.github/workflows/deploy.yml

name: Build & deploy

on: [ push, workflow_dispatch ]

permissions:
  contents: read
  id-token: write

jobs:
  call-build-java-gradlew:
    uses: navikt/toi-github-actions-workflows/.github/workflows/build-java-gradlew.yaml@main
    with:
      java-version: '21'
    permissions:
      contents: read
      id-token: write
    secrets: inherit

  deploy-to-dev:
    name: Deploy to dev
    needs: call-build-java-gradlew
    if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/oppgrader-avhengigheter'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: nais/deploy/actions/deploy@v2
        env:
          CLUSTER: dev-fss
          VAR: version=${{ needs.call-build-java-gradlew.outputs.image }}
          RESOURCE: nais/nais-dev.yaml

  deploy-to-prod:
    name: Deploy to prod
    needs:
      - deploy-to-dev
      - call-build-java-gradlew
    if: github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: nais/deploy/actions/deploy@v2
        env:
          CLUSTER: prod-fss
          VAR: version=${{ needs.call-build-java-gradlew.outputs.image }}
          RESOURCE: nais/nais-prod.yaml,nais/alerts.yml

  call-trivy-security-scan:
    needs: call-build-java-gradlew
    uses: navikt/toi-github-actions-workflows/.github/workflows/trivy-security-scan.yaml@main
    with:
      image: ${{ needs.call-build-java-gradlew.outputs.image }}
    permissions:
      id-token: write
      security-events: write
    secrets: inherit