Skip to content

Pipeline caching improvements #248

Pipeline caching improvements

Pipeline caching improvements #248

Workflow file for this run

name: Pipeline
on:
push:
branches: [main]
pull_request:
branches: [main]
# Allow to run this workflow manually
workflow_dispatch:
env:
IMAGE_NAME: ${{ github.repository }}
CONTAINER_IMAGE_VERSION: ${{ github.sha }}
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: .tool-versions
cache: npm
- name: Cache npm dependencies
id: cache-npm-deps
uses: actions/cache@v4
with:
path: |
**/node_modules
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependencies
if: steps.cache-npm-deps.outputs.cache-hit != 'true'
run: npm ci
- name: Check build
run: npm run build
- name: Check format
run: npm run format:check
- name: Lint
run: npm run lint:check
- name: Run tests
run: npm test
- name: Cache Playwright dependencies
id: cache-playwright-deps
uses: actions/cache@v4
with:
path: ~/.cache/ms-playwright
key: ${{ runner.os }}-playwright-${{ hashFiles('**/package-lock.json') }}
restore-keys: ${{ runner.os }}-playwright-
- name: Install E2E & A11y test dependencies
if: steps.cache-playwright-deps.outputs.cache-hit != 'true'
run: npx --yes playwright install --with-deps
- name: Run E2E tests
run: npm run test:e2e
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: playwright-e2e-test-results
path: tests/e2e/playwright-report
- name: Run A11y tests
run: npm run test:a11y
env:
# Use a different port (from the one used with E2E tests) to workaround problem in CI/GitHub Actions,
# starting to occur with playwright/test 1.28.0:
# Error: http://localhost:4173 is already used ...
# See https://github.com/digitalservicebund/typescript-vite-application-template/actions/runs/3486985178/jobs/5834089375
VITE_PORT: 4183
- uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: playwright-a11y-test-results
path: tests/a11y/playwright-report
- name: Cache Docker image
id: cache-docker-image
uses: actions/cache@v4
with:
path: |
/tmp/.docker-cache
key: ${{ runner.os }}-docker-${{ github.sha }}
restore-keys:
| # If the exact cache can't be found, a partial match will still be useful here, since it will allow docker to reuse the layers from the cached image that are still valid.
${{ runner.os }}-docker-
- name: Build and cache image from Dockerfile
if: steps.cache-docker-image.outputs.cache-hit != 'true'
run: |
mkdir -p /tmp/.docker-cache/${{ env.IMAGE_NAME }}
docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
docker save ${{ env.IMAGE_NAME }}:${{ github.sha }} -o /tmp/.docker-cache/${{ env.IMAGE_NAME }}_${{ github.sha }}.tar
echo "Docker image saved to: /tmp/.docker-cache/${{ env.IMAGE_NAME }}_${{ github.sha }}.tar"
- name: Send failure to Slack
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
audit-licenses:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: .tool-versions
cache: npm
- name: Cache npm dependencies
id: cache-npm-deps
uses: actions/cache@v4
with:
path: |
**/node_modules
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependencies
if: steps.cache-npm-deps.outputs.cache-hit != 'true'
run: npm ci
- name: Audit used licences
run: npm run audit:licences
- name: Send status to Slack
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
vulnerability-scan:
uses: ./.github/workflows/scan.yml
secrets: inherit
build-and-push-image:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- build
- audit-licenses
- vulnerability-scan
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Restore Docker image cache
uses: actions/cache@v4
with:
path: |
/tmp/.docker-cache
key: ${{ runner.os }}-docker-${{ github.sha }}
- name: Load cached Docker image
id: load-docker-image
run: |
IMAGE_PATH="/tmp/.docker-cache/${{ env.IMAGE_NAME }}_${{ github.sha }}.tar"
if docker load -i $IMAGE_PATH; then
echo "docker-image-load-successful=true" >> $GITHUB_ENV
echo "::set-output name=docker-image-load-successful::true"
echo "Docker image loaded from cache: $IMAGE_PATH"
else
echo "docker-image-load-successful=false" >> $GITHUB_ENV
echo "::set-output name=docker-image-load-successful::false"
echo "Docker image not found in cache: $IMAGE_PATH"
fi
- name: Build image from Dockerfile in case no cached image was found
if: steps.load-docker-image.outputs.docker-image-load-successful != 'true'
run: |
docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
- name: Generate cosign vulnerability scan record
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
# specify multiple registries: try default GitHub registry, if too many requests, use the aws mirror
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
scanners: "vuln"
format: "cosign-vuln"
output: "vulnerabilities.json"
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Login to container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: "ghcr.io"
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image
run: |
docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}
docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
docker push --all-tags ghcr.io/${{ env.IMAGE_NAME }}
- name: Create SBOM
uses: digitalservicebund/create-sbom@9535ef832c2895b44b7266f84e16ad7598d1ead9 # v1.2.1
with:
image_name: ${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: Sign the published Docker image
run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: Attest the vulnerability scan
run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
deploy-staging:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
environment: staging
needs: build-and-push-image # Will only run if the build and push job succeded
steps:
- name: Deploy latest container image
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: staging
version: ${{ env.CONTAINER_IMAGE_VERSION }}
deploying_repo: ${{ github.event.repository.name }}
infra_repo: ${{ github.event.repository.name }}-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: ${{ github.event.repository.name }}-staging
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}