Merge pull request #403 from Devoxx4Kids-NPO/dependabot/maven/com.aut… #339
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: littil-backend-build-deploy | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- v* | |
env: | |
IMAGE_NAME: littil-backend | |
jobs: | |
push: | |
name: Building project image | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
contents: read | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: graalvm/setup-graalvm@v1 | |
with: | |
version: '22.3.1' | |
java-version: '17' | |
components: 'native-image' | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: s4u/[email protected] | |
with: | |
java-version: 17 | |
java-distribution: temurin | |
maven-version: 3.8.6 | |
- name: Verify project | |
run: mvn verify --batch-mode | |
- name: Analyze build code | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar | |
- name: Run Snyk to check for vulnerabilities | |
uses: snyk/actions/maven@master | |
env: | |
JAVA_HOME : "" # snyk runs with included java version | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
continue-on-error: false | |
with: | |
command: test --severity-threshold=high --sarif-file-output=target/snyk-report/snyk.sarif | |
- name: Build image | |
run: docker build . --file src/main/docker/Dockerfile.jvm --tag $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}" | |
- name: Log in to registry | |
# This is where you will update the PAT to GITHUB_TOKEN | |
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
- name: Determine container image version | |
run: | | |
# Strip git ref prefix from version | |
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
# Strip "v" prefix from tag name | |
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') | |
# Use Docker `latest` tag convention | |
[ "$VERSION" == "main" ] && VERSION=latest | |
echo VERSION=$VERSION | |
echo "IMAGE_VERSION=$VERSION" >> $GITHUB_ENV | |
cat $GITHUB_ENV | |
- name: Tag and push image to ghcr.io | |
run: | | |
IMAGE_VERSION=${{ env.IMAGE_VERSION }} | |
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME | |
# Change all uppercase to lowercase | |
IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]') | |
echo IMAGE_ID=$IMAGE_ID | |
echo "Going to push $IMAGE_ID:$IMAGE_VERSION to ghcr.io" | |
docker tag $IMAGE_NAME $IMAGE_ID:$IMAGE_VERSION | |
docker push $IMAGE_ID:$IMAGE_VERSION | |
- name: Configure aws credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_ROLE_ECR }} | |
role-session-name: github_publish_littil_ecr | |
aws-region: ${{ secrets.AWS_REGION }} | |
- name: Test credentials | |
run: | | |
aws sts get-caller-identity | |
- name: Tag and push image to ECR | |
run: | | |
IMAGE_VERSION=${{ env.IMAGE_VERSION }} | |
ECR_IMAGE_ID=${{ secrets.AWS_ECR_REPOSITORY }} | |
aws ecr get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username AWS --password-stdin ${{ secrets.AWS_ECR_REPOSITORY }} | |
docker tag $IMAGE_NAME $ECR_IMAGE_ID:$IMAGE_VERSION | |
echo "Going to push $ECR_IMAGE_ID:$IMAGE_VERSION to ECR" | |
docker push $ECR_IMAGE_ID:$IMAGE_VERSION | |
docker tag $IMAGE_NAME $ECR_IMAGE_ID:latest | |
echo "Going to push $ECR_IMAGE_ID:latest to ECR" | |
docker push $ECR_IMAGE_ID:latest |