ajuste final

Alfredo Tornero · Alfredo Tornero · commit 3eec3937af98 · 2025-10-28T08:56:38.000-05:00
diff --git a/.github/workflows/deploy-azure-container.yml b/.github/workflows/deploy-azure-container.yml
@@ -13,7 +13,7 @@ on:
         required: true
         type: string
       image_tag:
-        default: "latest"
+        default: "latest"   # 👈 se reemplaza dinámicamente desde el workflow principal
         type: string
       slot:
         default: "production"
@@ -26,16 +26,22 @@ on:
       AZURE_SUBSCRIPTION_ID:
         required: true
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   deploy-container:
     runs-on: ubuntu-latest
+    name: 🚀 Deploy Container to Azure
 
     env:
       APP_NAME: ${{ inputs.app_name }}
       SLOT_NAME: ${{ inputs.slot }}
       ACR_NAME: ${{ inputs.acr_name }}
       IMAGE_NAME: ${{ inputs.image_name }}
       IMAGE_TAG: ${{ inputs.image_tag }}
+      RESOURCE_GROUP: scharff-nsf-dev-rg  # 👈 mejor definirlo como variable (fácil de reutilizar)
 
     steps:
       - name: 🔐 Login Azure (OIDC)
@@ -46,40 +52,38 @@ jobs:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           enable-oidc: true
 
-      - name: 🧩 Verificar versión Azure CLI
-        run: az version
-
-      - name: 🔄 Actualizar Azure CLI
-        run: |
-          echo "🔄 Actualizando Azure CLI a la última versión..."
-          sudo az upgrade --yes
-
       - name: 🔐 Login a ACR
-        run: |
-          az acr login --name $ACR_NAME
+        run: az acr login --name $ACR_NAME
 
-      - name: 🔁 Actualizar App Service para usar nueva imagen
+      - name: 🔁 Actualizar App Service con nueva imagen
         run: |
-          echo "🔁 Actualizando imagen en $APP_NAME..."
+          echo "🔁 Actualizando imagen en $APP_NAME con tag: $IMAGE_TAG"
           az webapp config container set \
             --name $APP_NAME \
-            --resource-group scharff-nsf-dev-rg \
+            --resource-group $RESOURCE_GROUP \
+            --slot $SLOT_NAME \
             --container-image-name "$ACR_NAME.azurecr.io/$IMAGE_NAME:$IMAGE_TAG" \
             --container-registry-url "https://$ACR_NAME.azurecr.io"
-
-      - name: 🔍 Verificar configuración del App Service
+      
+      - name: 🔍 Verificar configuración del contenedor
         run: |
-          echo "🔍 Verificando imagen aplicada..."
+          echo "🔍 Configuración actual de contenedor:"
           az webapp config show \
             --name $APP_NAME \
-            --resource-group scharff-nsf-dev-rg \
-            --query "linuxFxVersion"   
+            --resource-group $RESOURCE_GROUP \
+            --slot $SLOT_NAME \
+            --query "linuxFxVersion"
 
       - name: 🔄 Reiniciar App Service
         run: |
-          az webapp restart --name $APP_NAME --resource-group scharff-nsf-dev-rg
+          echo "🔄 Reiniciando $APP_NAME..."
+          az webapp restart --name $APP_NAME --resource-group $RESOURCE_GROUP --slot $SLOT_NAME
 
-      - name: ✅ Verificar estado del despliegue
+      - name: ✅ Validar despliegue
         run: |
-          az webapp show --name $APP_NAME --resource-group scharff-nsf-dev-rg \
+          echo "✅ Estado actual:"
+          az webapp show \
+            --name $APP_NAME \
+            --resource-group $RESOURCE_GROUP \
+            --slot $SLOT_NAME \
             --query "state" -o tsv
diff --git a/.github/workflows/docker-build-acr.yml b/.github/workflows/docker-build-acr.yml
@@ -9,23 +9,31 @@ on:
         required: true
       AZURE_SUBSCRIPTION_ID:
         required: true
+    outputs:
+      tag:
+        description: "Tag generado para la imagen Docker"
+        value: ${{ jobs.build-scan-push.outputs.image_tag }}
 
 permissions:
   id-token: write
   contents: read
 
 env:
-  ACR_NAME: nsfacrdev             # 👈 reemplaza con tu ACR real
-  IMAGE_NAME: nsf-backend-util
-  TAG: ${{ github.run_number }}
+  ACR_NAME: nsfacrdev              # 👈 tu ACR real
+  IMAGE_NAME: nsf-backend-util     # 👈 nombre de tu imagen
+  TAG: ${{ github.run_number }}    # 👈 tag dinámico
   AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
   AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
   AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 jobs:
   build-scan-push:
-    runs-on: ubuntu-latest
     name: 🏗️ Build + Scan + Push ACR
+    runs-on: ubuntu-latest
+
+    # 👇 exportamos el TAG para que lo use el workflow principal
+    outputs:
+      image_tag: ${{ env.TAG }}
 
     steps:
       - name: 🧰 Checkout del código
@@ -43,33 +51,31 @@ jobs:
           enable-oidc: true
 
