diff --git a/.github/workflows/.build-frontend.yaml b/.github/workflows/.build-frontend.yaml
new file mode 100644
index 00000000..7f325562
--- /dev/null
+++ b/.github/workflows/.build-frontend.yaml
@@ -0,0 +1,38 @@
+name: .build-frontend.yaml
+
+on:
+ workflow_call:
+ outputs:
+ image:
+ description: "Docker image url"
+ value: ${{ jobs.build-and-publish.outputs.image }}
+
+jobs:
+ build-and-publish:
+ name: Build & publish
+ runs-on: ubuntu-latest-8-cores
+ timeout-minutes: 10
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+ outputs:
+ image: ${{ steps.docker-build-push.outputs.image }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Inject slug/short variables
+ uses: rlespinasse/github-slug-action@v4
+
+ - name: Build and publish docker image
+ uses: nais/docker-build-push@v0
+ id: docker-build-push
+ with:
+ team: etterlatte
+ identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
+ project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
+ dockerfile: docker/Dockerfile
+ docker_context: apps/${{ github.workflow }}/
+ image_suffix: ${{ github.workflow }}
+ tag: ${{ env.GITHUB_REF_SLUG }}
+ - name: Print docker tag
+ run: echo 'Docker-tag er ${{ steps.docker-build-push.outputs.image }} ' >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/.build.yaml b/.github/workflows/.build.yaml
new file mode 100644
index 00000000..5facfec4
--- /dev/null
+++ b/.github/workflows/.build.yaml
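Review bot: `tag: ${{ env.GITHUB_REF_SLUG }}` tags the published image with the branch slug, a mutable tag that every push to the same branch overwrites, whereas the removed app workflows tagged with `${{ github.sha }}`; the `image` output therefore no longer names one specific build, and re-running a deploy may pull a newer image than the one this run built — worth confirming what `nais/docker-build-push` puts in `image` when `tag` is overridden. A per-commit value such as `tag: ${{ github.sha }}`, or leaving `tag` unset so the action applies its own default, keeps the output immutable; the same step appears in `.build.yaml` below. The three actions used here (`actions/checkout@v4`, `rlespinasse/github-slug-action@v4`, `nais/docker-build-push@v0`) are referenced by mutable major tags; since this job holds `id-token: write`, pinning each `uses:` to a full commit SHA with the version in a trailing comment is the usual hardening, and it applies equally to `.build.yaml`, `.deploy.yaml` and `.test.yaml`.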
@@ -0,0 +1,48 @@
+name: .build.yaml
+
+on:
+ workflow_call:
+ outputs:
+ image:
+ description: "Docker image url"
+ value: ${{ jobs.build-and-publish.outputs.image }}
+
+jobs:
+ build-and-publish:
+ name: Build & publish
+ runs-on: ubuntu-latest-8-cores
+ timeout-minutes: 10
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+ outputs:
+ image: ${{ steps.docker-build-push.outputs.image }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Setup Java v17.x
+ uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: 17.x
+ cache: gradle
+ - name: Inject slug/short variables
+ uses: rlespinasse/github-slug-action@v4
+ - name: Gradle test and build
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: ./gradlew :apps:${{ github.workflow }}:build
+
+ - name: Build and publish docker image
+ uses: nais/docker-build-push@v0
+ id: docker-build-push
+ with:
+ team: etterlatte
+ identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
+ project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
+ dockerfile: docker/Dockerfile
+ docker_context: apps/${{ github.workflow }}/
+ image_suffix: ${{ github.workflow }}
+ tag: ${{ env.GITHUB_REF_SLUG }}
+ - name: Print docker tag
+ run: echo 'Docker-tag er ${{ steps.docker-build-push.outputs.image }} ' >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/.deploy.yaml b/.github/workflows/.deploy.yaml
new file mode 100644
index 00000000..75f55398
--- /dev/null
+++ b/.github/workflows/.deploy.yaml
@@ -0,0 +1,47 @@
+name: .deploy.yaml
+
+on:
+ workflow_call:
+ inputs:
+ image:
+ description: 'Lenke til docker image'
+ required: true
+ type: string
+ cluster:
+ description: 'Cluster. gcp eller fss'
+ required: true
+ type: string
+
+jobs:
+ deploy-to-dev-cluster:
+ name: dev-cluster
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ - uses: nais/deploy/actions/deploy@v1
+ env:
+ APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
+ CLUSTER: dev-$${{ inputs.cluster }}
+ RESOURCE: apps/${{ github.workflow }}/.nais/dev.yaml
+ VAR: image=${{ inputs.image }}
+
+ deploy-to-prod-cluster:
+ name: prod-cluster
+ if: ${{ github.ref == 'refs/heads/main' || github.event.inputs.deploy-prod == 'true' }}
+ needs: deploy-to-dev-cluster
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ - uses: andstor/file-existence-action@v2
+ id: check_files
+ with:
+ files: "apps/${{ github.workflow }}/.nais/prod.yaml"
+ - uses: nais/deploy/actions/deploy@v1
+ if: steps.check_files.outputs.files_exists == 'true'
+ env:
+ APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
+ CLUSTER: prod-${{ inputs.cluster }}
+ RESOURCE: apps/${{ github.workflow }}/.nais/prod.yaml
+ VAR: image=${{ inputs.image }}
diff --git a/.github/workflows/.test.yaml b/.github/workflows/.test.yaml
new file mode 100644
index 00000000..149aa196
--- /dev/null
+++ b/.github/workflows/.test.yaml
@@ -0,0 +1,23 @@
+name: .build-backend.yaml
+
+on:
+ workflow_call:
+
+jobs:
+ test:
+ name: Verify pull request
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Setup Java v17.x
+ uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: 17.x
+ cache: gradle
+ - name: Gradle test and build
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: ./gradlew :apps:${{ github.workflow }}:test --stacktrace
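Review bot: `CLUSTER: dev-$${{ inputs.cluster }}` in `deploy-to-dev-cluster` has a stray `$`: the expression is substituted inside the string, so the value becomes `dev-$gcp` or `dev-$fss` and the dev deploy targets a cluster that does not exist, while the prod job's `CLUSTER: prod-${{ inputs.cluster }}` shows the intended form. Change it to `CLUSTER: dev-${{ inputs.cluster }}`. The prod gate `github.event.inputs.deploy-prod` reads a `workflow_dispatch` input of the caller that this reusable workflow never declares; forwarding it as an explicit `workflow_call` input next to `image` and `cluster` would make that dependency visible to callers. A one-line comment above the `andstor/file-existence-action` step, e.g. `# prod deploy is skipped silently for apps without a .nais/prod.yaml`, would also explain why the prod job can finish green without deploying anything.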
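Review bot: `name: .build-backend.yaml` does not match the file it is in (`.test.yaml`), and none of the files in this diff carries that name, so the run name shown in the Actions UI will point readers at a workflow that does not exist; `name: .test.yaml` follows the convention of the three sibling files. The `test` job also declares no `permissions:`, so it runs with whatever the calling job inherits although it only needs the token for the Gradle step; a `permissions:` block with `contents: 'read'`, as `.build.yaml` declares, would keep it read-only regardless of the callers' defaults.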
diff --git a/.github/workflows/app-etterlatte-proxy.yaml b/.github/workflows/app-etterlatte-proxy.yaml index f45eddb5..0e460ced 100644 --- a/.github/workflows/app-etterlatte-proxy.yaml +++ b/.github/workflows/app-etterlatte-proxy.yaml @@ -1,9 +1,5 @@ name: etterlatte-proxy -env: - IMAGE: ghcr.io/${{ github.repository }}/${{ github.workflow }}:${{ github.sha }} - APP_NAME: ${{ github.workflow }} - on: workflow_dispatch: # Allow manually triggered workflow run inputs: 
@@ -16,60 +12,31 @@ on: - main paths: - apps/etterlatte-proxy/** + pull_request: + branches: + - main + paths: + - apps/etterlatte-proxy/** jobs: - build-and-publish: - name: Build, test, and publish - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - name: Checkout code - uses: actions/checkout@v4 - - name: Setup Java v17.x - uses: actions/setup-java@v4 - with: - distribution: temurin - java-version: 17.x - cache: gradle - - name: Gradle test and build - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - chmod +x ./gradlew - ./gradlew :apps:${APP_NAME}:test :apps:${APP_NAME}:build - - name: Build and publish docker image - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - docker login ghcr.io -u ${GITHUB_REPOSITORY} -p ${GITHUB_TOKEN} - docker build --tag ${IMAGE} apps/${APP_NAME} - docker push ${IMAGE} + test: + if: github.event_name == 'pull_request' + uses: ./.github/workflows/.test.yaml + secrets: inherit - deploy-to-dev-fss: - name: Deploy to dev-fss - needs: build-and-publish - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: dev-fss - RESOURCE: apps/${{ env.APP_NAME }}/.nais/dev.yaml + build: + if: github.event_name != 'pull_request' + uses: ./.github/workflows/.build.yaml + secrets: inherit + permissions: + contents: 'read' + id-token: 'write' - deploy-to-prod-fss: - name: Deploy to prod-fss - if: ${{ github.ref == 'refs/heads/main' || github.event.inputs.deploy-prod == 'true' }} - needs: deploy-to-dev-fss - runs-on: ubuntu-latest - timeout-minutes: 3 - continue-on-error: true - steps: - - uses: actions/checkout@v4 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: prod-fss - RESOURCE: apps/${{ env.APP_NAME }}/.nais/prod.yaml + deploy: + if: github.event_name != 'pull_request' + needs: build + uses: ./.github/workflows/.deploy.yaml + with: 
+ image: ${{ needs.build.outputs.image }} + cluster: 'fss' + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/app-ey-pdfgen.yaml b/.github/workflows/app-ey-pdfgen.yaml index c1f5599b..b58bf43c 100644 --- a/.github/workflows/app-ey-pdfgen.yaml +++ b/.github/workflows/app-ey-pdfgen.yaml @@ -1,9 +1,5 @@ name: ey-pdfgen -env: - IMAGE: ghcr.io/${{ github.repository }}/${{ github.workflow }}:${{ github.sha }} - APP_NAME: ${{ github.workflow }} - on: workflow_dispatch: # Allow manually triggered workflow run inputs: 
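Review bot: The new `deploy:` job calls `.deploy.yaml` without a `permissions:` block, so the called workflow runs with the repository's default token permissions, while the sibling `build:` job is narrowed to `contents: 'read'` and `id-token: 'write'`; the deploy steps only need to read the checkout and use `NAIS_DEPLOY_APIKEY`, so `permissions:` with `contents: 'read'` on `deploy:` would match the least-privilege intent of the rest of the change. The same pattern recurs in the `deploy:` jobs of `app-ey-pdfgen.yaml`, `etterlatte-notifikasjoner.yaml` and `ey-slackbot.yaml` below. The `if: github.event_name != 'pull_request'` on `deploy:` is redundant with `needs: build`, since a skipped `build` already skips dependants unless the condition uses `always()`; harmless, but a one-line comment saying it is deliberate would save the next reader from wondering. Note also that the removed prod job carried `continue-on-error: true`, which `.deploy.yaml` does not replicate, so a failed prod deploy now fails the whole workflow — presumably intended, but worth a comment on the job.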
@@ -18,44 +14,19 @@ on: - apps/ey-pdfgen/** jobs: - build-and-publish: - name: Build, test, and publish - runs-on: ubuntu-latest + build: + if: github.event_name != 'pull_request' + uses: ./.github/workflows/.build-frontend.yaml + secrets: inherit permissions: - contents: read - packages: write - steps: - - name: Checkout code - uses: actions/checkout@v4 - - name: Build and publish docker image - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - docker login ghcr.io -u ${GITHUB_REPOSITORY} -p ${GITHUB_TOKEN} - docker build --tag ${IMAGE} apps/${APP_NAME} - docker push ${IMAGE} - - deploy-to-dev-gcp: - name: Deploy to dev-gcp - needs: build-and-publish - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: dev-gcp - RESOURCE: apps/${{ env.APP_NAME }}/.nais/dev.yaml + contents: 'read' + id-token: 'write' - deploy-to-prod-gcp: - name: Deploy to prod-gcp - if: ${{ github.ref == 'refs/heads/main' || github.event.inputs.deploy-prod == 'true' }} - needs: deploy-to-dev-gcp - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: prod-gcp - RESOURCE: apps/${{ env.APP_NAME }}/.nais/prod.yaml + deploy: + if: github.event_name != 'pull_request' + needs: build + uses: ./.github/workflows/.deploy.yaml + with: + image: ${{ needs.build.outputs.image }} + cluster: 'gcp' + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/etterlatte-notifikasjoner.yaml b/.github/workflows/etterlatte-notifikasjoner.yaml index 2ef63783..5d610f80 100644 --- a/.github/workflows/etterlatte-notifikasjoner.yaml +++ b/.github/workflows/etterlatte-notifikasjoner.yaml 
@@ -1,9 +1,5 @@ name: etterlatte-notifikasjoner -env: - IMAGE: ghcr.io/${{ github.repository }}/${{ github.workflow }}:${{ github.sha }} - APP_NAME: ${{ github.workflow }} - on: workflow_dispatch: # Allow manually triggered workflow run inputs: 
@@ -16,58 +12,31 @@ on: - main paths: - apps/etterlatte-notifikasjoner/** + pull_request: + branches: + - main + paths: + - apps/etterlatte-notifikasjoner/** jobs: - build-and-publish: - name: Build, test, and publish - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - name: Checkout code - uses: actions/checkout@v4 - - name: Setup Java v17.x - uses: actions/setup-java@v4 - with: - distribution: temurin - java-version: 17.x - cache: gradle - - name: Gradle test and build - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - chmod +x ./gradlew - ./gradlew :apps:${APP_NAME}:test :apps:${APP_NAME}:build - - name: Build and publish docker image - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - docker login ghcr.io -u ${GITHUB_REPOSITORY} -p ${GITHUB_TOKEN} - docker build --tag ${IMAGE} apps/${APP_NAME} - docker push ${IMAGE} + test: + if: github.event_name == 'pull_request' + uses: ./.github/workflows/.test.yaml + secrets: inherit - deploy-to-dev-gcp: - name: Deploy to dev-gcp - needs: build-and-publish - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: dev-gcp - RESOURCE: apps/${{ env.APP_NAME }}/.nais/dev.yaml + build: + if: github.event_name != 'pull_request' + uses: ./.github/workflows/.build.yaml + secrets: inherit + permissions: + contents: 'read' + id-token: 'write' - deploy-to-prod-gcp: - name: Deploy to prod-gcp - if: ${{ github.ref == 'refs/heads/main' || github.event.inputs.deploy-prod == 'true' }} - needs: deploy-to-dev-gcp - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: prod-gcp - RESOURCE: apps/${{ env.APP_NAME }}/.nais/prod.yaml + deploy: + if: github.event_name != 'pull_request' + needs: build + uses: ./.github/workflows/.deploy.yaml + with: + image: ${{ 
needs.build.outputs.image }} + cluster: 'gcp' + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/ey-slackbot.yaml b/.github/workflows/ey-slackbot.yaml index 38fbbb4d..ac5f98c3 100644 --- a/.github/workflows/ey-slackbot.yaml +++ b/.github/workflows/ey-slackbot.yaml @@ -1,9 +1,5 @@ name: ey-slackbot -env: - IMAGE: ghcr.io/${{ github.repository }}/${{ github.workflow }}:${{ github.sha }} - APP_NAME: ${{ github.workflow }} - on: workflow_dispatch: # Allow manually triggered workflow run push: @@ -13,30 +9,19 @@ on: - apps/ey-slackbot/** jobs: - build-and-publish: - name: Build & publish - runs-on: ubuntu-latest + build: + if: github.event_name != 'pull_request' + uses: ./.github/workflows/.build-frontend.yaml + secrets: inherit permissions: - packages: write - steps: - - name: Checkout code - uses: actions/checkout@v4 - - name: Build and publish docker image - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - docker login ghcr.io -u ${GITHUB_REPOSITORY} -p ${GITHUB_TOKEN} - docker build --tag ${IMAGE} apps/${APP_NAME} - docker push ${IMAGE} + contents: 'read' + id-token: 'write' deploy: - name: Deploy - needs: build-and-publish - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: dev-gcp - RESOURCE: apps/${{ env.APP_NAME }}/.nais/dev.yaml + if: github.event_name != 'pull_request' + needs: build + uses: ./.github/workflows/.deploy.yaml + with: + image: ${{ needs.build.outputs.image }} + cluster: 'gcp' + secrets: inherit diff --git a/apps/etterlatte-notifikasjoner/Dockerfile b/apps/etterlatte-notifikasjoner/Dockerfile index aff94e25..86de5667 100644 --- a/apps/etterlatte-notifikasjoner/Dockerfile +++ b/apps/etterlatte-notifikasjoner/Dockerfile 
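Review bot: The replaced `deploy` job only ever targeted `dev-gcp`, but `.deploy.yaml` also runs `deploy-to-prod-cluster` on pushes to `main`, guarded only by whether `apps/ey-slackbot/.nais/prod.yaml` exists; if that file is present (not visible in this diff), this commit starts deploying the slackbot to prod as a side effect of the refactor. If prod is not intended, a comment on the `deploy:` job, e.g. `# no .nais/prod.yaml for this app, so .deploy.yaml only reaches dev-gcp`, records the dependency, or `.deploy.yaml` could take an explicit input that disables the prod job. The `workflow_dispatch:` trigger in this file's context has no `inputs:`, so the `github.event.inputs.deploy-prod == 'true'` gate inside `.deploy.yaml` can never fire for manual runs here — consistent with dev-only, but it relies on the absence of an input rather than an explicit setting.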
@@ -1,3 +1,7 @@
-FROM navikt/java:17
+FROM gcr.io/distroless/java17
+ENV TZ="Europe/Oslo"
+WORKDIR /app
 COPY build/libs/*.jar ./
-
+EXPOSE 8080
+USER nonroot
+CMD ["app.jar"]
\ No newline at end of file
diff --git a/apps/etterlatte-proxy/Dockerfile b/apps/etterlatte-proxy/Dockerfile
index cbf36d73..9491c248 100644
--- a/apps/etterlatte-proxy/Dockerfile
+++ b/apps/etterlatte-proxy/Dockerfile
@@ -1,4 +1,4 @@
-FROM navikt/java:17
+FROM ghcr.io/navikt/baseimages/temurin:17
 COPY import-vault-token.sh /init-scripts
 COPY build/libs/*.jar ./
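Review bot: `FROM gcr.io/distroless/java17` has neither a tag nor a digest, so it resolves to `latest` and a rebuild of the same commit may silently get a different base image; pin it, e.g. `FROM gcr.io/distroless/java17:nonroot@sha256:<digest-placeholder>`, with a comment noting when the digest was taken. `CMD ["app.jar"]` relies on the distroless image's `java -jar` entrypoint (as far as I recall) and on the Gradle build emitting a single jar actually named `app.jar`, while `COPY build/libs/*.jar ./` copies whatever the glob matches; if the artifact is named after the module the container fails at start, so either fix the name in the Gradle build (`archiveFileName`) or add a comment above the COPY stating the assumption. The `etterlatte-proxy` Dockerfile hunk below is cut off at the end of this chunk.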