chore(deps): update aquasecurity/trivy-action action to v0.25.0 #287
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Merge | |
| on: | |
| push: | |
| branches: [main] | |
| paths-ignore: | |
| - ".github/ISSUE_TEMPLATE/*" | |
| - "**.md" | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }} | |
| cancel-in-progress: true | |
| jobs: | |
| vars: | |
| name: Set Variables | |
| outputs: | |
| pr: ${{ steps.pr.outputs.pr }} | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 1 | |
| steps: | |
| # Get PR number for squash merges to main | |
| - name: PR Number | |
| id: pr | |
| uses: bcgov-nr/action-get-pr@v0.0.1 | |
| images-test: | |
| name: Promote images to TEST | |
| needs: [vars] | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| component: [backend, database, frontend, legacy, processor] | |
| steps: | |
| - uses: shrink/actions-docker-registry-tag@v4 | |
| with: | |
| registry: ghcr.io | |
| repository: ${{ github.repository }}/${{ matrix.component }} | |
| target: ${{ needs.vars.outputs.pr}} | |
| tags: test | |
| test-init: | |
| name: TEST Init | |
| needs: [images-test] | |
| env: | |
| ZONE: test | |
| URL: forestclient-tst.nrs.gov.bc.ca | |
| environment: test | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Deploys | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: common/openshift.init.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p ORACLEDB_USER=${{ secrets.ORACLEDB_USERNAME }} | |
| -p ORACLEDB_PASSWORD=${{ secrets.ORACLEDB_PASSWORD }} | |
| -p ORACLEDB_USER_W=${{ secrets.ORACLEDB_USERNAME_W }} | |
| -p ORACLEDB_PASSWORD_W=${{ secrets.ORACLEDB_PASSWORD_W }} | |
| -p ORACLEDB_DATABASE=${{ secrets.ORACLEDB_DATABASE }} | |
| -p ORACLEDB_HOST=${{ secrets.ORACLEDB_HOST }} | |
| -p ORACLEDB_SERVICENAME=${{ secrets.ORACLEDB_SERVICENAME }} | |
| -p ORACLEDB_SECRET=${{ secrets.ORACLEDB_SECRET }} | |
| -p BCREGISTRY_KEY='${{ secrets.BCREGISTRY_KEY }}' | |
| -p BCREGISTRY_ACCOUNT='${{ secrets.BCREGISTRY_ACCOUNT }}' | |
| -p CHES_CLIENT_ID=${{ secrets.CHES_CLIENT_ID }} | |
| -p CHES_CLIENT_SECRET=${{ secrets.CHES_CLIENT_SECRET }} | |
| -p ADDRESS_COMPLETE_KEY=${{ secrets.ADDRESS_COMPLETE_KEY }} | |
| -p DB_PASSWORD=${{ secrets.DB_PASSWORD }} | |
| -p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }} | |
| -p COGNITO_ENVIRONMENT=TEST | |
| -p CHES_MAIL_COPY=${{ secrets.CHES_MAIL_COPY }} | |
| - name: Conventional Changelog Update | |
| uses: TriPSs/conventional-changelog-action@v5 | |
| id: changelog | |
| continue-on-error: true | |
| with: | |
| github-token: ${{ github.token }} | |
| output-file: "CHANGELOG.md" | |
| skip-version-file: "true" | |
| skip-commit: "true" | |
| git-push: "true" | |
| - name: Create Release | |
| uses: softprops/action-gh-release@v2 | |
| if: ${{ steps.changelog.outputs.tag != '' }} | |
| continue-on-error: true | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| with: | |
| token: ${{ github.token }} | |
| tag_name: ${{ steps.changelog.outputs.tag }} | |
| name: ${{ steps.changelog.outputs.tag }} | |
| body: ${{ steps.changelog.outputs.clean_changelog }} | |
| test-deploy: | |
| name: TEST Deployment | |
| needs: [test-init] | |
| env: | |
| URL: forestclient-tst.nrs.gov.bc.ca | |
| ZONE: test | |
| environment: test | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Deploy Database Backup | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: database/openshift.backup.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/database:${{ env.ZONE }} | |
| - name: Backup database before update | |
| continue-on-error: true | |
| run: | | |
| oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }} | |
| oc project ${{ secrets.OC_NAMESPACE }} | |
| # Run a backup before deploying a new version | |
| oc create job --from=cronjob/${{ github.event.repository.name }}-${{ env.ZONE }}-database-backup ${{ github.event.repository.name }}-${{ env.ZONE }}-database-backup-$(date +%Y%m%d%H%M%S) | |
| - name: Deploy Database | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: database/openshift.deploy.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: false | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/database:${{ env.ZONE }} | |
