Skip to content

chore(trivy):[#xxx] trivy fix mentioned in the Community Office Hour #988

chore(trivy):[#xxx] trivy fix mentioned in the Community Office Hour

chore(trivy):[#xxx] trivy fix mentioned in the Community Office Hour #988

Workflow file for this run

name: IRS build
on:
workflow_dispatch: # Trigger manually
pull_request:
paths-ignore:
- '**/*.md'
- '**/*.txt'
- 'charts/**'
- '.config/**'
- 'docs/**'
- '!docs/src/api/**'
- 'local/**'
- 'CHANGELOG.md'
push:
branches:
- main
tags:
- '**'
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Cache maven packages
uses: actions/cache@v4
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build with Maven
run: |
mvn clean verify --batch-mode
analyze_with_Sonar:
# No need to run if we cannot use the sonar token
if: >-
(github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) &&
github.actor != 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of sonar analysis
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Cache maven packages
uses: actions/cache@v4
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Cache SonarCloud packages
uses: actions/cache@v4
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Analyze with Sonar
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: |
mvn --batch-mode --update-snapshots verify \
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
-Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }} \
-Dcheckstyle.skip -Dpmd.skip=true
build_images:
strategy:
matrix:
image:
- irs-api
runs-on: ubuntu-latest
outputs:
image-tag: ${{ steps.version.outputs.image_tag }}
steps:
- uses: actions/checkout@v4
- name: Build image to make sure Dockerfile is valid
run: |
# RUN --mount=type=cache is used in the IRS Dockerfile to cache directories for maven.
# And the --mount option requires BuildKit.
DOCKER_BUILDKIT=1 docker build --build-arg BUILD_TARGET=${{ matrix.image }} --target ${{ matrix.image }} -t ${{ matrix.image }}:latest .
- name: Set image version
id: version
run: |
# Strip git ref prefix from version
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
# Strip "v" prefix from tag name
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
# Support PR ref versions
[[ "${{ github.ref }}" == "refs/pull/"* ]] && VERSION=PR-$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\)/merge,\1,')
# Use Docker `latest` tag convention
[ "$VERSION" == "main" ] && VERSION=latest
echo VERSION=$VERSION
echo "::set-output name=image_tag::$VERSION"
- name: Log in to registry
env:
DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }}
if: >-
env.DOCKER_HUB_USER == '' &&
(github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) &&
github.actor != 'dependabot[bot]'
# This is where you will update the PAT to GITHUB_TOKEN
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Push image (GHCR)
env:
DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }}
if: >-
env.DOCKER_HUB_USER == '' &&
(github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) &&
github.actor != 'dependabot[bot]'
run: |
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}
# Change all uppercase to lowercase
IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
echo IMAGE_ID=$IMAGE_ID
docker tag ${{ matrix.image }} $IMAGE_ID:${{ steps.version.outputs.image_tag }}
docker push $IMAGE_ID:${{ steps.version.outputs.image_tag }}
docker tag ${{ matrix.image }} $IMAGE_ID:$GITHUB_SHA
docker push $IMAGE_ID:$GITHUB_SHA
- name: Login to Docker Hub
env:
DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }}
if: env.DOCKER_HUB_USER != ''
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Push image (DockerHub)
env:
DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }}
IMAGE_NAMESPACE: tractusx
IMAGE_NAME: irs-api
if: env.DOCKER_HUB_USER != ''
run: |
docker tag ${{ matrix.image }} ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.image_tag }}
docker push ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.image_tag }}
# https://github.com/peter-evans/dockerhub-description
- name: Update Docker Hub description
env:
DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }}
IMAGE_NAMESPACE: tractusx
IMAGE_NAME: irs-api
if: env.DOCKER_HUB_USER != '' && github.event_name != 'pull_request'
uses: peter-evans/dockerhub-description@v4
with:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
readme-filepath: ./DOCKER_NOTICE.md
trigger-trivy-image-scan:
if: >-
github.event_name != 'pull_request'
needs:
- build_images
uses: ./.github/workflows/trivy-docker-hub-scan.yml