Merge pull request #345 from dallay/dependabot/gradle/springBoot-3.3.4 #173
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy to Main Stage ๐ซ | |
on: | |
push: | |
branches: [ main ] | |
env: | |
REGISTRY: ghcr.io | |
IMAGE_NAME: ${{ github.repository }} | |
VERSION: ${{ github.sha }} | |
CI: CI | |
NATIVE_IMAGE_ENABLED: enabled | |
CI_GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }} | |
DEPLOY_REPO: ${{ github.event.repository.name }} | |
NVD_API_KEY: ${{ secrets.NVD_API_KEY }} | |
permissions: | |
# required for all workflows | |
security-events: write | |
packages: write | |
contents: write | |
issues: write | |
pull-requests: write | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
validation: | |
name: Validation ๐ | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Check Project Integrity | |
uses: ./.github/actions/analysis/check | |
build: | |
name: Build and Test ๐งช | |
needs: [ validation ] | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: ๐ CI_GITHUB_TOKEN | |
if: env.CI_GITHUB_TOKEN == '' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: echo "CI_GITHUB_TOKEN=${GITHUB_TOKEN}" >> $GITHUB_ENV | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Install Java โ Tools & Dependencies | |
uses: ./.github/actions/install/java | |
with: | |
java-version: 21 | |
gradle-encription-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }} | |
gradle-arguments: build --scan --no-daemon --stacktrace | |
github_token: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Source code vulnerability scanning | |
uses: aquasecurity/[email protected] | |
with: | |
scan-type: 'fs' | |
ignore-unfixed: true | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
severity: 'CRITICAL' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
category: source-code | |
static-analysis-security: | |
name: ๐ฎ Static analysis and ๐Security Checks | |
needs: [ validation ] | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: ๐ Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Static Analysis Security | |
uses: ./.github/actions/analysis/security | |
with: | |
gradle-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }} | |
functional: | |
name: Functional Acceptance Tests ๐ฏ | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Running functional acceptance tests" | |
performance: | |
name: Performance Tests ๐ | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Running performance tests" | |
security: | |
name: Security Tests ๐ค | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Running security tests" | |
code-coverage: | |
name: Code Coverage ๐ | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
with: | |
java-version: 21 | |
gradle-encription-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }} | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Run Code Coverage | |
run: | | |
./gradlew koverXmlReport --no-daemon --stacktrace | |
- name: Upload coverage reports | |
uses: codecov/codecov-action@v4 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: build/reports/kover/report.xml | |
fail_ci_if_error: true # optional (default = false) | |
verbose: true # optional (default = false) | |
approval: | |
name: Deploy Approval ๐ซ | |
runs-on: ubuntu-latest | |
needs: [ functional, performance, security, code-coverage ] | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- id: get_data | |
run: | | |
echo "version=$(cat gradle.properties | grep "version =" | cut -d'=' -f2)" >> $GITHUB_OUTPUT | |
- name: ๐ข Generate token for approval workflow | |
uses: actions/create-github-app-token@v1 | |
id: app-token | |
with: | |
app-id: ${{ secrets.APP_ID }} | |
private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
owner: ${{ github.repository_owner }} | |
- name: Wait for approval | |
uses: trstringer/manual-approval@v1 | |
timeout-minutes: 60 | |
with: | |
secret: ${{ steps.app-token.outputs.token }} # ${{ env.CI_GITHUB_TOKEN }} | |
minimum-approvals: 1 | |
approvers: nomads #${{ github.repository_owner }} | |
issue-title: '๐ Deploying ${{ steps.get_data.outputs.version }} to production' | |
issue-body: "Please approve or deny the release of ${{ github.github.repository }}. **VERSION**: ${{ steps.get_data.outputs.version }} **TAG**: ${{ github.ref_name }} **COMMIT**: ${{ github.sha }}" | |
exclude-workflow-initiator-as-approver: false | |
additional-approved-words: '' | |
additional-denied-words: '' | |
semantic-release: | |
name: Semantic Release ๐งญ | |
needs: [ approval ] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
with: | |
java-version: 21 | |
gradle-encription-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }} | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Run Semantic Release | |
id: semantic-release | |
run: | | |
npx semantic-release | |
echo "VERSION=$(cat gradle.properties | grep "version =" | cut -d'=' -f2)" >> $GITHUB_ENV | |
env: | |
GITHUB_TOKEN: ${{ env.CI_GITHUB_TOKEN }} | |
package: | |
name: Package and Publish ๐ฆ | |
needs: [ semantic-release ] | |
runs-on: ubuntu-latest | |
permissions: write-all | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Package, Publish and Deploy ${{ github.repository }} version ${{ env.VERSION }} | |
uses: ./.github/actions/docker | |
with: | |
deliver: true | |
registry: ${{ env.REGISTRY }} | |
image_name: ${{ env.IMAGE_NAME }} | |
version: ${{ env.VERSION }} | |
ci_github_token: ${{ env.CI_GITHUB_TOKEN }} | |
docker_username: ${{ secrets.DOCKER_USERNAME }} | |
docker_password: ${{ secrets.DOCKER_PASSWORD }} | |
gradle-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }} |