diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index cf0a944..47d49c8 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -1,168 +1,168 @@ -name: Build and deploy -on: push -jobs: - codeql-analysis: - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - permissions: - security-events: write - steps: - - uses: actions/checkout@v4 - - uses: github/codeql-action/init@v3 - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 +# name: Build and deploy +# on: push +# jobs: +# codeql-analysis: +# if: github.ref == 'refs/heads/main' +# runs-on: ubuntu-latest +# permissions: +# security-events: write +# steps: +# - uses: actions/checkout@v4 +# - uses: github/codeql-action/init@v3 +# - name: Autobuild +# uses: github/codeql-action/autobuild@v3 +# - name: Perform CodeQL Analysis +# uses: github/codeql-action/analyze@v3 - test: - name: 'Run bun tests' - runs-on: ubuntu-latest - steps: - - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main - with: - NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }} - - uses: oven-sh/setup-bun@v1 - with: - bun-version: 1.1.22 - #- run: yarn test - - run: echo "Tests are skipped!" +# test: +# name: 'Run bun tests' +# runs-on: ubuntu-latest +# steps: +# - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main +# with: +# NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }} +# - uses: oven-sh/setup-bun@v1 +# with: +# bun-version: 1.1.22 +# #- run: yarn test +# - run: echo "Tests are skipped!" - build-and-publish: - if: github.ref == 'refs/heads/main' - name: 'Prod: Bygg, test og push Docker image' - runs-on: ubuntu-latest - permissions: - packages: 'write' - contents: 'read' - id-token: 'write' - outputs: - image: ${{ steps.docker-build-push.outputs.image }} - steps: - - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main - with: - NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }} - - run: yarn lint - - run: yarn build - env: - NEXT_PUBLIC_ENVIRONMENT: production - - name: Push docker image to GAR - uses: nais/docker-build-push@v0 - id: docker-build-push - with: - team: teamsykmelding - identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} - project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} - image_suffix: prod +# build-and-publish: +# if: github.ref == 'refs/heads/main' +# name: 'Prod: Bygg, test og push Docker image' +# runs-on: ubuntu-latest +# permissions: +# packages: 'write' +# contents: 'read' +# id-token: 'write' +# outputs: +# image: ${{ steps.docker-build-push.outputs.image }} +# steps: +# - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main +# with: +# NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }} +# - run: yarn lint +# - run: yarn build +# env: +# NEXT_PUBLIC_ENVIRONMENT: production +# - name: Push docker image to GAR +# uses: nais/docker-build-push@v0 +# id: docker-build-push +# with: +# team: teamsykmelding +# identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} +# project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} +# image_suffix: prod - build-and-publish-dev: - if: github.actor != 'dependabot[bot]' - name: 'Dev: Bygg, test og push Docker image' - runs-on: ubuntu-latest - permissions: - packages: 'write' - contents: 'read' - id-token: 'write' - outputs: - image: ${{ steps.docker-build-push.outputs.image }} - steps: - - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main - with: - NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }} - - run: yarn lint - - run: yarn build - env: - NEXT_PUBLIC_ENVIRONMENT: dev - - name: Push docker image to GAR - uses: nais/docker-build-push@v0 - id: docker-build-push - with: - team: teamsykmelding - identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} - project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} - image_suffix: dev +# build-and-publish-dev: +# if: github.actor != 'dependabot[bot]' +# name: 'Dev: Bygg, test og push Docker image' +# runs-on: ubuntu-latest +# permissions: +# packages: 'write' +# contents: 'read' +# id-token: 'write' +# outputs: +# image: ${{ steps.docker-build-push.outputs.image }} +# steps: +# - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main +# with: +# NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }} +# - run: yarn lint +# - run: yarn build +# env: +# NEXT_PUBLIC_ENVIRONMENT: dev +# - name: Push docker image to GAR +# uses: nais/docker-build-push@v0 +# id: docker-build-push +# with: +# team: teamsykmelding +# identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} +# project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} +# image_suffix: dev - build-for-dependabot: - if: github.actor == 'dependabot[bot]' - name: 'Build for dependabot' - runs-on: ubuntu-latest - permissions: - packages: 'write' - contents: 'read' - id-token: 'write' - outputs: - image: ${{ steps.docker-build-push.outputs.image }} - steps: - - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main - with: - NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }} - - run: yarn lint - - run: yarn build - env: - NEXT_PUBLIC_ENVIRONMENT: dev +# build-for-dependabot: +# if: github.actor == 'dependabot[bot]' +# name: 'Build for dependabot' +# runs-on: ubuntu-latest +# permissions: +# packages: 'write' +# contents: 'read' +# id-token: 'write' +# outputs: +# image: ${{ steps.docker-build-push.outputs.image }} +# steps: +# - uses: navikt/teamsykmelding-github-actions-workflows/actions/yarn-cached@main +# with: +# NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }} +# - run: yarn lint +# - run: yarn build +# env: +# NEXT_PUBLIC_ENVIRONMENT: dev - deploy-bot-to-gcp: - if: github.ref == 'refs/heads/main' - name: Deploy to prod - needs: [build-and-publish, codeql-analysis, test] - runs-on: ubuntu-latest - environment: - name: production - url: https://helsesjekk-bot.nav.no - steps: - - uses: actions/checkout@v4 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: prod-gcp - RESOURCE: nais.yml - VAR: image=${{ needs.build-and-publish.outputs.image }} +# deploy-bot-to-gcp: +# if: github.ref == 'refs/heads/main' +# name: Deploy to prod +# needs: [build-and-publish, codeql-analysis, test] +# runs-on: ubuntu-latest +# environment: +# name: production +# url: https://helsesjekk-bot.nav.no +# steps: +# - uses: actions/checkout@v4 +# - uses: nais/deploy/actions/deploy@v1 +# env: +# APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} +# CLUSTER: prod-gcp +# RESOURCE: nais.yml +# VAR: image=${{ needs.build-and-publish.outputs.image }} - deploy-bot-to-gcp-dev: - if: github.ref != 'refs/heads/main' - name: Deploy to dev - needs: [build-and-publish-dev, test] - runs-on: ubuntu-latest - environment: - name: development - url: https://helsesjekk-bot.intern.dev.nav.no - steps: - - uses: actions/checkout@v4 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: dev-gcp - RESOURCE: nais-dev.yml - VAR: image=${{ needs.build-and-publish-dev.outputs.image }} +# deploy-bot-to-gcp-dev: +# if: github.ref != 'refs/heads/main' +# name: Deploy to dev +# needs: [build-and-publish-dev, test] +# runs-on: ubuntu-latest +# environment: +# name: development +# url: https://helsesjekk-bot.intern.dev.nav.no +# steps: +# - uses: actions/checkout@v4 +# - uses: nais/deploy/actions/deploy@v1 +# env: +# APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} +# CLUSTER: dev-gcp +# RESOURCE: nais-dev.yml +# VAR: image=${{ needs.build-and-publish-dev.outputs.image }} - trivy-docker: - permissions: - contents: 'write' - id-token: 'write' - security-events: 'write' - name: Trivy docker - runs-on: ubuntu-latest - needs: [build-and-publish] - steps: - - run: touch me - - uses: nais/login@v0 - with: - project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} - identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} - team: teamsykmelding +# trivy-docker: +# permissions: +# contents: 'write' +# id-token: 'write' +# security-events: 'write' +# name: Trivy docker +# runs-on: ubuntu-latest +# needs: [build-and-publish] +# steps: +# - run: touch me +# - uses: nais/login@v0 +# with: +# project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} +# identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} +# team: teamsykmelding - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 - with: - image-ref: ${{ needs.build-and-publish.outputs.image }} - ignore-unfixed: true - vuln-type: 'os' - severity: 'CRITICAL,HIGH' - format: 'sarif' - output: 'trivy-results.sarif' - scanners: 'vuln' +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 +# with: +# image-ref: ${{ needs.build-and-publish.outputs.image }} +# ignore-unfixed: true +# vuln-type: 'os' +# severity: 'CRITICAL,HIGH' +# format: 'sarif' +# output: 'trivy-results.sarif' +# scanners: 'vuln' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-results.sarif' +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# if: always() +# with: +# sarif_file: 'trivy-results.sarif'