Fjerner utdatert bibucket pipelines. La til action for å teste cert-c… #14
# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy | |
# More GitHub Actions for Azure: https://github.com/Azure/actions | |
name: Build and deploy container app to Azure Web App - dibk-ip-prod | |
on: | |
push: | |
branches: | |
- main | |
workflow_dispatch: | |
env: | |
acrPath: /app/integrasjonspunkt | |
appDir: /app | |
s6version: '3.2.0.0' | |
mavenRepo: 'https://repo1.maven.org/maven2/no/difi/meldingsutveksling/integrasjonspunkt' | |
altinnPort: 443 | |
jobs: | |
build: | |
runs-on: [self-hosted, macOS] | |
environment: production | |
steps: | |
- name: Henter inn integrasjonspunktets versjon | |
id: getVersion | |
run: | | |
curl -Lso maven-metadata.xml "https://repo1.maven.org/maven2/no/difi/meldingsutveksling/integrasjonspunkt/maven-metadata.xml" | |
echo "appVersion=$(sed -ne '/latest/{s/.*<latest>\(.*\)<\/latest>.*/\1/p;q;}' <<< cat maven-metadata.xml)" >> $GITHUB_OUTPUT | |
- uses: actions/checkout@v4 | |
- name: Hent integrasjonspunktet fra cache | |
id: app-cache | |
uses: actions/cache@v4 | |
env: | |
cache-name: app-cache | |
with: | |
path: ./app.jar | |
key: ${{env.cache-name}}-${{ steps.getVersion.outputs.appVersion }} | |
restore-keys: ${{ env.cache-name }}- | |
- name: Last ned integrasjonspunktet | |
if: steps.app-cache.outputs.cache-hit != 'true' | |
run: curl -Lso ./app.jar ${{env.mavenRepo}}/${{steps.getVersion.outputs.appVersion}}/integrasjonspunkt-${{steps.getVersion.outputs.appVersion}}.jar | |
- name: Lås opp nøkkelring | |
run: security -v unlock-keychain -p ${{ secrets.MACOS_KC_PASS }} ~/Library/Keychains/login.keychain-db | |
- name: Azure CLI login | |
run: | | |
echo "${{ secrets.AZURE_SP_CERT }}" > sp.cert | |
az login --service-principal -u ${{ vars.AZURE_SP_ID }} -p ./sp.cert --tenant ${{ vars.AZURE_TENANT_ID }} | |
az acr login --name ${{vars.ACR}} | |
- name: Henter virksomhetssertifikat fra Key Vault og setter passord på det | |
run: | | |
az keyvault secret download --encoding base64 --name ${{ vars.AZURE_KV_CERT_NAME }} --file vs.p12 --vault-name ${{ vars.KEYVAULT_NAME }} | |
empty= | |
openssl pkcs12 -in vs.p12 -passin pass:$empty -nodes -out vs-auth.pem | |
openssl pkcs12 -export -in vs-auth.pem -out auth.p12 -passout pass:${{secrets.KEYSTORE_PASS}} -name ${{vars.KEYSTORE_ALIAS}} | |
rm vs-auth.pem vs.p12 | |
- name: Henter inn CA-sertifikater fra cache | |
uses: actions/cache@v4 | |
id: ca-certs-cache | |
env: | |
cache-name: ca-certs-cache | |
with: | |
path: docker/trustcerts | |
key: ${{env.cache-name}}-${{ hashFiles('docker/trustcerts/*.cer') }} | |
restore-keys: ${{ env.cache-name }}- | |
- name: Henter inn CA-sertifikater uten cache | |
if: steps.ca-certs-cache.outputs.cache-hit != 'true' | |
run: | | |
curl -Lso docker/trustcerts/BuyPassClass3RootCA.cer "https://github.com/felleslosninger/docs/raw/gh-pages/resources/begrep/sikkerDigitalPost/sikkerhet/sertifikater/prod/BPClass3RootCA.cer" | |
curl -Lso docker/trustcerts/CommfidesClass3RootCA.cer "https://github.com/felleslosninger/docs/raw/gh-pages/resources/begrep/sikkerDigitalPost/sikkerhet/sertifikater/prod/cpn%20rootca%20sha256%20class%203.crt" | |
openssl s_client -connect ${{vars.ALTINN_HOST}}:${{env.altinnPort}} < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > docker/trustcerts/${{vars.ALTINN_HOST}}.cer | |
- name: Befolker properties-fila | |
env: | |
APP_VERSION: ${{steps.getVersion.outputs.appVersion}} | |
APP_ENV: ${{vars.APP_ENV}} | |
SERVER_PORT: ${{vars.SERVER_PORT}} | |
ORG_NR: ${{vars.ORG_NR}} | |
KEYSTORE_ALIAS: ${{vars.KEYSTORE_ALIAS}} | |
KEYSTORE_PASS: ${{secrets.KEYSTORE_PASS}} | |
KEYSTORE_PATH: ${{vars.KEYSTORE_PATH}} | |
KEYSTORE_TYPE: ${{vars.KEYSTORE_TYPE}} | |
DPO_ENABLE: ${{vars.DPO_ENABLE}} | |
DPO_USERNAME: ${{vars.DPO_USERNAME}} | |
DPO_PASSWORD: ${{secrets.DPO_PASSWORD}} | |
DPE_ENABLE: ${{vars.DPE_ENABLE}} | |
DPI_ENABLE: ${{vars.DPI_ENABLE}} | |
DPV_ENABLE: ${{vars.DPV_ENABLE}} | |
DPV_USERNAME: ${{vars.DPV_USERNAME}} | |
DPV_PASSWORD: ${{secrets.DPV_PASSWORD}} | |
AUTH_ENABLE: ${{vars.AUTH_ENABLE}} | |
AUTH_USERNAME: ${{vars.AUTH_USERNAME}} | |
AUTH_PASSWORD: ${{secrets.AUTH_PASSWORD}} | |
DB_URL: ${{vars.DB_URL}} | |
DB_USERNAME: ${{vars.DB_USERNAME}} | |
DB_PASSWORD: ${{secrets.DB_PASSWORD}} | |
DPF_ENABLE: ${{vars.DPF_ENABLE}} | |
SVARINN_USER: ${{vars.SVARINN_USER}} | |
SVARUT_USER: ${{vars.SVARUT_USER}} | |
SVARINN_PASSWORD: ${{secrets.SVARINN_PASSWORD}} | |
SVARUT_PASSWORD: ${{secrets.SVARUT_PASSWORD}} | |
MAIL_HOST: ${{vars.MAIL_HOST}} | |
MAIL_PORT: ${{vars.MAIL_PORT}} | |
MAIL_TO: ${{vars.MAIL_TO}} | |
MAIL_FROM: ${{vars.MAIL_FROM}} | |
MAIL_TLS: ${{vars.MAIL_TLS}} | |
MAIL_ONERROR: ${{vars.MAIL_ONERROR}} | |
MAIL_AUTH: ${{vars.MAIL_AUTH}} | |
MAIL_USER: ${{vars.MAIL_USER}} | |
MAIL_PASSWORD: ${{secrets.MAIL_PASSWORD}} | |
run: | | |
envsubst < "integrasjonspunkt-local.properties.dist" > "integrasjonspunkt-local.properties" | |
envsubst < "docker/motd.template" > "docker/motd.sh" | |
- name: Bygger og publiserer image | |
uses: docker/bake-action@v5 | |
env: | |
APP_ENV: ${{vars.APP_ENV}} | |
APP_VERSION: ${{steps.getVersion.outputs.appVersion}} | |
S6_OVERLAY_VERSION: ${{env.s6version}} | |
ACR: ${{ vars.ACR }} | |
ACRPATH: ${{ env.acrPath }} | |
SHA: ${{ github.sha }} | |
APP_DIR: ${{env.appDir}} | |
SERVER_PORT: ${{vars.SERVER_PORT}} | |
with: | |
files: 'docker-bake.hcl' | |
push: true | |
deploy: | |
runs-on: self-hosted | |
needs: build | |
steps: | |
- name: Deploy to Azure Web App | |
id: deploy-to-webapp | |
uses: azure/webapps-deploy@v2 | |
with: | |
app-name: 'dibk-ip-prod' | |
slot-name: 'production' | |
publish-profile: ${{ secrets.AzureAppService_PublishProfile_8e31a0a286fe4f0a9fc10228293a10a9 }} | |
images: '${{ vars.ACR }}${{ env.acrPath }}:${{ github.sha }}' |
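Review bot: Secrets are passed as command-line arguments in the "Lås opp nøkkelring" step (`security -v unlock-keychain -p ${{ secrets.MACOS_KC_PASS }} …`) and in the keystore export (`-passout pass:${{secrets.KEYSTORE_PASS}}`), which exposes them to anything that can list the process table on the self-hosted runner, and the service-principal certificate written to `sp.cert` in the "Azure CLI login" step is never removed, unlike `vs.p12`. For the keystore step, put the password in the step's `env:` and use `-passout env:KEYSTORE_PASS`; add `rm sp.cert` after the `az acr login` call. The `curl -Lso` downloads (version metadata, `app.jar`, the two root CA files) run without `-f`, so an HTTP error page would be saved under that name and then cached by the following `actions/cache` step; `curl -fLso` makes the step fail instead. The `openssl s_client` line fills the trust store with whatever chain the host serves at run time, with no comparison against a pinned fingerprint, so a comment stating that this trust-on-first-use is intentional would help the next reader. The `<<< cat maven-metadata.xml` in the version step only works because sed reads the filename operand and ignores the here-string; `sed -ne '/latest/{…}' maven-metadata.xml` says what is meant.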