Skip to content

Merge pull request #131 from koenighotze/dependabot/github_actions/Gi… #140

Merge pull request #131 from koenighotze/dependabot/github_actions/Gi…

Merge pull request #131 from koenighotze/dependabot/github_actions/Gi… #140

name: Build main
on:
push:
branches: [ main, migrate-to-kotlin ]
tags:
- "v*"
paths-ignore:
- '**.md'
workflow_dispatch:
permissions:
contents: read
env:
CONTAINER_REGISTRY: ${{ secrets.CONTAINER_REGISTRY }}
GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
jobs:
security-scan-code:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/gradle@0.4.0
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
- name: Run vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.16.1
with:
scan-type: "fs"
ignore-unfixed: false
format: "table"
exit-code: "1"
severity: "CRITICAL"
qa:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Check shell scripts
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 #2.0.0
with:
severity: warning
scandir: './scripts'
test:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17
- name: Unit test with coverage
run: ./gradlew --warning-mode all cleanTest test jacocoTestReport
- name: Upload coverage
run: |
bash <(curl -Ls https://coverage.codacy.com/get.sh) report -r build/reports/jacoco/test/jacocoTestReport.xml
env:
CODACY_PROJECT_NAME: bodleian-service
CODACY_ORGANIZATION_PROVIDER: gh
CODACY_USERNAME: ${{ github.repository_owner }}
CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
integration-test:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17
- name: Integration test
run: ./gradlew --warning-mode all integrationTests
build-container:
needs:
- qa
- test
- integration-test
- security-scan-code
permissions:
id-token: write
contents: read
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Authenticate
uses: google-github-actions/auth@v2
id: auth
with:
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.CICD_SA_EMAIL_ADDRESS }}
token_format: id_token
id_token_audience: ${{ secrets.CLOUD_RUN_BACKEND_URL }}
id_token_include_email: true
- name: Set up GCP environment
uses: google-github-actions/setup-gcloud@v2
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build image
run: ./scripts/containerize.sh
- name: Run vulnerability scanner
uses: aquasecurity/trivy-action@0.16.1
with:
image-ref: ${{ env.image-name }}
format: "table"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
# - name: Push image
# run: ./scripts/containerize.sh
# env:
# OUTPUT_MODE: push
# - name: Deploy
# id: deploy
# uses: google-github-actions/deploy-cloudrun@v1.0.2
# with:
# image: ${{ env.image-name }}
# service: ${{ secrets.CLOUD_RUN_SERVICE }}
# region: ${{ secrets.CLOUD_RUN_REGION }}
# timeout: 10 # allow enough time to startup container
# no_traffic: true
# flags: '--concurrency=1 --cpu=1 --max-instances=1'
# # no_traffic: ${{ !startsWith(github.event.ref, 'refs/tags/v') }}
# tag: ${{ env.git-tag }}
# - name: Test if service is up
# run: |
# ./scripts/is-service-up.sh
# env:
# BASE_URL: ${{ steps.deploy.outputs.url }}
# BEARER_TOKEN: ${{ steps.auth.outputs.id_token }}
# - name: Report failures to Slack
# uses: ravsamhq/notify-slack-action@bca2d7f5660b833a27bda4f6b8bef389ebfefd25 #v2
# if: always()
# with:
# status: ${{ job.status }}
# token: ${{ secrets.GITHUB_TOKEN }}
# notification_title: "{workflow} has {status_message}"
# message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>"
# footer: "Linked Repo <{repo_url}|{repo}> | <{workflow_url}|View Workflow>"
# notify_when: "failure"
# env:
# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
# - name: Route traffic to new version
# # TODO: check why using the deploy-action does not work with tags.
# if: ${{ startsWith(github.event.ref, 'refs/tags/v') }}
# run: |
# echo "Routing full traffic to tag $git-tag"
# gcloud run services update-traffic --region=${{ secrets.CLOUD_RUN_REGION }} ${{ secrets.CLOUD_RUN_SERVICE }} --to-tags="${{ env.git-tag }}=100"