Skip to content

build: use non-root user for API container #3118

build: use non-root user for API container

build: use non-root user for API container #3118

name: Preview Deployment
concurrency: ${{ github.ref }}_environment
on:
pull_request:
types: [ closed, synchronize ]
issue_comment:
types: [ created ]
permissions:
pull-requests: write
jobs:
has-deployment:
if: github.event.issue.pull_request || github.event_name == 'pull_request'
outputs:
has-swa: ${{ steps.has-swa.outputs.has-swa }}
has-wa: ${{ steps.has-wa.outputs.has-wa }}
runs-on: ubuntu-latest
steps:
- name: Check if Webapp Environment exists
id: has-swa
run: echo "has-swa=true" >> $GITHUB_OUTPUT # this temporarily disables preview deployments
- name: Check if API Environment exists
id: has-wa
run: echo "has-wa=false" >> $GITHUB_OUTPUT # this temporarily disables preview deployments
comment-handler:
if: |
(github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/deploy-preview')) &&
(needs.has-deployment.outputs.has-swa == 'false' && needs.has-deployment.outputs.has-wa == 'false')
needs: has-deployment
runs-on: ubuntu-latest
outputs:
is-admin: ${{ steps.is-admin-check.outputs.require-result }}
steps:
- name: Check Permission
uses: actions-cool/check-user-permission@v2
id: is-admin-check
with:
require: 'admin'
- name: Remove Comment
uses: actions/github-script@v7
with:
script: 'github.rest.issues.deleteComment({ comment_id: context.payload.comment.id, owner: context.repo.owner, repo: context.repo.repo })'
deployment:
needs: comment-handler
runs-on: ubuntu-latest
if: |
(github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/deploy-preview')) &&
(needs.comment-handler.outputs.is-admin == 'true')
permissions:
contents: read
packages: write
pull-requests: write
steps:
- uses: actions/checkout@v4
with:
ref: refs/pull/${{ github.event.issue.number }}/head
- name: Set PR SHA
id: set-pr-sha
run: |
head_sha=$(git rev-parse HEAD)
echo "::set-output name=head_sha::$head_sha"
- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'npm'
- run: npm ci --ignore-scripts
- name: Initial Deployment Preview Comment
uses: peter-evans/[email protected]
id: pr-preview-comment
with:
issue-number: ${{ github.event.issue.number }}
body: |
### 🚧 Building Deployment Preview..
A preview of this Pull Request is being created. Hold tight while it's building ⚒️
This comment will be automatically updated when the preview is ready.
- name: Build and Deploy API
id: api-deployment
uses: ./.github/actions/build-and-deploy-api
with:
deploymentEnv: "pr${{ github.event.issue.number }}"
releaseVersion: ${{ steps.set-pr-sha.outputs.head_sha }}
sentryAuthToken: ${{ secrets.SENTRY_AUTH_TOKEN }}
containerRegistryUrl: ghcr.io
containerRegistryUsername: ${{ github.actor }}
containerRegistryPassword: ${{ secrets.GITHUB_TOKEN }}
containerTag: ghcr.io/kordis-leitstelle/kordis-api:${{ steps.set-pr-sha.outputs.head_sha }}
- name: Build and Deploy SPA
id: spa-deployment
uses: ./.github/actions/build-and-deploy-spa
with:
releaseVersion: ${{ steps.set-pr-sha.outputs.head_sha }}
deploymentEnv: "pr${{ github.event.issue.number }}"
sentryAuthToken: ${{ secrets.SENTRY_AUTH_TOKEN }}
containerRegistryUrl: ghcr.io
containerRegistryUsername: ${{ github.actor }}
containerRegistryPassword: ${{ secrets.GITHUB_TOKEN }}
containerTag: ghcr.io/kordis-leitstelle/kordis-spa:${{ steps.set-pr-sha.outputs.head_sha }}
- name: Update PR Preview Comment
uses: peter-evans/[email protected]
with:
comment-id: ${{ steps.pr-preview-comment.outputs.comment-id }}
edit-mode: replace
body: |
### 🚀 Deployment Preview
SPA: ${{ steps.spa-deployment.outputs.url }}
API: ${{ steps.api-deployment.outputs.url }}
Commit SHA: ${{ steps.set-pr-sha.outputs.head_sha }}
reactions: "rocket"
- name: AZ B2C Tenant Login
uses: azure/[email protected]
with:
creds: '${{ secrets.AZURE_AADB2C_CREDENTIALS }}'
allow-no-subscriptions: true
enable-AzPSSession: true
- name: Add redirect URL to Azure AD tenant
uses: azure/powershell@v1
with:
inlineScript: |
$currentConfig = az ad app show --id ${{ secrets.AADB2C_DEV_APP_OBJ_ID }} | ConvertFrom-Json -AsHashtable
$currentConfig.spa.redirectUris += "${{ steps.spa-deployment.outputs.url }}"
