.github/workflows/build-for-development.yml

name: Build for development

on:
  push:
    branches: [ 'feature/**' ]  
  pull_request:
    branches: [ develop, main ]
    types: [ opened, ready_for_review ]
  pull_request_target:
    branches: [ develop, main ]
    types: [ closed ]
  workflow_dispatch:

jobs:
  test_and_scan:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'maven'
      - name: Run Checkstyle
        run: mvn validate
      - name: Run unit tests
        run: mvn clean test
      - name: Run integration tests
        run: mvn verify -P integration-tests
      - name: Prepare test results
        run: |
          mkdir -p ~/test-results/unit-tests/
          mkdir -p ~/test-results/integration-tests/
          find . -type f -regex ".*/target/surefire-reports/.*xml" -exec cp {} ~/test-results/unit-tests/ \;
          find . -type f -regex ".*/target/failsafe-reports/.*xml" -exec cp {} ~/test-results/integration-tests/ \;
      - name: Upload test coverage report
        uses: actions/upload-artifact@v4
        with:
          name: test-coverage-report
          path: target/site/jacoco-merged-test-coverage-report
      - name: Upload unit tests report
        uses: actions/upload-artifact@v4
        with:
          name: unit-tests-report
          path: ~/test-results/unit-tests/
      - name: Upload integration tests report
        uses: actions/upload-artifact@v4
        with:
          name: integration-tests-report
          path: ~/test-results/integration-tests/
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results to GitHub Security tab
        if: github.event_name == 'pull_request'  
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  registry:
    needs: test_and_scan
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'maven'
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push docker image
        run: |
          IMAGE_NAME=ghcr.io/num-forschungsdatenplattform/num-portal:develop
          mvn spring-boot:build-image -Dspring-boot.build-image.imageName=$IMAGE_NAME -DskipTests
          docker push $IMAGE_NAME