Merge pull request #132 from koenighotze/dependabot/gradle/io.mockk-m… #141

Workflow file for this run

.github/workflows/build-and-deploy.yml at f2257f3

	name: Build main

	on:
	push:
	branches: [ main, migrate-to-kotlin ]
	tags:
	- "v*"
	paths-ignore:
	- '**.md'
	workflow_dispatch:


	permissions:
	contents: read

	env:
	CONTAINER_REGISTRY: ${{ secrets.CONTAINER_REGISTRY }}
	GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}

	jobs:
	security-scan-code:
	runs-on: ubuntu-20.04
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Run Snyk to check for vulnerabilities
	uses: snyk/actions/gradle@0.4.0
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	args: --severity-threshold=high
	- name: Run vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@0.16.1
	with:
	scan-type: "fs"
	ignore-unfixed: false
	format: "table"
	exit-code: "1"
	severity: "CRITICAL"

	qa:
	runs-on: ubuntu-20.04
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Check shell scripts
	uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 #2.0.0
	with:
	severity: warning
	scandir: './scripts'

	test:
	runs-on: ubuntu-20.04
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- uses: actions/setup-java@v4
	with:
	distribution: temurin
	java-version: 17
	- name: Unit test with coverage
	run: ./gradlew --warning-mode all cleanTest test jacocoTestReport
	- name: Upload coverage
	run: \|
	bash <(curl -Ls https://coverage.codacy.com/get.sh) report -r build/reports/jacoco/test/jacocoTestReport.xml
	env:
	CODACY_PROJECT_NAME: bodleian-service
	CODACY_ORGANIZATION_PROVIDER: gh
	CODACY_USERNAME: ${{ github.repository_owner }}
	CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}

	integration-test:
	runs-on: ubuntu-20.04
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- uses: actions/setup-java@v4
	with:
	distribution: temurin
	java-version: 17
	- name: Integration test
	run: ./gradlew --warning-mode all integrationTests

	build-container:
	needs:
	- qa
	- test
	- integration-test
	- security-scan-code

	permissions:
	id-token: write
	contents: read

	runs-on: ubuntu-20.04

	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Authenticate
	uses: google-github-actions/auth@v2
	id: auth
	with:
	workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
	service_account: ${{ secrets.CICD_SA_EMAIL_ADDRESS }}
	token_format: id_token
	id_token_audience: ${{ secrets.CLOUD_RUN_BACKEND_URL }}
	id_token_include_email: true
	- name: Set up GCP environment
	uses: google-github-actions/setup-gcloud@v2
	- uses: actions/setup-java@v4
	with:
	distribution: temurin
	java-version: 17
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Build image
	run: ./scripts/containerize.sh
	- name: Run vulnerability scanner
	uses: aquasecurity/trivy-action@0.16.1
	with:
	image-ref: ${{ env.image-name }}
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	# - name: Push image
	# run: ./scripts/containerize.sh
	# env:
	# OUTPUT_MODE: push
	# - name: Deploy
	# id: deploy
	# uses: google-github-actions/deploy-cloudrun@v1.0.2
	# with:
	# image: ${{ env.image-name }}
	# service: ${{ secrets.CLOUD_RUN_SERVICE }}
	# region: ${{ secrets.CLOUD_RUN_REGION }}
	# timeout: 10 # allow enough time to startup container
	# no_traffic: true
	# flags: '--concurrency=1 --cpu=1 --max-instances=1'
	# # no_traffic: ${{ !startsWith(github.event.ref, 'refs/tags/v') }}
	# tag: ${{ env.git-tag }}
	# - name: Test if service is up
	# run: \|
	# ./scripts/is-service-up.sh
	# env:
	# BASE_URL: ${{ steps.deploy.outputs.url }}
	# BEARER_TOKEN: ${{ steps.auth.outputs.id_token }}
	# - name: Report failures to Slack
	# uses: ravsamhq/notify-slack-action@bca2d7f5660b833a27bda4f6b8bef389ebfefd25 #v2
	# if: always()
	# with:
	# status: ${{ job.status }}
	# token: ${{ secrets.GITHUB_TOKEN }}
	# notification_title: "{workflow} has {status_message}"
	# message_format: "{emoji} {workflow} {status_message} in <{repo_url}\|{repo}>"
	# footer: "Linked Repo <{repo_url}\|{repo}> \| <{workflow_url}\|View Workflow>"
	# notify_when: "failure"
	# env:
	# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
	# - name: Route traffic to new version
	# # TODO: check why using the deploy-action does not work with tags.
	# if: ${{ startsWith(github.event.ref, 'refs/tags/v') }}
	# run: \|
	# echo "Routing full traffic to tag $git-tag"
	# gcloud run services update-traffic --region=${{ secrets.CLOUD_RUN_REGION }} ${{ secrets.CLOUD_RUN_SERVICE }} --to-tags="${{ env.git-tag }}=100"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #132 from koenighotze/dependabot/gradle/io.mockk-m… #141

Workflow file

Merge pull request #132 from koenighotze/dependabot/gradle/io.mockk-m… #141

Jobs

Run details

Workflow file for this run