add trivy cache #387
name: PROD- Build, push, and deploy | |
on: | |
push: | |
paths-ignore: | |
- "README.md" | |
branches: | |
- master | |
jobs: | |
test: | |
name: Run tests | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-java@v4 | |
with: | |
java-version: 21 | |
cache: 'gradle' | |
distribution: temurin | |
- name: Run tests | |
run: ./gradlew clean test | |
- name: Unit tests results | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: unit-tests-results | |
path: build/reports/tests | |
trivy-setup: | |
name: Setup Trivy | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Add Trivy folder | |
run: mkdir -p .trivy | |
- name: Setup Trivy | |
uses: 'aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8' # ratchet:aquasecurity/[email protected] | |
env: | |
TRIVY_DOWNLOAD_JAVA_DB_ONLY: "true" | |
TRIVY_JAVA_DB_REPOSITORY: "europe-north1-docker.pkg.dev/nais-io/remote-ghcr/aquasecurity/trivy-java-db:1" | |
TRIVY_CACHE_DIR: ".trivy" | |
- name: Cache Trivy DB | |
uses: actions/cache@v3 | |
with: | |
path: .trivy | |
key: trivy-java-db | |
build: | |
name: Build and push Docker container | |
needs: [test, trivy-setup] | |
if: github.actor != 'dependabot[bot]' | |
runs-on: ubuntu-20.04 | |
outputs: | |
telemetry: ${{ steps.docker-build-push.outputs.telemetry }} | |
"image": ${{ steps.docker-build-push.outputs.image }} | |
permissions: | |
packages: "write" | |
contents: "read" | |
id-token: "write" | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-java@v4 | |
with: | |
java-version: 21 | |
cache: 'gradle' | |
distribution: temurin | |
- name: Build JAR | |
run: ./gradlew bootJar -x test | |
- name: Push docker image to GAR and sign image | |
uses: nais/docker-build-push@v0 | |
id: docker-build-push | |
with: | |
team: aura | |
identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} # Provided as Organization Secret | |
project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} # Provided as Organization Variable | |
env: | |
TRIVY_OFFLINE_SCAN: "true" | |
TRIVY_SKIP_DB_UPDATE: "true" | |
TRIVY_CACHE_DIR: ".trivy" | |
- name: Upload salsa | |
uses: actions/upload-artifact@v4 | |
with: | |
name: salsa | |
path: ${{ steps.docker-build-push.outputs.salsa }} | |
deploy-dev-t4: | |
name: Deploy to NAIS dev (old t4) | |
needs: build | |
if: "github.ref == 'refs/heads/master'" | |
runs-on: ubuntu-20.04 | |
permissions: | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: nais/deploy/actions/deploy@v2 | |
env: | |
CLUSTER: dev-fss | |
RESOURCE: .nais/nais.yml | |
VARS: .nais/t4-vars.yml | |
VAR: image=${{ needs.build.outputs.image }} | |
TIMEOUT: 15m | |
TELEMETRY: ${{ needs.build.outputs.telemetry }} | |
deploy-dev: | |
name: Deploy to NAIS dev | |
needs: [ build, deploy-dev-t4 ] | |
if: "github.ref == 'refs/heads/master'" | |
runs-on: ubuntu-20.04 | |
permissions: | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: nais/deploy/actions/deploy@v2 | |
env: | |
CLUSTER: dev-fss | |
RESOURCE: .nais/nais.yml | |
VARS: .nais/default-vars.yml | |
VAR: image=${{ needs.build.outputs.image }} | |
TIMEOUT: 15m | |
TELEMETRY: ${{ needs.build.outputs.telemetry }} | |
deploy-prod: | |
name: Deploy to NAIS prod | |
needs: [ build, deploy-dev, deploy-dev-t4 ] | |
if: "github.ref == 'refs/heads/master'" | |
runs-on: ubuntu-20.04 | |
permissions: | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: nais/deploy/actions/deploy@v2 | |
env: | |
CLUSTER: prod-fss | |
RESOURCE: .nais/nais.yml | |
VARS: .nais/prod-vars.yml | |
VAR: image=${{ needs.build.outputs.image }} | |
TIMEOUT: 15m | |
TELEMETRY: ${{ needs.build.outputs.telemetry }} |
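Review bot: The `Cache Trivy DB` step in `trivy-setup` uses the constant key `trivy-java-db`, so after the first successful run actions/cache restores the old DB on every exact hit and never saves again (cache entries are immutable), which pins the scanner to a stale vulnerability database; placing the cache step after the download also means the fresh download is overwritten by the restored copy on a hit. In addition, nothing in the `build` job restores `.trivy`, yet it sets `TRIVY_SKIP_DB_UPDATE: "true"` and `TRIVY_OFFLINE_SCAN: "true"`, so unless nais/docker-build-push restores that cache itself (not visible here) the scan there runs on an empty cache directory. I would move the cache step before the download, derive the key from the current date with a `restore-keys` prefix so a new entry is saved daily, and add an `actions/cache/restore@v4` step in `build` with `fail-on-cache-miss: true` so a missing DB fails loudly instead of silently scanning without one. Since `TRIVY_DOWNLOAD_JAVA_DB_ONLY` fetches only the Java DB, it is also worth confirming whether the scan in `build` needs the main vulnerability DB as well. The other `uses:` references are tag-pinned (`@v3`, `@v4`, `@v0`) while only trivy-action is SHA-pinned with a ratchet comment; pinning all of them the same way would make the workflow consistent.

```yaml
  trivy-setup:
    name: Setup Trivy
    runs-on: ubuntu-20.04
    steps:
      - name: Compute daily cache key
        id: db-date
        run: echo "date=$(date -u +%F)" >> "$GITHUB_OUTPUT"
      - name: Cache Trivy DB
        uses: actions/cache@v4
        with:
          path: .trivy
          key: trivy-java-db-${{ steps.db-date.outputs.date }}
          restore-keys: trivy-java-db-
      - name: Add Trivy folder
        run: mkdir -p .trivy
      # … unchanged: Setup Trivy step (downloads the Java DB into .trivy) …
  build:
    # … unchanged: name, needs, if, runs-on, outputs, permissions …
    steps:
      - uses: actions/checkout@v4
      - name: Restore Trivy DB
        uses: actions/cache/restore@v4
        with:
          path: .trivy
          key: trivy-java-db-${{ github.run_id }}
          restore-keys: trivy-java-db-
          fail-on-cache-miss: true
      # … unchanged: setup-java, Build JAR, docker-build-push, Upload salsa …
```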