Use correct log level #7361
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Scan & Publish image and helm chart on push, deployment on push, delete deployment on branch deletion, scheduled trivy scanner | |
| name: "Dev Pipeline" | |
| # All triggers have to be in one file, so that the trivy results can be compared to identify introduced vulnerabilities | |
| # See DBP-340 | |
| on: | |
| push: | |
| branches: | |
| - "**" | |
| schedule: | |
| - cron: '0 2 * * *' | |
| delete: | |
| concurrency: | |
| group: dbildungs-iam-server-${{ github.event.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| codeql_analyze: | |
| name: "CodeQL" | |
| if: ${{ github.event_name == 'push' }} | |
| uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-codeql.yaml@5 | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| nest_lint: | |
| name: "Linting" | |
| if: ${{ github.event_name == 'push' }} | |
| uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-nest-lint.yaml@5 | |
| with: | |
| node_version: '18' | |
| permissions: | |
| contents: read | |
| tests_and_sonarcloud: | |
| name: "Tests and Sonarcloud" | |
| if: ${{ github.event_name == 'push' }} | |
| uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-nest-test-sonarcloud.yaml@5 | |
| with: | |
| node_version: '18' | |
| deploy_stage: 'dev' | |
| timeout_minutes: 20 | |
| permissions: | |
| contents: read | |
| secrets: inherit | |
| build_image_on_push: | |
| name: "Publish image and scan with trivy" | |
| if: ${{ github.event_name == 'push' }} | |
| permissions: | |
| packages: write | |
| security-events: write | |
| contents: read | |
| uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@7 | |
| with: | |
| image_name: "dbildungs-iam-server" | |
| run_trivy_scan: true | |
| image_tag_generation: ${{ ( github.ref_name == 'main' || startsWith(github.ref_name,'dependabot/') ) && 'commit_hash' || 'ticket_from_branch' }} | |
| add_latest_tag: ${{ github.ref_name == 'main' }} | |
| container_registry: "ghcr.io" | |
| fail_on_vulnerabilites: false | |
| report_location: "Dockerfile" | |
| scan_helm: | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5 | |
| permissions: | |
| contents: read | |
| select_helm_version_generation_and_image_tag_generation: | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| runs-on: ubuntu-latest | |
| outputs: | |
| SELECT_HELM_VERION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERION_GENERATION }} | |
| SELECT_IMAGE_TAG_GENERATION: ${{ steps.select_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} | |
| steps: | |
| - id: select_generation | |
| shell: bash | |
| run: | | |
| if ${{ github.ref_name == 'main' }}; then | |
| echo "SELECT_HELM_VERION_GENERATION=timestamp" >> "$GITHUB_OUTPUT" | |
| echo "SELECT_IMAGE_TAG_GENERATION=commit_hash" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "SELECT_HELM_VERION_GENERATION=ticket_from_branch_timestamp" >> "$GITHUB_OUTPUT" | |
| echo "SELECT_IMAGE_TAG_GENERATION=ticket_from_branch" >> "$GITHUB_OUTPUT" | |
| fi | |
| release_helm: | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| needs: | |
| - select_helm_version_generation_and_image_tag_generation | |
| uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7 | |
| secrets: inherit | |
| with: | |
| chart_name: dbildungs-iam-server | |
| helm_chart_version_generation: ${{ needs. select_helm_version_generation_and_image_tag_generation.outputs.SELECT_HELM_VERION_GENERATION }} | |
| image_tag_generation: ${{ needs. select_helm_version_generation_and_image_tag_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} | |
| wait_for_helm_chart_to_get_published: | |
| needs: | |
| - release_helm | |
| runs-on: ubuntu-latest | |
| steps: | |
| - shell: bash | |
| run: sleep 1m | |
| branch_meta: | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| uses: dBildungsplattform/spsh-app-deploy/.github/workflows/get-branch-meta.yml@3 | |
| create_branch_identifier: | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| needs: | |
| - branch_meta | |
| uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3 | |
| with: | |
| branch: ${{ needs.branch_meta.outputs.branch }} | |
| deploy: | |
| if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} | |
| needs: | |
| - branch_meta | |
| - create_branch_identifier | |
| - wait_for_helm_chart_to_get_published | |
| - build_image_on_push | |
| uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@5 | |
| with: | |
| dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }} | |
| schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }} | |
| dbildungs_iam_keycloak_branch: ${{ needs.branch_meta.outputs.ticket }} | |
| dbildungs_iam_ldap_branch: ${{ needs.branch_meta.outputs.ticket }} | |
| namespace: ${{ needs.create_branch_identifier.outputs.namespace_from_branch }} | |
| secrets: inherit | |
| # On Delete | |
| create_branch_identifier_for_deletion: | |
| if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} | |
| uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3 | |
| with: | |
| branch: ${{ github.event.ref }} | |
| delete_namespace: | |
| if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch'}} | |
| needs: | |
| - create_branch_identifier_for_deletion | |
| uses: dBildungsplattform/spsh-app-deploy/.github/workflows/delete-namespace.yml@5 | |
| with: | |
| namespace: ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} | |
| secrets: | |
| SPSH_DEV_KUBECONFIG: ${{ secrets.SPSH_DEV_KUBECONFIG }} | |
| delete_successful: | |
| if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} | |
| needs: | |
| - delete_namespace | |
| - create_branch_identifier_for_deletion | |
| runs-on: ubuntu-latest | |
| steps: | |
| - run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done" | |
| # Scheduled | |
| scheduled_trivy_scan: | |
| name: "Scheduled trivy scan of latest image" | |
| if: ${{ github.event_name == 'schedule' }} | |
| permissions: | |
| packages: read | |
| security-events: write | |
| uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-trivy.yaml@7 | |
| with: | |
| image_ref: 'ghcr.io/${{ github.repository_owner }}/dbildungs-iam-server:latest' | |
| fail_on_vulnerabilites: false | |
| report_location: "Dockerfile" |