From a4abc6f9928789817d37523f58ef83c653b556a2 Mon Sep 17 00:00:00 2001
From: Sven Dolderer <sven.dolderer@mercedes-benz.com>
Date: Wed, 30 Oct 2024 18:23:55 +0100
Subject: [PATCH 1/3] k8s probing added #3517

---
 .../docker/Web-UI-Debian.dockerfile           | 56 ++++++++++---------
 sechub-web-ui-solution/docker/nginx.conf      |  6 +-
 .../helm/sechub-web-ui/Chart.yaml             |  2 +-
 .../sechub-web-ui/templates/deployment.yaml   | 38 ++++++-------
 sechub-webui-solution/README.adoc             |  8 ---
 5 files changed, 52 insertions(+), 58 deletions(-)
 delete mode 100644 sechub-webui-solution/README.adoc

diff --git a/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile b/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile
index 11b4249e9..00e309af5 100644
--- a/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile
+++ b/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile
@@ -66,22 +66,30 @@ RUN echo "build stage"
 #-------------------
 
 FROM ${BASE_IMAGE} AS web-ui
+ARG HTDOCS_FOLDER="/var/www/html"
 ARG USER=www-data
 ARG WEB_UI_ARTIFACTS="/artifacts"
-ARG WEB_UI_FOLDER="/var/www/html/"
-
-COPY --from=builder "${WEB_UI_ARTIFACTS}/.output/public" "${WEB_UI_FOLDER}"
 
 # env vars in container
 ENV UID="4242"
 ENV GID="${UID}"
+ENV CERTIFICATE_DIRECTORY="/etc/nginx/certificates"
+ENV LOADBALANCER_START_MODE="server"
 ENV WEB_UI_VERSION="${WEB_UI_VERSION}"
-ENV WEB_UI_FOLDER="${WEB_UI_FOLDER}"
+ENV HTDOCS_FOLDER="${HTDOCS_FOLDER}"
 
-# non-root user
-# using fixed group and user ids
+# using fixed group and user ids + prepare alive check file
 RUN usermod -u "$UID" "$USER" && \
-    groupmod -g "$GID" "$USER"
+    groupmod -g "$GID" "$USER" && \
+    NGINX_ALIVE_DIR="$HTDOCS_FOLDER/health"
+    mkdir -p "$NGINX_ALIVE_DIR"
+    echo "SecHub Web-UI is alive" > "$NGINX_ALIVE_DIR/alive.html"
+
+# Copy configuration script
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Copy run script into container
+COPY run.sh /run.sh
 
 RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get update && \
@@ -98,31 +106,25 @@ RUN cd /tmp && \
         -nodes \
         -x509 \
         -subj "/C=DE/ST=BW/L=Stuttgart/O=Loadbalancer/CN=localhost" \
-        -keyout localhost.key \
-        -out localhost.cert
+        -keyout sechub-web-ui.key \
+        -out sechub-web-ui.cert
 
-# Certificates
-RUN mkdir -p /certificates && \
-    mv /tmp/localhost.cert /certificates/localhost.cert && \
-    mv /tmp/localhost.key /certificates/localhost.key
+# Prepare certificates
+RUN mkdir -p "$CERTIFICATE_DIRECTORY" && \
+    mv /tmp/sechub-web-ui.cert "$CERTIFICATE_DIRECTORY"/sechub-web-ui.cert && \
+    mv /tmp/sechub-web-ui.key "$CERTIFICATE_DIRECTORY"/sechub-web-ui.key && \
+    # Generate ephemeral Diffie-Hellman paramaters for perfect forward secrecy
+    # see: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#toc_5
+    openssl dhparam -out "$CERTIFICATE_DIRECTORY"/certsdhparam.pem 2048
 
-# Generate ephemeral Diffie-Hellman paramaters for perfect forward secrecy
-# see: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#toc_5
-RUN openssl dhparam -out /certificates/certsdhparam.pem 2048
-
-# Copy configuration script
-COPY nginx.conf /etc/nginx/nginx.conf
+# Copy content to web server's document root
+COPY --from=builder "${WEB_UI_ARTIFACTS}/.output/public" "${HTDOCS_FOLDER}"
 
