Switching to CodeQL & Dependabot #511
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: IRS build | |
on: | |
workflow_dispatch: # Trigger manually | |
pull_request: | |
paths-ignore: | |
- '**/*.md' | |
- '**/*.txt' | |
- 'charts/**' | |
- '.config/**' | |
- 'docs/**' | |
- 'local/**' | |
- 'CHANGELOG.md' | |
push: | |
branches: | |
- main | |
tags: | |
- '**' | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v4 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
- name: Cache maven packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.m2 | |
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
restore-keys: ${{ runner.os }}-m2 | |
- name: Build with Maven | |
run: | | |
mvn clean verify --batch-mode | |
analyze_with_Sonar: | |
# No need to run if we cannot use the sonar token | |
if: >- | |
(github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && | |
github.actor != 'dependabot[bot]' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of sonar analysis | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v4 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
- name: Cache maven packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.m2 | |
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
restore-keys: ${{ runner.os }}-m2 | |
- name: Cache SonarCloud packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.sonar/cache | |
key: ${{ runner.os }}-sonar | |
restore-keys: ${{ runner.os }}-sonar | |
- name: Analyze with Sonar | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
run: | | |
mvn --batch-mode --update-snapshots verify \ | |
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ | |
-Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }} \ | |
-Dcheckstyle.skip -Dpmd.skip=true | |
build_images: | |
strategy: | |
matrix: | |
image: | |
- irs-api | |
runs-on: ubuntu-latest | |
outputs: | |
image-tag: ${{ steps.version.outputs.image_tag }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build image to make sure Dockerfile is valid | |
run: | | |
# RUN --mount=type=cache is used in the IRS Dockerfile to cache directories for maven. | |
# And the --mount option requires BuildKit. | |
DOCKER_BUILDKIT=1 docker build --build-arg BUILD_TARGET=${{ matrix.image }} --target ${{ matrix.image }} -t ${{ matrix.image }}:latest . | |
- name: Set image version | |
id: version | |
run: | | |
# Strip git ref prefix from version | |
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
# Strip "v" prefix from tag name | |
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') | |
# Support PR ref versions | |
[[ "${{ github.ref }}" == "refs/pull/"* ]] && VERSION=PR-$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\)/merge,\1,') | |
# Use Docker `latest` tag convention | |
[ "$VERSION" == "main" ] && VERSION=latest | |
echo VERSION=$VERSION | |
echo "::set-output name=image_tag::$VERSION" | |
- name: Log in to registry | |
env: | |
DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }} | |
if: >- | |
env.DOCKER_HUB_USER == '' && | |
(github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && | |
github.actor != 'dependabot[bot]' | |
# This is where you will update the PAT to GITHUB_TOKEN | |
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
- name: Push image (GHCR) | |
env: | |
DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }} | |
if: >- | |
env.DOCKER_HUB_USER == '' && | |
(github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && | |
github.actor != 'dependabot[bot]' | |
run: | | |
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/${{ matrix.image }} | |
# Change all uppercase to lowercase | |
IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]') | |
echo IMAGE_ID=$IMAGE_ID | |
docker tag ${{ matrix.image }} $IMAGE_ID:${{ steps.version.outputs.image_tag }} | |
docker push $IMAGE_ID:${{ steps.version.outputs.image_tag }} | |
docker tag ${{ matrix.image }} $IMAGE_ID:$GITHUB_SHA | |
docker push $IMAGE_ID:$GITHUB_SHA | |
- name: Login to Docker Hub | |
env: | |
DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }} | |
if: env.DOCKER_HUB_USER != '' | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_HUB_USER }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Push image (DockerHub) | |
env: | |
DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }} | |
IMAGE_NAMESPACE: tractusx | |
IMAGE_NAME: irs-api | |
if: env.DOCKER_HUB_USER != '' | |
run: | | |
docker tag ${{ matrix.image }} ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.image_tag }} | |
docker push ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.image_tag }} | |
# https://github.com/peter-evans/dockerhub-description | |
- name: Update Docker Hub description | |
env: | |
DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }} | |
IMAGE_NAMESPACE: tractusx | |
IMAGE_NAME: irs-api | |
if: env.DOCKER_HUB_USER != '' && github.event_name != 'pull_request' | |
uses: peter-evans/dockerhub-description@v3 | |
with: | |
username: ${{ secrets.DOCKER_HUB_USER }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }} | |
trigger-trivy-image-scan: | |
if: >- | |
github.event_name != 'pull_request' | |
needs: | |
- build_images | |
uses: ./.github/workflows/trivy-docker-hub-scan.yml |