From fccb7684574adc61b235c00a808ee88eb2c2057f Mon Sep 17 00:00:00 2001
From: remcosnijders <remco.snijders@ritense.com>
Date: Tue, 26 Nov 2024 14:36:34 +0100
Subject: [PATCH] Software supply chain security feature cosign added and
 workflows split

---
 .github/workflows/pull_request.yaml        | 110 +++++++++++++++++++++
 .github/workflows/{cicd.yaml => push.yaml} |   6 +-
 2 files changed, 113 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/pull_request.yaml
 rename .github/workflows/{cicd.yaml => push.yaml} (96%)

diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
new file mode 100644
index 0000000..3dbd733
--- /dev/null
+++ b/.github/workflows/pull_request.yaml
@@ -0,0 +1,110 @@
+name: Build and Push Docker Image on PR
+
+on:
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - closed
+    branches:
+      - 'development'
+      - 'rc/**'
+      - 'hotfix/**'
+
+env:
+  GITHUB_REGISTRY: ghcr.io
+  DOCKER_IMAGE_NAME: <docker_image_name>
+  GITHUB_NAMESPACE: valtimo-cloud
+
+jobs:
+  if_merged:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo "The PR was merged"
+  build:
+    runs-on: ubuntu-latest
+    needs: [ if_merged ]
+    outputs:
+      tagToDeploy: ${{ steps.prep.outputs.image_tag }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+            distribution: zulu
+            java-version: 17
+      - name: 'Generate unique docker tag to deploy'
+        id: prep
+        run: |
+          branch=${GITHUB_REF##*/}
+          sha=${GITHUB_SHA::8}
+          ts=$(date +'%Y%m%d%H%M')
+          echo "image_tag=${branch}-${ts}-${sha}" >> "$GITHUB_OUTPUT"
+      - name: Unit test
+        run: ./gradlew clean test
+      - name: Build artifacts
+        run: ./gradlew build
+      - name: Archive build folder
+        uses: actions/upload-artifact@v4
+        with:
+          name: valtimo-backend-build
+          path: build/
+  deploy:
+      runs-on: ubuntu-latest
+      needs: [ build ]
+      permissions:
+          contents: read
+          packages: write
+          id-token: write
+      steps:
+          -   name: Checkout code
+              uses: actions/checkout@v3.5.2
+              with:
+                  fetch-depth: 1
+          -   name: Install Cosign
+              uses: sigstore/cosign-installer@v3.5.0
+          -   name: Set up QEMU
+              uses: docker/setup-qemu-action@v2.1.0
+          -   name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2.5.0
+          -   name: Download dist artifact
+              uses: actions/download-artifact@v4
+              with:
+                  name: valtimo-backend-build
+          -   name: 'Login to github packages'
+              uses: docker/login-action@v1
+              with:
+                  registry: ${{ env.GITHUB_REGISTRY }}
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+          -   id: docker_meta
+              uses: docker/metadata-action@v4.4.0
+              with:
+                  images: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}
+                  tags: type=raw,value=${{ needs.build.outputs.tagToDeploy }}
+          -   name: Build and push Docker image
+              uses: docker/build-push-action@v4.0.0
+              id: build-and-push
+              with:
+                  file: Dockerfile
+                  context: .
+                  push: true
+                  tags: ${{ steps.docker_meta.outputs.tags }}
+          -   name: Sign the images with GitHub OIDC Token
+              env:
+                  DIGEST: ${{ steps.build-and-push.outputs.digest }}
+                  TAGS: ${{ steps.docker_meta.outputs.tags }}
+              run: |
+                  images=""
+                  for tag in ${TAGS}; do
+                    images+="${tag}@${DIGEST} "
+                  done
+                  cosign sign --yes ${images}
+          -   name: Verify the images
+              run: |
+                  branch=${GITHUB_REF##*/}
+                  cosign verify ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.tagToDeploy }} \
+                     --certificate-identity https://github.com/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}/.github/workflows/cicd.yaml@refs/heads/${branch} \
+                     --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
\ No newline at end of file
diff --git a/.github/workflows/cicd.yaml b/.github/workflows/push.yaml
similarity index 96%
rename from .github/workflows/cicd.yaml
rename to .github/workflows/push.yaml
index d9649d3..5215e93 100644
--- a/.github/workflows/cicd.yaml
+++ b/.github/workflows/push.yaml
@@ -1,6 +1,7 @@
-name: Build and Push Docker Image
+name: Build and Push Docker Image on Push
 
 on:
+    workflow_dispatch:
     push:
         branches:
             - 'feature/**'
@@ -10,7 +11,6 @@ on:
             - 'development'
             - 'rc/**'
             - 'hotfix/**'
-    workflow_dispatch:
 
 env:
     GITHUB_REGISTRY: ghcr.io
@@ -47,7 +47,7 @@ jobs:
               run: ./gradlew build
 
             - name: Archive build folder
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
               with:
                   name: valtimo-backend-build
                   path: build/