Merge pull request #123 from Onlineberatung/develop #446
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish Docker image | |
on: | |
push: | |
branches: | |
- "develop" | |
- "*" | |
tags: | |
- "dockerImage.v.*" | |
- "v*" | |
jobs: | |
test: | |
name: Build and run unit tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
- name: Setup JVM | |
uses: actions/setup-java@v1 | |
with: | |
java-version: 11.0.10 | |
java-package: jdk | |
architecture: x64 | |
- name: Caching maven dependencies | |
uses: actions/cache@v1 | |
env: | |
cache-name: cache-maven-dependencies | |
with: | |
path: ~/.m2/repository | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }} | |
- name: Maven Package | |
run: mvn -B -Pprod clean package -DskipTests=true | |
# - name: Maven Verify | |
# run: mvn -B -Pprod clean verify -DskipTests=true | |
- uses: actions/upload-artifact@v2 | |
with: | |
name: targetfiles | |
path: target/*.jar | |
push_to_registry: | |
strategy: | |
matrix: | |
registry: ["docker.pkg.github.com", "ghcr.io"] | |
needs: [test] | |
name: Push Docker image to GitHub Packages | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Download buildfiles artifact | |
uses: actions/download-artifact@v2 | |
with: | |
name: targetfiles | |
- name: Get current time | |
id: time | |
uses: nanzm/[email protected] | |
with: | |
timeZone: 2 | |
format: "YYYYMMDD[_]HHmmss" | |
- name: Prepare environment variables | |
run: | | |
echo "DOCKER_REGISTRY=$(echo "${{ matrix.registry }}/${{ github.repository }}" | awk '{print tolower($0)}')" >> $GITHUB_ENV | |
echo "DOCKER_IMAGE=$(echo "${{ github.repository }}" | awk -F / '{print tolower($2)}')" >> $GITHUB_ENV | |
echo "REPO_NAME_WITHOUT_PREFIX"=$(echo "${{ github.repository }}" | sed "s/.*\///" | awk -F / '{print tolower($0)}') >> $GITHUB_ENV | |
echo CLEAN_REF=$(echo "${GITHUB_REF_NAME#refs/heads/}") >> $GITHUB_ENV | |
echo TYPE=$(echo -n "${GITHUB_REF_TYPE}") >> $GITHUB_ENV | |
echo TIME_STAMP=$(echo -n "${{ steps.time.outputs.time }}") >> $GITHUB_ENV | |
shell: bash | |
- name: Set branch_timestamp for image from branch | |
if: ${{ env.TYPE == 'branch' }} | |
run: echo DOCKER_IMAGE_TAG=$(echo "${{ env.CLEAN_REF }}_${{ env.TIME_STAMP }}") >> $GITHUB_ENV | |
shell: bash | |
- name: Set tag for image from tag | |
if: ${{ env.TYPE == 'tag' }} | |
run: echo DOCKER_IMAGE_TAG=$(echo "${{ env.CLEAN_REF }}") >> $GITHUB_ENV | |
shell: bash | |
- name: Push to GitHub Packages | |
uses: docker/[email protected] | |
with: | |
username: ${{ secrets.GH_PACKAGE_RELEASE_USER }} | |
password: ${{ secrets.GH_PACKAGE_RELEASE_TOKEN }} | |
registry: ${{ env.DOCKER_REGISTRY }} | |
repository: ${{ env.DOCKER_IMAGE }} | |
tags: ${{ env.DOCKER_IMAGE_TAG}} | |
- name: Hint about the Docker Image Tag if successfull | |
if: ${{ success() }} | |
run: | | |
echo "### Publish Docker image :white_check_mark:" >> $GITHUB_STEP_SUMMARY | |
echo "" >> $GITHUB_STEP_SUMMARY | |
echo "- Image name: ${{ env.DOCKER_IMAGE }}" >> $GITHUB_STEP_SUMMARY | |
echo "- Version: ${{ env.DOCKER_IMAGE_TAG }}" >> $GITHUB_STEP_SUMMARY | |
- name: Hint about the Docker Image Tag if not successfull | |
if: ${{ failure() || cancelled() }} | |
run: | | |
echo "### Publish Docker image :x:" >> $GITHUB_STEP_SUMMARY | |
echo "" >> $GITHUB_STEP_SUMMARY | |
echo "- It seems that something has gone wrong" >> $GITHUB_STEP_SUMMARY | |
- name: Run Trivy vulnerability image scanner | |
if: ${{ (matrix.registry == 'ghcr.io') }} | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: '${{ env.DOCKER_REGISTRY }}/${{ env.REPO_NAME_WITHOUT_PREFIX }}:${{ env.DOCKER_IMAGE_TAG }}' | |
format: 'table' | |
exit-code: '1' | |
vuln-type: 'os,library' | |
severity: 'CRITICAL' |