fix: ci

Sphereon-Opensource · Jan 15, 2025 · a015b2e · a015b2e
1 parent c165bed
commit a015b2e
Show file tree

Hide file tree

Showing 20 changed files with 609 additions and 65 deletions.
diff --git a/.docker/admin-server/Dockerfile b/.docker/admin-server/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:21-jdk as builder
+FROM openjdk:21-jdk AS builder
 RUN microdnf install findutils
 
 WORKDIR /app
@@ -9,10 +9,17 @@ RUN chmod +x ./gradlew
 
 RUN ./gradlew :modules:admin-server:bootJar -x test -x allTests -x jsBrowserTest
 
-FROM openjdk:21-jdk as runner
+FROM openjdk:21-jdk AS runner
+RUN microdnf install curl
 
 WORKDIR /app
 
-COPY --from=builder /app/modules/admin-server/build/libs/admin-server-0.1.2-SNAPSHOT.jar ./admin-server-0.1.2.jar
+COPY --from=builder /app/modules/admin-server/build/libs/admin-server-*.jar ./admin-server.jar
+HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost:8080/status || exit 1
 
-ENTRYPOINT ["java", "-jar", "admin-server-0.1.2.jar"]
+# Create non-root user
+RUN useradd -r -u 1002 -g root admin-server
+USER admin-server
+
+ENTRYPOINT ["java"]
+CMD ["-XX:MaxRAMPercentage=75.0", "-XX:InitialRAMPercentage=50.0", "-XX:+UseG1GC", "-jar", "admin-server.jar"]
diff --git a/.docker/federation-server/Dockerfile b/.docker/federation-server/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:21-jdk as builder
+FROM openjdk:21-jdk AS builder
 RUN microdnf install findutils
 
 WORKDIR /app
@@ -9,10 +9,17 @@ RUN chmod +x ./gradlew
 
 RUN ./gradlew :modules:federation-server:bootJar -x test -x allTests -x jsBrowserTest
 
-FROM openjdk:21-jdk as runner
+FROM openjdk:21-jdk AS runner
+RUN microdnf install curl
 
 WORKDIR /app
 
-COPY --from=builder /app/modules/federation-server/build/libs/federation-server-0.1.2-SNAPSHOT.jar ./federation-server-0.1.2.jar
+COPY --from=builder /app/modules/federation-server/build/libs/federation-server-*.jar ./federation-server.jar
+HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost:8080/status || exit 1
 
-ENTRYPOINT ["java", "-jar", "federation-server-0.1.2.jar"]
+# Create non-root user
+RUN useradd -r -u 1001 -g root federation-server
+USER federation-server
+
+ENTRYPOINT ["java"]
+CMD ["-XX:MaxRAMPercentage=75.0", "-XX:InitialRAMPercentage=50.0", "-XX:+UseG1GC", "-jar", "federation-server.jar"]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,10 +1,13 @@
 name: Run CI
+
 on:
   push:
   workflow_dispatch:
 
 jobs:
   gradle:
+    outputs:
+      success: ${{ steps.build.outcome == 'success' }}
     strategy:
       matrix:
         # Removed windows, because build failing with docker network. "bridge" network driver is not supported for Windows containers
@@ -18,34 +21,86 @@ jobs:
           distribution: temurin
           java-version: 21
 
-      - name: Run database
-        run: docker compose -f docker-compose.yaml up db -d
-        env:
-          DATASOURCE_USER: ${{ secrets.DATASOURCE_USER }}
-          DATASOURCE_PASSWORD: ${{ secrets.DATASOURCE_PASSWORD }}
-          DATASOURCE_URL: ${{ secrets.DATASOURCE_URL }}
-
-      - name: Run local KMS database
-        run: docker compose -f docker-compose.yaml up local-kms-db -d
-        env:
-          DATASOURCE_USER: ${{ secrets.LOCAL_KMS_DATASOURCE_USER }}
-          DATASOURCE_PASSWORD: ${{ secrets.LOCAL_KMS_DATASOURCE_PASSWORD }}
-          DATASOURCE_URL: ${{ secrets.LOCAL_KMS_DATASOURCE_URL }}
-
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v4
 
       - name: Grant execute permission for Gradlew (Linux/Mac)
         if: runner.os != 'Windows'
         run: chmod +x ./gradlew
 
