Merge branch 'main' into blog-post-identity-sync-architecture

Author: tomootes

.github/workflows/build.yml

@@ -11,17 +11,17 @@ on:
         default: "main"
 
 env:
-  IMAGE_NAME: ghcr.io/developer-overheid-nl/don-site
+  IMAGE_NAME: ghcr.io/${{ github.repository }}
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Build image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           target: caddy
           tags: |
@@ -33,21 +33,20 @@ jobs:
             "PIWIK_PRO_SITE_ID=${{ secrets.PIWIK_PRO_SITE_ID }}"
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: image
           path: ${{ runner.temp }}/image.tar
           retention-days: 1
 
   publish:
     if: |
-      github.repository == 'developer-overheid-nl/don-site' &&
-      (github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch')
+      github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     needs: build
     steps:
       - name: Download artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
         with:
           name: image
           path: ${{ runner.temp }}
@@ -57,7 +56,7 @@ jobs:
           docker load --input ${{ runner.temp }}/image.tar
 
       - name: Login to container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/check-links.yml

@@ -8,7 +8,7 @@ jobs:
   check-links:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Install pnpm
         run: npm install -g pnpm
@@ -20,7 +20,7 @@ jobs:
         run: pnpm run build
 
       - name: Run Linkinator to check external links
-        uses: JustinBeckwith/linkinator-action@v1
+        uses: JustinBeckwith/linkinator-action@f62ba0c110a76effb2ee6022cc6ce4ab161085e3
         continue-on-error: true
         with:
           paths: "build"

.github/workflows/check-wcag.yml

@@ -9,7 +9,7 @@ jobs:
   check-wcag:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Install pnpm
         run: npm install -g pnpm
@@ -21,33 +21,16 @@ jobs:
         run: pnpm run build
 
       - name: Serve Files
-        uses: Eun/http-server-action@v1
-        with:
-          content-types: |
-            {
-              "css": "text/css",
-              "html": "text/html",
-              "ico": "image/x-icon",
-              "jpeg": "image/jpeg",
-              "jpg": "image/jpeg",
-              "js": "text/javascript",
-              "json": "application/json",
-              "png": "image/png",
-              "svg": "image/svg+xml",
-              "txt": "text/plain",
-              "xml": "text/xml"
-            }
-          port: 3000
-          directory: build/
-          index-files: |
-            ["index.html"]
+        run: |
+          npx --yes serve build/ --listen 3000 &
+          npx --yes wait-on http://localhost:3000
 
       - name: Run Axe to check for WCAG compliance
         run: node scripts/wcag-sitemap-check.js
 
       - name: Upload WCAG report to Slack
         if: always()
-        uses: slackapi/slack-github-action@v2.1.1
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95
         with:
           method: files.uploadV2
           token: ${{ secrets.SLACK_BOT_TOKEN }}

.github/workflows/deploy-prod.yml

@@ -0,0 +1,87 @@
+name: Deploy to Production
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+env:
+  IMAGE_NAME: ghcr.io/${{ github.repository }}
+  INFRA_REPO: ${{ vars.INFRA_REPO }}
+  KUSTOMIZE_PATH: ${{ vars.KUSTOMIZE_PATH }}
+  DEPLOY_ENV: prod
+
+jobs:
+  create-infra-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Parse infra repository
+        id: infra-repo
+        run: |
+          INFRA_REPO="${{ env.INFRA_REPO }}"
+
+          if [[ -z "$INFRA_REPO" || "$INFRA_REPO" != */* ]]; then
+            echo "INFRA_REPO moet de vorm owner/repo hebben, huidige waarde: '$INFRA_REPO'" >&2
+            exit 1
+          fi
+
+          echo "owner=${INFRA_REPO%%/*}" >> "$GITHUB_OUTPUT"
+          echo "repo=${INFRA_REPO#*/}" >> "$GITHUB_OUTPUT"
+
+      - name: Genereer app token (Release proces app)
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
+        with:
+          app-id: ${{ secrets.RELEASE_PROCES_APP_ID }}
+          private-key: ${{ secrets.RELEASE_PROCES_APP_PRIVATE_KEY }}
+          owner: ${{ steps.infra-repo.outputs.owner }}
+          repositories: ${{ steps.infra-repo.outputs.repo }}
+
+      - name: Checkout don-infra
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          repository: ${{ env.INFRA_REPO }}
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Maak release branch aan in don-infra
+        id: branch
+        run: |
+          BRANCH="release/don-site-${{ github.sha }}"
+          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+          git checkout -b "$BRANCH"
+
+      - name: Update image tag in prod overlay
+        run: |
+          KUSTOMIZATION_FILE="${{ env.KUSTOMIZE_PATH }}${{ env.DEPLOY_ENV }}/kustomization.yaml"
+
+          yq e '(.images[] | select(.newName == "${{ env.IMAGE_NAME }}")).newTag = "${{ github.sha }}"' -i "$KUSTOMIZATION_FILE"
+
+      - name: Commit en push release branch
+        run: |
+          KUSTOMIZATION_FILE="${{ env.KUSTOMIZE_PATH }}${{ env.DEPLOY_ENV }}/kustomization.yaml"
+
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+          git add "$KUSTOMIZATION_FILE"
+          git commit -m "release: don-site → ${{ github.sha }}
+
+          Commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}"
+          git push origin "${{ steps.branch.outputs.branch }}"
+
+      - name: Maak PR aan in don-infra
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          gh pr create \
+            --repo "${{ env.INFRA_REPO }}" \
+            --base main \
+            --head "${{ steps.branch.outputs.branch }}" \
+            --title "Release: don-site → ${GITHUB_SHA::7}" \
+            --body "## don-site productie deploy
+
+          **Image:** \`${{ env.IMAGE_NAME }}:${{ github.sha }}\`
+          **Branch:** \`${{ github.ref_name }}\`
+          **Commit:** ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}
+
+          Merge deze PR om de nieuwe versie naar productie te deployen."

