
- create_branch_identifier_for_deletion | |
uses: dBildungsplattform/spsh-app-deploy/.github/workflows/delete-namespace.yml@5 | |
with: | |
namespace: ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} | |
secrets: | |
SPSH_DEV_KUBECONFIG: ${{ secrets.SPSH_DEV_KUBECONFIG }} | |
delete_successful: | |
if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} | |
needs: | |
- delete_namespace | |
- create_branch_identifier_for_deletion | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done" | |
# Scheduled | |
scheduled_trivy_scan: | |
name: "Scheduled trivy scan of latest image" | |
if: ${{ github.event_name == 'schedule' }} | |
permissions: | |
packages: read | |
security-events: write | |
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-trivy.yaml@7 | |
with: | |
image_ref: 'ghcr.io/${{ github.repository_owner }}/dbildungs-iam-keycloak:latest' | |
fail_on_vulnerabilites: false | |
report_location: "Dockerfile" |
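Review bot: `${{ github.ref_name }}` is expanded directly into the shell script of the `Get PR number` step (the `gh pr list --head` line and the `echo` below it), so a branch name containing shell metacharacters is interpreted as script instead of being passed as data; the `delete_successful` step does the same with the namespace output derived from the branch. Pass the value through the step's environment (`env:` / `BRANCH: ${{ github.ref_name }}`) and reference `"$BRANCH"` in the script so it stays a quoted argument. Separately, the job output on the `merge_clearance:` line reads `steps.determine_merge_clearance.merge_clearance` without `.outputs`, so it evaluates to an empty string and the `needs.check-merge-clearance.outputs.merge_clearance == 'true'` gate on `select_helm_version_generation_and_image_tag_generation` can never pass; `${{ steps.determine_merge_clearance.outputs.merge_clearance }}` is the intended reference. Likewise `if [ -z "env.PR_NUMBER" ]` tests a non-empty literal, so the no-PR branch that emits `merge_clearance=true` is unreachable — `if [ -z "$PR_NUMBER" ]` (the variable the earlier step appends to `$GITHUB_ENV`) appears to be what was meant. The rendered page does not mark which lines this commit changed, so one of these may already be the correction the commit makes.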