Merge pull request #698 from Onlineberatung/TSYSTEMS-140-upgrade-spri… #654
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish Docker image | |
on: | |
push: | |
branches: | |
- 'release' | |
- 'staging' | |
- 'develop' | |
tags: | |
- "dockerImage.v.*" | |
- "v*" | |
jobs: | |
test: | |
name: Build and run unit tests | |
runs-on: ubuntu-latest | |
timeout-minutes: 40 | |
env: | |
FAIL_WEBHOOK_SECRET: ${{ secrets.MS_TEAMS_FAIL_WEBHOOK_URI }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
- name: Prepare environment variables | |
run: | | |
raw=$(git branch -r --contains ${{ github.ref }}) | |
branch=${raw##*/} | |
echo BRANCH_NAME=$(echo -n "${branch}") >> $GITHUB_ENV | |
- name: Setup JVM | |
uses: actions/setup-java@v1 | |
with: | |
java-version: 11.0.10 | |
java-package: jdk | |
architecture: x64 | |
- name: Caching maven dependencies | |
uses: actions/cache@v1 | |
env: | |
cache-name: cache-maven-dependencies | |
with: | |
path: ~/.m2/repository | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/pom.xml') }} | |
- name: Maven Package | |
run: mvn -B -Pprod clean package -DskipTests=true | |
- name: Maven Verify | |
run: mvn -B -Pprod clean verify -DskipTests=true | |
- uses: actions/upload-artifact@v2 | |
with: | |
name: targetfiles | |
path: target/*.jar | |
- name: Microsoft Teams Fail Card | |
if: ${{ (env.FAIL_WEBHOOK_SECRET != null) && (env.FAIL_WEBHOOK_SECRET != '') && (failure() || cancelled()) }} | |
uses: toko-bifrost/[email protected] | |
with: | |
github-token: ${{ github.token }} | |
webhook-uri: ${{ secrets.MS_TEAMS_FAIL_WEBHOOK_URI }} | |
show-on-start: false | |
show-on-exit: true | |
show-on-failure: true | |
card-layout-exit: complete | |
environment: ${{ env.BRANCH_NAME }} | |
custom-actions: | | |
- text: View CI | |
url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
push_to_registry: | |
strategy: | |
matrix: | |
registry: [ "ghcr.io" ] | |
needs: [ test ] | |
name: Push Docker image to GitHub Packages | |
runs-on: ubuntu-latest | |
timeout-minutes: 40 | |
env: | |
IMAGE_WEBHOOK_SECRET: ${{ secrets.MS_TEAMS_IMAGE_WEBHOOK_URI }} | |
FAIL_WEBHOOK_SECRET: ${{ secrets.MS_TEAMS_FAIL_WEBHOOK_URI }} | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Download buildfiles artifact | |
uses: actions/download-artifact@v2 | |
with: | |
name: targetfiles | |
- name: Get current time | |
id: time | |
uses: nanzm/[email protected] | |
with: | |
timeZone: 2 | |
format: "YYYYMMDD[_]HHmmss" | |
- name: Prepare environment variables | |
run: | | |
raw=$(git branch -r --contains ${{ github.ref }}) | |
branch=${raw##*/} | |
echo BRANCH_NAME=$(echo -n "${branch}") >> $GITHUB_ENV | |
echo "DOCKER_REGISTRY=$(echo "${{ matrix.registry }}/${{ github.repository }}" | awk '{print tolower($0)}')" >> $GITHUB_ENV | |
echo "DOCKER_IMAGE=$(echo "${{ github.repository }}" | awk -F / '{print tolower($2)}')" >> $GITHUB_ENV | |
echo "REPO_NAME_WITHOUT_PREFIX"=$(echo "${{ github.repository }}" | sed "s/.*\///" | awk -F / '{print tolower($0)}') >> $GITHUB_ENV | |
echo CLEAN_REF=$(echo "${GITHUB_REF_NAME#refs/heads/}") >> $GITHUB_ENV | |
echo TYPE=$(echo -n "${GITHUB_REF_TYPE}") >> $GITHUB_ENV | |
echo TIME_STAMP=$(echo -n "${{ steps.time.outputs.time }}") >> $GITHUB_ENV | |
shell: bash | |
- name: Set branch_timestamp for image from branch | |
