Skip to content

Lisätään maksatushakuun käyttöikeustarkastus ja audit-lokitus #13250

Lisätään maksatushakuun käyttöikeustarkastus ja audit-lokitus

Lisätään maksatushakuun käyttöikeustarkastus ja audit-lokitus #13250

Workflow file for this run

# SPDX-FileCopyrightText: 2017-2023 City of Espoo
#
# SPDX-License-Identifier: LGPL-2.1-or-later
name: Build
on:
pull_request:
push:
branches:
- master
workflow_dispatch:
inputs:
push:
required: false
default: 'true'
playwright_tag:
required: true
default: 'master'
env:
AWS_REGION: eu-west-1
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
id-token: write
contents: read
packages: write
actions: read
jobs:
cache-bust:
runs-on: ubuntu-latest
steps:
- name: "Cache bust"
id: cache-bust
run: echo "cache-bust=$(date '+%Y-%V')" >> "$GITHUB_OUTPUT"
outputs:
cache-bust: ${{ steps.cache-bust.outputs.cache-bust }}
lint-shell:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: espoon-voltti/voltti-actions/shellcheck@v1
check-licenses:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Reuse Compliance Check
uses: fsfe/reuse-action@v5
keycloak:
runs-on: ubuntu-latest
needs:
- cache-bust
steps:
- uses: actions/checkout@v4
- name: Setup Docker building
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
id: setup
uses: espoon-voltti/voltti-actions/docker-setup@master
with:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_REGION: ${{ env.AWS_REGION }}
AWS_ROLE: ${{ secrets.AWS_ROLE }}
- name: Build keycloak image
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
id: build
uses: espoon-voltti/voltti-actions/docker-build-registry@master
with:
registry: ${{ steps.setup.outputs.ecr_registry }}
name: evaka/keycloak
path: ./keycloak
push: ${{ inputs.push || 'true' }}
build-args: |
CACHE_BUST=${{ needs.cache-bust.outputs.cache-bust }}
build=${{ github.run_number }}
commit=${{ github.event.pull_request.head.sha || github.sha }}
- name: Docker cleanup
if: always()
uses: espoon-voltti/voltti-actions/docker-cleanup@master
outputs:
image: ${{ steps.build.outputs.image }}
frontend-common:
runs-on: ubuntu-latest
needs:
- cache-bust
steps:
- uses: actions/checkout@v4
- name: Setup Docker building
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
id: setup
uses: espoon-voltti/voltti-actions/docker-setup@master
with:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS: false
- name: Build frontend image
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: espoon-voltti/voltti-actions/docker-build-registry@master
id: build
with:
registry: ghcr.io/espoon-voltti
name: evaka/frontend-common
path: ./frontend
push: ${{ inputs.push || 'true' }}
build-args: |
CACHE_BUST=${{ needs.cache-bust.outputs.cache-bust }}
SENTRY_PUBLISH_ENABLED=false
build=${{ github.run_number }}
commit=${{ github.event.pull_request.head.sha || github.sha }}
ICONS=free
build-contexts:
customizations=frontend/src/lib-customizations/espoo
- name: Build frontend image builder
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: espoon-voltti/voltti-actions/docker-build-registry@master
id: builder
with:
registry: ghcr.io/espoon-voltti
name: evaka/frontend-common-builder
cache_from: ${{ steps.build.outputs.image_cache }}
path: ./frontend
target: builder
push: ${{ inputs.push || 'true' }}
build-args: |
CACHE_BUST=${{ needs.cache-bust.outputs.cache-bust }}
SENTRY_PUBLISH_ENABLED=false
build=${{ github.run_number }}
commit=${{ github.event.pull_request.head.sha || github.sha }}
ICONS=free
build-contexts:
customizations=frontend/src/lib-customizations/espoo
- name: Docker cleanup
if: always()
uses: espoon-voltti/voltti-actions/docker-cleanup@master
outputs:
image: ${{ steps.build.outputs.image }}
image_name: ${{ steps.build.outputs.image_name }}
builder_image: ${{ steps.builder.outputs.image }}
builder_image_name: ${{ steps.builder.outputs.image_name }}
frontend:
runs-on: ubuntu-latest
needs:
- cache-bust
steps:
- uses: actions/checkout@v4
- name: Cache fortawesome
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
id: fortawesome
uses: actions/cache@v4
with:
path: frontend/node_modules
key: fortawesome-${{ hashFiles('frontend/setup-pro-icons.sh') }}
- uses: actions/setup-node@v4
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork && steps.fortawesome.outputs.cache-hit != 'true' }}
with:
node-version: 18
- name: Install fortawesome
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork && steps.fortawesome.outputs.cache-hit != 'true' }}