 # Create PID file and set permissions
 RUN touch /var/run/nginx.pid && \
-    chmod 755 ${WEB_UI_FOLDER} && \
-    chown -R "$USER:$USER" /certificates /var/log/nginx /var/lib/nginx /etc/nginx/conf.d /var/run/nginx.pid ${WEB_UI_FOLDER}
-
-# Copy run script into container
-COPY run.sh /run.sh
-RUN chmod +x /run.sh
-
-ENV LOADBALANCER_START_MODE=server
+    chmod 755 "$HTDOCS_FOLDER" && \
+    chown -R "$USER:$USER" "$CERTIFICATE_DIRECTORY" "$HTDOCS_FOLDER" /var/log/nginx /var/lib/nginx /etc/nginx/conf.d /var/run/nginx.pid && \
+    chmod +x /run.sh
 
 # Switch from root to non-root user
 USER "$USER"
diff --git a/sechub-web-ui-solution/docker/nginx.conf b/sechub-web-ui-solution/docker/nginx.conf
index 273161f0f..798c341bf 100644
--- a/sechub-web-ui-solution/docker/nginx.conf
+++ b/sechub-web-ui-solution/docker/nginx.conf
@@ -25,12 +25,12 @@ http {
          index  index.html index.htm;
       }
 
-      ssl_certificate /certificates/localhost.cert;
-      ssl_certificate_key /certificates/localhost.key;
+      ssl_certificate /etc/nginx/certificates/sechub-web-ui.cert;
+      ssl_certificate_key /etc/nginx/certificates/sechub-web-ui.key;
       ssl_protocols TLSv1.2 TLSv1.3;
       ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
       ssl_prefer_server_ciphers on;
-      ssl_dhparam /certificates/certsdhparam.pem;
+      ssl_dhparam /etc/nginx/certificates/certsdhparam.pem;
       ssl_ecdh_curve secp384r1;
 
       ssl_session_timeout 1d;
diff --git a/sechub-web-ui-solution/helm/sechub-web-ui/Chart.yaml b/sechub-web-ui-solution/helm/sechub-web-ui/Chart.yaml
index 8459dea9a..853da2851 100644
--- a/sechub-web-ui-solution/helm/sechub-web-ui/Chart.yaml
+++ b/sechub-web-ui-solution/helm/sechub-web-ui/Chart.yaml
@@ -11,4 +11,4 @@ type: application
 # This version number should be incremented each time you make changes to the chart and its templates.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 0.1.0
+version: 0.2.0
diff --git a/sechub-web-ui-solution/helm/sechub-web-ui/templates/deployment.yaml b/sechub-web-ui-solution/helm/sechub-web-ui/templates/deployment.yaml
index bbf02b3bd..8d170bfb2 100644
--- a/sechub-web-ui-solution/helm/sechub-web-ui/templates/deployment.yaml
+++ b/sechub-web-ui-solution/helm/sechub-web-ui/templates/deployment.yaml
@@ -79,25 +79,25 @@ spec:
         ports:
         - name: {{ .Values.name }}-https
           containerPort: 8443
-#        startupProbe:
-#          httpGet:
-#            scheme: HTTPS
-#            path: /alive-test.html
-#            port: {{ .Values.name }}-https
-#          failureThreshold: 24
-#          periodSeconds: 5
-#          successThreshold: 1
-#          timeoutSeconds: 1
-#          initialDelaySeconds: 5
-#        livenessProbe:
-#          httpGet:
-#            scheme: HTTPS
-#            path: /alive-test.html
-#            port: {{ .Values.name }}-https
-#          failureThreshold: 3
-#          periodSeconds: 10
-#          successThreshold: 1
-#          timeoutSeconds: 3
+        startupProbe:
+          httpGet:
+            scheme: HTTPS
+            path: /health/alive.html
+            port: {{ .Values.name }}-https
+          failureThreshold: 24
+          periodSeconds: 2
+          successThreshold: 1
+          timeoutSeconds: 1
+          initialDelaySeconds: 5
+        readinessProbe:
+          httpGet:
+            scheme: HTTPS
+            path: /health/alive.html
+            port: {{ .Values.name }}-https
+          failureThreshold: 2
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 1
         volumeMounts:
 {{- if ne .Values.web_ui.ssl.keystoreAlias "undefined" }}
           - mountPath: /sechub-web-ui/secrets/secret-ssl
diff --git a/sechub-webui-solution/README.adoc b/sechub-webui-solution/README.adoc
deleted file mode 100644
index eb4b1943c..000000000
--- a/sechub-webui-solution/README.adoc
+++ /dev/null
@@ -1,8 +0,0 @@
-// SPDX-License-Identifier: MIT
-
-== Web UI Image
-
-The files to create the Web UI container image.
-The Web UI is a Vue.js SPA build with nuxt.js and is build on a node.js image.
-
-NITRO_SSL_CERT and NITRO_SSL_KEY - if both are present, this will launch the server in HTTPS mode. In the vast majority of cases, this should not be used other than for testing, and the Nitro server should be run behind a reverse proxy like nginx or Cloudflare which terminates SSL.

