-
Notifications
You must be signed in to change notification settings - Fork 12
130 lines (114 loc) · 4.57 KB
/
maven-deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
name: Deploy to Maven Central
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Set up GnuPG
env:
GPG_EXECUTABLE: gpg
GPG_SECRET_KEYS: ${{ secrets.GPG_SECRET_KEYS }}
GPG_OWNERTRUST: ${{ secrets.GPG_OWNERTRUST }}
run: |
mkdir -m 700 ~/.gnupg/
echo 'use-agent' > ~/.gnupg/gpg.conf
echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf
echo 'allow-loopback-pinentry' > ~/.gnupg/gpg-agent.conf
echo $GPG_SECRET_KEYS | base64 --decode | $GPG_EXECUTABLE --yes --batch --import
echo $GPG_OWNERTRUST | base64 --decode | $GPG_EXECUTABLE --yes --batch --import-ownertrust
- name: Checkout Source
uses: actions/checkout@v4
- name: Cache maven repository
uses: actions/cache@v4
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-dpl-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-dpl
${{ runner.os }}-maven
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
distribution: 'adopt'
java-version: 17
- name: Build with Maven
env:
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
run: |
mvn test-compile -P build-ci --settings maven-ci-settings.xml -B
- name: Test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
run: |
mvn install -P test --settings maven-ci-settings.xml -B
- name: Restore CVD Database from Cache
uses: actions/cache/restore@v4
with:
path: |
~/.m2/repository/org/owasp/dependency-check-data
key: ${{ runner.os }}-maven-owasp-cvedb
- name: Update CVD Database
env:
OWASP_OSS_INDEX_USERNAME: ${{ secrets.OWASP_OSS_INDEX_USERNAME }}
OWASP_OSS_INDEX_APIKEY: ${{ secrets.OWASP_OSS_INDEX_APIKEY }}
NIST_NVD_API_KEY: ${{ secrets.NIST_NVD_API_KEY }}
run: |
mvn -B -P owasp -DnvdApiDelay=6000 --settings maven-ci-settings.xml org.owasp:dependency-check-maven:update-only
- name: Save CVD Database to Cache
uses: actions/cache/save@v4
with:
path: |
~/.m2/repository/org/owasp/dependency-check-data
key: ${{ runner.os }}-maven-owasp-cvedb
- name: Dependency Vulnerability Check with OWASP
env:
OWASP_OSS_INDEX_USERNAME: ${{ secrets.OWASP_OSS_INDEX_USERNAME }}
OWASP_OSS_INDEX_APIKEY: ${{ secrets.OWASP_OSS_INDEX_APIKEY }}
run: |
mvn org.owasp:dependency-check-maven:aggregate -P owasp --settings maven-ci-settings.xml -B
- name: Build and Deploy with Maven
env:
GPG_EXECUTABLE: gpg
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
run: mvn clean deploy -P release --settings maven-ci-settings.xml -B
- name: Set env variables
run: |
echo "Exporting Variables"
export STARTER_NAME=$(mvn -pl starter -Dexec.executable='echo' -Dexec.args='${project.build.finalName}' exec:exec -q)
echo "STARTER_ARTIFACT=${STARTER_NAME}.jar" >> $GITHUB_ENV
export version=$(mvn -Dexec.executable='echo' -Dexec.args='${project.version}' --non-recursive exec:exec -q)
echo "VERSION=${version}" >> $GITHUB_ENV
echo "DOCKER_TAG_SHORT=${version%.*}" >> $GITHUB_ENV
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push docker image - starter
uses: docker/build-push-action@v5
with:
platforms: linux/amd64,linux/arm64
context: "./starter"
push: true
build-args: |
ARTIFACT_FILE=${{ env.STARTER_ARTIFACT }}
tags: |
fraunhoferiosb/faaast-service:${{ env.VERSION }}
fraunhoferiosb/faaast-service:${{ env.DOCKER_TAG_SHORT }}