| - name: Deploy Legacy | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: legacy/openshift.deploy.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| verification_path: health | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/legacy:${{ env.ZONE }} | |
| -p ENVIRONMENT=${{ secrets.OC_NAMESPACE }} | |
| - name: Deploy Processor | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: processor/openshift.deploy.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| verification_path: health | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/processor:${{ env.ZONE }} | |
| -p BCREGISTRY_URI='https://bcregistry-prod.apigee.net' | |
| - name: Deploy Backend ConfigMap | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: backend/openshift.configmap.test.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} | |
| - name: Deploy Backend | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: backend/openshift.deploy.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| verification_path: health | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/backend:${{ env.ZONE }} | |
| -p CHES_TOKEN_URL='https://loginproxy.gov.bc.ca/auth/realms/comsvcauth/protocol/openid-connect/token' | |
| -p CHES_API_URL='https://ches.api.gov.bc.ca/api/v1' | |
| -p BCREGISTRY_URI='https://bcregistry-prod.apigee.net' | |
| -p COGNITO_REGION=ca-central-1 | |
| -p FRONTEND_URL=${{ env.URL }} | |
| - name: Dev data replacement | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: database/openshift.dev.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| - name: Deploy Frontend ConfigMap | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: frontend/openshift.configmap.test.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} | |
| - name: Deploy Frontend | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: frontend/openshift.deploy.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/frontend:${{ env.ZONE }} | |
| -p GREEN_DOMAIN=${{ secrets.GREEN_DOMAIN }} | |
| -p VITE_NODE_ENV=openshift-${{ env.ZONE }} | |
| -p URL=${{ env.URL }} | |
| -p COGNITO_REGION=${{ secrets.COGNITO_REGION }} | |
| -p COGNITO_CLIENT_ID=${{ secrets.COGNITO_CLIENT_ID }} | |
| -p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }} | |
| -p COGNITO_DOMAIN=${{ secrets.COGNITO_DOMAIN }} | |
| -p COGNITO_ENVIRONMENT=TEST | |
| -p LANDING_URL='${{ secrets.COGNITO_LOGOUT_URI }}' | |
| -p FRONTEND_URL=${{ env.URL }} | |
| documentation: | |
| name: Generating Documentation | |
| uses: ./.github/workflows/reusable-doc-gen.yml | |
| images-prod: | |
| name: Promote images to PROD | |
| needs: [test-deploy] | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| component: [backend, frontend, legacy, database, processor] | |
| steps: | |
| - uses: shrink/actions-docker-registry-tag@v4 | |
| with: | |
| registry: ghcr.io | |
| repository: ${{ github.repository }}/${{ matrix.component }} | |
| target: test | |
| tags: prod | |
| prod-init: | |
| name: PROD Init | |
| needs: [images-prod] | |
| env: | |
| URL: forestclient.nrs.gov.bc.ca | |
| ZONE: prod | |
| environment: prod | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Deploys | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: common/openshift.init.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p ORACLEDB_USER=${{ secrets.ORACLEDB_USERNAME }} | |
| -p ORACLEDB_PASSWORD=${{ secrets.ORACLEDB_PASSWORD }} | |
| -p ORACLEDB_USER_W=${{ secrets.ORACLEDB_USERNAME_W }} | |
| -p ORACLEDB_PASSWORD_W=${{ secrets.ORACLEDB_PASSWORD_W }} | |
| -p ORACLEDB_DATABASE=${{ secrets.ORACLEDB_DATABASE }} | |
| -p ORACLEDB_HOST=${{ secrets.ORACLEDB_HOST }} | |
| -p ORACLEDB_SERVICENAME=${{ secrets.ORACLEDB_SERVICENAME }} | |
| -p ORACLEDB_SECRET=${{ secrets.ORACLEDB_SECRET }} | |
| -p BCREGISTRY_KEY='${{ secrets.BCREGISTRY_KEY }}' | |
| -p BCREGISTRY_ACCOUNT='${{ secrets.BCREGISTRY_ACCOUNT }}' | |
| -p CHES_CLIENT_ID=${{ secrets.CHES_CLIENT_ID }} | |
| -p CHES_CLIENT_SECRET=${{ secrets.CHES_CLIENT_SECRET }} | |
