From c48054ce2af3c0c17aa30afb8de491a9fb7da099 Mon Sep 17 00:00:00 2001
From: Marcus Fabarius
Date: Wed, 28 Feb 2024 07:55:43 +0100
Subject: [PATCH 1/4] merge build and push docker image
---
.github/workflows/PR_to_develop.yml | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/PR_to_develop.yml b/.github/workflows/PR_to_develop.yml
index 3bb149e9..f76f8ebd 100644
--- a/.github/workflows/PR_to_develop.yml
+++ b/.github/workflows/PR_to_develop.yml
@@ -1,6 +1,7 @@
name: PR into develop
on:
+ push:
pull_request_target:
branches:
- 'develop'
@@ -73,15 +74,12 @@ jobs:
cache: 'maven'
- name: Build
run: mvn clean package
- - name: build image
- run: mvn spring-boot:build-image -Dspring-boot.build-image.imageName=${{ secrets.DOCKER_USERNAME }}/num-portal:develop -DskipTests
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- - name: Build and push
- uses: docker/build-push-action@v5
- with:
- load: true
- tags: ${{ secrets.DOCKER_USERNAME }}/num-portal:develop
+ - name: build and push Docker image
+ run: |
+ mvn spring-boot:build-image -Dspring-boot.build-image.imageName=${{ secrets.DOCKER_USERNAME }}/num-portal:develop -DskipTests
+ docker push $DOCKER_USER/num-portal:develop
From 309eaf47668c2b270e334e76a43c9c7e4400d66d Mon Sep 17 00:00:00 2001
From: Marcus Fabarius
Date: Wed, 28 Feb 2024 08:49:00 +0100
Subject: [PATCH 2/4] fix typo
---
.github/workflows/PR_to_develop.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/PR_to_develop.yml b/.github/workflows/PR_to_develop.yml
index f76f8ebd..1e75124e 100644
--- a/.github/workflows/PR_to_develop.yml
+++ b/.github/workflows/PR_to_develop.yml
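Review bot: The `push:` trigger added in the first hunk has no branch filter, so a push to any branch now runs the whole workflow, including the docker job in the second hunk, which pushes `${{ secrets.DOCKER_USERNAME }}/num-portal:develop` to Docker Hub and so overwrites the `develop` tag with whatever branch was pushed last. Restrict the trigger to the branch the tag is meant to track, e.g. `branches: [ develop ]` under `push:`, or gate the docker job on the ref. Keeping `pull_request_target:` next to an unfiltered `push:` also means the secrets-bearing docker job fires on both event types; PATCH 3/4 later narrows the triggers and gates the docker job on a merged PR, so this note applies to the commit as it stands. The docker job's header is outside the second hunk.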
@@ -82,4 +82,4 @@ jobs:
- name: build and push Docker image
run: |
mvn spring-boot:build-image -Dspring-boot.build-image.imageName=${{ secrets.DOCKER_USERNAME }}/num-portal:develop -DskipTests
- docker push $DOCKER_USER/num-portal:develop
+ docker push ${{ secrets.DOCKER_USERNAME }}/num-portal:develop
From 71d7c35806f710875497f69acda74740b57868b6 Mon Sep 17 00:00:00 2001
From: Marcus Fabarius
Date: Wed, 28 Feb 2024 11:57:16 +0100
Subject: [PATCH 3/4] merge push and PR pipeline
---
..._develop.yml => build-for-development.yml} | 41 +++++++------
.github/workflows/push.yml | 61 -------------------
2 files changed, 23 insertions(+), 79 deletions(-)
rename .github/workflows/{PR_to_develop.yml => build-for-development.yml} (75%)
delete mode 100644 .github/workflows/push.yml
diff --git a/.github/workflows/PR_to_develop.yml b/.github/workflows/build-for-development.yml
similarity index 75%
rename from .github/workflows/PR_to_develop.yml
rename to .github/workflows/build-for-development.yml
index 1e75124e..a395d3df 100644
--- a/.github/workflows/PR_to_develop.yml
+++ b/.github/workflows/build-for-development.yml
@@ -1,13 +1,14 @@
-name: PR into develop
+name: Build for development
on:
push:
+ branches: [ 'feature/**' ]
pull_request_target:
- branches:
- - 'develop'
+ branches: [ develop ]
+ types: [ closed ]
jobs:
- verify:
+ test_and_scan:
runs-on: ubuntu-latest
steps:
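Review bot: With `types: [ closed ]` on `pull_request_target` in the PATCH 3/4 trigger hunk, test_and_scan no longer runs when a PR into develop is opened or updated, only after it is closed, so pre-merge validation now exists only for pushes to `feature/**` and a PR from any other branch can reach develop untested. If the goal is a post-merge build, a `push:` trigger with `branches: [ develop ]` gives the same result without `pull_request_target`, which runs with the base repository's secrets on PR events and is not needed once the code is already on develop; `closed` also fires for PRs closed without merging, so test_and_scan runs for those as well (on the base checkout, if the checkout step uses the default ref, which is outside this hunk). Pre-merge checks can then be kept with a plain `pull_request:` trigger on develop. The two flow sequences also differ in quoting (`[ 'feature/**' ]` versus `[ develop ]`); pick one form.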
@@ -24,24 +25,17 @@ jobs:
- name: Run integration tests
run: mvn verify -P integration-tests
continue-on-error: true
- - name: Save test results
+ - name: Prepare test results
run: |
mkdir -p ~/test-results/unit-tests/
mkdir -p ~/test-results/integration-tests/
find . -type f -regex ".*/target/surefire-reports/.*xml" -exec cp {} ~/test-results/unit-tests/ \;
find . -type f -regex ".*/target/failsafe-reports/.*xml" -exec cp {} ~/test-results/integration-tests/ \;
- - name: Run CVE scan
- run: mvn dependency-check:check
- name: Upload test coverage report
uses: actions/upload-artifact@v4
with:
name: test-coverage-report
path: target/site/jacoco-merged-test-coverage-report
- - name: Upload dependency check report
- uses: actions/upload-artifact@v4
- with:
- name: dependency-check-report
- path: target/dependency-check-report.html
- name: Upload unit tests report
uses: actions/upload-artifact@v4
with:
@@ -52,6 +46,18 @@ jobs:
with:
name: integration-tests-report
path: ~/test-results/integration-tests/
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
- name: SonarCloud Scan
uses: sonarsource/sonarcloud-github-action@v2.1.1
env:
@@ -60,9 +66,10 @@ jobs:
continue-on-error: true
docker:
- runs-on: ubuntu-latest
- needs: verify
+ needs: test_and_scan
+ if: github.event.pull_request.merged == true
+ runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
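Review bot: The Trivy step in the second hunk references `aquasecurity/trivy-action@master`, a mutable branch, so the scanner changes underneath the workflow and a broken or compromised `master` is picked up on the next run; pin it to a release tag or, better, a commit SHA with the tag in a trailing comment, as the neighbouring actions are at least tag-pinned (`actions/upload-artifact@v4`, `github/codeql-action/upload-sarif@v3`). The same block is added to nightly.yml in PATCH 4/4, where the same fix applies. `upload-sarif` needs `security-events: write` on the job token, and no `permissions` block is visible in these hunks or the trigger hunk, so unless it is declared elsewhere in the file the upload fails on repositories whose default token is read-only. trivy-action's `exit-code` defaults to `0`, so CRITICAL/HIGH findings only land in the Security tab and never fail test_and_scan, which the docker job in the third hunk depends on; add `exit-code: '1'` if the scan is meant to gate the image push. test_and_scan's job header is outside these hunks.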
@@ -72,14 +79,12 @@ jobs:
java-version: '17'
distribution: 'temurin'
cache: 'maven'
- - name: Build
- run: mvn clean package
- - name: Login to Docker Hub
+ - name: Login to docker hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- - name: build and push Docker image
+ - name: Build and push docker image
run: |
mvn spring-boot:build-image -Dspring-boot.build-image.imageName=${{ secrets.DOCKER_USERNAME }}/num-portal:develop -DskipTests
docker push ${{ secrets.DOCKER_USERNAME }}/num-portal:develop
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
deleted file mode 100644
index e41fc2cd..00000000
--- a/.github/workflows/push.yml
+++ /dev/null
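Review bot: The image is still pushed only under the mutable `:develop` tag, so once it is overwritten there is no way to tell which commit a running `develop` image was built from, and the Trivy step in test_and_scan uses `scan-type: 'fs'` on the checkout, so the base layers of the image built here are never scanned before `docker push`. Consider tagging with the commit as well, `-Dspring-boot.build-image.imageName=${{ secrets.DOCKER_USERNAME }}/num-portal:${{ github.sha }}` pushed alongside `develop`, and running a `scan-type: 'image'` Trivy step against the built image before the push. Dropping the separate `mvn clean package` step is fine because the `build-image` goal runs the `package` phase itself, but `-DskipTests` means this job relies entirely on test_and_scan, whose integration-test and Sonar steps are `continue-on-error: true`, so a failing integration test does not stop the push. The docker job's header is outside this hunk.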
@@ -1,61 +0,0 @@
-name: onpush pipeline
-
-on:
- push:
-
-jobs:
- verify:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
- - name: Set up JDK 17
- uses: actions/setup-java@v4
- with:
- java-version: '17'
- distribution: 'temurin'
- cache: 'maven'
- - name: Run unit tests
- run: mvn clean test
- - name: Run integration tests
- run: mvn verify -P integration-tests
- continue-on-error: true
- - name: Save test results
- run: |
- mkdir -p ~/test-results/unit-tests/
- mkdir -p ~/test-results/integration-tests/
- find . -type f -regex ".*/target/surefire-reports/.*xml" -exec cp {} ~/test-results/unit-tests/ \;
- find . -type f -regex ".*/target/failsafe-reports/.*xml" -exec cp {} ~/test-results/integration-tests/ \;
- - name: Upload test coverage report
- uses: actions/upload-artifact@v4
- with:
- name: test-coverage-report
- path: target/site/jacoco-merged-test-coverage-report
- - name: Upload unit tests report
- uses: actions/upload-artifact@v4
- with:
- name: unit-tests-report
- path: ~/test-results/unit-tests/
- - name: Upload integration tests report
- uses: actions/upload-artifact@v4
- with:
- name: integration-tests-report
- path: ~/test-results/integration-tests/
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: 'fs'
- ignore-unfixed: true
- format: 'sarif'
- output: 'trivy-results.sarif'
- severity: 'CRITICAL,HIGH'
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: 'trivy-results.sarif'
- - name: SonarCloud Scan
- uses: sonarsource/sonarcloud-github-action@v2.1.1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- continue-on-error: true
From b1cb58450966f3a84698e2e83cd6e08d892e4037 Mon Sep 17 00:00:00 2001
From: Marcus Fabarius
Date: Wed, 28 Feb 2024 12:02:34 +0100
Subject: [PATCH 4/4] replace dependencyCheck with trivy
---
.github/workflows/nightly.yml | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 6b32b1c6..8ac0a894 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -9,7 +9,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - name: Checkout
+ uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
@@ -21,24 +22,17 @@ jobs:
- name: Run integration tests
run: mvn verify -P integration-tests
continue-on-error: true
- - name: Save test results
+ - name: Prepare test results
run: |
mkdir -p ~/test-results/unit-tests/
mkdir -p ~/test-results/integration-tests/
find . -type f -regex ".*/target/surefire-reports/.*xml" -exec cp {} ~/test-results/unit-tests/ \;
find . -type f -regex ".*/target/failsafe-reports/.*xml" -exec cp {} ~/test-results/integration-tests/ \;
- - name: Run CVE scan
- run: mvn dependency-check:check
- name: Upload test coverage report
uses: actions/upload-artifact@v4
with:
name: test-coverage-report
path: target/site/jacoco-merged-test-coverage-report
- - name: Upload dependency check report
- uses: actions/upload-artifact@v4
- with:
- name: dependency-check-report
- path: target/dependency-check-report.html
- name: Upload unit tests report
uses: actions/upload-artifact@v4
with:
@@ -49,6 +43,18 @@ jobs:
with:
name: integration-tests-report
path: ~/test-results/integration-tests/
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
- name: SonarCloud Scan
uses: sonarsource/sonarcloud-github-action@v2.1.1
env: