
Conversation

@maxjmohr
Collaborator

Description

As stated in the corresponding issue, we want to create a stable release branch with automated releases and Docker image builds.

Type of Change

Please delete options that are not relevant.

  • 🐛 Bug fix
  • ✨ New feature
  • 🧹 Code cleanup or refactor

Related Issue

Closes #251

@maxjmohr maxjmohr requested a review from jzakotnik November 20, 2025 10:37
@maxjmohr maxjmohr self-assigned this Nov 20, 2025
@maxjmohr maxjmohr added the enhancement New feature or request label Nov 20, 2025
@maxjmohr
Collaborator Author

We now have 4 workflow files:

  • codeql.yml: Analyzes code on PR and push to main and release branches (no structural changes)
  • release-pr.yml: PRs to release only accepted from main branch, scans for npm vulnerabilities, starts application and tests whether it runs (entirely new workflow)
  • docker-images.yml: on push to release, build backend and frontend images, test and scan them for insecurities. If they fail: clean up the images and remove them. If all successful: push images to DockerHub (changed steps order to be able to remove bad images)
  • release-push.yml: on push to release and after successful docker image builds, bump up version (new VERSION file), create github release and publish, as well as deprecate old releases (keeping last 5) (entirely new workflow)

@jzakotnik Please have a look.
Also, a question I don't yet know the answer to is how we could test this... not sure if there is a possibility or we have to run & see...

@jzakotnik
Contributor

We can push the images to DockerHub, similar to this one: https://hub.docker.com/u/trubudget

@jzakotnik
Contributor

@phpai can you have a quick sanity check compared to previous integrations we did?

@maxjmohr maxjmohr changed the title Create automized release branch Create automized main and dev branches Dec 10, 2025
@maxjmohr maxjmohr changed the base branch from main to dev December 10, 2025 12:32
@maxjmohr maxjmohr removed the request for review from jzakotnik December 10, 2025 12:32
@maxjmohr
Collaborator Author

We now have these 4 workflow files:

  • codeql.yml: Analyzes code on PR to main and dev branches
  • main-pr.yml: on PR to main
    1. Accepts PRs only from dev branch
    2. Scans for npm vulnerabilities (backend & frontend)
    3. Starts application and tests whether it runs
  • docker-images.yml: on push to main
    1. Build backend and frontend images, push first versions to DockerHub, test and scan them for insecurities
    2. If they fail: clean up the images and remove them
    3. If all successful: push images to DockerHub
  • main-push.yml: on push to main and after successful docker image builds
    1. Bump up version in VERSION and publiccode.yml
    2. Create github release and publish

So the pipeline will roughly be as following:
features/bug fixes -> PRs into dev -> collect new features/bug fixes in dev -> bundle them in PR to main -> build docker images and GitHub release

TODOs @jzakotnik

  1. Have a look if you like the logic of the explained workflows :)
  2. I need to change some settings in the repo for the dev branch etc. but can't access them. Either you could assign me the rights to change settings or we could do this together with your account. As you wish :)

TODOs @maxjmohr

  1. As explained in point 2 above, I have to change some settings for the workflows
  2. Will check how to integrate OpenCode (#288: "[Feature]: When automatically creating new releases, sync to OpenCode") as another workflow

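One way to write the "accept PRs only from dev, then audit backend and frontend" part of main-pr.yml described above. This is an added example, not the project's own workflow file: the job ids, the backend/ and frontend/ directory layout, and the Node version are assumptions. Two details matter for the gate: a job-level `if:` that merely skips the job is reported as "skipped", which branch protection treats as passing, so the rejection is an explicit failing step; and the branch name is passed through an environment variable rather than interpolated into the shell script, because `github.head_ref` is chosen by whoever opens the PR.

```yaml
# Added example of a PR gate for pull requests into main (not the project's main-pr.yml).
name: main-pr
on:
  pull_request:
    branches: [main]

permissions:
  contents: read   # nothing here needs to write to the repository

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      # Fail explicitly. A job skipped via `if:` would count as a passing required check.
      - name: Only accept PRs from the dev branch of this repository
        env:
          HEAD_REF: ${{ github.head_ref }}                             # attacker-chosen; never put it inline in `run:`
          FROM_FORK: ${{ github.event.pull_request.head.repo.fork }}
        run: |
          if [ "$HEAD_REF" != "dev" ] || [ "$FROM_FORK" = "true" ]; then
            echo "::error::PRs into main must come from the dev branch of this repository (got '$HEAD_REF', fork=$FROM_FORK)"
            exit 1
          fi

  audit:
    needs: gate
    runs-on: ubuntu-latest
    strategy:
      matrix:
        dir: [backend, frontend]   # assumed directory layout
    defaults:
      run:
        working-directory: ${{ matrix.dir }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
          cache-dependency-path: ${{ matrix.dir }}/package-lock.json
      # --ignore-scripts: install from the lockfile without running dependency lifecycle scripts
      - run: npm ci --ignore-scripts
      # Fail the PR on high/critical advisories; lower severities are printed but not blocking
      - run: npm audit --audit-level=high
```

The "starts application and tests whether it runs" step from the description is not shown here because the page does not say how the application is started; it would be a further job with `needs: audit`.
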
@maxjmohr
Collaborator Author

So I have analyzed https://guide.opencode.de/projekte/spiegeln/#so-funktioniert-die-pull-spiegelung and how to mirror our repo to OpenCode. I have created the file that we have to move in the OpenCode gitlab repo: .gitlab-ci.yml

However, most of the steps require admin access to create tokens and configure settings, so @jzakotnik here in short what we have to do (the guide at the top explains in detail):

  1. I guess we want to use the already existing OpenCode repo? Then I would suggest to clear all branches in the repo and create a new main branch with .gitlab-ci.yml in the root.
  2. Create GITLAB_PAT access token as described in the guide and add to settings accordingly. Same for GITLAB_PAT_NAME. Also make sure that the variables and branch are accessible.
  3. Add a pipeline timeline, perhaps every 2 weeks to mirror the repo?

Let me know if anything is unclear.

@maxjmohr
Collaborator Author

@jzakotnik Instead of the GitLab pull mirror, I have now created this workflow that runs after successful GitHub release creation (so on push to main, at the very end):

...
  push_to_opencode:
    name: Push main to OpenCode Repository
    runs-on: ubuntu-latest
    needs: release
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Configure Git
        run: |
          git config user.name "GitHub → OpenCode Bot"
          git config user.email "mirror@opencode.de"

      - name: Add OpenCode GitLab remote
        run: |
          git remote add opencode \
            https://oauth2:${{ secrets.OPENCODE_GITLAB_PAT }}@gitlab.opencode.de/openkfw/truspace.git

      - name: Push main to OpenCode
        run: |
          git push opencode main:main --force

This should then sync main to the OpenCode GitLab main.
I have already created the secret in our GitHub repo. However, I haven't been able to test this yet.
If we want this, we can also clean up OpenCode, i.e. delete all branches other than main.

FYI: I have kept .gitlab-ci.yml for now; if the push workflow works we can delete the file afterwards.
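
A hardened variant of the push_to_opencode job shown above, as an added example rather than the project's workflow (the secret name, the `needs: release` job id and the GitLab remote URL are taken from the comment; the credential-helper approach is the change). Three things the version above leaves open: the PAT becomes part of the stored remote URL in .git/config on the runner, the checkout also persists GITHUB_TOKEN in that same file, and `--force` overwrites whatever is on the mirror's main without noticing that it diverged. The job below reads the token from the environment through a credential helper, drops repository write permission, and pushes fast-forward only, so a diverged mirror fails the job instead of being silently rewritten.

```yaml
  # Added example (not the project's workflow): mirror main to OpenCode without
  # persisting the token and without an unconditional force push.
  push_to_opencode:
    name: Push main to OpenCode Repository
    runs-on: ubuntu-latest
    needs: release
    permissions:
      contents: read             # this job only reads the GitHub repo; the GitLab PAT is a separate secret
    env:
      OPENCODE_REMOTE: https://gitlab.opencode.de/openkfw/truspace.git
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0                # full history, otherwise the push is rejected as shallow
          persist-credentials: false    # do not keep GITHUB_TOKEN in .git/config next to the GitLab push

      # The helper hands git "username=oauth2" / "password=<PAT>" on demand, read from the step
      # environment, so the token is neither in the remote URL nor written to .git/config.
      - name: Push main to OpenCode (fast-forward only)
        env:
          OPENCODE_GITLAB_PAT: ${{ secrets.OPENCODE_GITLAB_PAT }}
        run: |
          git config credential.helper '!f() { echo "username=oauth2"; echo "password=${OPENCODE_GITLAB_PAT}"; }; f'
          # No --force: if the mirror's main is not an ancestor of ours, someone pushed to the
          # mirror directly or rewrote history. Fail loudly here and look at it before overwriting.
          git push "$OPENCODE_REMOTE" main:main
```

Note that `main:main` pushes only that branch; the tags created by the GitHub release step are not carried over unless the push also lists them (for example `git push "$OPENCODE_REMOTE" main:main --tags`). Whether OpenCode should receive the tags is a project decision the comment does not settle.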

@maxjmohr maxjmohr marked this pull request as ready for review December 17, 2025 15:13
Base automatically changed from dev to main December 30, 2025 12:35