feat: move to new CI flow #2107

Workflow file for this run

.github/workflows/ci-pipeline.yml at 6435768

	name: buildAppImage
	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	# Allow to run this workflow manually
	workflow_dispatch:

	env:
	REGISTRY: ghcr.io

	jobs:
	code-quality:
	uses: ./.github/workflows/npm-checks.yml
	secrets:
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

	get-content-file:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- run: ./docker.sh --contentFromImage && mv content_from_image.json content.json
	continue-on-error: true
	- if: failure()
	run: npm ci && npm run dumpCmsToFile
	env:
	STRAPI_API: "${{ secrets.STRAPI_API }}"
	STRAPI_ACCESS_KEY: "${{ secrets.STRAPI_ACCESS_KEY }}"
	- name: Calculate content checksum
	id: checksum
	run: echo "content_checksum=$(./docker.sh --contentHashFromImage)" >> $GITHUB_OUTPUT
	- name: Upload content.json
	uses: actions/upload-artifact@v4
	with:
	name: content-file
	path: content.json
	outputs:
	content_checksum: ${{ steps.checksum.outputs.content_checksum }}

	verify-local-e2e:
	needs: [get-content-file]
	uses: ./.github/workflows/e2e-test.yml
	secrets:
	GERICHTSFINDER_ENCRYPTION_KEY: ${{ secrets.GERICHTSFINDER_ENCRYPTION_KEY }}

	build-push-app-image:
	if: github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	needs: [code-quality, verify-local-e2e]
	steps:
	- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- uses: actions/checkout@v4
	- uses: ./.github/actions/cached-checkout-install
	- run: ./docker.sh --build app
	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca
	with:
	image-ref: "${{ env.REGISTRY }}/${{ github.repository }}"
	format: "sarif"
	output: "trivy-results.sarif"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@81b419c908d540ec4c7da9bfb4b5d941fca8f624
	with:
	sarif_file: "trivy-results.sarif"
	- run: ./docker.sh --push app

	deploy-staging:
	needs: [build-push-app-image, get-content-file]
	if: github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	environment: staging
	steps:
	- name: Report Deployment
	uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88
	with:
	project: a2j-rechtsantragstelle
	environment: staging
	metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
	metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}

	- name: Deploy new staging image
	uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858
	with:
	environment: staging
	version: ${{ env.IMAGE_VERSION }}-${{ needs.get-content-file.outputs.content_checksum }}
	deploying_repo: a2j-rechtsantragstelle
	infra_repo: a2j-rechtsantragstelle-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: a2j-rast-staging
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	argocd_sync_timeout: 300

	deploy-preview:
	needs: [build-push-app-image, get-content-file]
	if: github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	environment: preview
	steps:
	- name: Report Deployment
	uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88
	with:
	project: a2j-rechtsantragstelle
	environment: preview
	metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
	metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}

	- name: Deploy new preview image
	uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858
	with:
	environment: preview
	version: ${{ env.IMAGE_VERSION }}-${{ needs.get-content-file.outputs.content_checksum }}
	deploying_repo: a2j-rechtsantragstelle
	infra_repo: a2j-rechtsantragstelle-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: a2j-rast-preview
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	argocd_sync_timeout: 300

	verify-preview-e2e:
	needs: [deploy-preview]
	uses: ./.github/workflows/e2e-test.yml
	secrets:
	BASE_URL: a2j-preview.dev.ds4g.net
	with:
	USE_EXISTING_SERVER: true

	deploy-production:
	needs: [verify-preview-e2e, get-content-file]
	if: github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	environment: production
	steps:
	- name: Report Deployment
	uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88
	with:
	project: a2j-rechtsantragstelle
	environment: production
	metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
	metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}

	- name: Deploy new production image
	uses: digitalservicebund/github-actions/argocd-deploy@a223a68bc5982e5175beb73c708d99d8f9ba7858
	with:
	environment: production
	version: ${{ env.IMAGE_VERSION }}-${{ needs.get-content-file.outputs.content_checksum }}
	deploying_repo: a2j-rechtsantragstelle
	infra_repo: a2j-rechtsantragstelle-infra
	deploy_key: ${{ secrets.DEPLOY_KEY }}
	app: a2j-rast-production
	argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
	argocd_server: ${{ secrets.ARGOCD_SERVER }}
	argocd_sync_timeout: 300

	test-production-text:
	needs: [deploy-production]
	permissions:
	packages: read
	runs-on: ubuntu-latest
	steps:
	- run: curl -s "https://service.justiz.de" \| grep -q "Justiz-Services"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: move to new CI flow #2107

Workflow file

feat: move to new CI flow #2107

Jobs

Run details

Workflow file for this run