From b88ac32705969714d1c35be670b17791a80f65f2 Mon Sep 17 00:00:00 2001
From: Sven Dolderer <sven.dolderer@mercedes-benz.com>
Date: Thu, 31 Oct 2024 16:15:50 +0100
Subject: [PATCH 2/3] web-ui dockerfile improved #3517

---
 .../docker/Web-UI-Debian.dockerfile           | 32 +++++++++----------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile b/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile
index 00e309af5..3d59ec5f0 100644
--- a/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile
+++ b/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile
@@ -5,25 +5,24 @@
 #-------------------
 
 # The image argument needs to be placed on top
+ARG BASE_IMAGE
 ARG NODE_VERSION="22.9.0"
 ARG NODE_BASE_IMAGE="node:${NODE_VERSION}-slim"
-ARG BASE_IMAGE
+ARG WEB_UI_ARTIFACTS="/artifacts"
 
 # Build args
 ARG WEB_UI_VERSION
 ARG BUILD_TYPE
 
-ARG NODE_ENV
 #-------------------
 # Builder Build
 #-------------------
-
 FROM ${NODE_BASE_IMAGE} AS builder-build
 ARG GIT_URL="https://github.com/mercedes-benz/sechub.git"
 ARG GIT_BRANCH
 ARG GIT_TAG
 ARG WEB_UI_BUILD_FOLDER="/build"
-ARG WEB_UI_ARTIFACTS="/artifacts"
+ARG WEB_UI_ARTIFACTS
 
 RUN mkdir --parent "${WEB_UI_ARTIFACTS}"
 RUN mkdir --parent "${WEB_UI_BUILD_FOLDER}"
@@ -46,9 +45,8 @@ RUN cd "${WEB_UI_BUILD_FOLDER}" && \
 #-------------------
 # Builder Copy Build
 #-------------------
-
 FROM ${NODE_BASE_IMAGE} AS builder-copy
-ARG WEB_UI_ARTIFACTS="/artifacts"
+ARG WEB_UI_ARTIFACTS
 
 RUN mkdir --parent "${WEB_UI_ARTIFACTS}"
 
@@ -57,18 +55,17 @@ COPY ./copy "${WEB_UI_ARTIFACTS}"
 #-------------------
 # Builder
 #-------------------
-
-FROM builder-${BUILD_TYPE} as builder
+FROM builder-${BUILD_TYPE} AS builder
 RUN echo "build stage"
 
 #-------------------
 # WebUI Server Image
 #-------------------
-
 FROM ${BASE_IMAGE} AS web-ui
 ARG HTDOCS_FOLDER="/var/www/html"
 ARG USER=www-data
-ARG WEB_UI_ARTIFACTS="/artifacts"
+ARG WEB_UI_ARTIFACTS
+ARG WEB_UI_VERSION
 
 # env vars in container
 ENV UID="4242"
@@ -81,13 +78,10 @@ ENV HTDOCS_FOLDER="${HTDOCS_FOLDER}"
 # using fixed group and user ids + prepare alive check file
 RUN usermod -u "$UID" "$USER" && \
     groupmod -g "$GID" "$USER" && \
-    NGINX_ALIVE_DIR="$HTDOCS_FOLDER/health"
-    mkdir -p "$NGINX_ALIVE_DIR"
+    NGINX_ALIVE_DIR="$HTDOCS_FOLDER/health" && \
+    mkdir -p "$NGINX_ALIVE_DIR" && \
     echo "SecHub Web-UI is alive" > "$NGINX_ALIVE_DIR/alive.html"
 