run: |
cat << EOF > frontend/.npmrc
@fortawesome:registry=https://npm.fontawesome.com/
//npm.fontawesome.com/:_authToken="${{ secrets.FONTAWESOME_TOKEN }}"
EOF
./frontend/setup-pro-icons.sh
rm frontend/.npmrc
- name: Setup Docker building
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
id: setup
uses: espoon-voltti/voltti-actions/docker-setup@master
with:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_REGION: ${{ env.AWS_REGION }}
AWS_ROLE: ${{ secrets.AWS_ROLE }}
- name: Build frontend image
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: espoon-voltti/voltti-actions/docker-build-registry@master
id: build
with:
registry: ${{ steps.setup.outputs.ecr_registry }}
name: evaka/frontend
path: ./frontend
push: ${{ inputs.push || 'true' }}
build-args: |
CACHE_BUST=${{ needs.cache-bust.outputs.cache-bust }}
SENTRY_PUBLISH_ENABLED=${{ github.ref_name == 'master' && 'true' || 'false' }}
build=${{ github.run_number }}
commit=${{ github.event.pull_request.head.sha || github.sha }}
ICONS=pro
SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
build-contexts:
customizations=frontend/src/lib-customizations/espoo
- name: Docker cleanup
if: always()
uses: espoon-voltti/voltti-actions/docker-cleanup@master
outputs:
image: ${{ steps.build.outputs.image }}
image_name: ${{ steps.build.outputs.image_name }}
frontend-test:
needs:
- frontend-common
- frontend
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Login to GitHub Container Registry
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Lint
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
run: docker run --rm "${{ needs.frontend-common.outputs.builder_image }}" yarn lint
- name: Type check
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
run: docker run --rm "${{ needs.frontend-common.outputs.builder_image }}" yarn type-check
- name: Test
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
run: docker run --rm "${{ needs.frontend-common.outputs.builder_image }}" yarn test --maxWorkers=2
- name: Build and test fork
id: fork
if: ${{ github.actor == 'dependabot[bot]' || github.event.pull_request.head.repo.fork }}
run: |
cd ./frontend
./build-docker.sh test
- name: Docker cleanup
if: always()
uses: espoon-voltti/voltti-actions/docker-cleanup@master
api-gateway:
runs-on: ubuntu-latest
needs:
- cache-bust
steps:
- uses: actions/checkout@v4
- name: Setup Docker building
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
id: setup
uses: espoon-voltti/voltti-actions/docker-setup@master
with:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_REGION: ${{ env.AWS_REGION }}
AWS_ROLE: ${{ secrets.AWS_ROLE }}
- name: Build and run API-gateway tests
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: espoon-voltti/voltti-actions/docker-build-registry@master
id: test
with:
registry: ${{ steps.setup.outputs.ecr_registry }}
name: evaka/api-gateway-test
path: ./apigw
push: false
load: true
target: test
build-args: |
CACHE_BUST=${{ needs.cache-bust.outputs.cache-bust }}
build=${{ github.run_number }}
commit=${{ github.event.pull_request.head.sha || github.sha }}
- name: Build API-gateway image
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: espoon-voltti/voltti-actions/docker-build-registry@master
id: build
with:
registry: ${{ steps.setup.outputs.ecr_registry }}
name: evaka/api-gateway
path: ./apigw
push: ${{ inputs.push || 'true' }}
build-args: |
CACHE_BUST=${{ needs.cache-bust.outputs.cache-bust }}
build=${{ github.run_number }}
commit=${{ github.event.pull_request.head.sha || github.sha }}
- name: Build docker tests and image on fork
if: ${{ github.actor == 'dependabot[bot]' || github.event.pull_request.head.repo.fork }}
run: |
cd ./apigw
./build-docker.sh test
./build-docker.sh
outputs:
image: ${{ steps.build.outputs.image }}
service:
runs-on: ubuntu-latest
needs:
- cache-bust
steps:
- uses: actions/checkout@v4
- name: Setup Docker building
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
id: setup
uses: espoon-voltti/voltti-actions/docker-setup@master
with:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_REGION: ${{ env.AWS_REGION }}
AWS_ROLE: ${{ secrets.AWS_ROLE }}
- name: Build Evaka Service image
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: espoon-voltti/voltti-actions/docker-build-registry@master
id: build
with:
registry: ${{ steps.setup.outputs.ecr_registry }}
name: evaka/service
path: .