       - name: 🔐 Login al ACR
-        run: |
-          az acr login --name $ACR_NAME
+        run: az acr login --name $ACR_NAME
 
       - name: 🏗️ Build de la imagen Docker
         run: |
+          echo "🏷️ Tag actual: $TAG"
           docker build -t $ACR_NAME.azurecr.io/$IMAGE_NAME:$TAG .
 
-      # 🚨 Si hay vulnerabilidades HIGH o CRITICAL, falla el pipeline
       - name: 🧪 Escaneo de vulnerabilidades con Trivy (bloqueante)
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
         with:
           image-ref: ${{ env.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}:${{ env.TAG }}
           format: 'table'
           vuln-type: 'os,library'
           severity: 'HIGH,CRITICAL'
-          exit-code: '1'            # ⚠️ Falla el job si encuentra HIGH/CRITICAL
+          exit-code: '1'             # ❌ falla si hay HIGH o CRITICAL
           ignore-unfixed: true
           output: 'trivy-report.txt'
 
       - name: 📊 Subir reporte Trivy como artefacto
-        if: always()                # 📁 se sube aunque falle
+        if: always()                 # 📁 se sube aunque falle
         uses: actions/upload-artifact@v4
         with:
           name: trivy-report
           path: trivy-report.txt
 
       - name: 🚀 Push de la imagen al ACR
-        if: success()               # 🚫 Solo si no hubo vulnerabilidades graves
-        run: |
-          docker push $ACR_NAME.azurecr.io/$IMAGE_NAME:$TAG
+        if: success()
+        run: docker push $ACR_NAME.azurecr.io/$IMAGE_NAME:$TAG
diff --git a/.github/workflows/master_nsf-backend-ga.yml b/.github/workflows/master_nsf-backend-ga.yml
@@ -13,19 +13,72 @@ permissions:
   security-events: write
 
 jobs:
+  # -------------------------------
+  # 🧪 CI: Build + Test
+  # -------------------------------
+  ci:
+    uses: ./.github/workflows/dotnet-ci.yml
+    with:
+      solution: "nsf-backend-util.sln"
+      test_project: "./Scharff.UnitTest/Scharff.UnitTest.csproj"
+
+  # -------------------------------
+  # 🔍 Análisis de seguridad
+  # -------------------------------
+  analyze:
+    needs: ci
+    uses: ./.github/workflows/analyze-security.yml
+    with:
+      solution: "nsf-backend-util.sln"
+      sonar_project_key: "atorneroc_NSF-BACKEND-UTIL-GA"
+      sonar_org: "atorneroc"
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
 
+  # -------------------------------
+  # 🐳 Build + Scan + Push a ACR
+  # -------------------------------
+  docker:
+    if: github.event_name == 'push'
+    needs: [ci, analyze]
+    uses: ./.github/workflows/docker-build-acr.yml
+    id: docker-job   # 👈 importante para referenciar outputs
+    secrets:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+  # -------------------------------
+  # 🚀 Despliegue 1: App Service por Código
+  # -------------------------------
+  deploy:
+    if: ${{ success() && github.event_name == 'push' }}
+    needs: docker
+    uses: ./.github/workflows/deploy-azure.yml
+    with:
+      app_name: "nsf-backend-ga"
+      slot: "production"
+    secrets:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
   # -------------------------------
   # 🚀 Despliegue 2: App Service por Contenedor
   # -------------------------------
   deploy-container:
-    if: ${{ github.event_name == 'push' }}
+    if: ${{ success() && github.event_name == 'push' }}
+    needs: docker
     uses: ./.github/workflows/deploy-azure-container.yml
     with:
       app_name: "nsf-backend-ga-cont"          # 👈 tu App Service basado en ACR
       acr_name: "nsfacrdev"
       image_name: "nsf-backend-util"
-      image_tag: "99"
+      image_tag: ${{ needs.docker.outputs.tag }}
       slot: "production"
     secrets:
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
