.github/workflows/main.yaml

name: Build and deploy main

on:
  push:
    branches:
      - main
    paths-ignore:
      - "*.md"

env:
  BASEIMAGE: "cgr.dev/chainguard/jdk"

jobs:
  build:
    name: Build all the things
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
      security-events: write
    outputs:
      tag: "${{ steps.build-push-sign.outputs.tag }}"
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
      - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # ratchet:actions/setup-java@v3
        with:
          java-version: "21"
          distribution: "temurin"
          cache: "gradle"
      - uses: gradle/wrapper-validation-action@8d49e559aae34d3e0eb16cde532684bc9702762b # ratchet:gradle/wrapper-validation-action@v1
      - name: Setup Gradle
        uses: gradle/gradle-build-action@915a66c096a03101667f9df2e56c9efef558b165 # ratchet:gradle/gradle-build-action@v2
        with:
          dependency-graph: generate-and-submit
      - name: Build and test the app
        run: ./gradlew test shadowJar
      - name: Install cosign
        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # ratchet:sigstore/cosign-installer@main
        with:
          cosign-release: 'v2.2.0'
      - name: Verify distroless base image
        run: cosign verify --certificate-identity "https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" $BASEIMAGE
      - name: Create SBOM
        run: ./gradlew cyclonedxBom
      - name: "Build and push image"
        uses: nais/platform-build-push-sign@main # ratchet:exclude
        id: build-push-sign
        with:
          name: start.nais.io
          google_service_account: gh-start-nais-io
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          sbom: build/reports/bom.json
          multi-platform: true
      -  name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # ratchet:aquasecurity/trivy-action@master
         with:
            image-ref: "${{ steps.build-push-sign.outputs.tag }}"
            format: "sarif"
            output: "trivy-results.sarif"
      -  name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # ratchet:github/codeql-action/upload-sarif@v2
         with:
            sarif_file: 'trivy-results.sarif'

  deploy_to_prod:
    name: Deploy to prod-gcp
    needs: build
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
      - uses: nais/deploy/actions/deploy@913eb0f92e9d132dbe0cbba3390a340675849f30 # ratchet:nais/deploy/actions/deploy@v1
        env:
          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
          CLUSTER: prod-gcp
          RESOURCE: .nais/nais.yaml,.nais/alerts.yaml
          VARS: .nais/prod.yaml
          IMAGE: ${{ needs.build.outputs.tag }}