Migrerer til GAR (#533)

.github/workflows/deploy-dev.yml

@@ -2,13 +2,9 @@ name: Build and deploy to dev
 on:
   workflow_dispatch:
 
-env:
-  IMAGE: ghcr.io/navikt/familie-ef-personhendelse:${{ github.sha }}
-
 permissions:
   contents: "read"
   id-token: "write"
-  packages: "write"
 
 jobs:
   build:
@@ -29,12 +25,15 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: mvn -B --no-transfer-progress package --settings .m2/maven-settings.xml --file pom.xml
       - name: Build and publish Docker image
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          echo ${GITHUB_TOKEN} | docker login ghcr.io --username ${GITHUB_REPOSITORY} --password-stdin
-          docker build --tag ${IMAGE} .
-          docker push ${IMAGE}
+        id: docker-push
+        uses: nais/docker-build-push@v0
+        with:
+          team: teamfamilie
+          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
+          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
+          byosbom: target/classes/META-INF/sbom/application.cdx.json
+    outputs:
+      image: ${{ steps.docker-push.outputs.image }}
   deploy:
     name: Deploy to dev
     needs: build
@@ -45,3 +44,4 @@ jobs:
         env:
           CLUSTER: dev-gcp
           RESOURCE: .deploy/preprod.yaml
+          IMAGE: ${{ needs.build.outputs.image }}

.github/workflows/deploy-prod.yaml

@@ -3,20 +3,15 @@ on:
   push:
     branches:
       - main
-env:
-  IMAGE: ghcr.io/navikt/familie-ef-personhendelse:${{ github.sha }}
 
 permissions:
   contents: "read"
   id-token: "write"
-  packages: "write"
 
 jobs:
   build:
     name: Build and push docker image
     runs-on: ubuntu-latest
-    permissions:
-      packages: "write"
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -32,12 +27,15 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: mvn -B --no-transfer-progress package --settings .m2/maven-settings.xml --file pom.xml
       - name: Build and publish Docker image
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          echo ${GITHUB_TOKEN} | docker login ghcr.io --username ${GITHUB_REPOSITORY} --password-stdin
-          docker build --tag ${IMAGE} .
-          docker push ${IMAGE}
+        id: docker-push
+        uses: nais/docker-build-push@v0
+        with:
+          team: teamfamilie
+          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
+          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
+          byosbom: target/classes/META-INF/sbom/application.cdx.json
+    outputs:
+      image: ${{ steps.docker-push.outputs.image }}
   deploy:
     name: Deploy to dev and prod
     needs: build
@@ -49,8 +47,10 @@ jobs:
         env:
           CLUSTER: dev-gcp
           RESOURCE: .deploy/preprod.yaml
+          IMAGE: ${{ needs.build.outputs.image }}
       - name: Deploy til prod-gcp
         uses: nais/deploy/actions/deploy@v2
         env:
           CLUSTER: prod-gcp
           RESOURCE: .deploy/prod.yaml
+          IMAGE: ${{ needs.build.outputs.image }}

pom.xml

@@ -379,6 +379,20 @@
                     <!-- additional 3rd party ruleset(s) can be specified here -->
                 </dependencies>
             </plugin>
+            <plugin>
+                <!-- For å få dependency graph i SLSA som pushes av docker-build-push parameter byosbom -->
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <version>2.8.0</version>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>makeAggregateBom</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 </project>