Update build-maven.yml #30
name: CI

# Run on pushes to main and dev, and on pull requests that target main.
on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main]

# Token scopes granted to every job in this workflow.
permissions:
  # Read-only access to repository contents.
  contents: read
  # For detecting the GitHub Actions environment.
  actions: read
  # For creating OIDC tokens for signing.
  id-token: write
  # For uploading attestation.
  packages: write
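jobs:
  # Builds the Maven project, publishes it to Artifactory, then builds, pushes
  # and scans the Docker image and records build-info for the run.
  build-publish-maven:
    runs-on: ubuntu-latest
    env:
      DOCKER_REPO: 'mgm-project-docker-local'
      IMAGE_NAME: 'my-very-cool-image:${{ github.run_number }}'
      JF_URL: 'https://${{ vars.JF_URL }}/'
      DOCKER_CLI_EXPERIMENTAL: enabled
      JFROG_PLATFORM_REPO: 'mgm-project-maven-virtual'
      JF_PROJECT: mgm-project
      # Registry host (no scheme). Exposed as an environment variable so the
      # run scripts below read it as "$IMAGE_REGISTRY" instead of having
      # ${{ }} expressions pasted into the shell text before it is executed.
      IMAGE_REGISTRY: '${{ vars.JF_URL }}'
    steps:
      # NOTE(review): every `uses:` below references a mutable tag. This
      # workflow holds id-token: write and packages: write, so pinning each
      # action to a full commit SHA limits the impact of a retagged release.
      - name: Check out repository
        uses: actions/checkout@v4

      # Authenticates the CLI through OIDC; JF_URL and JF_PROJECT come from
      # the job-level env above.
      - name: Setup JFrog CLI
        id: setup-cli
        uses: jfrog/setup-jfrog-cli@v4
        with:
          oidc-provider-name: mgm-demo
          oidc-audience: mgm-demo-aud

      - name: Configure Maven
        run: >-
          jf mvnc
          --repo-deploy-releases "$JFROG_PLATFORM_REPO"
          --repo-deploy-snapshots "$JFROG_PLATFORM_REPO"
          --repo-resolve-releases "$JFROG_PLATFORM_REPO"
          --repo-resolve-snapshots "$JFROG_PLATFORM_REPO"

      # NOTE(review): the artifact is deployed here, before either Xray step
      # below runs, so a failing audit does not stop publication. Confirm
      # this ordering is intended.
      - name: Build and Upload JAR to Artifactory
        run: jf mvn package deploy

      - name: Audit with JFrog Xray
        run: jf audit .

      # Renamed from a second "Audit with JFrog Xray" so the two steps can be
      # told apart in the run log.
      - name: Scan files with JFrog Xray
        run: jf scan **/*

      - name: Collect environment variables for build
        env:
          CI_JOB_NAME: ${{ github.job }}
          CI_JOB_ID: ${{ github.run_id }}
        run: jf rt bce "$CI_JOB_NAME" "$CI_JOB_ID"

      - name: Collect VCS details from Git
        env:
          CI_JOB_NAME: ${{ github.job }}
          CI_JOB_ID: ${{ github.run_id }}
        run: jf rt bag "$CI_JOB_NAME" "$CI_JOB_ID"

      - name: Publish build info
        env:
          CI_JOB_NAME: ${{ github.job }}
          CI_JOB_ID: ${{ github.run_id }}
        run: jf rt bp "$CI_JOB_NAME" "$CI_JOB_ID"

      # `with:` inputs are handed to the action as values, not run through a
      # shell, so the expressions stay here.
      - name: Authenticate Docker
        uses: docker/login-action@v3
        with:
          registry: ${{ vars.JF_URL }}
          username: ${{ steps.setup-cli.outputs.oidc-user }}
          password: ${{ steps.setup-cli.outputs.oidc-token }}

      # NOTE(review): --push publishes the image before the "docker scan"
      # step has looked at it. Confirm this ordering is intended.
      - name: docker build through
        run: |
          jf docker --version
          jf docker build --tag "${IMAGE_REGISTRY}/${DOCKER_REPO}/${IMAGE_NAME}" --metadata-file metadata.json --push .

      - name: docker scan
        run: |
          image_ref="${IMAGE_REGISTRY}/${DOCKER_REPO}/${IMAGE_NAME}"
          jf docker pull "$image_ref"
          jf docker scan "$image_ref"

      - name: Gather Docker image metadata
        run: |
          image_ref="${IMAGE_REGISTRY}/${DOCKER_REPO}/${IMAGE_NAME}"
          docker inspect "$image_ref" > metadata.json
          # NOTE(review): this prints the full inspect output to the job log;
          # check that the image configuration holds nothing sensitive.
          echo "----------------"
          cat metadata.json
          echo "----------------"
          digest=$(jq -r '.[0].RepoDigests[0]' metadata.json | awk -F '@' '{print $2}')
          # Without a digest the file below would name "image@" and the
          # build-info would not reference a specific image.
          if [ -z "$digest" ]; then
            echo "No repo digest found for ${image_ref}" >&2
            exit 1
          fi
          echo "${image_ref}@${digest}" > metadata.json
          jf rt build-docker-create "$DOCKER_REPO" --image-file metadata.json

      # NOTE(review): CI_JOB_NAME and CI_JOB_ID are defined only in the env of
      # the three build-info steps above, not in this step or the next, so
      # they expand to nothing here. They are left unquoted on purpose:
      # quoting would pass two empty arguments. Presumably the CLI then falls
      # back to its default build name and number - confirm that this is the
      # build meant to be published and scanned.
      - name: publish build info
        run: |
          jf rt build-collect-env
          jf rt build-add-dependencies .
          jf rt build-add-git
          jf rt build-publish
          jf rt bp $CI_JOB_NAME $CI_JOB_ID

      - name: build scan
        run: |
          jf build-scan $CI_JOB_NAME $CI_JOB_ID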