-# Copy configuration script
-COPY nginx.conf /etc/nginx/nginx.conf
-
 # Copy run script into container
 COPY run.sh /run.sh
 
@@ -97,6 +91,9 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get --assume-yes install nginx openssl sed && \
     apt-get --assume-yes clean
 
+# Copy configuration script
+COPY nginx.conf /etc/nginx/nginx.conf
+
 # Create self-signed certificate
 RUN cd /tmp && \
     openssl req \
@@ -107,7 +104,8 @@ RUN cd /tmp && \
         -x509 \
         -subj "/C=DE/ST=BW/L=Stuttgart/O=Loadbalancer/CN=localhost" \
         -keyout sechub-web-ui.key \
-        -out sechub-web-ui.cert
+        -out sechub-web-ui.cert \
+    2>&1 | sed 's/\.//g'
 
 # Prepare certificates
 RUN mkdir -p "$CERTIFICATE_DIRECTORY" && \
@@ -115,7 +113,7 @@ RUN mkdir -p "$CERTIFICATE_DIRECTORY" && \
     mv /tmp/sechub-web-ui.key "$CERTIFICATE_DIRECTORY"/sechub-web-ui.key && \
     # Generate ephemeral Diffie-Hellman paramaters for perfect forward secrecy
     # see: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#toc_5
-    openssl dhparam -out "$CERTIFICATE_DIRECTORY"/certsdhparam.pem 2048
+    openssl dhparam -out "$CERTIFICATE_DIRECTORY"/certsdhparam.pem 2048 2>&1 | sed 's/\.//g'
 
 # Copy content to web server's document root
 COPY --from=builder "${WEB_UI_ARTIFACTS}/.output/public" "${HTDOCS_FOLDER}"

From 38945785a5b020424ab942b021ea6907ae4037ed Mon Sep 17 00:00:00 2001
From: Sven Dolderer <sven.dolderer@mercedes-benz.com>
Date: Thu, 31 Oct 2024 16:51:04 +0100
Subject: [PATCH 3/3] initial web-ui release workflow

incomplete - but it needs to be in develop branch in order to test it
---
 .github/workflows/release-web-ui.yml | 257 +++++++++++++++++++++++++++
 1 file changed, 257 insertions(+)
 create mode 100644 .github/workflows/release-web-ui.yml

