chore: update GitHub Actions workflows to use dynamic repository names and latest action versions [deploy-test]

Author: pasibun

.github/workflows/build.yml

@@ -11,17 +11,17 @@ on:
         default: "main"
 
 env:
-  IMAGE_NAME: ghcr.io/developer-overheid-nl/don-site
+  IMAGE_NAME: ghcr.io/${{ github.repository }}
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Build image
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           target: caddy
           tags: |
@@ -33,21 +33,20 @@ jobs:
             "PIWIK_PRO_SITE_ID=${{ secrets.PIWIK_PRO_SITE_ID }}"
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: image
           path: ${{ runner.temp }}/image.tar
           retention-days: 1
 
   publish:
     if: |
-      github.repository == 'developer-overheid-nl/don-site' &&
-      (github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch')
+      github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     needs: build
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
         with:
           name: image
           path: ${{ runner.temp }}
@@ -57,7 +56,7 @@ jobs:
           docker load --input ${{ runner.temp }}/image.tar
 
       - name: Login to container registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/check-links.yml

@@ -8,7 +8,7 @@ jobs:
   check-links:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Install pnpm
         run: npm install -g pnpm
@@ -20,7 +20,7 @@ jobs:
         run: pnpm run build
 
       - name: Run Linkinator to check external links
-        uses: JustinBeckwith/linkinator-action@v2.4.0
+        uses: JustinBeckwith/linkinator-action@f62ba0c110a76effb2ee6022cc6ce4ab161085e3
         continue-on-error: true
         with:
           paths: "build"

.github/workflows/check-wcag.yml

@@ -9,7 +9,7 @@ jobs:
   check-wcag:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Install pnpm
         run: npm install -g pnpm
@@ -30,7 +30,7 @@ jobs:
 
       - name: Upload WCAG report to Slack
         if: always()
-        uses: slackapi/slack-github-action@v3.0.1
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95
         with:
           method: files.uploadV2
           token: ${{ secrets.SLACK_BOT_TOKEN }}

.github/workflows/deploy-prod.yml

@@ -7,25 +7,39 @@ on:
       - main
 
 env:
-  IMAGE_NAME: ghcr.io/developer-overheid-nl/don-site
-  INFRA_REPO: developer-overheid-nl/don-infra
-  KUSTOMIZE_PATH: apps/frontend/overlays/prod
+  IMAGE_NAME: ghcr.io/${{ github.repository }}
+  INFRA_REPO: ${{ vars.INFRA_REPO }}
+  KUSTOMIZE_PATH: ${{ vars.KUSTOMIZE_PATH }}
+  DEPLOY_ENV: prod
 
 jobs:
   create-infra-pr:
-    if: github.repository == 'developer-overheid-nl/don-site'
     runs-on: ubuntu-latest
     steps:
+      - name: Parse infra repository
+        id: infra-repo
+        run: |
+          INFRA_REPO="${{ env.INFRA_REPO }}"
+
+          if [[ -z "$INFRA_REPO" || "$INFRA_REPO" != */* ]]; then
+            echo "INFRA_REPO moet de vorm owner/repo hebben, huidige waarde: '$INFRA_REPO'" >&2
+            exit 1
+          fi
+
+          echo "owner=${INFRA_REPO%%/*}" >> "$GITHUB_OUTPUT"
+          echo "repo=${INFRA_REPO#*/}" >> "$GITHUB_OUTPUT"
+
       - name: Genereer app token (Release proces app)
         id: app-token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
         with:
           app-id: ${{ secrets.RELEASE_PROCES_APP_ID }}
           private-key: ${{ secrets.RELEASE_PROCES_APP_PRIVATE_KEY }}
-          repositories: don-infra
+          owner: ${{ steps.infra-repo.outputs.owner }}
+          repositories: ${{ steps.infra-repo.outputs.repo }}
 
       - name: Checkout don-infra
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           repository: ${{ env.INFRA_REPO }}
           token: ${{ steps.app-token.outputs.token }}
@@ -39,14 +53,18 @@ jobs:
 
