[TASK-81] backend setup (#67) #41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy to Main Stage ๐ซ | |
on: | |
push: | |
branches: [ main ] | |
env: | |
REGISTRY: ghcr.io | |
IMAGE_NAME: ${{ github.repository }} | |
VERSION: ${{ github.sha }} | |
CI: CI | |
NATIVE_IMAGE_ENABLED: enabled | |
CI_GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }} | |
OWNER: ${{ github.repository_owner }} | |
DEPLOY_REPO: ${{ github.event.repository.name }} | |
permissions: | |
packages: write | |
contents: write | |
issues: write | |
jobs: | |
validation: | |
name: Validation ๐ | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Validate Gradle wrapper | |
uses: gradle/[email protected] | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Run Check | |
run: pnpm run check | |
build: | |
name: Build and Test ๐งช | |
needs: [ validation ] | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: ๐ CI_GITHUB_TOKEN | |
if: env.CI_GITHUB_TOKEN == '' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: echo "CI_GITHUB_TOKEN=${GITHUB_TOKEN}" >> $GITHUB_ENV | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
with: | |
java-version: 21 | |
gradle-arguments: build --scan | |
- name: Source code vulnerability scanning | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
format: 'sarif' | |
output: 'trivy-results-source-code.sarif' | |
- name: Upload vulnerability report | |
uses: github/codeql-action/upload-sarif@v3 | |
if: success() || failure() | |
with: | |
sarif_file: 'trivy-results-source-code.sarif' | |
category: source-code | |
static-analysis-security: | |
name: ๐ฎ Static analysis and ๐Security Checks | |
needs: [ validation ] | |
runs-on: ubuntu-latest | |
steps: | |
- name: ๐ Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Check OWASP ๐ก๏ธ | |
run: ./gradlew dependencyCheckAnalyze --no-daemon --stacktrace | |
- name: Upload owasp-report results ๐ก๏ธโฌ๏ธ | |
uses: actions/upload-artifact@v4 | |
with: | |
name: owasp-reports | |
path: build/reports/owasp | |
- name: Run detekt | |
run: ./gradlew detektAll --no-daemon --stacktrace | |
- name: Upload static reports artifact | |
uses: actions/[email protected] | |
with: | |
name: static-report | |
path: | | |
build/reports/detekt/detekt.xml | |
**/build/reports/lint-results-debug.xml | |
retention-days: 1 | |
- name: Analyze detekt report | |
uses: github/codeql-action/[email protected] | |
with: | |
sarif_file: build/reports/detekt/detekt.sarif | |
checkout_path: ${{ github.workspace }} | |
functional: | |
name: Functional Acceptance Tests ๐ฏ | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Running functional acceptance tests" | |
performance: | |
name: Performance Tests ๐ | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Running performance tests" | |
security: | |
name: Security Tests ๐ค | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Running security tests" | |
code-coverage: | |
name: Code Coverage ๐ | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Run Code Coverage | |
run: | | |
./gradlew koverXmlReport --no-daemon --stacktrace | |
- name: Upload coverage reports | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: build/reports/kover/report.xml | |
fail_ci_if_error: true # optional (default = false) | |
verbose: true # optional (default = false) | |
approval: | |
name: Deploy Approval ๐ซ | |
runs-on: ubuntu-latest | |
needs: [ functional, performance, security ] | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- id: get_data | |
run: | | |
echo "version=$(cat gradle.properties | grep "version =" | cut -d'=' -f2)" >> $GITHUB_OUTPUT | |
- name: Wait for approval | |
uses: trstringer/manual-approval@v1 | |
timeout-minutes: 60 | |
with: | |
secret: ${{ env.CI_GITHUB_TOKEN }} | |
minimum-approvals: 1 | |
approvers: ${{ github.repository_owner }} | |
issue-title: '๐ Deploying ${{ steps.get_data.outputs.version }} to production' | |
issue-body: "Please approve or deny the release of ${{ github.github.repository }}. **VERSION**: ${{ steps.get_data.outputs.version }} **TAG**: ${{ github.ref_name }} **COMMIT**: ${{ github.sha }}" | |
exclude-workflow-initiator-as-approver: false | |
additional-approved-words: '' | |
additional-denied-words: '' | |
semantic-release: | |
name: Semantic Release ๐งญ | |
needs: [ approval ] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Run Semantic Release | |
run: | | |
npx semantic-release | |
env: | |
GITHUB_TOKEN: ${{ env.CI_GITHUB_TOKEN }} | |
package: | |
name: Package and Publish ๐ฆ | |
needs: [ semantic-release ] | |
runs-on: ubuntu-latest | |
permissions: write-all | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
- name: Execute Gradle build | |
run: | | |
chmod +x gradlew | |
./gradlew assemble | |
./gradlew bootBuildImage --imageName ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
- name: OCI image vulnerability scanning | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
format: 'sarif' | |
output: 'trivy-results-oci-image.sarif' | |
- name: Upload vulnerability report | |
uses: github/codeql-action/upload-sarif@v3 | |
if: success() || failure() | |
with: | |
sarif_file: 'trivy-results-oci-image.sarif' | |
- name: Log in to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Log into container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Publish container image | |
run: docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
- name: Publish container image (latest) | |
run: | | |
docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} \ | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} n4t5u/lyra:${{ env.VERSION }} | |
docker push n4t5u/lyra:${{ env.VERSION }} | |
docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} n4t5u/lyra:latest | |
docker push n4t5u/lyra:latest | |
- name: Deliver application to production | |
uses: peter-evans/repository-dispatch@v2 | |
with: | |
token: ${{ env.CI_GITHUB_TOKEN }} | |
repository: ${{ env.OWNER }}/${{ env.DEPLOY_REPO }} | |
event-type: app_delivery | |
client-payload: '{ | |
"app_image": "${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.APP_REPO }}", | |
"app_name": "${{ env.APP_REPO }}", | |
"app_version": "${{ env.VERSION }}" | |
}' |