-
Notifications
You must be signed in to change notification settings - Fork 0
112 lines (108 loc) · 3.59 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
name: Build and publish Docker distributions to Github Container Registry ghcr.io
on:
push:
branches:
- master
- version-*
paths:
- gradle.properties
- grpc/gradle.properties
jobs:
versions:
name: Extract app version
uses: th2-net/.github/.github/workflows/compound-prebuild-java-workflow.yml@main
with:
project-path: app
changes:
name: Collect changed files
runs-on: ubuntu-20.04
outputs:
app: ${{ steps.filter.outputs.app }}
grpc: ${{ steps.filter.outputs.grpc }}
steps:
- uses: actions/checkout@v4
- uses: dorny/paths-filter@v2
id: filter
with:
base: ${{ github.ref }}
filters: |
app:
- 'app/gradle.properties'
grpc:
- 'grpc/gradle.properties'
utils:
- 'utils/gradle.properties'
build-and-publish-grpc-java:
name: Build and publish Java gRPC distributions
needs:
- changes
if: ${{ needs.changes.outputs.grpc == 'true' }}
uses: th2-net/.github/.github/workflows/compaund-java-multi-project-build.yml@main
with:
projectPath: grpc
release: true
additionalTasks: '["publish"]'
secrets:
sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }}
sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }}
sonatypeSigningKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }}
sonatypeSigningPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }}
build-and-publish-grpc-python:
name: Build and publish Python distributions to PyPI
needs:
- changes
if: ${{ needs.changes.outputs.grpc == 'true' }}
uses: th2-net/.github/.github/workflows/compaund-python-grpc-pypi-publication.yml@main
with:
project-path: grpc
secrets:
pypi_password: ${{ secrets.PYPI_PASSWORD }}
build-and-publish-utils:
name: Build and publish utils library
needs:
- changes
if: ${{ needs.changes.outputs.utils == 'true' }}
uses: th2-net/.github/.github/workflows/compaund-java-multi-project-build.yml@main
with:
projectPath: utils
release: true
additionalTasks: '["publish"]'
secrets:
sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }}
sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }}
sonatypeSigningKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }}
sonatypeSigningPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }}
owasp-scan:
uses: th2-net/.github/.github/workflows/owasp-gradle-scan.yml@main
with:
multiproject: true
secrets:
nvd-api-key: ${{ secrets.NVD_APIKEY }}
publish-docker:
name: Build and publish docker image
if: |
always() &&
(needs.changes.outputs.app == 'true' || needs.changes.outputs.grpc == 'true')
needs:
- build-and-publish-grpc-python
- build-and-publish-grpc-java
- versions
uses: th2-net/.github/.github/workflows/compaund-java-docker-push.yml@main
with:
docker-username: ${{ github.actor }}
version: ${{ needs.versions.outputs.version }}
versionNumber: ${{ needs.versions.outputs.version }}
dockerContext: '.'
gradleParameters: '["clean", "build", "dockerPrepare"]'
secrets:
docker-password: ${{ secrets.GITHUB_TOKEN }}
trivy-docker-scan:
name: Scan Docker image for vulnerabilities
needs:
- publish-docker
- versions
uses: th2-net/.github/.github/workflows/trivy-scan-github.yml@main
with:
image-path: ghcr.io/${{ github.repository }}:${{ needs.versions.outputs.version }}
target: 'os,library'
sensitivity: 'CRITICAL,HIGH,MEDIUM'