       - name: Update image tag in prod overlay
         run: |
+          KUSTOMIZATION_FILE="${{ env.KUSTOMIZE_PATH }}${{ env.DEPLOY_ENV }}/kustomization.yaml"
+
           yq e '(.images[] | select(.name == "static")).newTag = "${{ github.sha }}"' \
-            -i ${{ env.KUSTOMIZE_PATH }}/kustomization.yaml
+            -i "$KUSTOMIZATION_FILE"
 
       - name: Commit en push release branch
         run: |
+          KUSTOMIZATION_FILE="${{ env.KUSTOMIZE_PATH }}${{ env.DEPLOY_ENV }}/kustomization.yaml"
+
           git config user.name "${{ github.actor }}"
           git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-          git add ${{ env.KUSTOMIZE_PATH }}/kustomization.yaml
+          git add "$KUSTOMIZATION_FILE"
           git commit -m "release: don-site → ${{ github.sha }}
 
           Commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}"

.github/workflows/deploy-test.yml

@@ -7,9 +7,10 @@ on:
       - main
 
 env:
-  IMAGE_NAME: ghcr.io/developer-overheid-nl/don-site
-  INFRA_REPO: developer-overheid-nl/don-infra
-  KUSTOMIZE_PATH: apps/frontend/overlays/test
+  IMAGE_NAME: ghcr.io/${{ github.repository }}
+  INFRA_REPO: ${{ vars.INFRA_REPO }}
+  KUSTOMIZE_PATH: ${{ vars.KUSTOMIZE_PATH }}
+  DEPLOY_ENV: test
 
 jobs:
   check-keyword:
@@ -35,28 +36,27 @@ jobs:
   build-and-push:
     needs: check-keyword
     if: |
-      needs.check-keyword.outputs.deploy == 'true' &&
-      github.repository == 'developer-overheid-nl/don-site'
+      needs.check-keyword.outputs.deploy == 'true'
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Login to container registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push image
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           context: .
           target: caddy
@@ -72,30 +72,48 @@ jobs:
     needs: build-and-push
     runs-on: ubuntu-latest
     steps:
+      - name: Parse infra repository
+        id: infra-repo
+        run: |
+          INFRA_REPO="${{ env.INFRA_REPO }}"
+
+          if [[ -z "$INFRA_REPO" || "$INFRA_REPO" != */* ]]; then
+            echo "INFRA_REPO moet de vorm owner/repo hebben, huidige waarde: '$INFRA_REPO'" >&2
+            exit 1
+          fi
+
+          echo "owner=${INFRA_REPO%%/*}" >> "$GITHUB_OUTPUT"
+          echo "repo=${INFRA_REPO#*/}" >> "$GITHUB_OUTPUT"
+
       - name: Genereer app token (Release proces app)
         id: app-token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
         with:
           app-id: ${{ secrets.RELEASE_PROCES_APP_ID }}
           private-key: ${{ secrets.RELEASE_PROCES_APP_PRIVATE_KEY }}
-          repositories: don-infra
+          owner: ${{ steps.infra-repo.outputs.owner }}
+          repositories: ${{ steps.infra-repo.outputs.repo }}
 
       - name: Checkout don-infra
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           repository: ${{ env.INFRA_REPO }}
           token: ${{ steps.app-token.outputs.token }}
 
       - name: Update image tag in test overlay
         run: |
+          KUSTOMIZATION_FILE="${{ env.KUSTOMIZE_PATH }}${{ env.DEPLOY_ENV }}/kustomization.yaml"
+
           yq e '(.images[] | select(.name == "static")).newTag = "${{ github.sha }}"' \
-            -i ${{ env.KUSTOMIZE_PATH }}/kustomization.yaml
+            -i "$KUSTOMIZATION_FILE"
 
       - name: Commit en push naar don-infra
         run: |
+          KUSTOMIZATION_FILE="${{ env.KUSTOMIZE_PATH }}${{ env.DEPLOY_ENV }}/kustomization.yaml"
+
           git config user.name "${{ github.actor }}"
           git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-          git add ${{ env.KUSTOMIZE_PATH }}/kustomization.yaml
+          git add "$KUSTOMIZATION_FILE"
           git commit -m "test: don-site → ${{ github.sha }}
 
           Branch: ${{ github.ref_name }}