| -p ADDRESS_COMPLETE_KEY=${{ secrets.ADDRESS_COMPLETE_KEY }} | |
| -p DB_PASSWORD=${{ secrets.DB_PASSWORD }} | |
| -p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }} | |
| -p COGNITO_ENVIRONMENT=PROD | |
| -p CHES_MAIL_COPY=${{ secrets.CHES_MAIL_COPY }} | |
| prod-deploy: | |
| name: PROD Deployment | |
| needs: [prod-init] | |
| env: | |
| PREV: test | |
| ZONE: prod | |
| URL: forestclient.nrs.gov.bc.ca | |
| environment: prod | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Deploy Database Backup | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: database/openshift.backup.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/database:${{ env.PREV }} | |
| - name: Install CLI tools from OpenShift Mirror | |
| uses: redhat-actions/openshift-tools-installer@v1 | |
| with: | |
| oc: "4.13" | |
| - name: Backup database before update | |
| continue-on-error: true | |
| run: | | |
| oc login --token=${{ secrets.OC_TOKEN }} --server=${{ secrets.OC_SERVER }} | |
| oc project ${{ secrets.OC_NAMESPACE }} # Safeguard! | |
| # Run a backup before deploying a new version | |
| oc create job --from=cronjob/${{ github.event.repository.name }}-${{ env.ZONE }}-database-backup ${{ github.event.repository.name }}-${{ env.ZONE }}-database-backup-$(date +%Y%m%d%H%M%S) | |
| - name: Deploy Database | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: database/openshift.deploy.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: false | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/database:${{ env.PREV }} | |
| - name: Deploy Legacy | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: legacy/openshift.deploy.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| verification_path: health | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/legacy:${{ env.PREV }} | |
| -p ENVIRONMENT=${{ secrets.OC_NAMESPACE }} | |
| - name: Deploy Processor | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: processor/openshift.deploy.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| verification_path: health | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/processor:${{ env.PREV }} | |
| -p BCREGISTRY_URI='https://bcregistry-prod.apigee.net' | |
| - name: Deploy Backend ConfigMap | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: backend/openshift.configmap.prod.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} | |
| - name: Deploy Backend | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: backend/openshift.deploy.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| verification_path: health | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/backend:${{ env.PREV }} | |
| -p CHES_TOKEN_URL='https://loginproxy.gov.bc.ca/auth/realms/comsvcauth/protocol/openid-connect/token' | |
| -p CHES_API_URL='https://ches.api.gov.bc.ca/api/v1' | |
| -p BCREGISTRY_URI='https://bcregistry-prod.apigee.net' | |
| -p COGNITO_REGION=ca-central-1 | |
| -p FRONTEND_URL=${{ env.URL }} | |
| - name: Deploy Frontend ConfigMap | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: frontend/openshift.configmap.prod.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} | |
| - name: Deploy Frontend | |
| uses: bcgov-nr/action-deployer-openshift@v3.0.1 | |
| with: | |
| file: frontend/openshift.deploy.yml | |
| oc_namespace: ${{ secrets.OC_NAMESPACE }} | |
| oc_server: ${{ secrets.OC_SERVER }} | |
| oc_token: ${{ secrets.OC_TOKEN }} | |
| oc_version: "4.13" | |
| overwrite: true | |
| parameters: | |
| -p ZONE=${{ env.ZONE }} -p NAME=${{ github.event.repository.name }} | |
| -p PROMOTE=${{ github.repository }}/frontend:${{ env.PREV }} | |
| -p GREEN_DOMAIN=${{ secrets.GREEN_DOMAIN }} | |
| -p VITE_NODE_ENV=openshift-${{ env.ZONE }} | |
| -p URL=${{ env.URL }} | |
| -p COGNITO_REGION=${{ secrets.COGNITO_REGION }} | |
| -p COGNITO_CLIENT_ID=${{ secrets.COGNITO_CLIENT_ID }} | |
| -p COGNITO_USER_POOL=${{ secrets.COGNITO_USER_POOL }} | |
| -p COGNITO_DOMAIN=${{ secrets.COGNITO_DOMAIN }} | |
| -p COGNITO_ENVIRONMENT=PROD | |
| -p LANDING_URL='${{ secrets.COGNITO_LOGOUT_URI }}' | |
| -p FRONTEND_URL=${{ env.URL }} |