From cbda0d12eb9be65ff12f0ef74f30a969ca31d98e Mon Sep 17 00:00:00 2001
From: Julien Hagestedt
Date: Fri, 5 Jun 2020 08:30:40 +0200
Subject: [PATCH] feat: ci
---
 .github/workflows/{ci.yml => ci-master.yml} | 44 +++++++++++++-------
 .github/workflows/ci-pull-request.yml | 28 +++++++++++++
 trusted.key.gpg | Bin 0 -> 2570 bytes
 3 files changed, 56 insertions(+), 16 deletions(-)
 rename .github/workflows/{ci.yml => ci-master.yml} (58%)
 create mode 100644 .github/workflows/ci-pull-request.yml
 create mode 100644 trusted.key.gpg
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci-master.yml
similarity index 58%
rename from .github/workflows/ci.yml
rename to .github/workflows/ci-master.yml
index bba6f46..3ad94be 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci-master.yml
@@ -1,13 +1,8 @@
-name: ci
+name: ci-master
 on:
 push:
 branches:
 - master
- pull_request:
- types:
- - opened
- - synchronize
- - reopened
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -35,16 +30,11 @@ jobs:
 echo "::set-env name=VERSION::${VERSION}"
 - name: mvn version
 run: mvn --batch-mode versions:set -DgenerateBackupPoms=false -DnewVersion=${VERSION}
- - name: mvn package
- if: ${{ github.event_name == 'pull_request' }}
- run: mvn --batch-mode package
 - name: mvn deploy
- if: ${{ github.event_name == 'push' }}
 run: mvn --batch-mode deploy
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: mvn sonar
- if: ${{ github.event_name == 'push' }}
 run: |
 mvn --batch-mode verify sonar:sonar \
 -Dsonar.login=${SONAR_TOKEN} \
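Review bot: With the `if:` guards removed, the `mvn deploy` step in this hunk now publishes the artifact on every master push before the `mvn sonar` step runs `verify sonar:sonar`, so the analysis result can never gate what was deployed and the test phase is executed twice; the order is inherited from the old file, but the removed conditions were the only thing that made the two steps look like separate paths, so consider moving the deploy step after the sonar step. The context line `echo "::set-env name=VERSION::${VERSION}"` uses the `set-env` workflow command, which GitHub has since deprecated because of an injection weakness; the supported form is `echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"`. The step that computes VERSION starts outside the hunk.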
@@ -60,13 +50,35 @@ jobs:
 name: target
 path: target
 - name: docker build
- if: ${{ github.event_name == 'pull_request' }}
- run: docker build .
- - name: docker build and push
- if: ${{ github.event_name == 'push' }}
+ run: |
+ docker build \
+ --tag docker.pkg.github.com/${GITHUB_REPOSITORY}/${ARTIFACT_ID}:${VERSION} \
+ --tag ${TRUSTED_URL}/${TRUSTED_REPOSITORY}/${ARTIFACT_ID}:${VERSION} \
+ .
+ env:
+ TRUSTED_URL: ${{ secrets.TRUSTED_URL }}
+ TRUSTED_REPOSITORY: ${{ secrets.TRUSTED_REPOSITORY }}
+ - name: docker push github
 run: |
 echo ${GITHUB_TOKEN} | docker login docker.pkg.github.com -u ${GITHUB_REPOSITORY_OWNER} --password-stdin
- docker build --tag docker.pkg.github.com/${GITHUB_REPOSITORY}/${ARTIFACT_ID}:${VERSION} .
 docker push docker.pkg.github.com/${GITHUB_REPOSITORY}/${ARTIFACT_ID}:${VERSION}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: docker push trusted
+ run: |
+ echo ${TRUSTED_TOKEN} | docker login ${TRUSTED_URL} -u ${TRUSTED_USER} --password-stdin
+ export DOCKER_CONTENT_TRUST=1
+ export DOCKER_CONTENT_TRUST_SERVER=${TRUSTED_SERVER_URL}
+ export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=${TRUSTED_TOKEN}
+ export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=${TRUSTED_TOKEN}
+ gpg --quiet --batch --yes --decrypt --passphrase=${TRUSTED_TOKEN} \
+ --output trusted.key trusted.key.gpg
+ docker trust key load trusted.key --name user
+ docker trust sign ${TRUSTED_URL}/${TRUSTED_REPOSITORY}/${ARTIFACT_ID}:${VERSION}
+ docker push ${TRUSTED_URL}/${TRUSTED_REPOSITORY}/${ARTIFACT_ID}:${VERSION}
+ env:
+ TRUSTED_URL: ${{ secrets.TRUSTED_URL }}
+ TRUSTED_SERVER_URL: ${{ secrets.TRUSTED_SERVER_URL }}
+ TRUSTED_REPOSITORY: ${{ secrets.TRUSTED_REPOSITORY }}
+ TRUSTED_USER: ${{ secrets.TRUSTED_USER }}
+ TRUSTED_TOKEN: ${{ secrets.TRUSTED_TOKEN }}
diff --git a/.github/workflows/ci-pull-request.yml b/.github/workflows/ci-pull-request.yml
new file mode 100644
index 0000000..1ed8614
--- /dev/null
+++ b/.github/workflows/ci-pull-request.yml
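Review bot: The new `docker push trusted` step reuses the single `TRUSTED_TOKEN` secret as the registry password, as both `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE` and `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE`, and as the GPG passphrase that unlocks the committed `trusted.key.gpg`, so one leaked value yields push access and the ability to produce trusted signatures; the passphrases should be distinct secrets from the login credential. The `gpg ... --passphrase=${TRUSTED_TOKEN}` line also places that secret on the command line, where it is visible in the process table, and the decrypted `trusted.key` is left in the workspace for the rest of the job; feed the passphrase on stdin and delete the plaintext key once loaded, e.g. `printf '%s' "${TRUSTED_KEY_PASSPHRASE}" | gpg --quiet --batch --yes --pinentry-mode loopback --passphrase-fd 0 --decrypt --output trusted.key trusted.key.gpg`, then `rm -f trusted.key` after the `docker trust key load` line, with `TRUSTED_KEY_PASSPHRASE: ${{ secrets.TRUSTED_KEY_PASSPHRASE }}` (name illustrative) added to the step's `env:`. Committing the encrypted signing key itself means it now lives in every clone and in history, protected only by that passphrase, so rotating it requires a new commit; storing it as a secret instead would keep it out of the repository. It also looks like `docker trust sign` already pushes and signs the tag, so the following `docker push` with `DOCKER_CONTENT_TRUST=1` would sign it a second time — confirm and drop one of the two.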
@@ -0,0 +1,28 @@
+name: ci-pull-request
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - uses: actions/cache@v1
+ env:
+ cache-name: m2
+ with:
+ path: ~/.m2/repository
+ key: ${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }}
+ restore-keys: ${{ env.cache-name }}-
+ - uses: actions/setup-java@v1
+ with:
+ java-version: 11
+ - name: mvn package
+ run: mvn --batch-mode package
+ - name: docker build
+ run: docker build .
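Review bot: `fetch-depth: 0` in the checkout step fetches the full history, but nothing in this workflow reads git history — the steps are `mvn package` and `docker build .` — so it only slows the checkout; it looks copied from ci-master.yml, where a version step presumably needs it, and can be dropped here. The `types:` list under `pull_request:` is exactly the default set for that event, so the stanza reduces to `pull_request:` with no `types:` key; if parity with ci-master.yml is intended, `branches: - master` is the filter that actually changes behaviour. The checkout/cache/setup-java preamble now exists in two workflow files and will drift; a reusable composite step or shared comment pointing at the other file would help. Minor: write `java-version: "11"` as a string so a later `11.0` does not parse as a float.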
diff --git a/trusted.key.gpg b/trusted.key.gpg new file mode 100644 index 0000000000000000000000000000000000000000..1794db352fa483e838e606a535a9249255410e88 GIT binary patch literal 2570 zcmV+l3ib7j4Fm}T0+JB~g4Cg_3h2`70f6aEv~~RHA~N1vU2_A94x_d*YT`gg?}oQ&P7>;LpVWy0G$^gAnZ~`fCgYl?;z1T$%7Oh?y5lqO-1N`P6q| z^B+4FfSfNJ*F>H;6D6zGGyMSR8P9P1M9Ccmf*@TE%vQpp=yfcxmi$~YydO@9`f)c_ zXo|Wh{Gv_R4>{n7C%T#mQZ{zYetJf>K-oJ6#;+2EqGtatFT5-o8!3POjHDBKqeT#k zDwu`b?NwwE5?~7HnI;s6w0&CDG)Hbj*O@bmIxl}gdwsa&#!=k=m)N+Ufsw#&1;_2S zkAeg_HU7tgo>jT{H;&?Z_Mqle09xavxsYUHsEeUHuMp`gx6A>VFO%LJA7+1_sMwjs z{bpnw(9`!><@f@3mV&XIS@{nMgO+M|5AfB5!{ySQIMc)J}a#h%sO-;Gj>p&K2$rZ#YMoxLsEhls zaYY68Wa|Z8EKSLIFoS;%L0gC z*$DBb`R67*{WSftm*70r*{t*BC{o(CY@Rnelscq-}KOL}lR(b3tO#`Zq zkS!4Bp~D^Z0BLN!a`HVLP1gZlTK+l5X+Mx6gDW#cW|AN$c8V99Eq-RNmT-fP|4oFQH7-NuHCl?!=%V^FJ~0Tc8EE&>PJg5oN{#+mxtZz9?wBZ!8#c!U-9Nzj17|zs&bdUn9}} zsc_#zp?d*BhuZJwndtOJm{|sW5#93JF;_Q1iKc{_^vToms5f1t@)J5FLg5Y(J!-Z} z>-n}NH$j?EH6>A9d#XpgU)st&bWoAzPhryMNi4=kY#l`61aH_m)FnSYjp2q%`BfSr z!mT7m_-OXJ%YmL*OL{n?wMO%mUU|{vQebi5L7ue2$C-jZM3R17M!+9Sv2yo_7Nm%= zsS7h03q6S11n?MHF7rR|W$hxQM@yLw-yL|ytz9QGhwjMdm2ZJr&TpO!{P}T zxJ!+OjkPx^k-2SMIV_XDe;e40O+&!}2}HAH+V@1bhfnvF-vuLLVxv?!SV$Dg$hnE(wq>&^C8RqUY#wdj=0bL&*;+xjKv{ zG=M-SE(QI31y)(-ioBFt)F}iA^BC5I<+7K*Sk|Sf6(x`rhT&k5)t^vpF4XoN=CjQG zE~pvXM>${CAgyDQ3N-X>faxH{XYp5osHnhQb&f@{5}vjAw(fY?z>wM~VyrNU0&GnW?C<5Oaw+@3M8Q zawECf9_dy*%zv;kRw8Sja-4qb^_!TqT{_Ci2{{{fGewRDr(ZBry~!Nd{=AID;FGN~ z5lZuD*fZAHr>0?a1#)HD8ij~aZF7)(KDl7;XMV&YFMxTqqwl(gk`R(2!8gdGSzeiy z`AnMDqG+?C{dLn*+=B^fb?=>ocC#dJH#)SZtpE*kVZ4H+@-B7kW|bQ=+nkkC!`lEz zV`~xt6ZK9J?{MQYCA-itPGCGw6Y>BKug}1AN_YHFwER&U&L#0IM^u3LYDyP*}D*~af+6c6MTH|yYY^kGtt-!Ce$ z-bY)_FqKi``P7UJ!~@xM29z1+VX0CMjv5d9K+8itnxa+3cw#`-nbu+^wBkXk#7cct z-88WZ@YTL)0xITTl2RpQUR+k>`Kfoz$03AkVEt;HK2@0;57VnEtD1ZZ1i)NBhZ64v zI3gO{H~F=_W`*2xowghs<{I~tqG-JSTB>#1F2DS^R2fudL&BnwaXczlLHo9S+dVuY g;