.github/workflows/deploy-test.yml

@@ -0,0 +1,120 @@
+name: Deploy to Test
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - main
+
+env:
+  IMAGE_NAME: ghcr.io/${{ github.repository }}
+  INFRA_REPO: ${{ vars.INFRA_REPO }}
+  KUSTOMIZE_PATH: ${{ vars.KUSTOMIZE_PATH }}
+  DEPLOY_ENV: test
+
+jobs:
+  check-keyword:
+    runs-on: ubuntu-latest
+    outputs:
+      deploy: ${{ steps.check.outputs.deploy }}
+    steps:
+      - name: Check commit message for deploy keyword
+        id: check
+        env:
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+        run: |
+          # Keyword: [deploy-test] anywhere in de commit message
+          # Voorbeeld: "feat: nieuwe feature [deploy-test]"
+          if echo "$COMMIT_MESSAGE" | grep -qi "\[deploy-test\]"; then
+            echo "deploy=true" >> $GITHUB_OUTPUT
+            echo "Deploy keyword gevonden in commit message."
+          else
+            echo "deploy=false" >> $GITHUB_OUTPUT
+            echo "Geen deploy keyword gevonden, sla deploy over."
+          fi
+
+  build-and-push:
+    needs: check-keyword
+    if: |
+      needs.check-keyword.outputs.deploy == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
+
+      - name: Login to container registry
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push image
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
+        with:
+          context: .
+          target: caddy
+          push: true
+          tags: |
+            ${{ env.IMAGE_NAME }}:test
+            ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          secrets: |
+            "PIWIK_PRO_ACCOUNT_ADDRESS=${{ secrets.PIWIK_PRO_ACCOUNT_ADDRESS }}"
+            "PIWIK_PRO_SITE_ID=${{ secrets.PIWIK_PRO_SITE_ID }}"
+
+  update-infra-test:
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Parse infra repository
+        id: infra-repo
+        run: |
+          INFRA_REPO="${{ env.INFRA_REPO }}"
+
+          if [[ -z "$INFRA_REPO" || "$INFRA_REPO" != */* ]]; then
+            echo "INFRA_REPO moet de vorm owner/repo hebben, huidige waarde: '$INFRA_REPO'" >&2
+            exit 1
+          fi
+
+          echo "owner=${INFRA_REPO%%/*}" >> "$GITHUB_OUTPUT"
+          echo "repo=${INFRA_REPO#*/}" >> "$GITHUB_OUTPUT"
+
+      - name: Genereer app token (Release proces app)
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
+        with:
+          app-id: ${{ secrets.RELEASE_PROCES_APP_ID }}
+          private-key: ${{ secrets.RELEASE_PROCES_APP_PRIVATE_KEY }}
+          owner: ${{ steps.infra-repo.outputs.owner }}
+          repositories: ${{ steps.infra-repo.outputs.repo }}
+
+      - name: Checkout don-infra
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          repository: ${{ env.INFRA_REPO }}
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Update image tag in test overlay
+        run: |
+          KUSTOMIZATION_FILE="${{ env.KUSTOMIZE_PATH }}${{ env.DEPLOY_ENV }}/kustomization.yaml"
+
+          yq e '(.images[] | select(.newName == "${{ env.IMAGE_NAME }}")).newTag = "${{ github.sha }}"' -i "$KUSTOMIZATION_FILE"
+
+      - name: Commit en push naar don-infra
+        run: |
+          KUSTOMIZATION_FILE="${{ env.KUSTOMIZE_PATH }}${{ env.DEPLOY_ENV }}/kustomization.yaml"
+
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+          git add "$KUSTOMIZATION_FILE"
+          git commit -m "test: don-site → ${{ github.sha }}
+
+          Branch: ${{ github.ref_name }}
+          Commit: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}"
+          git push

.github/workflows/json-ci.yml

@@ -12,11 +12,11 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
       - name: Run Super-Linter
-        uses: super-linter/super-linter@v8.5.0
+        uses: super-linter/super-linter@61abc07d755095a68f4987d1c2c3d1d64408f1f9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           FILTER_REGEX_EXCLUDE: "(^|.*/)\\.vscode/|(^|.*/)tsconfig(\\..+)?\\.json$"