-      - name: Execute Gradle build
+      - name: Execute build
+        id: build
+        env:
+          APP_KEY: ${{ secrets.APP_KEY }}
+          DATASOURCE_USER: ${{ secrets.DATASOURCE_USER }}
+          DATASOURCE_PASSWORD: ${{ secrets.DATASOURCE_PASSWORD }}
+          DATASOURCE_URL: ${{ secrets.DATASOURCE_URL }}
+          LOCAL_KMS_DATASOURCE_USER: ${{ secrets.LOCAL_KMS_DATASOURCE_USER }}
+          LOCAL_KMS_DATASOURCE_PASSWORD: ${{ secrets.LOCAL_KMS_DATASOURCE_PASSWORD }}
+          LOCAL_KMS_DATASOURCE_URL: ${{ secrets.LOCAL_KMS_DATASOURCE_URL }}
+          NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
+          NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          KMS_PROVIDER: local
         run: |
           ./gradlew build
           ./gradlew :modules:openapi:jsPublicPackageJson
           ./gradlew :modules:openid-federation-common:jsPublicPackageJson
           ./gradlew publishJsPackageToNpmjsRegistry
           ./gradlew publishAllPublicationsToSphereon-opensourceRepository
+
+  auto-tag:
+    needs: gradle
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    if: github.event_name == 'repository_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged == true) || (github.event_name == 'push' && needs.gradle.outputs.success == 'true')
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get version info
+        id: get_version_info
+        run: |
+          git config --local user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+          git config --local user.name "${GITHUB_ACTOR}"
+          EVENT_NAME="${{ github.event_name }}"
+          if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            BRANCH_NAME="${{ github.event.pull_request.head.ref }}"
+          else
+            BRANCH_NAME="${GITHUB_REF#refs/heads/}"
+          fi
+          if [[ $BRANCH_NAME == "develop" ]]; then
+            PREFIX="dev"
+          elif [[ $BRANCH_NAME == "main" ]]; then
+            PREFIX="main"
+          elif [[ $BRANCH_NAME == feature/* ]]; then
+            PREFIX="feat"
+          elif [[ $BRANCH_NAME == hotfix/* ]]; then
+            PREFIX="fix"
+          elif [[ $BRANCH_NAME == release/* ]]; then
+            PREFIX="rel"
+          else
+            PREFIX="build"
+          fi
+          GRADLE_VERSION=$(grep 'version = ' build.gradle.kts | sed 's/.*version = "\(.*\)".*/\1/')
+          GRADLE_VERSION=${GRADLE_VERSION%-SNAPSHOT}
+          COMMIT_SHA=$(git rev-parse --short HEAD)
+          PR_NUMBER=${{ github.event.pull_request.number }}
+          if [[ -n $PR_NUMBER ]]; then
+            NEW_VERSION="v${GRADLE_VERSION}-${PREFIX}.pr${PR_NUMBER}.${COMMIT_SHA}"
+          else
+            NEW_VERSION="v${GRADLE_VERSION}-${PREFIX}.${COMMIT_SHA}"
+          fi
+          echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT
+          git tag -a ${NEW_VERSION} -m "Release ${NEW_VERSION}"
+          git push origin ${NEW_VERSION}
+
         env:
           APP_KEY: ${{ secrets.APP_KEY }}
           DATASOURCE_USER: ${{ secrets.DATASOURCE_USER }}

diff --git a/.github/workflows/dockerhub-publish.yml b/.github/workflows/dockerhub-publish.yml
@@ -0,0 +1,173 @@
+name: Publish Docker images
+
+on:
+  push:
+    tags:
+      - 'v*.*.*-*'
+env:
+  REGISTRY: docker.io
+
+# Ensure we don't have multiple workflows running for the same ref
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      docker_login: ${{ steps.docker_login.outcome }}
+    steps:
+      - name: Log in to Docker Hub
+        id: docker_login
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+  federation-server:
+    needs: setup
+    if: needs.setup.outputs.docker_login == 'success'
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Gradle cache
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.gradle/caches
+            ~/.gradle/wrapper
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+
+      - name: Authenticate Snyk
+        run: snyk auth ${{ secrets.SNYK_TOKEN }}
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-server
+          strip.prefix: true
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha,format=long
+            type=ref,event=branch
+            type=ref,event=pr
+
+      - name: Build and push image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./.docker/federation-server/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: |
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-server:buildcache
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-base:buildcache
+          cache-to: |
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-server:buildcache,mode=max
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-base:buildcache,mode=max
+      - name: Scan Federation Server dependencies
+        run: timeout 300s snyk test --all-projects --severity-threshold=high || exit 1
+
+  admin-server:
+    needs: setup
+    if: needs.setup.outputs.docker_login == 'success'
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Gradle cache
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.gradle/caches
+            ~/.gradle/wrapper
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+
+      - name: Authenticate Snyk
+        run: snyk auth ${{ secrets.SNYK_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-admin-server
+          strip.prefix: true
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha,format=long
+            type=ref,event=branch
+            type=ref,event=pr
+      - name: Build and push image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./.docker/admin-server/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: |
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-admin-server:buildcache
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-base:buildcache
+          cache-to: |
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-admin-server:buildcache,mode=max
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-base:buildcache,mode=max
+
+      - name: Generate SBOM
+        run: syft ${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-admin-server:latest -o spdx-json > admin-server-sbom.json
+
+      - name: Scan Admin Server dependencies
+        run: timeout 300s snyk test --all-projects --severity-threshold=high || exit 1
+
+      - name: Scan Admin Server container
+        run: timeout 300s snyk container test ${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-admin-server:latest --severity-threshold=high --file=./.docker/admin-server/Dockerfile || exit 1
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v3
+        with:
+          name: admin-server-sbom
+          path: admin-server-sbom.json
diff --git a/.gitignore b/.gitignore
@@ -26,3 +26,7 @@ kotlin-js-store/
 .env.local
 /.docker/keycloak-dev/
 /modules/admin-server/logs/
+/logs/*
+!logs/.gitkeep
+!logs/admin-server/.gitkeep
+!logs/federation-server/.gitkeep