dockerfile: service/Dockerfile
push: ${{ inputs.push || 'true' }}
build-args: |
CACHE_BUST=${{ needs.cache-bust.outputs.cache-bust }}
build=${{ github.run_number }}
commit=${{ github.event.pull_request.head.sha || github.sha }}
- name: Build Evaka Service builder image
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: espoon-voltti/voltti-actions/docker-build-registry@master
id: builder
with:
registry: ${{ steps.setup.outputs.ecr_registry }}
name: evaka/service-builder
target: builder
cache_from: ${{ steps.build.outputs.image_cache }}
path: .
dockerfile: service/Dockerfile
push: ${{ inputs.push || 'true' }}
build-args: |
CACHE_BUST=${{ needs.cache-bust.outputs.cache-bust }}
build=${{ github.run_number }}
commit=${{ github.event.pull_request.head.sha || github.sha }}
- name: Docker cleanup
if: always()
uses: espoon-voltti/voltti-actions/docker-cleanup@master
outputs:
image: ${{ steps.build.outputs.image }}
image_name: ${{ steps.build.outputs.image_name }}
builder_image: ${{ steps.builder.outputs.image }}
builder_image_name: ${{ steps.builder.outputs.image_name }}
service-test:
needs:
- cache-bust
- service
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Docker building
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
id: setup
uses: espoon-voltti/voltti-actions/docker-setup@master
with:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_REGION: ${{ env.AWS_REGION }}
AWS_ROLE: ${{ secrets.AWS_ROLE }}
- name: Build and run Evaka Service tests
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: espoon-voltti/voltti-actions/docker-build-registry@master
id: build
with:
registry: ${{ steps.setup.outputs.ecr_registry }}
name: evaka/service-test
path: .
dockerfile: service/test.Dockerfile
push: false
load: true
build-args: |
CACHE_BUST=${{ needs.cache-bust.outputs.cache-bust }}
build=${{ github.run_number }}
commit=${{ github.event.pull_request.head.sha || github.sha }}
BASE_IMAGE=${{ needs.service.outputs.builder_image }}
- name: Run service tests for fork
if: ${{ github.actor == 'dependabot[bot]' || github.event.pull_request.head.repo.fork }}
shell: bash
run: |
cd ./service
./build-docker.sh test
- name: Docker cleanup
if: always()
uses: espoon-voltti/voltti-actions/docker-cleanup@master
owasp:
needs:
- service
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Configure AWS credentials
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ROLE }}
role-duration-seconds: 1200
- name: Login to Amazon ECR
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
id: ecr
uses: aws-actions/amazon-ecr-login@v2
with:
mask-password: 'true'
- name: Cache dependency check database
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: actions/cache@v4
with:
path: dependency-check-data
key: dependency-check-data-${{ github.run_id }}-${{ github.run_attempt }}
restore-keys: |
dependency-check-data-
- name: Run service OWASP tests
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
shell: bash
run: |
docker run --rm \
-e NVD_API_KEY=${{ secrets.NVD_API_KEY }} \
-v $(pwd)/dependency-check-data:/root/.gradle/dependency-check-data \
${{ needs.service.outputs.builder_image }} \
sh -c "./gradlew --no-daemon dependencyCheckUpdate && ./gradlew --no-daemon dependencyCheckAnalyze"
service-integration-test:
needs:
- keycloak
- service
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
test_chunk_number: [1, 2, 3, 4]
test_chunk_count: [4] # must max value of above list
steps:
- uses: actions/checkout@v4
