
ci: add pipeline to build and deploy test to aks-inn-cdn-nonprod-eno … #3


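# GitHub Actions workflow: lint + build the app, publish a Docker image to GAR
# through the NAIS workload-identity action, deploy it with nais/deploy, and
# scan the prod image with Trivy. Runs on every push; the `github.ref` and
# `github.actor` conditions on each job decide which path a push takes
# (main -> prod, other branches -> dev, dependabot -> build only).
name: Build and deploy
on: push

# Default GITHUB_TOKEN scope for every job that does not declare its own
# `permissions` block (test, deploy-bot-to-gcp, deploy-bot-to-gcp-dev).
# Those jobs only need to check out the repo; the NAIS deploy action
# authenticates with NAIS_DEPLOY_APIKEY, not with GITHUB_TOKEN.
# A job-level `permissions` block replaces this default entirely.
permissions:
  contents: read

# NOTE(review): action refs are a mix of floating tags (@v0, @v1, @v3, @v4),
# a branch (@main for the navikt org-internal action) and one full SHA
# (trivy-action). Tags can be moved; pin third-party actions to a commit SHA
# where the supply-chain risk warrants it (the SHAs are not on this page and
# must be looked up, not guessed).
jobs:
  codeql-analysis:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      # Job-level permissions replace the workflow default, so checkout's
      # read scope has to be restated here alongside the SARIF upload scope.
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  test:
    name: 'Run bun tests'
    runs-on: ubuntu-latest
    steps:
      - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main
        with:
          NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }}
      - uses: oven-sh/setup-bun@v1
        with:
          # Quoted so the version is always read as a string, never a number.
          bun-version: '1.1.22'
      # NOTE(review): the real test step is commented out, so this job -- which
      # both deploy jobs list in `needs` -- always succeeds without running
      # any tests. Re-enable `yarn test` (or a bun equivalent) before treating
      # a green `test` job as a deploy gate.
      #- run: yarn test
      - run: echo "Tests are skipped!"

  build-and-publish:
    if: github.ref == 'refs/heads/main'
    name: 'Prod: Bygg, test og push Docker image'
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      # id-token: write is what lets nais/docker-build-push exchange the OIDC
      # token for GCP credentials via NAIS_WORKLOAD_IDENTITY_PROVIDER.
      id-token: write
    outputs:
      # Fully qualified image reference, consumed by deploy-bot-to-gcp and
      # trivy-docker.
      image: ${{ steps.docker-build-push.outputs.image }}
    steps:
      - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main
        with:
          NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }}
      - run: yarn lint
      - run: yarn build
        env:
          NEXT_PUBLIC_ENVIRONMENT: production
      - name: Push docker image to GAR
        uses: nais/docker-build-push@v0
        id: docker-build-push
        with:
          team: teamsykmelding
          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
          image_suffix: prod

  build-and-publish-dev:
    # Every non-dependabot push (including main) builds a dev image; only
    # deploy-bot-to-gcp-dev (non-main refs) consumes it.
    if: github.actor != 'dependabot[bot]'
    name: 'Dev: Bygg, test og push Docker image'
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      id-token: write
    outputs:
      image: ${{ steps.docker-build-push.outputs.image }}
    steps:
      - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main
        with:
          NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }}
      - run: yarn lint
      - run: yarn build
        env:
          NEXT_PUBLIC_ENVIRONMENT: dev
      - name: Push docker image to GAR
        uses: nais/docker-build-push@v0
        id: docker-build-push
        with:
          team: teamsykmelding
          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
          image_suffix: dev

  build-for-dependabot:
    # Lint + build only: this job pushes no image, so it needs neither
    # packages/id-token write nor an `image` output (the previous output
    # referenced a step id that does not exist in this job and was always
    # empty; nothing in the workflow consumed it).
    if: github.actor == 'dependabot[bot]'
    name: 'Build for dependabot'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main
        with:
          NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }}
      - run: yarn lint
      - run: yarn build
        env:
          NEXT_PUBLIC_ENVIRONMENT: dev

  deploy-bot-to-gcp:
    if: github.ref == 'refs/heads/main'
    name: Deploy to prod
    # Prod deploy is gated on the prod image, CodeQL and the test job.
    needs: [build-and-publish, codeql-analysis, test]
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://helsesjekk-bot.nav.no
    steps:
      - uses: actions/checkout@v4
      - uses: nais/deploy/actions/deploy@v1
        env:
          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
          CLUSTER: prod-gcp
          RESOURCE: nais.yml
          VAR: image=${{ needs.build-and-publish.outputs.image }}

  deploy-bot-to-gcp-dev:
    if: github.ref != 'refs/heads/main'
    name: Deploy to dev
    # On dependabot branches build-and-publish-dev is skipped, which skips
    # this job too via `needs`.
    needs: [build-and-publish-dev, test]
    runs-on: ubuntu-latest
    environment:
      name: development
      url: https://helsesjekk-bot.intern.dev.nav.no
    steps:
      - uses: actions/checkout@v4
      - uses: nais/deploy/actions/deploy@v1
        env:
          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
          CLUSTER: dev-gcp
          RESOURCE: nais-dev.yml
          VAR: image=${{ needs.build-and-publish-dev.outputs.image }}

  trivy-docker:
    # Runs only when build-and-publish ran (main pushes), via `needs`.
    permissions:
      # Uploading SARIF needs security-events: write; nothing in this job
      # writes to the repository, so contents is read-only.
      contents: read
      id-token: write
      security-events: write
    name: Trivy docker
    runs-on: ubuntu-latest
    needs: [build-and-publish]
    steps:
      # Creates an empty file named `me` in the workspace. Its purpose is not
      # documented here -- presumably a placeholder; confirm before removing.
      - run: touch me
      - uses: nais/login@v0
        with:
          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
          team: teamsykmelding
      - name: Run Trivy vulnerability scanner
        # Pinned to a full commit SHA (immutable), unlike the tag-pinned actions above.
        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55
        with:
          image-ref: ${{ needs.build-and-publish.outputs.image }}
          # Only OS-package vulnerabilities with an available fix, CRITICAL/HIGH.
          ignore-unfixed: true
          vuln-type: 'os'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-results.sarif'
          scanners: 'vuln'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        # `always()` so findings reach the Security tab even when the scan
        # step itself is marked failed.
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'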