Skip to content

Bump github/codeql-action from 2.22.5 to 2.22.9 #286

Bump github/codeql-action from 2.22.5 to 2.22.9

Bump github/codeql-action from 2.22.5 to 2.22.9 #286

Workflow file for this run

---
# Workflow syntax for GitHub Actions: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
# Build Application and Upload Container Image to Docker Hub
name: Build and Scan Image
# Events: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
on:
# Run workflow on push except for ignored branches and paths
push:
# Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
branches-ignore:
# - 'dependabot/**'
- 'cherry-pick-*'
paths-ignore:
- '**.md' # Ignore documentation changes
- '.github/**(!build.yml)' # Ignore other workflow changes
# Run workflow on pull request
pull_request: # By default, a workflow only runs when a pull_request event's activity type is opened, synchronize, or reopened
# Allow user to manually trigger Workflow execution
workflow_dispatch:
# Set Workflow-level permissions: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
permissions:
contents: read
# Run a single job at a time: https://docs.github.com/en/actions/using-jobs/using-concurrency
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
# Run job when not triggered by a merge
if: (github.event_name == 'push' && contains(toJSON(github.event.head_commit.message), 'Merge pull request ') == false) || (github.event_name != 'push')
runs-on: ubuntu-latest
environment: docker-hub # Use `docker-hub` repository environment
# Set Job-level environment variables
env:
MYSQL_DATABASE: demoapp
MYSQL_USER: user
MYSQL_PASSWORD: password
MYSQL_ROOT_PASSWORD: local
# Select builder from: ["docker", "maven"]
# "docker" uses multi-stage build
# "maven" uses dockerfile-maven-plugin
BUILDERS: '["docker", "maven"]'
BUILDER: maven
# Uncomment lines below to run `build` job on container
# Note: container image must contains commands required for step execution, e.g. docker, gzip, etc.
# container:
# image: mcr.microsoft.com/openjdk/jdk:17-ubuntu # Image Java version must match with `project.version` in pom.xml
# # Set credentials when container registry requires authentication to pull the image
# # credentials:
# # username: ${{ github.actor }}
# # password: ${{ secrets.github_token }}
services:
mysql:
image: mysql:8.0 # Use same mysql image from devcontainer.json
env:
MYSQL_DATABASE: ${{ env.MYSQL_DATABASE }}
MYSQL_USER: ${{ env.MYSQL_USER }}
MYSQL_PASSWORD: ${{ env.MYSQL_PASSWORD }}
MYSQL_ROOT_PASSWORD: ${{ env.MYSQL_ROOT_PASSWORD }}
# Ports are required only when `container` keyword is not defined
ports:
- 3306:3306 # Opens tcp port 3306 on the host and service container
steps:
# Workaround for the absence of github.branch_name, use github-env-vars-action to define useful environment variables not available by default
- uses: FranzDiebold/github-env-vars-action@v2 # https://github.com/marketplace/actions/github-environment-variables-action
# Set Complete Container Image URL
- name: Set CONTAINER_IMAGE_URL
run: |
echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.CI_REPOSITORY_NAME }}:${{ env.CI_ACTION_REF_NAME }}" >> $GITHUB_ENV
# Fail job when invalid builder is selected
- name: Check BUILDER environment variable
# if expression clarification: https://github.com/github/docs/blob/main/data/reusables/actions/expression-syntax-if.md
if: ${{! contains(fromJSON(env.BUILDERS), env.BUILDER) }}
run: |
echo "Invalid builder: ${{ env.BUILDER }}"
echo "Builders: ${{ env.BUILDERS }}"
exit 1
- name: Checkout repository
uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout
# Setup Java
- uses: actions/setup-java@v3 # https://github.com/actions/setup-java
with:
distribution: microsoft # Microsoft was selected to match Visual Studio Code Dev Container Java distribuition, see .devcontainer/devcontainer.json. Supported distributions: https://github.com/actions/setup-java#supported-distributions
java-version: '17' # Java version must match `project.properties['java.version']` in pom.xml
# Cache Maven dependencies
- name: Install and Cache Maven dependencies
id: cache
uses: actions/cache@v3 # https://github.com/marketplace/actions/cache#using-a-combination-of-restore-and-save-actions
with:
path: |
~/.m2
key: maven-${{ hashFiles('**/pom.xml') }}
- name: Set up QEMU
if: env.BUILDER == 'docker'
uses: docker/setup-qemu-action@v3 # https://github.com/marketplace/actions/docker-setup-qemu
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 # https://github.com/marketplace/actions/docker-setup-build
- name: Login to DockerHub
uses: docker/login-action@v3 # https://github.com/marketplace/actions/docker-login
with:
registry: ${{ vars.DOCKER_REGISTRY_URL }}
