feat: PROMOTE TO UAT (#3)

.devops/deploy-pipelines.yml

@@ -0,0 +1,181 @@
+# Build and push image to Azure Container Registry; Deploy to Azure Kubernetes Service
+# https://docs.microsoft.com/azure/devops/pipelines/languages/docker
+
+parameters:
+  - name: 'executeBuild'
+    displayName: 'Launch docker build'
+    type: boolean
+    default: true
+
+trigger:
+  branches:
+    include:
+      - develop
+      - uat
+      - main
+  paths:
+    include:
+      - src/*
+      - build.gradle.kts
+      - helm/*
+      - Dockerfile
+      - settings.gradle.kts
+
+pr: none
+
+resources:
+  - repo: self
+
+variables:
+
+  #  vmImageNameDefault: 'ubuntu-latest'
+  vmImageNameDefault: ubuntu-22.04
+
+  imageRepository: '$(K8S_IMAGE_REPOSITORY_NAME)'
+  deployNamespace: '$(DEPLOY_NAMESPACE)'
+  helmReleaseName : '$(HELM_RELEASE_NAME)'
+  canDeploy: true
+
+  ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/uat') }}:
+    environment: 'UAT'
+    dockerRegistryName: '$(UAT_CONTAINER_REGISTRY_NAME)'
+    dockerRegistryServiceConnection: '$(UAT_CONTAINER_REGISTRY_SERVICE_CONN)'
+    kubernetesServiceConnection: '$(UAT_KUBERNETES_SERVICE_CONN)'
+    containerRegistry: '$(UAT_CONTAINER_REGISTRY_NAME)'
+    selfHostedAgentPool: $(UAT_AGENT_POOL)
+    postmanEnvFile: p4pa_UAT.postman_environment.json
+
+  ${{ elseif eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
+    environment: 'PROD'
+    dockerRegistryName: '$(PROD_CONTAINER_REGISTRY_NAME)'
+    dockerRegistryServiceConnection: '$(PROD_CONTAINER_REGISTRY_SERVICE_CONN)'
+    kubernetesServiceConnection: '$(PROD_KUBERNETES_SERVICE_CONN)'
+    containerRegistry: '$(PROD_CONTAINER_REGISTRY_NAME)'
+    selfHostedAgentPool: $(PROD_AGENT_POOL)
+
+  ${{ else }}:
+    environment: 'DEV'
+    dockerRegistryName: '$(DEV_CONTAINER_REGISTRY_NAME)'
+    dockerRegistryServiceConnection: '$(DEV_CONTAINER_REGISTRY_SERVICE_CONN)'
+    kubernetesServiceConnection: '$(DEV_KUBERNETES_SERVICE_CONN)'
+    containerRegistry: '$(DEV_CONTAINER_REGISTRY_NAME)'
+    selfHostedAgentPool: $(DEV_AGENT_POOL)
+    postmanEnvFile: p4pa_DEV.postman_environment.json
+
+stages:
+  - stage: stage_build
+    condition: eq(variables.canDeploy, true)
+    displayName: 'Build and publish image to ${{ variables.environment }} registry'
+    jobs:
+      - job: job_build
+        displayName: Build
+        pool:
+          vmImage: $(vmImageNameDefault)
+        steps:
+          - task: Bash@3
+            displayName: Get app version
+            name: getAppVersion
+            condition: and(succeeded(), eq(variables.canDeploy, true))
+            inputs:
+              targetType: 'inline'
+              script: |
+                version=$(cat build.gradle.kts | grep "version = '.*'" | cut -d"'" -f2)
+                echo "Building $version version"
+                echo "##vso[task.setvariable variable=appVersion;isOutput=true]$version"
+              failOnStderr: true
+
+          - task: Docker@2
+            condition: and(succeeded(), ${{ parameters.executeBuild }})
+            displayName: 'Build and publish $(imageRepository) image'
+            inputs:
+              containerRegistry: '$(dockerRegistryServiceConnection)'
+              repository: '$(imageRepository)'
+              command: 'buildAndPush'
+              tags: |
+                latest
+                $(Build.SourceVersion)
+                $(getAppVersion.appVersion)
+
+          - task: PublishPipelineArtifact@1
+            displayName: 'Publish manifests into pipeline artifacts'
+            condition: succeeded()
+            inputs:
+              targetPath: '$(Build.Repository.LocalPath)/helm'
+              artifact: 'helm'
+              publishLocation: 'pipeline'
+          - task: 'Bash@3'