$updatePayload = $currentConfig | Select-Object -Property spa | ConvertTo-Json -Compress
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/${{ secrets.AADB2C_DEV_APP_OBJ_ID }}' --headers 'Content-Type=application/json' --body $updatePayload
azPSVersion: "latest"
update-deployment:
needs: has-deployment
runs-on: ubuntu-latest
if: |
(github.event_name == 'pull_request' && github.event.action == 'synchronize') &&
(needs.has-deployment.outputs.has-swa == 'true' || needs.has-deployment.outputs.has-wa == 'true') && false
permissions:
contents: read
packages: write
pull-requests: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'npm'
- run: npm ci --ignore-scripts
- name: Find PR Preview Comment
uses: peter-evans/find-comment@v3
id: deploy-preview-comment
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: "github-actions[bot]"
body-includes: Deployment Preview
- name: Update PR Preview Comment
if: steps.deploy-preview-comment.outputs.comment-id != ''
uses: peter-evans/[email protected]
with:
comment-id: ${{ steps.deploy-preview-comment.outputs.comment-id }}
edit-mode: replace
body: |
### 🚧 Building Deployment Preview..
The Pull Request preview is being updated. Hold tight while it's building ⚒️
This comment will be automatically updated when the new version is ready.
- name: Build and Deploy API
id: api-deployment
uses: ./.github/actions/build-and-deploy-api
with:
deploymentEnv: "pr${{ github.event.pull_request.number }}"
releaseVersion: ${{ github.event.pull_request.head.sha }}
sentryAuthToken: ${{ secrets.SENTRY_AUTH_TOKEN }}
containerRegistryUrl: ghcr.io
containerRegistryUsername: ${{ github.actor }}
containerRegistryPassword: ${{ secrets.GITHUB_TOKEN }}
containerTag: ghcr.io/kordis-leitstelle/kordis-api:${{ github.event.pull_request.head.sha }}
- name: Build and Deploy SPA
id: spa-deployment
uses: ./.github/actions/build-and-deploy-spa
with:
releaseVersion: ${{ github.event.pull_request.head.sha }}
deploymentEnv: "pr${{ github.event.pull_request.number }}"
sentryAuthToken: ${{ secrets.SENTRY_AUTH_TOKEN }}
containerRegistryUrl: ghcr.io
containerRegistryUsername: ${{ github.actor }}
containerRegistryPassword: ${{ secrets.GITHUB_TOKEN }}
containerTag: ghcr.io/kordis-leitstelle/kordis-spa:${{ github.event.pull_request.head.sha }}
- name: Update PR Preview Comment
uses: peter-evans/[email protected]
with:
comment-id: ${{ steps.deploy-preview-comment.outputs.comment-id }}
edit-mode: replace
body: |
### 🚀 Deployment Preview
SPA: ${{ steps.spa-deployment.outputs.url }}
API: ${{ steps.api-deployment.outputs.url }}
Commit SHA: ${{ github.event.pull_request.head.sha }}
reactions: "rocket"
delete-deployment:
needs: has-deployment
runs-on: ubuntu-latest
if: |
(github.event_name == 'pull_request' && github.event.action == 'closed') &&
(needs.has-deployment.outputs.has-swa == 'true' || needs.has-deployment.outputs.has-wa == 'true') && false
steps:
- name: Find PR Preview Comment
uses: peter-evans/find-comment@v3
id: deploy-preview-comment
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: "github-actions[bot]"
body-includes: Deployment Preview
- name: Update PR Preview Comment
if: steps.deploy-preview-comment.outputs.comment-id != ''
uses: peter-evans/[email protected]
with:
comment-id: ${{ steps.deploy-preview-comment.outputs.comment-id }}
edit-mode: replace
body: |
### Deployment Preview
🏁 This PR has been closed. No deployment preview is available.
reactions: "hooray"
- name: AZ B2C Tenant Login
uses: azure/[email protected]
with:
creds: '${{ secrets.AZURE_AADB2C_CREDENTIALS }}'
allow-no-subscriptions: true
enable-AzPSSession: true
- name: Remove redirect URL from Azure AD tenant
uses: azure/powershell@v1
with:
inlineScript: |
$currentConfig = az ad app show --id ${{ secrets.AADB2C_DEV_APP_OBJ_ID }} | ConvertFrom-Json -AsHashtable
$currentConfig.spa.redirectUris = $currentConfig.spa.redirectUris | Where-Object { $_ –ne "${{ steps.spa-deployment.outputs.url }}" }
$updatePayload = $currentConfig | Select-Object -Property spa | ConvertTo-Json -Compress
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/${{ secrets.AADB2C_DEV_APP_OBJ_ID }}' --headers 'Content-Type=application/json' --body $updatePayload
azPSVersion: "latest"