WIP: Use separate workflow and forward deploy key

digitalservicebund · May 8, 2024 · 8db4338 · 8db4338
1 parent d4937b6
commit 8db4338
Show file tree

Hide file tree

Showing 2 changed files with 118 additions and 115 deletions.
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -9,6 +9,9 @@ on:
       directory:
         required: true
         type: string
+      deploy_key:
+        required: true
+        type: string
 
 env:
   IMAGE_NAME: digitalservicebund/${{ inputs.name }}
@@ -87,7 +90,7 @@ jobs:
           version: ${{ github.sha }}
           deploying_repo: ${{ inputs.name }}
           infra_repo: ${{ github.event.repository.name }}-infra
-          deploy_key: ${{ secrets.DEPLOY_KEY }}
+          deploy_key: ${{ inputs.deploy_key }}
           app: ${{ inputs.name }}-production
           argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
           argocd_server: ${{ secrets.ARGOCD_SERVER }}

diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -167,117 +167,117 @@ jobs:
         with:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 
-  #  build-and-deploy:
-  #    needs:
-  #      - test
-  #      - audit-licenses
-  #      - vulnerability-scan
-  #    if: ${{ github.ref == 'refs/heads/main' }}
-  #    uses: ./.github/workflows/build-and-deploy.yml
-  #    strategy:
-  #      fail-fast: false
-  #      matrix:
-  #        packages:
-  #          - name: digitalcheck-dito
-  #            directory: packages/dito
-  #          - name: digitalcheck-tool-finder
-  #            directory: packages/tool-finder
-  #    with:
-  #      name: ${{ matrix.packages.name }}
-  #      directory: ${{ matrix.packages.directory }}
-
-  build-and-push-image:
-    runs-on: ubuntu-latest
-    if: ${{ github.ref == 'refs/heads/main' }}
-    needs:
-      - test
-      - audit-licenses
-      - vulnerability-scan
-    permissions:
-      contents: read
-      id-token: write # This is used to complete the identity challenge with sigstore/fulcio.
-      packages: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: validate github workflow files to have pinned versions
-        uses: digitalservicebund/github-actions-linter@dccac3ada437947aada4bc901daff08ceb87c3f1
-
-      - name: Build image from Dockerfile
-        run: |
-          docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . -f packages/tool-finder/Dockerfile --build-arg COMMIT_SHA=${{ github.sha }}
-
-      - name: Generate cosign vulnerability scan record
-        # Third-party action, pin to commit SHA!
-        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
-        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
-        with:
-          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
-          format: "cosign-vuln"
-          output: "vulnerabilities.json"
-
-      - name: Upload cosign vulnerability scan record
-        uses: actions/upload-artifact@v4
-        with:
-          name: "vulnerabilities.json"
-          path: "vulnerabilities.json"
-          if-no-files-found: error
-
-      - name: Install cosign
-        # Third-party action, pin to commit SHA!
-        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
-
-      - name: Login to container registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
-        with:
-          registry: "ghcr.io"
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Push image
-        run: |
-          docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}
-          docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
-          docker push --all-tags ghcr.io/${{ env.IMAGE_NAME }}
-
-      - name: Sign the published Docker image
-        run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
-
-      - name: Attest the vulnerability scan
-        run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
-
-      - name: Create SBOM
-        uses: digitalservicebund/create-sbom@095884614dac5ea922dfcb09cce2e22f3d6391a3
-        with:
-          image_name: ${{ github.repository }}:${{ github.sha }}
-
-  deploy:
-    needs: [build-and-push-image]
-    runs-on: ubuntu-latest
-    if: ${{ github.ref == 'refs/heads/main' }}
-    timeout-minutes: 10
-    permissions:
-      packages: read
-    environment: production
-    steps:
-      - name: Deploy latest container image
-        uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
-        with:
-          environment: production
-          version: ${{ github.sha }}
-          deploying_repo: digitalcheck-tool-finder
-          infra_repo: ${{ github.event.repository.name }}-infra
-          deploy_key: ${{ secrets.DEPLOY_KEY }}
-          app: digitalcheck-tool-finder-production
-          argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
-          argocd_server: ${{ secrets.ARGOCD_SERVER }}