+            displayName: 'Send message on Slack'
+            condition: in(variables['Agent.JobStatus'], 'SucceededWithIssues', 'Failed')
+            inputs:
+              targetType: 'inline'
+              script: >
+                curl -X POST \
+                  -H "Content-type: application/json" \
+                  --data '{"text": "*Attention: There is an error in pipeline $(System.DefinitionName) in step _build_!*\nCheck the logs for more details $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) to view the build results."}' \
+                  $(SLACK_WEBHOOK_URL)
+  - stage: stage_deploy
+    displayName: 'Deploy to ${{ variables.environment }} K8S'
+    dependsOn: [ stage_build ]
+    variables:
+      appVersion: $[ stageDependencies.stage_build.job_build.outputs['getAppVersion.appVersion'] ]
+    condition: and(succeeded(), eq(variables.canDeploy, true))
+    jobs:
+      - deployment: job_deploy
+        displayName: 'Deploy'
+        pool:
+          name: $(selfHostedAgentPool)
+        environment: '$(environment)'
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - download: none
+                - task: DownloadPipelineArtifact@2
+                  inputs:
+                    buildType: 'current'
+                    artifactName: 'helm'
+                    targetPath: '$(Pipeline.Workspace)/helm'
+                - task: KubectlInstaller@0
+                - task: Bash@3
+                  name: helm_dependency_build
+                  displayName: Helm dependency build
+                  inputs:
+                    workingDirectory: '$(Pipeline.Workspace)/helm'
+                    targetType: 'inline'
+                    script: |
+                      helm repo add pagopa-microservice https://pagopa.github.io/aks-microservice-chart-blueprint
+                      helm dep build
+                    failOnStderr: true
+                - bash: |
+                    echo 'microservice-chart:
+                       podAnnotations:
+                          "build/buildNumber": "$(Build.BuildNumber)"
+                          "build/appVersion": "$(appVersion)"
+                          "build/sourceVersion": "$(Build.SourceVersion)"' > buildMetadata.yaml
+                  displayName: Writing build metadata
+
+                - task: HelmDeploy@0
+                  displayName: Helm upgrade
+                  inputs:
+                    kubernetesServiceEndpoint: ${{ variables.kubernetesServiceConnection }}
+                    namespace: '$(deployNamespace)'
+                    command: upgrade
+                    chartType: filepath
+                    chartPath: $(Pipeline.Workspace)/helm
+                    chartName: ${{ variables.helmReleaseName }}
+                    releaseName: ${{ variables.helmReleaseName }}
+                    valueFile: "$(Pipeline.Workspace)/helm/values-${{ lower(variables.environment) }}.yaml"
+                    install: true
+                    waitForExecution: true
+                    arguments: --timeout 5m0s
+                      --values buildMetadata.yaml
+                - task: 'Bash@3'
+                  displayName: 'Send message on Slack'
+                  condition: in(variables['Agent.JobStatus'], 'SucceededWithIssues', 'Failed')
+                  inputs:
+                    targetType: 'inline'
+                    script: >
+                      curl -X POST \
+                        -H "Content-type: application/json" \
+                        --data '{"text": "*Attention: There is an error in pipeline $(System.DefinitionName) in step _deploy_!*\nCheck the logs for more details $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) to view the build results."}' \
+                        $(SLACK_WEBHOOK_URL)

