chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates #45
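name: Build, Scan & Deploy to Azure

on:
  push:
    branches: ["main", "staging"]
  pull_request:
    branches: ["main"]
  workflow_dispatch:

# Least privilege: the workflow-wide default is read-only. Each job opts in to
# exactly the scopes it needs. Job-level `permissions` REPLACES this block, it
# does not add to it, so every job must restate `contents: read` for checkout.
# `security-events: write` was dropped: nothing in this file uploads SARIF.
permissions:
  contents: read

# One run per ref at a time, so two pushes to the same branch cannot build and
# deploy out of order. In-flight deploys are never cancelled half-way.
concurrency:
  group: build-deploy-${{ github.ref }}
  cancel-in-progress: false

env:
  # Immutable per-commit tag. This is the image Trivy scans AND the image that
  # is deployed, so what was scanned is exactly what runs in Azure.
  IMAGE_NAME: ghcr.io/gratech-sa/gratech-cometx:${{ github.sha }}
  # Convenience tag only. It is moved on pushes to main and never deployed
  # from, because a mutable tag can be overwritten by a concurrent run.
  IMAGE_LATEST: ghcr.io/gratech-sa/gratech-cometx:latest
  RESOURCE_GROUP: rg-cometx-prod
  APP_PROD: ca-cometx-api
  APP_STG: ca-cometx-api-staging

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write # push to GHCR; no OIDC or security-events scope needed here
    steps:
      # NOTE(review): third-party actions are pinned to floating major tags.
      # Pinning to a full commit SHA (`uses: owner/repo@<40-hex-sha> # vN`)
      # protects against a compromised or force-moved tag. Look the SHAs up
      # in each action's release page before changing these lines.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Build into the local daemon only (load: true). The image is not pushed
      # until the scan below has passed, so an image with an unpatched CRITICAL
      # finding never reaches the registry.
      - name: Build Docker image
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          tags: ${{ env.IMAGE_NAME }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Gate: fail the job (and block the PR) on any fixable CRITICAL CVE.
      # Only the vulnerability scanner is enabled; secret and misconfiguration
      # scanning are deliberately out of scope here — TODO confirm that is intended.
      - name: Run Trivy security scan (CRITICAL only)
        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: ${{ env.IMAGE_NAME }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL'
          scanners: 'vuln'

      # Registry credentials are only needed on the push path, so the login is
      # skipped on pull requests (where the push is skipped as well).
      - name: Log in to GitHub Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Values come from the job environment rather than `${{ }}` interpolation
      # so nothing is spliced into the shell script as source text.
      # `latest` is only advanced from main; a staging or workflow_dispatch run
      # must not be able to retag it.
      - name: Push Docker image
        if: github.event_name != 'pull_request'
        run: |
          set -euo pipefail
          docker push "$IMAGE_NAME"
          if [ "$GITHUB_REF" = "refs/heads/main" ]; then
            docker tag "$IMAGE_NAME" "$IMAGE_LATEST"
            docker push "$IMAGE_LATEST"
          fi

  deploy:
    needs: build-scan-push
    # Only the two deployable branches reach Azure. Without the ref check a
    # workflow_dispatch from any other branch would enter the job (landing in
    # the 'staging' environment) with nothing to deploy.
    if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
    runs-on: ubuntu-latest
    permissions:
      id-token: write # OIDC token exchange with Azure; no registry scope needed
      contents: read
    # Environment protection rules (required reviewers, branch restrictions)
    # are enforced here; keep 'production' restricted to main in repo settings.
    environment:
      name: ${{ github.ref == 'refs/heads/main' && 'production' || 'staging' }}
    steps:
      # The IDs are read straight from `secrets` so they are not exported as
      # environment variables to every step of every job. The federated
      # credential on this app registration must trust this repo's
      # 'production' and 'staging' environment subjects — TODO confirm in Entra ID.
      - name: Azure login via OIDC
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Resolve the target Container App once; later steps read $APP_NAME.
      - name: Resolve deployment target
        run: |
          set -euo pipefail
          if [ "$GITHUB_REF" = "refs/heads/main" ]; then
            echo "APP_NAME=$APP_PROD" >> "$GITHUB_ENV"
          else
            echo "APP_NAME=$APP_STG" >> "$GITHUB_ENV"
          fi

      # Deploy the SHA-tagged image that was scanned, not the mutable `latest`
      # tag. Registry access for ghcr.io is configured on the Container App
      # itself (unchanged from the previous `latest` deploys).
      - name: Deploy image to Azure Container App
        run: |
          set -euo pipefail
          az containerapp update \
            --name "$APP_NAME" \
            --resource-group "$RESOURCE_GROUP" \
            --image "$IMAGE_NAME"

      # Actually verify: the app must expose an ingress FQDN and its template
      # must now reference the image we just deployed. Either failing fails
      # the job instead of printing a success banner.
      - name: Verify deployment
        run: |
          set -euo pipefail
          FQDN=$(az containerapp show \
            --name "$APP_NAME" \
            --resource-group "$RESOURCE_GROUP" \
            --query "properties.configuration.ingress.fqdn" -o tsv)
          if [ -z "$FQDN" ]; then
            echo "::error::$APP_NAME has no ingress FQDN"
            exit 1
          fi
          RUNNING_IMAGE=$(az containerapp show \
            --name "$APP_NAME" \
            --resource-group "$RESOURCE_GROUP" \
            --query "properties.template.containers[0].image" -o tsv)
          if [ "$RUNNING_IMAGE" != "$IMAGE_NAME" ]; then
            echo "::error::$APP_NAME template references '$RUNNING_IMAGE', expected '$IMAGE_NAME'"
            exit 1
          fi
          echo "🚀 Deployment completed!"
          echo "🌐 URL: https://$FQDN"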