-
Notifications
You must be signed in to change notification settings - Fork 0
97 lines (91 loc) · 2.78 KB
/
release-image-and-helm-chart.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
name: Release Image and Helm Chart
on:
workflow_call:
inputs:
release_tag:
type: string
description: "Provide the release tag"
required: true
image_name:
type: string
description: "Provide Image name"
required: true
helm_chart_name:
type: string
description: "Provide Helm Chart name"
required: true
node_project:
type: string
description: "Is it a node image? If yes, set to true. Default: false"
required: false
default: 'false'
node_version:
type: string
description: "Provide Node Version. Default: '18'"
required: false
default: '18'
deploy_stage:
type: string
description: "Provide Deploy Stage. Default: '' (empty)"
required: false
default: ""
jobs:
# GHRC Image
codeql_analyze:
name: "CodeQL"
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-codeql.yaml@5
permissions:
actions: read
contents: read
security-events: write
nest_lint:
name: "Linting"
"${{ inputs.node_project == 'true' }}"
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-nest-lint.yaml@5
with:
node_version: "${{ inputs.node_version }}"
permissions:
contents: read
tests_and_sonarcloud:
name: "Tests and Sonarcloud"
if: "${{ inputs.node_project == 'true' }}"
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-nest-test-sonarcloud.yaml@5
with:
node_version: "${{ inputs.node_version }}"
deploy_stage: "${{ inputs.deploy_stage }}"
permissions:
contents: read
secrets: inherit
release_image:
name: "Publish image and scan with trivy"
needs:
- codeql_analyze
- nest_lint
- tests_and_sonarcloud
permissions:
packages: write
security-events: write
contents: read
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@5
with:
image_name: "${{ inputs.image_name }}"
run_trivy_scan: true
image_tag_generation: version_git_tag
container_registry: "ghcr.io"
fail_on_vulnerabilites: true
report_location: "Dockerfile"
# Helm Chart
scan_helm:
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5
permissions:
contents: read
release_helm:
needs: scan_helm
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@5
secrets: inherit
with:
chart_name: "${{ inputs.helm_chart_name }}"
helm_chart_version_generation: specified
image_tag_generation: specified
helm_chart_version: "${{ inputs.release_tag }}"
image_tag: "${{ inputs.release_tag }}"