diff --git a/.github/workflows/release-web-ui.yml b/.github/workflows/release-web-ui.yml
new file mode 100644
index 000000000..9737b3f50
--- /dev/null
+++ b/.github/workflows/release-web-ui.yml
@@ -0,0 +1,257 @@
+# SPDX-License-Identifier: MIT
+name: Release Web UI
+
+on:
+  workflow_dispatch:
+    inputs:
+      actor-email:
+        description: Insert your email address here. It will be used in the generated pull requests
+        required: true
+      web-ui-version:
+        description: Web-UI Version (e.g. 0.1.0)
+        required: true
+      web-ui-milestone-number:
+        description: Web-UI Milestone number (e.g. 70)
+        required: true
+
+permissions:
+  contents: write
+  issues: write
+  packages: write
+  pull-requests: write
+
+env:
+  ACTIONS_BASE_IMAGE_DEBIAN: debian:12-slim
+  ACTIONS_SECHUB_REGISTRY: ghcr.io/mercedes-benz/sechub
+  ACTIONS_HELM_REGISTRY: "oci://ghcr.io/mercedes-benz/sechub/helm-charts"
+
+jobs:
+  release-version:
+    name: Create Web-UI release
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: "Show Inputs"
+        run: |
+          echo "actor-email: '${{ inputs.actor-email }}'"
+          echo "Web-UI '${{ inputs.web-ui-version }}' - Milestone '${{ inputs.web-ui-milestone-number }}'"
+
+      # Check inputs:
+      - name: "Verify Input for Web-UI release"
+        if: (inputs.web-ui-version == '') || (inputs.web-ui-milestone-number == '')
+        run: |
+          echo "For Web-UI release, web-ui-version and web-ui-milestone-number must be provided!"
+          exit 1
+
+      - name: Checkout master
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        with:
+          ref: master
+
+      # Create temporary local tag, so we build for this tag...
+      # The final tag on git server side will be done automatically by the release when the draft is saved as "real" release
+      - name: "Temporary tag server version: v${{ inputs.web-ui-version }}-web-ui"
+        run: git tag v${{ inputs.web-ui-version }}-web-ui
+
+      # ----------------------
+      # Setup + Caching
+      # ----------------------
+      - name: Set up JDK 17
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73
+        with:
+          java-version: 17
+          distribution: temurin
+
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808
+        with:
+          cache-read-only: false
+
+      - name: Docker login to ghcr.io
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # ----------------------
+      # Create pull request if license headers are missing
+      # ----------------------
+      - name: run apply-headers.sh
+        id: apply-headers
+        run: |
+          git config user.name "$GITHUB_TRIGGERING_ACTOR (via github-actions)"
+          git config user.email "${{ inputs.actor-email }}"
+          ./apply-headers.sh
+          git commit -am "SPDX headers added by SecHub release job @github-actions" || true
+          COMMITS=`git log --oneline --branches --not --remotes`
+          echo "commits=$COMMITS" >> $GITHUB_OUTPUT
+
+      - name: Create pull request for SPDX license headers
+        id: pr_spdx_headers
+        if: steps.apply-headers.outputs.commits != ''
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f
+        with:
+          branch: release-spdx-headers
+          branch-suffix: short-commit-hash
+          delete-branch: true
+          title: '0 - Before web-ui release: Add missing SPDX license headers [auto-generated]'
+          body: |
+            Auto-generated by Github Actions web-ui release job.
+
+            -> Please review and merge **before** publishing the web-ui release.
+
+      - name: Print PR infos
+        if: steps.apply-headers.outputs.commits != ''
+        run: |
+          echo "Pull Request Number - ${{ steps.pr_spdx_headers.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.pr_spdx_headers.outputs.pull-request-url }}"
+
+      # ----------------------
+      # Build SecHub Web-UI
+      # ----------------------
+      # tbd
+
+      - name: Collect GIT status
+        if: always()
+        run: |
+          # restore reduced-openapi3.json
+          git restore sechub-api-java/src/main/resources/reduced-openapi3.json
+          mkdir -p build/reports
+          git status > build/reports/git-status.txt
+          echo "--- git tags:" >> build/reports/git-status.txt
+          git tag --points-at HEAD >> build/reports/git-status.txt
+
+      - name: Archive GIT status
+        if: always()
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
+        with:
+          name: git-status.txt
+          path: build/reports/git-status.txt
+          retention-days: 14
+
+      - name: Archive Web-UI artifacts
+        if: always()
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
+        with:
+          name: sechub-web-ui
+          path: sechub-web-ui/build/libs
+          retention-days: 14
+
+      # -----------------------------------------
+      # Assert releaseable: Check for uncommitted changes
+      # -----------------------------------------