.gitattributes

@@ -0,0 +1,3 @@
+/gradlew text eol=lf
+*.bat text eol=crlf
+*.jar binary

.github/terraform/00_data.tf

@@ -23,3 +23,11 @@ data "azurerm_key_vault_secret" "sonar_token" {
   key_vault_id = data.azurerm_key_vault.key_vault_core.id
   name         = "sonar-cloud-token"
 }
+
+# Key Vault - Slack webhok
+data "azurerm_key_vault_secret" "slack_webhook" {
+  count = var.env_short == "p" ? 1 : 0
+
+  key_vault_id = data.azurerm_key_vault.key_vault_core.id
+  name         = "slack-webhook-url"
+}

.github/terraform/99_locals.tf

@@ -18,7 +18,8 @@ locals {
   env_variables = {}
 
   repo_secrets = var.env_short == "p" ? {
-    SONAR_TOKEN = data.azurerm_key_vault_secret.sonar_token[0].value
+    SONAR_TOKEN       = data.azurerm_key_vault_secret.sonar_token[0].value
+    SLACK_WEBHOOK_URL = data.azurerm_key_vault_secret.slack_webhook[0].value
   } : {}
 
   repo_env = var.env_short == "p" ? {

.github/workflows/codereview.yml

@@ -0,0 +1,48 @@
+name: P4PA-PDND-SERVICES - Code Review
+
+on:
+  push:
+    branches:
+      - main
+      - uat
+      - develop
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+        with:
+          fetch-depth: 0
+
+      - name: Setup Java
+        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 #v4.2.1
+        with:
+          distribution: 'corretto'
+          java-version: 17
+
+      - name: Grant execute permission for gradlew
+        run: chmod +x ./gradlew
+
+      - name: Build with Gradle
+        working-directory: ./
+        run: ./gradlew clean build jacocoTestReport
+
+      - name: Sonar Scan
+        working-directory: ./
+        run: >
+          ./gradlew sonar
+          -Dorg.gradle.jvmargs=-Xmx4096M
+          -Dsonar.host.url=https://sonarcloud.io
+          -Dsonar.organization=${{ vars.SONARCLOUD_ORG }}
+          -Dsonar.projectKey=${{ vars.SONARCLOUD_PROJECT_KEY }}
+          -Dsonar.projectName="${{ vars.SONARCLOUD_PROJECT_NAME }}"
+          -Dsonar.token=${{ secrets.SONAR_TOKEN }}
+          -Dsonar.sources=src/main
+          -Dsonar.tests=src/test
+          -Dsonar.coverage.jacoco.xmlReportPaths=build/reports/jacoco/test/jacocoTestReport.xml

.github/workflows/config/trivy.yaml

@@ -0,0 +1,3 @@
+db:
+  repository: "public.ecr.aws/aquasecurity/trivy-db:2"
+  java-repository: "public.ecr.aws/aquasecurity/trivy-java-db:1"

.github/workflows/pr-title.yml

@@ -1,4 +1,4 @@
-name: Validate PR title
+name: "Validate PR title"
 
 on:
   pull_request_target:
@@ -14,7 +14,8 @@ jobs:
     steps:
       # Please look up the latest version from
       # /~https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+      # from /~https://github.com/amannn/action-semantic-pull-request/commits/main
+      - uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -30,7 +31,7 @@ jobs:
           requireScope: false
           # Configure additional validation for the subject based on a regex.
           # This example ensures the subject starts with an uppercase character.
-          subjectPattern: ^[A-Z].+$
+          subjectPattern: ^.+$
           # If `subjectPattern` is configured, you can use this property to override
           # the default error message that is shown when the pattern doesn't match.
           # The variables `subject` and `title` can be used within the message.
@@ -52,4 +53,4 @@ jobs:
           validateSingleCommit: false
           # Related to `validateSingleCommit` you can opt-in to validate that the PR
           # title matches a single commit to avoid confusion.
-          validateSingleCommitMatchesPrTitle: false
+          validateSingleCommitMatchesPrTitle: false

.github/workflows/security-scan.yml

@@ -0,0 +1,70 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Trivy tool, and integrates the results with GitHub Advanced Security
+# code scanning feature.
+name: Container Scan
+
+on:
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "develop", "uat", "main" ]
+  workflow_dispatch:
+  schedule:
+    - cron: '00 07 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  BuildAndScan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    outputs:
+      CVE_CRITICAL: ${{env.CVE_CRITICAL}}
+      CVE_HIGH: ${{env.CVE_HIGH}}
+      CVE_MEDIUM: ${{env.CVE_MEDIUM}}
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+      - name: Build the Docker image
+        run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+      - name: Run the Trivy scan action itself with GitHub Advanced Security code scanning integration enabled
+        id: scan
+        uses: aquasecurity/trivy-action@0.28.0 #v0.28.0
+        with:
+          trivy-config: 'config/trivy.yaml'
+          image-ref: "localbuild/testimage:latest"
+          format: 'sarif'
+          output: 'results.sarif'
+      - name: Upload Anchore Scan Report
+        uses: github/codeql-action/upload-sarif@99c9897648dded3fe63d6f328c46089dd57735ca #codeql bundle v2.17.0
+        with:
+          sarif_file: 'results.sarif'
+      - name: CVE Description escaped extraction and print
+        run: |
+          SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | map(.help.text) | join("\\n")' results.sarif)
+          echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o CRITICAL | wc -l)" >> $GITHUB_ENV
+          echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o HIGH | wc -l)" >> $GITHUB_ENV
+          echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o MEDIUM | wc -l)" >> $GITHUB_ENV
+
+          echo $SCAN_RESULTS
+      - name: Fails if CVE HIGH or CRITICAL are detected
+        id: cve-threshold
+        if: env.CVE_HIGH > 0 || env.CVE_CRITICAL > 0
+        run: exit 1
+  SendSlackNotification:
+    needs: BuildAndScan
+    uses: ./.github/workflows/send-notification.yml
+    if: always() && (needs.BuildAndScan.outputs.CVE_HIGH > 0 || needs.BuildAndScan.outputs.CVE_CRITICAL > 0)
+    with:
+      CVE_CRITICAL: ${{needs.BuildAndScan.outputs.CVE_CRITICAL}}
+      CVE_HIGH: ${{needs.BuildAndScan.outputs.CVE_HIGH}}
+      CVE_MEDIUM: ${{needs.BuildAndScan.outputs.CVE_MEDIUM}}
+    secrets: inherit