Skip to content
littil-backend-build-deploy

Merge pull request #403 from Devoxx4Kids-NPO/dependabot/maven/com.aut… #339

Sign in to view logs

Merge pull request #403 from Devoxx4Kids-NPO/dependabot/maven/com.aut…

Merge pull request #403 from Devoxx4Kids-NPO/dependabot/maven/com.aut… #339

Workflow file for this run

.github/workflows/publish-build-container.yml at 7d2b1cf
---
name: littil-backend-build-deploy
on:
push:
branches:
- main
tags:
- v*
env:
IMAGE_NAME: littil-backend
jobs:
push:
name: Building project image
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
id-token: write
steps:
- uses: actions/checkout@v4
- uses: graalvm/setup-graalvm@v1
with:
version: '22.3.1'
java-version: '17'
components: 'native-image'
github-token: ${{ secrets.GITHUB_TOKEN }}
- uses: s4u/[email protected]
with:
java-version: 17
java-distribution: temurin
maven-version: 3.8.6
- name: Verify project
run: mvn verify --batch-mode
- name: Analyze build code
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/maven@master
env:
JAVA_HOME : "" # snyk runs with included java version
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
continue-on-error: false
with:
command: test --severity-threshold=high --sarif-file-output=target/snyk-report/snyk.sarif
- name: Build image
run: docker build . --file src/main/docker/Dockerfile.jvm --tag $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
- name: Log in to registry
# This is where you will update the PAT to GITHUB_TOKEN
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
- name: Determine container image version
run: |
# Strip git ref prefix from version
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
# Strip "v" prefix from tag name
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
# Use Docker `latest` tag convention
[ "$VERSION" == "main" ] && VERSION=latest
echo VERSION=$VERSION
echo "IMAGE_VERSION=$VERSION" >> $GITHUB_ENV
cat $GITHUB_ENV
- name: Tag and push image to ghcr.io
run: |
IMAGE_VERSION=${{ env.IMAGE_VERSION }}
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME
# Change all uppercase to lowercase
IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
echo IMAGE_ID=$IMAGE_ID
echo "Going to push $IMAGE_ID:$IMAGE_VERSION to ghcr.io"
docker tag $IMAGE_NAME $IMAGE_ID:$IMAGE_VERSION
docker push $IMAGE_ID:$IMAGE_VERSION
- name: Configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ECR }}
role-session-name: github_publish_littil_ecr
aws-region: ${{ secrets.AWS_REGION }}
- name: Test credentials
run: |
aws sts get-caller-identity
- name: Tag and push image to ECR
run: |
IMAGE_VERSION=${{ env.IMAGE_VERSION }}
ECR_IMAGE_ID=${{ secrets.AWS_ECR_REPOSITORY }}
aws ecr get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username AWS --password-stdin ${{ secrets.AWS_ECR_REPOSITORY }}
docker tag $IMAGE_NAME $ECR_IMAGE_ID:$IMAGE_VERSION
echo "Going to push $ECR_IMAGE_ID:$IMAGE_VERSION to ECR"
docker push $ECR_IMAGE_ID:$IMAGE_VERSION
docker tag $IMAGE_NAME $ECR_IMAGE_ID:latest
echo "Going to push $ECR_IMAGE_ID:latest to ECR"
docker push $ECR_IMAGE_ID:latest