update deps #214
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # GitHub workflow to build and deploy Kotlin based API Backend | |
| name: kotlin | |
| # Controls when the action will run. Triggers the workflow on push requests only for the main branch | |
| on: | |
| # run on all pull requests (but note that certain steps are skipped if if: github.ref == 'refs/heads/main' ) | |
| pull_request: | |
| paths: [ 'kotlin/**', '.github/workflows/kotlin.yml' ] | |
| push: | |
| # If at least one path matches a pattern in the paths filter, the workflow runs. | |
| paths: [ 'kotlin/**','.github/workflows/kotlin.yml' ] | |
| branches: [ main ] | |
| # A workflow run is made up of one or more jobs that can run sequentially or in parallel | |
| jobs: | |
| build: | |
| # Support [skip ci] out of box with GitHub actions Workaround | |
| # Only works for push https://github.com/actions/runner/issues/774 | |
| if: " ! contains(github.event.head_commit.message, 'skip ci') " | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | |
| - name: Checkout Repo | |
| uses: actions/checkout@v3 | |
| - name: Set up JDK 17 (temurin) | |
| uses: actions/setup-java@v3 | |
| with: | |
| # setup-java v2 supports temurin + zulu distros, see https://github.com/actions/setup-java | |
| distribution: 'temurin' | |
| java-version: 17 | |
| - name: Configure AWS Credentials | |
| # avoid https://github.com/aws-actions/configure-aws-credentials#notice-node12-deprecation-warning | |
| uses: aws-actions/configure-aws-credentials@v3.0.1 | |
| if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: eu-central-1 | |
| - name: Pull Environment Config from AWS SSM ParamStore | |
| if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
| run: | | |
| echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> $GITHUB_ENV | |
| echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV | |
| echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV | |
| # Cache Java / Gradle Dependencies | |
| # https://github.com/actions/cache/blob/main/examples.md#java---gradle | |
| # https://docs.github.com/en/actions/language-and-framework-guides/building-and-testing-java-with-gradle#caching-dependencies | |
| # https://docs.github.com/en/actions/configuring-and-managing-workflows/caching-dependencies-to-speed-up-workflows | |
| - name: Cache Gradle packages | |
| uses: actions/cache@v3.3.2 | |
| with: | |
| path: ~/.gradle/caches | |
| key: ${{ runner.os }}-gradle-${{ hashFiles('**/build.gradle.kts') }} | |
| restore-keys: ${{ runner.os }}-gradle- | |
| # Cache Gradle Wrapper separately | |
| # Inspired by: https://github.com/JetBrains/intellij-platform-plugin-template/actions/runs/242898088/workflow | |
| - name: Setup Gradle Wrapper Cache | |
| uses: actions/cache@v3.3.2 | |
| with: | |
| path: ~/.gradle/wrapper | |
| key: ${{ runner.os }}-gradle-wrapper-${{ hashFiles('**/gradle/wrapper/gradle-wrapper.properties') }} | |
| # Actual Gradle build | |
| - name: Build and test with Gradle | |
| working-directory: ./kotlin | |
| run: | | |
| ./gradlew --console=plain test --fail-fast --stacktrace bootJar | |
| ls -l build/libs/app.jar | |
| env: | |
| CI: true | |
| # make sure to send SPRING_DATASOURCE_URL, _PASSWORD and _USERNAME as GitHub Secrets | |
| SPRING_DATASOURCE_USERNAME: ${{ secrets.SPRING_DATASOURCE_USERNAME }} | |
| SPRING_DATASOURCE_PASSWORD: ${{ secrets.SPRING_DATASOURCE_PASSWORD }} | |
| SPRING_DATASOURCE_URL: ${{ secrets.SPRING_DATASOURCE_URL }} | |
| SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_COGNITO_ISSUER_URI: ${{ secrets.SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_COGNITO_ISSUER_URI }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # for Sonarcloud Needed to get PR information, if any | |
| # Run Sonar after merge into main | |
| - name: Run Sonar Task and publish results | |
| working-directory: ./kotlin | |
| if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
| run: | | |
| SONAR_TOKEN=$(aws ssm get-parameter --name /angkor/prod/SONAR_TOKEN --with-decryption --query 'Parameter.Value' --output text) | |