-
-      - name: Report Deployment
-        uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88 # v1.0.0
-        with:
-          project: ${{ github.event.repository.name }}
-          environment: production
-          metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
-          metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
+    build-and-deploy:
+      needs:
+        - test
+        - audit-licenses
+        - vulnerability-scan
+      if: ${{ github.ref == 'refs/heads/main' }}
+      uses: ./.github/workflows/build-and-deploy.yml
+      #      strategy:
+      #        fail-fast: false
+      #        matrix:
+      #          packages:
+      #            - name: digitalcheck-dito
+      #              directory: packages/dito
+      #            - name: digitalcheck-tool-finder
+      #              directory: packages/tool-finder
+      with:
+        name: digitalcheck-tool-finder
+        directory: packages/tool-finder
+        deploy_key: ${{ secrets.DEPLOY_KEY }}
+#  build-and-push-image:
+#    runs-on: ubuntu-latest
+#    if: ${{ github.ref == 'refs/heads/main' }}
+#    needs:
+#      - test
+#      - audit-licenses
+#      - vulnerability-scan
+#    permissions:
+#      contents: read
+#      id-token: write # This is used to complete the identity challenge with sigstore/fulcio.
+#      packages: write
+#    steps:
+#      - name: Checkout code
+#        uses: actions/checkout@v4
+#
+#      - name: validate github workflow files to have pinned versions
+#        uses: digitalservicebund/github-actions-linter@dccac3ada437947aada4bc901daff08ceb87c3f1
+#
+#      - name: Build image from Dockerfile
+#        run: |
+#          docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . -f packages/tool-finder/Dockerfile --build-arg COMMIT_SHA=${{ github.sha }}
+#
+#      - name: Generate cosign vulnerability scan record
+#        # Third-party action, pin to commit SHA!
+#        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+#        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
+#        with:
+#          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+#          format: "cosign-vuln"
+#          output: "vulnerabilities.json"
+#
+#      - name: Upload cosign vulnerability scan record
+#        uses: actions/upload-artifact@v4
+#        with:
+#          name: "vulnerabilities.json"
+#          path: "vulnerabilities.json"
+#          if-no-files-found: error
+#
+#      - name: Install cosign
+#        # Third-party action, pin to commit SHA!
+#        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+#        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+#
+#      - name: Login to container registry
+#        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+#        with:
+#          registry: "ghcr.io"
+#          username: ${{ github.actor }}
+#          password: ${{ secrets.GITHUB_TOKEN }}
+#
+#      - name: Push image
+#        run: |
+#          docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}
+#          docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
+#          docker push --all-tags ghcr.io/${{ env.IMAGE_NAME }}
+#
+#      - name: Sign the published Docker image
+#        run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
+#
+#      - name: Attest the vulnerability scan
+#        run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
+#
+#      - name: Create SBOM
+#        uses: digitalservicebund/create-sbom@095884614dac5ea922dfcb09cce2e22f3d6391a3
+#        with:
+#          image_name: ${{ github.repository }}:${{ github.sha }}
+#
+#  deploy:
+#    needs: [build-and-push-image]
+#    runs-on: ubuntu-latest
+#    if: ${{ github.ref == 'refs/heads/main' }}
+#    timeout-minutes: 10
+#    permissions:
+#      packages: read
+#    environment: production
+#    steps:
+#      - name: Deploy latest container image
+#        uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
+#        with:
+#          environment: production
+#          version: ${{ github.sha }}
+#          deploying_repo: digitalcheck-tool-finder
+#          infra_repo: ${{ github.event.repository.name }}-infra
+#          deploy_key: ${{ secrets.DEPLOY_KEY }}
+#          app: digitalcheck-tool-finder-production
+#          argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
+#          argocd_server: ${{ secrets.ARGOCD_SERVER }}
+#
+#      - name: Report Deployment
+#        uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88 # v1.0.0
+#        with:
+#          project: ${{ github.event.repository.name }}
+#          environment: production
+#          metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
+#          metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}