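# CI/CD pipeline for Erica.
#
# Every push runs the `test` job. Pushes to `main` additionally build the
# container images, produce an SBOM, push and sign the images, deploy them to
# the OTC staging environment through a reusable workflow, and record the
# deployment for metrics.
name: CI/CD Pipeline

on: push

# One active run per ref: a newer push to the same ref cancels the older run.
# NOTE(review): on `main` this can also cancel a build/sign/deploy that is
# already in flight — consider excluding `main` from cancel-in-progress if a
# half-finished deploy is not acceptable.
concurrency:
  group: ${{ github.ref }}
  cancel-in-progress: true

env:
  GITHUB_REGISTRY: ghcr.io
  # NOTE(review): workflow-wide secret, but no step in this file reads
  # ERICA_HOST (the deploy job receives its own ERICA_HOST via `secrets:`).
  # Keeping it here exposes it to every job; consider moving it to the job that
  # actually needs it, or dropping it if it is unused.
  ERICA_HOST: ${{ secrets.ERICA_HOST_STAGING }}

# NOTE(review): the `actions/*` steps below are pinned by major tag (`@v3`,
# `@v4`, `@v1`) while the third-party actions are pinned by commit SHA, as the
# comment on the cosign step asks for. Pinning all actions to a SHA would make
# the supply-chain posture consistent; the SHAs are not recorded here, so this
# is left to the maintainers.
jobs:
  test:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: this job only checks out the repo and
    # uploads an artifact, neither of which needs write access.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3

      - name: Set up Python 3.11
        # `id` is required: the cache key below references
        # steps.setup-python.outputs.python-version, which resolves to an
        # empty string when the step has no id.
        id: setup-python
        uses: actions/setup-python@v4
        with:
          python-version: "3.11"

      - name: Install build requirements
        run: |
          python -m pip install --upgrade pip
          pip install -r ./requirements.build.txt
        shell: bash

      # Restores the pipenv virtualenv. CACHE_VERSION is a secret used purely
      # as a manual cache-busting knob; the key is printed masked in logs.
      - name: Cache dependencies
        uses: actions/cache@v3
        with:
          path: ~/.local/share/virtualenvs
          key: ${{ runner.os }}-erica-v${{ secrets.CACHE_VERSION }}-python-${{ steps.setup-python.outputs.python-version }}-pipenv-${{ hashFiles('Pipfile.lock') }}

      - name: Install dependencies
        env:
          SETUPTOOLS_USE_DISTUTILS: stdlib
        run: |
          pipenv install --dev
        shell: bash

      # Downloads the ERiC certificate and binaries from the S3-compatible
      # bucket; the credentials are scoped to this step only.
      - name: Get Eric binaries
        env:
          ERICA_BUCKET_NAME: ${{ secrets.BUCKET_NAME }}
          AWS_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
          ENDPOINT_URL: ${{ secrets.S3_ENDPOINT_URL }}
        run: |
          pipenv run python scripts/load_eric_binaries.py download-eric-cert-and-binaries
        shell: bash

      - name: Update tax office list
        env:
          ERICA_ENV: testing
        run: |
          pipenv run python scripts/create_tax_office_lists.py create
        shell: bash

      - name: Lint
        run: |
          pipenv run invoke --echo lint
        shell: bash

      # `shell: bash` enables pipefail, so a failing test run still fails the
      # step even though its output is piped through `tee`.
      - name: Test
        run: |
          pipenv run invoke --echo test | tee erica-test-report.log
        shell: bash

      # NOTE(review): upload-artifact@v1 is an old major version of this
      # action; check it is still supported by the runner before relying on it.
      - name: Archive test logs
        uses: actions/upload-artifact@v1
        with:
          name: erica-test-report.log
          path: erica-test-report.log

  build-staging:
    needs: [test]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # id-token: write is what lets cosign obtain an OIDC identity for keyless
    # signing; packages: write is needed to push to ghcr.io.
    permissions:
      id-token: write
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v3

      - name: Build docker images
        env:
          DOCKER_REGISTRY: ${{ env.GITHUB_REGISTRY }}/${{ github.repository }}
          DOCKER_TAG: ${{ github.run_number }}
          ERICA_BUCKET_NAME: ${{ secrets.BUCKET_NAME }}
          ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY_ID }}
          ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
          ENDPOINT_URL: ${{ secrets.S3_ENDPOINT_URL }}
          ELSTER_DATENLIEFERANT: ${{ secrets.ELSTER_DATENLIEFERANT }}
          ELSTER_HERSTELLER_ID: ${{ secrets.ELSTER_HERSTELLER_ID }}
        run: |
          docker-compose -f docker-compose.ci.yml build
          docker image ls
        shell: bash

      - name: Create SBOM
        uses: digitalservicebund/github-actions/create-sbom@40022b2843c5d9f9efba2c92d9421e19d3a1a3de
        with:
          repository: ${{ env.GITHUB_REGISTRY }}/${{ github.repository }}
          image_tag: erica_main:latest

      - name: Login to container repository
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
        with:
          registry: ${{ env.GITHUB_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Pushes every locally built image whose name contains `erica_`.
      - name: Push images
        run: |
          for IMAGE in $(docker image ls | grep erica_ | awk '{ print $1 }' | sort | uniq); do
            docker push ${IMAGE} --all-tags
          done
        shell: bash

      - name: Install cosign
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65

      - name: Sign the published Docker image
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        # NOTE(review): the image is signed by tag (`:<run_number>`) rather than
        # by digest; tags are mutable, so a verifier should resolve the digest
        # the signature was attached to. Signing `<image>@sha256:<digest>` would
        # bind the signature to the exact pushed content.
        run: |
          for IMAGE in $(docker image ls | grep erica_ | awk '{ print $1 }' | sort | uniq); do
            cosign sign ${IMAGE}:${{ github.run_number }} --yes
          done
        shell: bash

  # Deploys via the reusable workflow. Secrets are passed explicitly (not
  # `secrets: inherit`), so the called workflow sees only what is listed here.
  deploy-staging-otc:
    needs: [build-staging]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    uses: ./.github/workflows/reusable-deploy-otc.yml
    with:
      imageTag: ${{ github.run_number }}
      environment: staging
    secrets:
      DOCKER_REGISTRY: ${{ secrets.DOCKER_REGISTRY }}
      REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
      REGISTRY_PWD: ${{ secrets.REGISTRY_PWD_GITHUB }}
      ERICA_SSH_KEY: ${{ secrets.CI_ERICA_SSH_KEY }}
      ERICA_HOST: ${{ secrets.ERICA_HOST_OTC_STAGING }}
      CERT_PIN: ${{ secrets.CERT_PIN_OTC_STAGING }}
      QUEUE_URL: ${{ secrets.QUEUE_URL_OTC_STAGING }}
      ERICA_DATABASE_URL: ${{ secrets.ERICA_DATABASE_URL_OTC_STAGING }}
      DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
      ARGOCD_SERVER: ${{ secrets.ARGOCD_SERVER }}
      ARGOCD_PIPELINE_PASSWORD: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}

  # Records the staging deployment with the metrics webhook.
  # NOTE(review): this job inherits the repository's default GITHUB_TOKEN
  # permissions; if the action does not need the token, a `permissions:` block
  # restricting it would match the least-privilege setup of the other jobs.
  track-deploy:
    needs: [deploy-staging-otc]
    runs-on: ubuntu-latest
    steps:
      - name: Track deploy
        uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88
        with:
          project: Erica
          environment: staging
          metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
          metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}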