diff --git a/.github/workflows/frontend-push-image-to-registry.yml b/.github/workflows/frontend-push-image-to-registry.yml
new file mode 100644
index 0000000..aea3195
--- /dev/null
+++ b/.github/workflows/frontend-push-image-to-registry.yml
@@ -0,0 +1,61 @@
+on:
+ workflow_call:
+ inputs:
+ container-registry:
+ required: true
+ type: string
+ container-image-name:
+ required: true
+ type: string
+ container-image-version:
+ required: true
+ type: string
+ run-id:
+ required: true
+ type: string
+
+jobs:
+ frontend-push-image-to-registry:
+ runs-on: ubuntu-latest
+ outputs:
+ version: ${{ steps.set-version.outputs.version }}
+ steps:
+ - uses: actions/cache@v4
+ with:
+ path: /tmp/images
+ key: docker-frontend-images-cache-${{ inputs.run-id }}
+ restore-keys: docker-frontend-images-cache-${{ inputs.run-id }}
+ - name: load image
+ shell: bash
+ run: docker load -i /tmp/images/frontend-image.tar
+ - name: Log into container registry
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
+ with:
+ registry: ${{ inputs.container-registry }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Publish backend container image
+ run: docker push ${{ inputs.container-registry }}/${{ inputs.container-image-name }}-frontend:${{ inputs.container-image-version }}
+ - name: Install cosign
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59
+ - name: Sign the published Docker image
+ run: cosign sign --yes ${{ inputs.container-registry }}/${{ inputs.container-image-name }}-frontend:${{ inputs.container-image-version }}
+ - name: Download cosign vulnerability scan record
+ uses: actions/download-artifact@v4
+ with:
+ name: "vuln-frontend.json"
+ - name: Attest vulnerability scan
+ run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln ${{ inputs.container-registry }}/${{ inputs.container-image-name }}-frontend:${{ inputs.container-image-version }}
+ - id: set-version
+ run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
+ - name: Send status to Slack
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
+ if: ${{ failure() && github.ref == 'refs/heads/main' }}
+ with:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 30833fa..a38a9eb 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -22,10 +22,6 @@ jobs:
 # jobs dispatched to separate workflow files
 # ##############################################
- frontend-checks:
- uses: ./.github/workflows/frontend-checks.yml
- secrets: inherit
-
 security-jobs:
 uses: ./.github/workflows/security-jobs.yml
 secrets: inherit # so the backend workflow can access "secrets.SLACK_WEBHOOK_URL" and others
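Review bot: The `set-version` step echoes `$CONTAINER_IMAGE_VERSION`, but nothing in this file defines that variable and a caller's `env` is not propagated into a `workflow_call` workflow, so the job's `version` output (which the caller feeds to `frontend-deploy-staging`) will come out empty; give the step an `env:` block mapping `CONTAINER_IMAGE_VERSION` to `${{ inputs.container-image-version }}`, as in the excerpt below. The `cosign sign` and `cosign attest` steps also operate on the mutable tag, so what gets signed is whatever the tag resolves to at signing time rather than the image `docker push` just uploaded; capturing the pushed digest and signing/attesting the `@sha256:` reference closes that window (the excerpt reads it via `docker inspect`, so confirm index 0 of `RepoDigests` is the ghcr entry, or parse the `digest:` line of `docker push` instead). The push step is still labelled `Publish backend container image` in a frontend workflow. The cache key `docker-frontend-images-cache-${{ inputs.run-id }}` presumably has to match what `frontend-build-image-and-scan` writes; the job previously keyed on `env.RUN_ID` and the caller now passes `github.run_id`, so check those are the same value, otherwise `docker load` fails on a missing tarball rather than surfacing a cache miss.
```yaml
      - name: Publish frontend container image
        id: push
        env:
          IMAGE: ${{ inputs.container-registry }}/${{ inputs.container-image-name }}-frontend:${{ inputs.container-image-version }}
        run: |
          docker push "$IMAGE"
          echo "digest=$(docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE")" >> "$GITHUB_OUTPUT"
      # … unchanged: Install cosign …
      - name: Sign the published Docker image
        env:
          IMAGE_DIGEST: ${{ steps.push.outputs.digest }}
        run: cosign sign --yes "$IMAGE_DIGEST"
      # … unchanged: Download cosign vulnerability scan record …
      - name: Attest vulnerability scan
        env:
          IMAGE_DIGEST: ${{ steps.push.outputs.digest }}
        run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln "$IMAGE_DIGEST"
      - id: set-version
        env:
          CONTAINER_IMAGE_VERSION: ${{ inputs.container-image-version }}
        run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
      # … unchanged: Send status to Slack …
```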
@@ -33,6 +29,10 @@ jobs:
 contents: read
 security-events: write # trivy scan needs this
+ frontend-checks:
+ uses: ./.github/workflows/frontend-checks.yml
+ secrets: inherit
+
 frontend-build-image-and-scan:
 if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
 uses: ./.github/workflows/frontend-build-image-and-scan.yml
@@ -46,74 +46,38 @@ jobs:
 container-image-name: ${{ github.repository }}
 container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}
- push-frontend-image-to-registry:
- runs-on: ubuntu-latest
+ frontend-push-image-to-registry:
 if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
- needs:
- - frontend-checks
- - frontend-build-image-and-scan
- - security-jobs
+ uses: ./.github/workflows/frontend-push-image-to-registry.yml
+ secrets: inherit
 permissions:
 contents: read
 id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
 packages: write
- outputs:
- version: ${{ steps.set-version.outputs.version }}
- steps:
- - uses: actions/cache@v4
- with:
- path: /tmp/images
- key: docker-frontend-images-cache-${{ env.RUN_ID }}
- restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
- - name: load image
- shell: bash
- run: docker load -i /tmp/images/frontend-image.tar
- - name: Log into container registry
- # Third-party action, pin to commit SHA!
- # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
- with:
- registry: ${{ env.CONTAINER_REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: Publish backend container image
- run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- - name: Install cosign
- # Third-party action, pin to commit SHA!
- # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59
- - name: Sign the published Docker image
- run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- - name: Download cosign vulnerability scan record
- uses: actions/download-artifact@v4
- with:
- name: "vuln-frontend.json"
- - name: Attest vulnerability scan
- run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- - id: set-version
- run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
- - name: Send status to Slack
- # Third-party action, pin to commit SHA!
- # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
- if: ${{ failure() && github.ref == 'refs/heads/main' }}
- with:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-
+ needs:
+ - security-jobs
+ - frontend-checks
+ - frontend-build-image-and-scan
+ with:
+ run-id: ${{ github.run_id }}
+ container-registry: ghcr.io
+ container-image-name: ${{ github.repository }}
+ container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}
+
 # ######################
 # # Deploy new versions to staging
 # ######################
 frontend-deploy-staging:
 if: ${{ github.ref == 'refs/heads/main' }}
+ uses: ./.github/workflows/frontend-deploy-staging.yml
 needs:
+ - security-jobs
 - frontend-checks
 - frontend-build-image-and-scan
- - security-jobs
- - push-frontend-image-to-registry
+ - frontend-push-image-to-registry
 permissions:
 id-token: write
- uses: ./.github/workflows/frontend-deploy-staging.yml
 secrets: inherit
 with:
- version: ${{
needs.push-frontend-image-to-registry.outputs.version }}
+ version: ${{ needs.frontend-push-image-to-registry.outputs.version }}