-
Notifications
You must be signed in to change notification settings - Fork 0
73 lines (65 loc) · 2.26 KB
/
pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: "CI Pipeline"
on:
push:
branches: [main]
paths-ignore:
- "**/*.md"
pull_request:
# Allow to run this workflow manually
workflow_dispatch:
jobs:
########################################
# Jobs operating on the whole repository
########################################
security-jobs:
uses: ./.github/workflows/security-jobs.yml
secrets: inherit # so the backend workflow can access "secrets.SLACK_WEBHOOK_URL" and others
permissions:
contents: read
security-events: write # trivy scan needs this
###############
# Frontend jobs
###############
frontend-checks:
uses: ./.github/workflows/frontend-checks.yml
secrets: inherit
frontend-build-image-and-scan:
uses: ./.github/workflows/frontend-build-image-and-scan.yml
secrets: inherit
permissions:
contents: read
security-events: write
with:
run-id: ${{ github.run_id }}
image-ref: ghcr.io/${{ github.repository }}-frontend:${{ github.event.pull_request.head.sha || github.sha }}
frontend-push-image-to-registry:
if: ${{ github.ref == 'refs/heads/main' }}
# For PR releases, labels could be used like this:
# if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
needs:
- security-jobs
- frontend-checks
- frontend-build-image-and-scan
uses: ./.github/workflows/frontend-push-image-to-registry.yml
secrets: inherit
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
with:
run-id: ${{ github.run_id }}
container-registry: ghcr.io
image-ref: ghcr.io/${{ github.repository }}-frontend:${{ github.event.pull_request.head.sha || github.sha }}
frontend-deploy-staging:
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- security-jobs
- frontend-checks
- frontend-build-image-and-scan
- frontend-push-image-to-registry
uses: ./.github/workflows/frontend-deploy-staging.yml
permissions:
id-token: write
secrets: inherit
with:
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}