Update files based on repository configuration (#243)

Co-authored-by: pleo-file-distributor[bot] <114988919+pleo-file-distributor[bot]@users.noreply.github.com>
pleo-io · Feb 2, 2024 · d34ee74 · d34ee74
1 parent d7daa4f
commit d34ee74
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 40 deletions.
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
@@ -91,14 +91,14 @@ jobs:
 
         # Set up a JDK environment for building, testing and releasing.
       - name: Set up JDK 17
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@v4.0.0
         with:
           java-version: 17
           distribution: temurin
 
       # Allow caching Gradle executions to further speed up CI/CD steps invoking Gradle.
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2.10.0
+        uses: gradle/gradle-build-action@v2.11.1
         with:
           gradle-executable: ./gradlew
           gradle-version: wrapper
@@ -123,11 +123,29 @@ jobs:
 
       - name: Publish Unit Tests report to GitHub
         if: steps.s3-cache.outputs.processed != 'true'
-        uses: mikepenz/action-junit-report@0831a82caad2465c31c6dd929978f640cb42556c # v4.0.3
+        uses: mikepenz/action-junit-report@b1b7f659602565970688b2e2588738b9398e895d # v4.0.4
         with:
           check_name: Unit Tests report
           report_paths: "**/build/test-results/test/TEST-*.xml"
 
+      # Run Detekt
+      - name: Run Detekt
+        continue-on-error: true
+        if: ${{ github.ref == 'refs/heads/main' }}
+        run: ./gradlew detekt --stacktrace
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
+          GRADLE_READ_KEY: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
+          JOB_RUNR_REPO_PASSWORD: ${{ secrets.JOB_RUNR_REPO_PASSWORD }}
+
+      # Publish Detekt results to GitHub.
+      - name: Publish Detekt SARIF report to GitHub
+        continue-on-error: true
+        if: ${{ github.ref == 'refs/heads/main' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: build/reports/detekt/detekt.sarif
+
       - name: Trigger release
         if: ${{ github.ref == 'refs/heads/main' }}
         uses: peter-evans/repository-dispatch@v2

diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -21,6 +21,7 @@ env:
   language_JavaScript: "javascript"
   language_TypeScript: "javascript"
   WORKING_LANGUAGE: ""
+  CONFIG_FILE: ""
 
 jobs:
   analyze-java:
@@ -39,15 +40,15 @@ jobs:
         run: echo "WORKING_LANGUAGE=${{env[format('language_{0}', github.event.repository.language)]}}" >> "$GITHUB_ENV"
       # Set up a JDK environment for building, testing and releasing.
       - name: Set up JDK 17
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@v4.0.0
         if: ${{ env.WORKING_LANGUAGE == 'java' }}
         with:
           java-version: 17
           distribution: temurin
 
       # Allow caching Gradle executions to further speed up CI/CD steps invoking Gradle.
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2.10.0
+        uses: gradle/gradle-build-action@v2.11.1
         if: ${{ env.WORKING_LANGUAGE == 'java' }}
         with:
           gradle-executable: ./gradlew
@@ -63,12 +64,13 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ github.event.repository.language }}
           ram: 4096
           queries: security-and-quality
           tools: latest
+          config-file: ${{ env.CONFIG_FILE }}
 
       - name: Gradle Build
         run: ./gradlew classes testClasses --stacktrace -Dorg.gradle.jvmargs=-Xmx4g -Dorg.gradle.parallel=true
@@ -79,6 +81,6 @@ jobs:
           JOB_RUNR_REPO_PASSWORD: ${{ secrets.JOB_RUNR_REPO_PASSWORD }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           ram: 4096
diff --git a/.github/workflows/pr-help.yaml b/.github/workflows/pr-help.yaml
@@ -33,7 +33,7 @@ jobs:
   auto-approve-pr:
     runs-on: ubuntu-latest
     name: Auto-approve PR
-    if: ${{ github.actor == 'pleo-bot-renovate' && contains(github.event.pull_request.labels.*.name, 'autoapprove') }}
+    if: ${{ contains(fromJSON('["pleo-bot-renovate", "pleo-file-distributor[bot]"]'), github.actor) && contains(github.event.pull_request.labels.*.name, 'autoapprove') }}
     steps:
       - uses: hmarr/auto-approve-action@v3
         if: env.autoApproveEnabled == 'true'

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -21,6 +21,7 @@ env:
   publishTypeScriptFrontendModels: false
   publishAdditionalProjects: false
   deploymentEnabled: false
+  environmentTenant: product
   productionDeploymentEnabled: true
   generateChangelogUpdate: true
 
@@ -45,14 +46,14 @@ jobs:
 
       # Set up a JDK environment for building, testing and releasing.
       - name: Setup JDK 17
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@v4.0.0
         with:
           java-version: 17
           distribution: temurin
 
