feat: ci

corona-warn-app · Jun 5, 2020 · cbda0d1 · cbda0d1
1 parent 8c09a75
commit cbda0d1
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 16 deletions.
diff --git a/.github/workflows/ci.yml → .github/workflows/ci-master.yml b/.github/workflows/ci.yml → .github/workflows/ci-master.yml
@@ -1,13 +1,8 @@
-name: ci
+name: ci-master
 on:
   push:
     branches:
     - master
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -35,16 +30,11 @@ jobs:
         echo "::set-env name=VERSION::${VERSION}"
     - name: mvn version
       run: mvn --batch-mode versions:set -DgenerateBackupPoms=false -DnewVersion=${VERSION}
-    - name: mvn package
-      if: ${{ github.event_name == 'pull_request' }}
-      run: mvn --batch-mode package
     - name: mvn deploy
-      if: ${{ github.event_name == 'push' }}
       run: mvn --batch-mode deploy
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: mvn sonar
-      if: ${{ github.event_name == 'push' }}
       run: |
         mvn --batch-mode verify sonar:sonar \
         -Dsonar.login=${SONAR_TOKEN} \
@@ -60,13 +50,35 @@ jobs:
         name: target
         path: target
     - name: docker build
-      if: ${{ github.event_name == 'pull_request' }}
-      run: docker build .
-    - name: docker build and push
-      if: ${{ github.event_name == 'push' }}
+      run: |
+        docker build \
+        --tag docker.pkg.github.com/${GITHUB_REPOSITORY}/${ARTIFACT_ID}:${VERSION} \
+        --tag ${TRUSTED_URL}/${TRUSTED_REPOSITORY}/${ARTIFACT_ID}:${VERSION} \
+        .
+      env:
+        TRUSTED_URL: ${{ secrets.TRUSTED_URL }}
+        TRUSTED_REPOSITORY: ${{ secrets.TRUSTED_REPOSITORY }}
+    - name: docker push github
       run: |
         echo ${GITHUB_TOKEN} | docker login docker.pkg.github.com -u ${GITHUB_REPOSITORY_OWNER} --password-stdin
-        docker build --tag docker.pkg.github.com/${GITHUB_REPOSITORY}/${ARTIFACT_ID}:${VERSION} .
         docker push docker.pkg.github.com/${GITHUB_REPOSITORY}/${ARTIFACT_ID}:${VERSION}
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: docker push trusted
+      run: |
+        echo ${TRUSTED_TOKEN} | docker login ${TRUSTED_URL} -u ${TRUSTED_USER} --password-stdin
+        export DOCKER_CONTENT_TRUST=1
+        export DOCKER_CONTENT_TRUST_SERVER=${TRUSTED_SERVER_URL}
+        export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=${TRUSTED_TOKEN}
+        export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=${TRUSTED_TOKEN}
+        gpg --quiet --batch --yes --decrypt --passphrase=${TRUSTED_TOKEN} \
+        --output trusted.key trusted.key.gpg
+        docker trust key load trusted.key --name user
+        docker trust sign ${TRUSTED_URL}/${TRUSTED_REPOSITORY}/${ARTIFACT_ID}:${VERSION}
+        docker push ${TRUSTED_URL}/${TRUSTED_REPOSITORY}/${ARTIFACT_ID}:${VERSION}
+      env:
+        TRUSTED_URL: ${{ secrets.TRUSTED_URL }}
+        TRUSTED_SERVER_URL: ${{ secrets.TRUSTED_SERVER_URL }}
+        TRUSTED_REPOSITORY: ${{ secrets.TRUSTED_REPOSITORY }}
+        TRUSTED_USER: ${{ secrets.TRUSTED_USER }}
+        TRUSTED_TOKEN: ${{ secrets.TRUSTED_TOKEN }}
diff --git a/.github/workflows/ci-pull-request.yml b/.github/workflows/ci-pull-request.yml
@@ -0,0 +1,28 @@
+name: ci-pull-request
+on:
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+    - uses: actions/cache@v1
+      env:
+        cache-name: m2
+      with:
+        path: ~/.m2/repository
+        key: ${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }}
+        restore-keys: ${{ env.cache-name }}-
+    - uses: actions/setup-java@v1
+      with:
+        java-version: 11
+    - name: mvn package
+      run: mvn --batch-mode package
+    - name: docker build
+      run: docker build .
diff --git a/trusted.key.gpg b/trusted.key.gpg