people/.github/workflows/docker-hub.yml
Laurent Bossavit bbe8f32b96 👷(build) create version.json files on both backend and frontend on push
This supplements the release process. We inject GitHub metadata into two
version.json files; the 'version' value will depend on the type of event,
for release tag events it should be the same as the release tag (i.e. the
app version). This should make version information available to the /config
endpoint on any push, and the frontend should display the backend version.
(For extra safety we will also want to get the frontend version and display
that, but this commit only supplies the barest necessities.)
2024-11-19 18:24:57 +01:00


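---
# Docker Hub workflow for the backend and frontend images.
#
# On pushes to main, v* tags, pull requests and manual dispatch it scans both
# images with trivy, writes a version.json into each app tree and builds the
# images; on anything other than a pull_request it also pushes them to Docker
# Hub and then calls the ArgoCD webhook so the deployment refreshes.
#
# NOTE(review): numerique-gouv/action-trivy-cache@main, rouja/actions-sops@main
# and jsdaniell/create-json@v1.2.3 are mutable refs that run with the SOPS age
# key and the GitHub App token in scope. Pinning them to a full commit SHA
# (uses: owner/repo@<commit-sha>) keeps an upstream change from altering what
# runs with those credentials.
name: Docker Hub Workflow
run-name: Docker Hub Workflow

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
  # NOTE(review): for pull requests opened from forks, `secrets.*` are empty,
  # so the app-token and sops steps below will fail — confirm that is intended.
  pull_request:
    branches:
      - 'main'

env:
  # uid:gid handed to the Dockerfile; quoted so no YAML loader reads it as a
  # number.
  DOCKER_USER: "1001:127"

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      # App token scoped to the people and secrets repositories; it is what
      # lets the checkout fetch the secrets submodule (presumably private).
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: "people,secrets"
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          token: ${{ steps.app-token.outputs.token }}
          # No later step needs git credentials; don't leave the App token in
          # .git/config where the third-party actions that follow could read it.
          persist-credentials: false
      # `steps.meta` outputs are not referenced by any later step of this job.
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            lasuite/people-backend
            lasuite/people-frontend
      - name: Run trivy scan (backend)
        uses: numerique-gouv/action-trivy-cache@main
        with:
          docker-build-args: '--target backend-production -f Dockerfile'
          docker-image-name: 'docker.io/lasuite/people-backend:${{ github.sha }}'
      - name: Run trivy scan (frontend)
        uses: numerique-gouv/action-trivy-cache@main
        with:
          docker-build-args: '--target frontend-production -f Dockerfile'
          docker-image-name: 'docker.io/lasuite/people-frontend:${{ github.sha }}'

  # NOTE(review): neither build job has `needs: trivy-scan`, so images are
  # built and pushed even when the scan job fails — confirm the scan is meant
  # to be advisory only.
  build-and-push-backend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: "people,secrets"
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          token: ${{ steps.app-token.outputs.token }}
          # No later step needs git credentials; don't leave the App token in
          # .git/config where the third-party actions that follow could read it.
          persist-credentials: false
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: lasuite/people-backend
      # Decrypts the sops env file with the age key; DOCKER_HUB_USER and
      # DOCKER_HUB_PASSWORD used by the login step come from here (presumably
      # exported as job env — verify against the action's docs).
      - name: Load sops secrets
        uses: rouja/actions-sops@main
        with:
          secret-file: secrets/numerique-gouv/people/secrets.enc.env
          age-key: ${{ secrets.SOPS_PRIVATE }}
      - name: Login to DockerHub
        if: github.event_name != 'pull_request'
        run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
      # version.json is served by the /config endpoint. "version" is the ref
      # name: the tag on v* pushes, otherwise the branch/ref that triggered
      # the run. "build" is a fixed placeholder for now.
      - name: create-version-json
        id: create-version-json
        uses: jsdaniell/create-json@v1.2.3
        with:
          name: "version.json"
          json: >-
            {"source":"${{github.repository}}",
            "version":"${{github.ref_name}}",
            "commit":"${{github.sha}}",
            "build": "NA"}
          dir: 'src/backend'
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          target: backend-production
          # NOTE(review): expands to `DOCKER_USER=1001:127:-1000`; the trailing
          # `:-1000` reads like a shell default-value fragment — confirm the
          # Dockerfile expects this exact form.
          build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
          # Pull requests build only; pushes to main and v* tags publish.
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  build-and-push-frontend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: "people,secrets"
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          token: ${{ steps.app-token.outputs.token }}
          # No later step needs git credentials; don't leave the App token in
          # .git/config where the third-party actions that follow could read it.
          persist-credentials: false
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: lasuite/people-frontend
      # Decrypts the sops env file with the age key; DOCKER_HUB_USER and
      # DOCKER_HUB_PASSWORD used by the login step come from here (presumably
      # exported as job env — verify against the action's docs).
      - name: Load sops secrets
        uses: rouja/actions-sops@main
        with:
          secret-file: secrets/numerique-gouv/people/secrets.enc.env
          age-key: ${{ secrets.SOPS_PRIVATE }}
      # Same version.json as the backend, written into the desk app so the
      # frontend image carries its own copy.
      - name: create-version-json
        id: create-version-json
        uses: jsdaniell/create-json@v1.2.3
        with:
          name: "version.json"
          json: >-
            {"source":"${{github.repository}}",
            "version":"${{github.ref_name}}",
            "commit":"${{github.sha}}",
            "build": "NA"}
          dir: 'src/frontend/apps/desk'
      - name: Login to DockerHub
        if: github.event_name != 'pull_request'
        run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          target: frontend-production
          # NOTE(review): expands to `DOCKER_USER=1001:127:-1000`; the trailing
          # `:-1000` reads like a shell default-value fragment — confirm the
          # Dockerfile expects this exact form.
          build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
          # Pull requests build only; pushes to main and v* tags publish.
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  # Runs only after both images were pushed, and never for pull requests.
  notify-argocd:
    needs:
      - build-and-push-frontend
      - build-and-push-backend
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request'
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: "people,secrets"
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          token: ${{ steps.app-token.outputs.token }}
          # No later step needs git credentials; don't leave the App token in
          # .git/config where the third-party actions that follow could read it.
          persist-credentials: false
      # Provides ARGOCD_WEBHOOK_SECRET and ARGOCD_WEBHOOK_URL for the webhook
      # step (presumably exported as job env — verify against the action's docs).
      - name: Load sops secrets
        uses: rouja/actions-sops@main
        with:
          secret-file: secrets/numerique-gouv/people/secrets.enc.env
          age-key: ${{ secrets.SOPS_PRIVATE }}
      # Emulates a GitHub "push" webhook towards ArgoCD, signed with the shared
      # secret. Every expansion is double-quoted so the bytes that are signed
      # are exactly the bytes that are sent, `-u` fails fast if a secret was
      # not loaded instead of signing with an empty key, and `--fail` turns a
      # non-2xx reply from ArgoCD into a job failure instead of a silent no-op.
      - name: Call argocd github webhook
        run: |
          set -euo pipefail
          repo_url="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}"
          data='{"ref": "'"${GITHUB_REF}"'","repository": {"html_url":"'"${repo_url}"'"}}'
          sig=$(printf '%s' "${data}" | openssl dgst -sha1 -hmac "${ARGOCD_WEBHOOK_SECRET}" | awk '{print "X-Hub-Signature: sha1="$2}')
          curl --fail --silent --show-error -X POST \
            -H 'X-GitHub-Event:push' \
            -H 'Content-Type: application/json' \
            -H "${sig}" \
            --data "${data}" \
            "${ARGOCD_WEBHOOK_URL}"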