-
Notifications
You must be signed in to change notification settings - Fork 12
134 lines (118 loc) · 4.74 KB
/
maven-build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: Maven Build
on:
push:
branches:
- main
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-20.04
steps:
- name: Checkout Source
uses: actions/checkout@v4
with:
# Disabling shallow clone is recommended for improving relevancy of reporting
fetch-depth: 0
- name: Cache maven repository
uses: actions/cache@v4
with:
path: |
~/.m2/repository
~/.sonar/cache
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-maven
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
distribution: 'adopt'
java-version: 17
- name: Build with Maven
env:
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
run: |
mvn test-compile -P build-ci --settings maven-ci-settings.xml -B
- name: Test with Coverage
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
run: |
mvn install sonar:sonar -P coverage -Dsonar.projectKey=FraunhoferIOSB_FAAAST-Service --settings maven-ci-settings.xml -B
- name: Restore CVD Database from Cache
uses: actions/cache/restore@v4
with:
path: |
~/.m2/repository/org/owasp/dependency-check-data
key: ${{ runner.os }}-maven-owasp-cvedb
- name: Update CVD Database
env:
OWASP_OSS_INDEX_USERNAME: ${{ secrets.OWASP_OSS_INDEX_USERNAME }}
OWASP_OSS_INDEX_APIKEY: ${{ secrets.OWASP_OSS_INDEX_APIKEY }}
NIST_NVD_API_KEY: ${{ secrets.NIST_NVD_API_KEY }}
run: |
mvn -B -P owasp -DnvdApiDelay=6000 --settings maven-ci-settings.xml org.owasp:dependency-check-maven:update-only
- name: Save CVD Database to Cache
uses: actions/cache/save@v4
with:
path: |
~/.m2/repository/org/owasp/dependency-check-data
key: ${{ runner.os }}-maven-owasp-cvedb
- name: Dependency Vulnerability Check with OWASP
env:
OWASP_OSS_INDEX_USERNAME: ${{ secrets.OWASP_OSS_INDEX_USERNAME }}
OWASP_OSS_INDEX_APIKEY: ${{ secrets.OWASP_OSS_INDEX_APIKEY }}
run: |
mvn org.owasp:dependency-check-maven:aggregate -P owasp --settings maven-ci-settings.xml -B
- name: Set env variables
run: |
echo "Exporting Variables"
export STARTER_NAME=$(mvn -pl starter -Dexec.executable='echo' -Dexec.args='${project.build.finalName}' exec:exec -q)
echo "STARTER_ARTIFACT=${STARTER_NAME}.jar" >> $GITHUB_ENV
export version=$(mvn -Dexec.executable='echo' -Dexec.args='${project.version}' --non-recursive exec:exec -q)
echo "VERSION=${version}" >> $GITHUB_ENV
- name: Set up GnuPG
if: ${{ endsWith(env.VERSION, '-SNAPSHOT') }}
env:
GPG_EXECUTABLE: gpg
GPG_SECRET_KEYS: ${{ secrets.GPG_SECRET_KEYS }}
GPG_OWNERTRUST: ${{ secrets.GPG_OWNERTRUST }}
run: |
mkdir -m 700 ~/.gnupg/
echo 'use-agent' > ~/.gnupg/gpg.conf
echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf
echo 'allow-loopback-pinentry' > ~/.gnupg/gpg-agent.conf
echo $GPG_SECRET_KEYS | base64 --decode | $GPG_EXECUTABLE --yes --batch --import
echo $GPG_OWNERTRUST | base64 --decode | $GPG_EXECUTABLE --yes --batch --import-ownertrust
- name: Deploy SNAPSHOTS
if: ${{ endsWith(env.VERSION, '-SNAPSHOT') }}
env:
GPG_EXECUTABLE: gpg
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
run: mvn clean deploy -P release --settings maven-ci-settings.xml -B
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push docker image - starter
uses: docker/build-push-action@v6
with:
platforms: linux/amd64,linux/arm64
context: "./starter"
push: true
build-args: |
ARTIFACT_FILE=${{ env.STARTER_ARTIFACT }}
tags: |
fraunhoferiosb/faaast-service:latest
fraunhoferiosb/faaast-service:${{ env.VERSION }}