username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
# Build with Maven and Upload Container Image to Docker Hub
- name: Maven Build
if: env.BUILDER == 'maven'
env:
# Use localhost when `container` keyword is not defined
SPRING_DATASOURCE_URL: jdbc:mysql://localhost:3306/demoapp
# Use service name when `container` keyword is defined
# SPRING_DATASOURCE_URL: jdbc:mysql://mysql:3306/demoapp
SPRING_DATASOURCE_USERNAME: root
SPRING_DATASOURCE_PASSWORD: ${{ env.MYSQL_ROOT_PASSWORD }}
# Use `vars` context when using repository environment variables: https://docs.github.com/en/actions/learn-github-actions/contexts#vars-context
run: |
mvn package -Ddockerfile.skip=true \
-Drevision=${{ env.CI_ACTION_REF_NAME }} \
-DDOCKER_REGISTRY_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/
- name: Docker Build and Push
if: env.BUILDER == 'maven'
uses: docker/build-push-action@v5 # https://github.com/marketplace/actions/build-and-push-docker-images
with:
context: .
file: Containerfile
# build-args syntax clarification: https://github.com/docker/build-push-action/issues/557#issuecomment-1030412477
build-args: |
"JAR_FILE=${{ env.CI_REPOSITORY_NAME }}-${{ env.CI_ACTION_REF_NAME }}.jar"
push: true
tags: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Docker Build and Push (Multi-Stage)
if: env.BUILDER == 'docker'
uses: docker/build-push-action@v5 # https://github.com/marketplace/actions/build-and-push-docker-images
with:
context: .
file: Containerfile.multistage
push: true
tags: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV
cache-from: type=gha
cache-to: type=gha,mode=max
container-structure-test:
needs: build
runs-on: ubuntu-latest
environment: docker-hub # Use `docker-hub` repository environment
steps:
# Workaround for the absence of github.branch_name, use github-env-vars-action to define useful environment variables not available by default
- uses: FranzDiebold/github-env-vars-action@v2 # https://github.com/marketplace/actions/github-environment-variables-action
# Set Complete Container Image URL
- name: Set CONTAINER_IMAGE_URL
run: |
echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.CI_REPOSITORY_NAME }}:${{ env.CI_ACTION_REF_NAME }}" >> $GITHUB_ENV
- name: Login to DockerHub
uses: docker/login-action@v3 # https://github.com/marketplace/actions/docker-login
with:
registry: ${{ vars.DOCKER_REGISTRY_URL }}
username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
- name: Pull Container Image
# CONTAINER_IMAGE_URL is defined in GITHUB_ENV
run: |
docker pull ${{ env.CONTAINER_IMAGE_URL }}
- name: Checkout repository
uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout
- name: Run Container Structure Test
uses: ./.github/actions/container-structure-test
with:
image: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV
configFile: ./container-structure-test.yaml
scan:
needs: build
runs-on: ubuntu-latest
# Set Job-level permissions: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions
permissions:
security-events: write # Allow Job to upload scan results to GitHub
environment: docker-hub # Use `docker-hub` repository environment
env:
TRIVY_CACHE_DIR: /tmp/trivy/
steps:
# Workaround for the absence of github.branch_name, use github-env-vars-action to define useful environment variables not available by default
- uses: FranzDiebold/github-env-vars-action@v2 # https://github.com/marketplace/actions/github-environment-variables-action
# Set Complete Container Image URL
- name: Set CONTAINER_IMAGE_URL
run: |
echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.CI_REPOSITORY_NAME }}:${{ env.CI_ACTION_REF_NAME }}" >> $GITHUB_ENV
- name: Checkout repository
uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout
- name: Cache Trivy
id: cache
uses: actions/cache@v3 # https://github.com/marketplace/actions/cache#using-a-combination-of-restore-and-save-actions
with:
path: ${{ env.TRIVY_CACHE_DIR }}
key: trivy-${{ hashFiles('**/pom.xml', '**/Containerfile*') }} # Trivy scan results are influenced by maven dependencies and Containerfile runtime image
- name: Scan Image with Aqua Security Trivy
uses: aquasecurity/trivy-action@0.13.0 # https://github.com/marketplace/actions/aqua-security-trivy
with:
image-ref: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV
vuln-type: 'os,library'
severity: 'LOW,MEDIUM,HIGH,CRITICAL'
scanners: 'vuln,secret,config'
ignore-unfixed: true
exit-code: '1'
cache-dir: ${{ env.TRIVY_CACHE_DIR }}
format: sarif
output: 'trivy-results.sarif'
env:
TRIVY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
TRIVY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2.22.9 # https://github.com/github/codeql-action/tree/main/upload-sarif
with:
sarif_file: 'trivy-results.sarif'