       # Allow caching Gradle executions to further speed up CI/CD steps invoking Gradle.
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2.10.0
+        uses: gradle/gradle-build-action@v2.11.1
         with:
           gradle-executable: ./gradlew
           gradle-version: wrapper
@@ -61,7 +62,7 @@ jobs:
       # Allow caching the Auto executable to speed up CI/CD steps by not re-downloading Auto.
       - name: Cache Auto
         id: cache-auto
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/auto
           key: dependency--intuit/auto-v11.0.4
@@ -149,7 +150,7 @@ jobs:
       # Allow caching the Auto executable to speed up CI/CD steps by not re-downloading Auto.
       - name: Cache Auto
         id: cache-auto
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/auto
           key: dependency--intuit/auto-v11.0.4
@@ -163,14 +164,14 @@ jobs:
 
       # Setup JDK environment for Gradle build tasks.
       - name: Setup JDK 17
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@v4.0.0
         with:
           java-version: 17
           distribution: temurin
 
       # Allow caching Gradle executions to further speed up CI/CD steps invoking Gradle.
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2.10.0
+        uses: gradle/gradle-build-action@v2.11.1
         with:
           gradle-executable: ./gradlew
           gradle-version: wrapper
@@ -280,14 +281,14 @@ jobs:
 
       # Setup a JDK environment for running Gradle publishing tasks.
       - name: Setup JDK 17
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@v4.0.0
         with:
           java-version: 17
           distribution: temurin
 
       # Allow caching Gradle executions to further speed up CI/CD steps invoking Gradle.
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2.10.0
+        uses: gradle/gradle-build-action@v2.11.1
         with:
           gradle-executable: ./gradlew
           gradle-version: wrapper
@@ -435,7 +436,7 @@ jobs:
       # Setup a JDK environment for running Gradle publishing tasks.
       - name: Setup JDK 17
         if: env.deploymentEnabled == 'true'
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@v4.0.0
         with:
           java-version: 17
           distribution: temurin
@@ -479,90 +480,109 @@ jobs:
             GRADLE_READ_KEY=${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
 
       - name: Configure product-dev AWS credentials
-        if: env.deploymentEnabled == 'true'
+        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
         uses: aws-actions/[email protected]
         with:
           role-to-assume: arn:aws:iam::${{vars.AWS_ACCOUNT_ID_PRODUCT_DEV}}:role/github/repository/${{ github.event.repository.name }}-github-actions
           role-session-name: GitHubActions
           aws-region: eu-west-1
           special-characters-workaround: true
 
-      - name: Login to Amazon ECR Product dev
-        if: env.deploymentEnabled == 'true'
+      - name: Login to Amazon ECR product-dev
+        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
         uses: aws-actions/[email protected]
 
-      - name: Push Docker Image to AWS ECR Product dev
-        if: env.deploymentEnabled == 'true'
+      - name: Push Docker Image to AWS ECR product-dev
+        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
         run: |
           ecr_repo_url="${{ vars.AWS_ACCOUNT_ID_PRODUCT_DEV }}.dkr.ecr.eu-west-1.amazonaws.com/pleo/${{ github.event.repository.name }}:${{ github.sha }}"
           docker tag ${{ github.sha }} ${ecr_repo_url}
           docker push ${ecr_repo_url}
           docker rmi -f ${ecr_repo_url}
 
-      - name: Configure staging AWS credentials
-        if: env.deploymentEnabled == 'true'
+      - name: Configure product-staging AWS credentials
+        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
         uses: aws-actions/[email protected]
         with:
           role-to-assume: arn:aws:iam::${{vars.AWS_ACCOUNT_ID_PRODUCT_STAGING}}:role/github/repository/${{ github.event.repository.name }}-github-actions
           role-session-name: GitHubActions
           aws-region: eu-west-1
           special-characters-workaround: true
 
-      # Allow publishing the built project Docker image to AWS ECR (staging).
-      - name: Login to Amazon ECR Staging
-        if: env.deploymentEnabled == 'true'
+      - name: Login to Amazon ECR product-staging
+        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
         uses: aws-actions/[email protected]
 
-      # Publish the built project Docker image to AWS ECR (staging).
-      - name: Push Docker Image to AWS ECR Staging
-        if: env.deploymentEnabled == 'true'
+      - name: Push Docker Image to AWS ECR product-staging
+        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
         run: |
           ecr_repo_url="${{ vars.AWS_ACCOUNT_ID_PRODUCT_STAGING }}.dkr.ecr.eu-west-1.amazonaws.com/pleo/${{ github.event.repository.name }}:${{ github.sha }}"
           docker tag ${{ github.sha }} ${ecr_repo_url}
           docker push ${ecr_repo_url}
           docker rmi -f ${ecr_repo_url}
 
-      - name: Configure production AWS credentials
-        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true'
+      - name: Configure product-production AWS credentials
+        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'product'
         uses: aws-actions/[email protected]
         with:
           role-to-assume: arn:aws:iam::${{vars.AWS_ACCOUNT_ID_PRODUCT_PRODUCTION}}:role/github/repository/${{ github.event.repository.name }}-github-actions
           role-session-name: GitHubActions
           aws-region: eu-west-1
           special-characters-workaround: true
 