- name: Login to GitHub Container Registry
if: ${{ !github.event.pull_request.head.repo.fork }}
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run service integration tests
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
shell: bash
env:
TAG: "${{ github.event.pull_request.head.sha || github.sha }}"
BUILD: "false"
run: |
cd ./compose
mkdir -p test-results/
./compose-integration pull
./compose-integration run integration-test $(../bin/split-integration-tests.sh "${{ matrix.test_chunk_number }}" "${{ matrix.test_chunk_count }}")
./compose-integration logs db > test-results/db.log
- name: Run service integration tests for fork
if: ${{ github.actor == 'dependabot[bot]' || github.event.pull_request.head.repo.fork }}
shell: bash
run: |
cd ./compose
./compose-integration run integration-test $(../bin/split-integration-tests.sh "${{ matrix.test_chunk_number }}" "${{ matrix.test_chunk_count }}")
- name: Store test results
uses: actions/upload-artifact@v4
if: always()
with:
name: integration-test-results-${{ matrix.test_chunk_number }}
path: ./compose/test-results/
retention-days: 2
e2e-split:
runs-on: ubuntu-latest
env:
GH_TOKEN: ${{ github.token }}
CHUNK_COUNT: 6 # must match the number of chunks in the e2e job
steps:
- uses: actions/checkout@v4
- name: Split e2e tests
run: |
./bin/timings.sh $CHUNK_COUNT e2e-test-chunk--{}.txt
- name: Upload test chunks
uses: actions/upload-artifact@v4
with:
name: e2e-test-chunks
path: e2e-test-chunk--*.txt
e2e:
needs:
- service
- api-gateway
- keycloak
- frontend-common
- frontend
- e2e-split
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
# If you change the number of chunks, remember to update CHUNK_COUNT in e2e-split job
test_chunk_number: [1, 2, 3, 4, 5, 6]
env:
PLAYWRIGHT_TAG: "${{ inputs.playwright_tag || 'master' }}"
steps:
- uses: actions/checkout@v4
- name: Login to Docker Hub
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Download test chunks
uses: actions/download-artifact@v4
with:
name: e2e-test-chunks
- name: Run e2e tests
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
env:
TAG: "${{ github.event.pull_request.head.sha || github.sha }}"
BUILD: "false"
FRONTEND_IMAGE: "ghcr.io/espoon-voltti/evaka/frontend"
run: |
set -eo pipefail
cp e2e-test-chunk--${{ matrix.test_chunk_number }}.txt frontend/playwright-filenames.txt
echo "Tests to run:"
cat frontend/playwright-filenames.txt
cd ./compose
./test-e2e pull
./test-e2e run playwright | tee e2e.log
- name: Run e2e tests for fork
if: ${{ github.actor == 'dependabot[bot]' || github.event.pull_request.head.repo.fork }}
run: |
set -eo pipefail
cp e2e-test-chunk--${{ matrix.test_chunk_number }}.txt frontend/playwright-filenames.txt
echo "Tests to run:"
cat frontend/playwright-filenames.txt
cd ./compose
./test-e2e run playwright | tee e2e.log
- name: Get logs
if: always()
run: |
cd compose
./test-e2e logs > e2e-all.log
- name: Store screenshots and logs
if: always()
uses: actions/upload-artifact@v4
with:
name: e2e-test-results-${{ matrix.test_chunk_number }}
path: |
frontend/screenshots/
frontend/traces/
compose/e2e.log
compose/e2e-all.log
retention-days: 2
frontend-s3:
if: ${{ github.ref == 'refs/heads/master' && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork && inputs.push != 'false' }}
needs:
- frontend
- frontend-test
runs-on: ubuntu-latest
steps:
- name: Configure AWS credentials
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ROLE }}
role-duration-seconds: 1200
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
