dev.yml

name: Bygg og deploy dev

on:
  push:
    branches:
      - dev

env:
  APP: spinntektsmelding-frontend
  IMAGE: ghcr.io/${{ github.repository }}/spinntektsmelding-frontend:${{ github.sha }}
  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NPM_AUTH_TOKEN: ${{ secrets.READER_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.READER_TOKEN }}
jobs:
  # Bygg:
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@master
  #     - run: yarn install --immutable
  #     - run: yarn build
  #     - uses: actions/upload-artifact@v2
  #       with:
  #         name: spinntektsmelding-frontend-artifact
  #         path: ${{ github.workspace }}/build/**/*

  # Kodekvalitet:
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@master
  #     - uses: actions/setup-node@v3
  #       with:
  #         node-version: '22.6'
  #         registry-url: 'https://npm.pkg.github.com'
  #     - run: yarn install --immutable
  #     - run: yarn test
  #     - name: SonarCloud Scan
  #       uses: sonarsource/sonarcloud-github-action@master
  #       env:
  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  #         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  # Eslint:
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@master
  #     - uses: actions/setup-node@v3
  #       with:
  #         node-version: '22.6'
  #         registry-url: 'https://npm.pkg.github.com'
  #     - run: yarn install --immutable
  #     - run: yarn lint

  # Snyk:
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@master
  #     - name: Run Snyk to check for vulnerabilities
  #       uses: snyk/actions/node@master
  #       env:
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

  Docker:
    # needs: [Kodekvalitet, Eslint]
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: write # to write sarif
      security-events: write # push sarif to github security
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # - uses: actions/setup-node@v3
      #   with:
      #     node-version: '22.6'
      #     registry-url: "https://npm.pkg.github.com"
      #     always-auth: true
      # - uses: actions/checkout@master
      # - uses: actions/download-artifact@v2
      #   with:
      #     name: fritak-frontend-artifact
      #     path: build
      #
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: |
            ${{ env.IMAGE }}
          secrets: |
            "NODE_AUTH_TOKEN=${{ secrets.READER_TOKEN }}"
          build-args: |
            "BUILDMODE=development"

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          limit-severities-for-sarif: true

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  Deploy:
    needs: [Docker]
    runs-on: ubuntu-latest
    permissions:
      packages: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: nais/deploy/actions/deploy@v2
        env:
          TEAM: helsearbeidsgiver
          CLUSTER: dev-gcp
          RESOURCE: naiserator.yaml
          VARS: nais/dev-gcp.json
          REF: ${{ env.COMMIT }}
          IMAGE: ${{ env.IMAGE }}