Create SECURITY.md (#38) #26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy to Main Stage π« | |
on: | |
push: | |
branches: [ main ] | |
env: | |
REGISTRY: ghcr.io | |
IMAGE_NAME: ${{ github.repository }} | |
VERSION: ${{ github.sha }} | |
CI: CI | |
NATIVE_IMAGE_ENABLED: enabled | |
CI_GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }} | |
OWNER: ${{ github.repository_owner }} | |
DEPLOY_REPO: ${{ github.event.repository.name }} | |
permissions: | |
packages: write | |
contents: write | |
issues: write | |
jobs: | |
validation: | |
name: Validation π | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Validate Gradle wrapper | |
uses: gradle/[email protected] | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Run Check | |
run: pnpm run check | |
build: | |
name: Build and Test π§ͺ | |
needs: [ validation ] | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: π CI_GITHUB_TOKEN | |
if: env.CI_GITHUB_TOKEN == '' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: echo "CI_GITHUB_TOKEN=${GITHUB_TOKEN}" >> $GITHUB_ENV | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
with: | |
java-version: 21 | |
gradle-arguments: build --scan | |
- name: Source code vulnerability scanning | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
format: 'sarif' | |
output: 'trivy-results-source-code.sarif' | |
- name: Upload vulnerability report | |
uses: github/codeql-action/upload-sarif@v3 | |
if: success() || failure() | |
with: | |
sarif_file: 'trivy-results-source-code.sarif' | |
category: source-code | |
functional: | |
name: Functional Acceptance Tests π― | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Running functional acceptance tests" | |
performance: | |
name: Performance Tests π | |
needs: [ functional ] | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Running performance tests" | |
security: | |
name: Security Tests π€ | |
needs: [ performance ] | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Running security tests" | |
approval: | |
name: Deploy Approval π« | |
runs-on: ubuntu-latest | |
needs: [ functional, performance, security ] | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- id: get_data | |
run: | | |
echo "version=$(cat gradle.properties | grep "version =" | cut -d'=' -f2)" >> $GITHUB_OUTPUT | |
- name: Wait for approval | |
uses: trstringer/manual-approval@v1 | |
timeout-minutes: 60 | |
with: | |
secret: ${{ env.CI_GITHUB_TOKEN }} | |
minimum-approvals: 1 | |
approvers: ${{ github.repository_owner }} | |
issue-title: 'π Deploying ${{ steps.get_data.outputs.version }} to production' | |
issue-body: "Please approve or deny the release of ${{ github.github.repository }}. **VERSION**: ${{ steps.get_data.outputs.version }} **TAG**: ${{ github.ref_name }} **COMMIT**: ${{ github.sha }}" | |
exclude-workflow-initiator-as-approver: false | |
additional-approved-words: '' | |
additional-denied-words: '' | |
semantic-release: | |
name: Semantic Release π§ | |
needs: [ approval ] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Run Semantic Release | |
run: | | |
npx semantic-release | |
env: | |
GITHUB_TOKEN: ${{ env.CI_GITHUB_TOKEN }} | |
package: | |
name: Package and Publish π¦ | |
needs: [ semantic-release ] | |
runs-on: ubuntu-latest | |
permissions: write-all | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
- name: Execute Gradle build | |
run: | | |
chmod +x gradlew | |
./gradlew assemble bootBuildImage --imageName ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
- name: OCI image vulnerability scanning | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
format: 'sarif' | |
output: 'trivy-results-oci-image.sarif' | |
- name: Upload vulnerability report | |
uses: github/codeql-action/upload-sarif@v3 | |
if: success() || failure() | |
with: | |
sarif_file: 'trivy-results-oci-image.sarif' | |
- name: Log in to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Log into container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Publish container image | |
run: docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
- name: Publish container image (latest) | |
run: | | |
docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} \ | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} n4t5u/lyra:${{ env.VERSION }} | |
docker push n4t5u/lyra:${{ env.VERSION }} | |
docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} n4t5u/lyra:latest | |
docker push n4t5u/lyra:latest | |
- name: Deliver application to production | |
uses: peter-evans/repository-dispatch@v2 | |
with: | |
token: ${{ env.CI_GITHUB_TOKEN }} | |
repository: ${{ env.OWNER }}/${{ env.DEPLOY_REPO }} | |
event-type: app_delivery | |
client-payload: '{ | |
"app_image": "${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.APP_REPO }}", | |
"app_name": "${{ env.APP_REPO }}", | |
"app_version": "${{ env.VERSION }}" | |
}' |