with:
mask-password: 'true'
- name: Extract frontend files
run: |
rm -rf ./frontend-build/
docker create -ti --name frontend_instance "${{ needs.frontend.outputs.image }}" sh
docker cp frontend_instance:/static ./frontend-build
docker rm -f frontend_instance
- name: Configure AWS credentials
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ROLE }}
role-duration-seconds: 1200
- name: Clean build from non-versioned files
run: |
cd ./frontend-build/
for filename in index.html service-worker.js service-worker.js.map; do
find . -name "$filename" -not -path "./maintenance-page/*" -type f -delete
done
aws s3 sync --exact-timestamps . s3://evaka-static/
tag:
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
runs-on: ubuntu-latest
needs:
- service-test
- service-integration-test
- e2e
- frontend-test
- lint-shell
- check-licenses
steps:
- name: Configure AWS credentials
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ROLE }}
role-duration-seconds: 1200
- name: Login to GitHub Container Registry
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker metadata # Used to get the tag from DOCKER_METADATA_OUTPUT_VERSION
id: metadata
env:
DOCKER_METADATA_PR_HEAD_SHA: "true"
uses: docker/metadata-action@v5
with:
images: |
evaka/dummy
tags: |
type=ref,event=pr,prefix=pr-
type=ref,event=branch,prefix=
- name: Retag with branch
run: |
if test -z "$DOCKER_METADATA_OUTPUT_VERSION"; then
echo "Empty tag"
exit 1
fi
for repository in evaka/keycloak evaka/frontend evaka/frontend-common evaka/frontend-common-builder evaka/service evaka/service-builder evaka/api-gateway; do
ghcr_image_base="ghcr.io/espoon-voltti/${repository}"
ghcr_image="${ghcr_image_base}:${{ github.event.pull_request.head.sha || github.sha }}"
ghcr_target="${ghcr_image_base}:${DOCKER_METADATA_OUTPUT_VERSION}"
echo "Tagging GHCR with '${ghcr_target}'"
docker pull "$ghcr_image"
docker tag "$ghcr_image" "${ghcr_image_base}:${DOCKER_METADATA_OUTPUT_VERSION}"
docker push "${ghcr_image_base}:${DOCKER_METADATA_OUTPUT_VERSION}"
done
for repository in evaka/keycloak evaka/frontend evaka/service evaka/api-gateway; do
# ECR retag
MANIFEST=$(aws ecr batch-get-image --repository-name "$repository" --image-ids imageTag="${{ github.event.pull_request.head.sha || github.sha }}" --output json | jq --raw-output --join-output '.images[0].imageManifest')
aws ecr put-image --repository-name "$repository" --image-tag "${DOCKER_METADATA_OUTPUT_VERSION}" --image-manifest "$MANIFEST"
done
deploy:
if: ${{ github.ref == 'refs/heads/master' && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
env:
DEPLOY_REPO_OWNER: 'espoon-voltti'
DEPLOY_REPO_NAME: 'evaka-deploy'
DEPLOY_REPO_WORKFLOW: 'deploy.yml'
runs-on: ubuntu-latest
needs:
- tag
- frontend-s3
steps:
- uses: actions/github-script@v7
with:
github-token: '${{ secrets.EVAKA_PAT }}'
script: |
await github.rest.actions.createWorkflowDispatch({
owner: '${{ env.DEPLOY_REPO_OWNER }}',
repo: '${{ env.DEPLOY_REPO_NAME }}',
workflow_id: '${{ env.DEPLOY_REPO_WORKFLOW }}',
ref: 'master',
inputs: {
version: '${{ github.event.pull_request.head.sha || github.sha }}'
}
})
notify:
if: ${{ always() && contains(needs.*.result, 'failure') && github.ref == 'refs/heads/master' }}
runs-on: ubuntu-latest
needs:
- deploy
steps:
- name: Report failure
uses: espoon-voltti/voltti-actions/notify@master
with:
webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
channel: "#evaka-alerts"
message: "CI job for master branch failed"