+      - name: Assert releasable
+        run: |
+          git status
+          ./gradlew assertReleaseable
+
+      - name: Create Web-UI release
+        id: create_web-ui_release
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+        with:
+          tag_name: v${{ inputs.web-ui-version }}-web-ui
+          commitish: master
+          release_name: web-ui Version ${{ inputs.web-ui-version }}
+          body: |
+            Changes in this Release
+            - Some minor changes on Web-UI implementation
+
+            For more details please look at [Milestone ${{inputs.web-ui-milestone-number}}]( https://github.com/mercedes-benz/sechub/milestone/${{inputs.web-ui-milestone-number}}?closed=1)
+          draft: true
+          prerelease: false
+
+      - name: Create sha256 checksum file for Web-UI jar
+        run: |
+          cd sechub-web-ui/build/libs
+          sha256sum sechub-web-ui-${{ inputs.web-ui-version }}.jar > sechub-web-ui-${{ inputs.web-ui-version }}.jar.sha256sum
+
+      - name: Upload Web-UI release asset sechub-web-ui-${{ inputs.web-ui-version }}.jar
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_web-ui_release.outputs.upload_url }}
+          asset_path: sechub-web-ui/build/libs/sechub-web-ui-${{ inputs.web-ui-version }}.jar
+          asset_name: sechub-web-ui-${{ inputs.web-ui-version }}.jar
+          asset_content_type: application/zip
+
+      - name: Upload Web-UI release asset sechub-web-ui-${{ inputs.web-ui-version }}.jar.sha256sum
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_web-ui_release.outputs.upload_url }}
+          asset_path: sechub-web-ui/build/libs/sechub-web-ui-${{ inputs.web-ui-version }}.jar.sha256sum
+          asset_name: sechub-web-ui-${{ inputs.web-ui-version }}.jar.sha256sum
+          asset_content_type: text/plain
+
+      # -----------------------------------------
+      # Create release issue
+      # -----------------------------------------
+      - name: Create SecHub Web-UI ${{ inputs.web-ui-version }} release issue
+        uses: dacbd/create-issue-action@main
+        with:
+          token: ${{ github.token }}
+          title: Release SecHub Web-UI ${{ inputs.web-ui-version }}
+          body: |
+            See [Milestone ${{inputs.web-ui-milestone-number}}]( https://github.com/mercedes-benz/sechub/milestone/${{inputs.web-ui-milestone-number}}?closed=1) for details.
+
+            Please close this issue after the release.
+          milestone: ${{ inputs.web-ui-milestone-number }}
+
+      # Build SecHub Web-UI container image + push to ghcr
+      - name: Build sechub-web-ui ${{ inputs.web-ui-version }} container image + push to ghcr
+        run: |
+          WEB_SERVER_VERSION="${{ inputs.web-ui-version }}"
+          DOCKER_REGISTRY="$ACTIONS_SECHUB_REGISTRY/sechub-web-ui"
+          VERSION_TAG="${WEB_SERVER_VERSION}"
+          cp sechub-web-ui/build/libs/sechub-web-ui-${WEB_SERVER_VERSION}.jar sechub-web-ui-solution/docker/copy/
+          cd sechub-web-ui-solution
+          echo "# Building image $DOCKER_REGISTRY:$VERSION_TAG"
+          echo "  from $ACTIONS_BASE_IMAGE_DEBIAN"
+          ./10-create-image.sh "$DOCKER_REGISTRY" "$VERSION_TAG" "WEB_SERVER_VERSION" "$ACTIONS_BASE_IMAGE_DEBIAN" copy
+          echo "# Pushing image $DOCKER_REGISTRY:$VERSION_TAG (latest)"
+          ./20-push-image.sh "$DOCKER_REGISTRY" "$VERSION_TAG" yes
+
+      - name: Build sechub-web-ui Helm chart + push to ghcr
+        shell: bash
+        run: |
+          cd sechub-web-ui-solution/helm
+          echo "# Building Helm chart for SecHub Web-UI"
+          helm package sechub-web-ui
+          helm push sechub-web-ui-*.tgz $ACTIONS_HELM_REGISTRY
+
+      # -----------------------------------------
+      # Create a pull request for merging back `master` into `develop`
+      # -----------------------------------------
+      - name: pull-request master to develop
+        id: pr_master_to_develop
+        continue-on-error: true
+        uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          source_branch: "master"
+          destination_branch: "develop"
+          pr_allow_empty: true  # should allow an empty PR, but seems not to work
+          pr_title: '2 - After web-ui release: Merge master back into develop [auto-generated]'
+          pr_body: |
+            After SecHub Web-UI release
+            - Web-UI '${{ inputs.web-ui-version }}'
+
+            Merge master branch back into develop
+
+            -> Please merge **after** the release has been published.
+
+      - name: Print PR infos if PR was created
+        if: steps.pr_master_to_develop.outcome == 'success'
+        run: |
+          echo "Pull Request Number - ${{ steps.pr_master_to_develop.outputs.pr_number }}"
+          echo "Pull Request URL - ${{ steps.pr_master_to_develop.outputs.pr_url }}"
+
+      - name: Print info if no PR was created
+        if: steps.pr_master_to_develop.outcome != 'success'
+        run: |
+          echo "Nothing to merge - no pull request necessary."