if: ${{ env.TYPE == 'branch' }} | |
run: echo DOCKER_IMAGE_TAG=$(echo "${{ env.CLEAN_REF }}_${{ env.TIME_STAMP }}") >> $GITHUB_ENV | |
shell: bash | |
- name: Set tag for image from tag | |
if: ${{ env.TYPE == 'tag' }} | |
run: echo DOCKER_IMAGE_TAG=$(echo "${{ env.CLEAN_REF }}") >> $GITHUB_ENV | |
shell: bash | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v4 | |
with: | |
images: '${{ env.DOCKER_REGISTRY }}/${{ env.REPO_NAME_WITHOUT_PREFIX }}' | |
flavor: | | |
latest=false | |
tags: | | |
type=ref,event=branch | |
type=ref,event=tag | |
type=raw,value=${{ env.DOCKER_IMAGE_TAG}} | |
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'release') }} | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ env.DOCKER_REGISTRY }} | |
username: ${{ secrets.GH_PACKAGE_RELEASE_USER }} | |
password: ${{ secrets.GH_PACKAGE_RELEASE_TOKEN }} | |
- name: Push to GitHub Packages | |
uses: docker/build-push-action@v3 | |
with: | |
context: . | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Hint about the Docker Image Tag if successfull | |
if: ${{ success() }} | |
run: | | |
echo "### Publish Docker image :white_check_mark:" >> $GITHUB_STEP_SUMMARY | |
echo "" >> $GITHUB_STEP_SUMMARY | |
echo "- Image name: ${{ env.DOCKER_IMAGE }}" >> $GITHUB_STEP_SUMMARY | |
echo "- Version: ${{ env.DOCKER_IMAGE_TAG }}" >> $GITHUB_STEP_SUMMARY | |
- name: Hint about the Docker Image Tag if not successfull | |
if: ${{ failure() || cancelled() }} | |
run: | | |
echo "### Publish Docker image :x:" >> $GITHUB_STEP_SUMMARY | |
echo "" >> $GITHUB_STEP_SUMMARY | |
echo "- It seems that something has gone wrong" >> $GITHUB_STEP_SUMMARY | |
- name: Run Trivy vulnerability image scanner | |
if: ${{ (matrix.registry == 'ghcr.io') }} | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: '${{ env.DOCKER_REGISTRY }}/${{ env.REPO_NAME_WITHOUT_PREFIX }}:${{ env.DOCKER_IMAGE_TAG }}' | |
format: 'table' | |
exit-code: '0' | |
vuln-type: 'os,library' | |
severity: 'CRITICAL' | |
- name: Microsoft Teams Fail Card | |
if: ${{ (env.FAIL_WEBHOOK_SECRET != null) && (env.FAIL_WEBHOOK_SECRET != '') && (matrix.registry == 'ghcr.io') && (failure() || cancelled()) }} | |
uses: toko-bifrost/[email protected] | |
with: | |
github-token: ${{ github.token }} | |
webhook-uri: ${{ secrets.MS_TEAMS_FAIL_WEBHOOK_URI }} | |
show-on-start: false | |
show-on-exit: true | |
show-on-failure: true | |
card-layout-exit: complete | |
environment: ${{ env.BRANCH_NAME }} | |
custom-actions: | | |
- text: View CI | |
url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
- name: Microsoft Teams Image Card | |
if: ${{ (env.IMAGE_WEBHOOK_SECRET != null) && (env.IMAGE_WEBHOOK_SECRET != '') && (matrix.registry == 'ghcr.io') && success() }} | |
uses: toko-bifrost/[email protected] | |
with: | |
github-token: ${{ github.token }} | |
webhook-uri: ${{ secrets.MS_TEAMS_IMAGE_WEBHOOK_URI }} | |
show-on-start: false | |
show-on-exit: true | |
show-on-failure: false | |
card-layout-exit: complete | |
environment: ${{ env.BRANCH_NAME }} | |
custom-facts: | | |
- name: Registry | |
value: ${{ env.DOCKER_REGISTRY }}/${{ env.REPO_NAME_WITHOUT_PREFIX }} | |
- name: Tag | |
value: ${{ env.DOCKER_IMAGE_TAG }} | |
custom-actions: | | |
- text: View CI | |
url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" |