.github/workflows/deploy.yml

name: Deploy to dev
on:
  push:
    branches:
      - main

jobs:
  build:
    permissions:
      contents: "write"
      id-token: "write"
      security-events: "write"
    name: Checkout code and create docker tag
    runs-on: ubuntu-latest
    steps:
      - name: Setup java
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Gradle wrapper validation
        uses: gradle/wrapper-validation-action@v3.5.0
      - name: Setup gradle dependency cache
        uses: actions/cache@v4
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/.*gradle*') }}
          restore-keys: |
            ${{ runner.os }}-gradle-
      - name: Run tests
        run: |
          ./gradlew test
      - name: setup frontend
        uses: actions/setup-node@v4
        with:
          node-version: '22'
      - run: corepack enable
      - run: yarn --immutable
        env:
          NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }}
        working-directory: web
      - run: yarn build
        working-directory: web
      - run: yarn copy
        working-directory: web
      - name: Build jar
        run: |
          ./gradlew shadowJar -x test
      - name: docker-build-push
        if: github.event.pull_request.user.login != 'dependabot[bot]'
        uses: nais/docker-build-push@v0
        id: docker-build-push
        with:
          team: teamsykmelding
          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}

    outputs:
      image: ${{ steps.docker-build-push.outputs.image }}

  trivy-docker:
    if: github.event.pull_request.user.login != 'dependabot[bot]'
    permissions:
      contents: "write"
      id-token: "write"
      security-events: "write"
    name: Trivy docker
    runs-on: ubuntu-latest
    needs: [ build ]
    steps:
      - run: touch me
      - uses: nais/login@v0
        with:
          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
          team: teamsykmelding

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
        with:
          image-ref: ${{ needs.build.outputs.image }}
          ignore-unfixed: true
          vuln-type: 'os'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-results.sarif'
          scanners: 'vuln'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  deploy-dev:
    if: github.event.pull_request.user.login != 'dependabot[bot]'
    name: Deploy to dev
    runs-on: ubuntu-latest
    needs: [ build ]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Deploy to dev
        uses: nais/deploy/actions/deploy@master
        env:
          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
          CLUSTER: dev-gcp
          RESOURCE: naiserator-dev.yaml
          VAR: image=${{ needs.build.outputs.image }}