| ./gradlew --console=plain sonar -Dsonar.token=${SONAR_TOKEN} -Dsonar.projectVersion=${{env.RELEASE_VERSION}} -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=tillkuhn | |
| # sonar is really unreliable these days, this should not stop the entire build (until it gets more stable) | |
| continue-on-error: true | |
| timeout-minutes: 10 | |
| env: | |
| CI: true | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # for Sonarcloud Needed to get PR information, if any | |
| # JUnit Reporting https://github.com/EnricoMi/publish-unit-test-result-action#github-action-to-publish-unit-test-results | |
| - name: Publish Unit Test Results | |
| uses: EnricoMi/publish-unit-test-result-action@v2 | |
| # The if: always() clause guarantees that this action always runs, | |
| # even if earlier steps (e.g., the unit test step) in your workflow fail. | |
| if: ${{ always() && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref }} | |
| with: | |
| files: "./kotlin/build/test-results/**/*.xml" | |
| # Run Hadolint Dockerfile linting tool | |
| # https://github.com/marketplace/actions/hadolint-action | |
| - name: Lint Dockerfile with hadolint | |
| uses: brpaz/hadolint-action@v1.5.0 | |
| with: | |
| dockerfile: ./kotlin/Dockerfile | |
| # Setup Docker buildx to support multi-platform images | |
| # https://github.com/docker/setup-buildx-action | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v2 | |
| if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} # Password or personal access token used to log in to a Docker registry. If not set then no login will occur. | |
| - name: Set LATEST_REPO_TAG env | |
| run: echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> $GITHUB_ENV | |
| # GitHub Action to build and push Docker images including multistage builds | |
| - name: Push to DockerHub | |
| uses: docker/build-push-action@v4 # https://github.com/docker/build-push-action | |
| if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
| with: | |
| context: ./kotlin | |
| file: ./kotlin/Dockerfile | |
| platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386 | |
| push: true | |
| tags: ${{ secrets.DOCKER_USERNAME }}/angkor-api:latest | |
| build-args: | | |
| LATEST_REPO_TAG=${{ env.LATEST_REPO_TAG }} | |
| - name: Publish Action Event | |
| if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
| run: | | |
| aws sns publish --topic-arn $TOPIC_ARN --message "{\"action\":\"deploy-api\",\"workflow\":\"$GITHUB_WORKFLOW\"}" \ | |
| --message-attributes "GITHUB_SHA={DataType=String,StringValue=\"$GITHUB_SHA\"}, GITHUB_RUN_ID={DataType=String,StringValue=\"$GITHUB_RUN_ID\"}" | |
| env: | |
| TOPIC_ARN: ${{ secrets.TOPIC_ARN }} | |
| - name: Send Kafka Publish Event with Docker | |
| id: send-kafka-pub-event-playground # becomes $GITHUB_ACTION | |
| if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
| run: | | |
| docker run -e KAFKA_PRODUCER_TOPIC_URL="${{secrets.KAFKA_PRODUCER_TOPIC_URL}}" -e KAFKA_PRODUCER_API_SECRET="${{secrets.KAFKA_PRODUCER_API_SECRET}}" ghcr.io/tillkuhn/rubin:latest \ | |
| -ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \ | |
| -source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \ | |
| -type "net.timafe.event.ci.published.v1" -subject "docker.io/${GITHUB_REPOSITORY}-api" \ | |
| -record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}" | |
| # Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action | |
| # - https://github.com/aquasecurity/trivy-action | |
| # - https://blog.aquasec.com/github-vulnerability-scanner-trivy | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| if: github.ref == 'refs/heads/main' # this is how to skip only specific steps if not main | |
| # workaround trivy image scan suddenly timing out aka maven central issue | |
| # @see https://github.com/aquasecurity/trivy/issues/3421 | |
| # @see https://github.com/aquasecurity/trivy-action/issues/190#issuecomment-1380433570 | |
| env: | |
| TRIVY_OFFLINE_SCAN: true | |
| with: | |
| image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/angkor-api:latest' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| # Using Trivy with GitHub Code Scanning | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
| with: | |
| sarif_file: 'trivy-results.sarif' |