-      # Allow publishing the built project Docker image to AWS ECR (production).
-      - name: Login to AWS ECR Production
-        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true'
+      - name: Login to AWS ECR product-production
+        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'product'
         uses: aws-actions/[email protected]
 
-      # Publish the built project Docker image to AWS ECR (production).
-      - name: Push Docker Image to AWS ECR Production
-        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true'
+      - name: Push Docker Image to AWS ECR product-production
+        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'product'
         run: |
           ecr_repo_url="${{ vars.AWS_ACCOUNT_ID_PRODUCT_PRODUCTION }}.dkr.ecr.eu-west-1.amazonaws.com/pleo/${{ github.event.repository.name }}:${{ github.sha }}"
           docker tag ${{ github.sha }} ${ecr_repo_url}
           docker push ${ecr_repo_url}
           docker rmi -f ${ecr_repo_url}
 
+      - name: Configure tooling-production AWS credentials
+        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'tooling'
+        uses: aws-actions/[email protected]
+        with:
+          role-to-assume: arn:aws:iam::${{vars.AWS_ACCOUNT_ID_TOOLING_PRODUCTION}}:role/github/repository/${{ github.event.repository.name }}-github-actions
+          role-session-name: GitHubActions
+          aws-region: eu-west-1
+          special-characters-workaround: true
+
+      - name: Login to Amazon ECR tooling-production
+        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'tooling'
+        uses: aws-actions/[email protected]
+
+      - name: Push Docker Image to AWS ECR tooling-production
+        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'tooling'
+        run: |
+          ecr_repo_url="${{ vars.AWS_ACCOUNT_ID_TOOLING_PRODUCTION }}.dkr.ecr.eu-west-1.amazonaws.com/pleo/${{ github.event.repository.name }}:${{ github.sha }}"
+          docker tag ${{ github.sha }} ${ecr_repo_url}
+          docker push ${ecr_repo_url}
+          docker rmi -f ${ecr_repo_url}
+
   get-env-variables:
     name: Prepare env variables
     outputs:
       deploymentEnabled: ${{ steps.env-variables.outputs.deploymentEnabled }}
+      environmentTenant: ${{ steps.env-variables.outputs.environmentTenant }}
     runs-on: ubuntu-latest
     steps:
       - name: Set output variables
         id: env-variables
         run: |
           echo "deploymentEnabled=${{ env.deploymentEnabled }}" >> "$GITHUB_OUTPUT"
+          echo "environmentTenant=${{ env.environmentTenant }}" >> "$GITHUB_OUTPUT"
 
   trigger-deploy-gitops-product-dev:
     name: Trigger deployment (GitOps)- Update product-dev image
     concurrency: update-image-tag
     needs:
       - publish-docker-image
       - get-env-variables
-    if: needs.get-env-variables.outputs.deploymentEnabled == 'true'
+    if: needs.get-env-variables.outputs.deploymentEnabled == 'true' && needs.get-env-variables.outputs.environmentTenant == 'product'
     uses: pleo-io/reusable-workflows/.github/workflows/update-image-tag.yaml@main
     with:
       environment: product-dev
@@ -577,11 +597,26 @@ jobs:
     needs:
       - publish-docker-image
       - get-env-variables
-    if: needs.get-env-variables.outputs.deploymentEnabled == 'true'
+    if: needs.get-env-variables.outputs.deploymentEnabled == 'true' && needs.get-env-variables.outputs.environmentTenant == 'product'
     uses: pleo-io/reusable-workflows/.github/workflows/update-image-tag.yaml@main
     with:
       environment: product-staging
       image_tag: ${{ github.sha }}
     secrets:
       application_id: ${{ secrets.PLEO_GH_APP_TOKEN_SIGNER_APP_ID }}
       application_private_key: ${{ secrets.PLEO_GH_APP_TOKEN_SIGNER_PRIVATE_KEY }}
+
+  trigger-deploy-gitops-tooling-production:
+    name: Trigger deployment (GitOps)- Update tooling-production image
+    concurrency: update-image-tag
+    needs:
+      - publish-docker-image
+      - get-env-variables
+    if: needs.get-env-variables.outputs.deploymentEnabled == 'true' && needs.get-env-variables.outputs.environmentTenant == 'tooling'
+    uses: pleo-io/reusable-workflows/.github/workflows/update-image-tag.yaml@main
+    with:
+      environment: tooling-production
+      image_tag: ${{ github.sha }}
+    secrets:
+      application_id: ${{ secrets.PLEO_GH_APP_TOKEN_SIGNER_APP_ID }}
+      application_private_key: ${{ secrets.PLEO_GH_APP_TOKEN_SIGNER_PRIVATE_KEY }}