fix(deps): update all dependencies #120
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Commit Stage 🤖 | |
on: | |
push: | |
branches: [ feature/*, develop ] | |
pull_request: | |
branches: [ main, develop ] | |
env: | |
REGISTRY: ghcr.io | |
IMAGE_NAME: ${{ github.repository }} | |
VERSION: ${{ github.sha }} | |
CI: CI | |
NATIVE_IMAGE_ENABLED: enabled | |
CI_GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }} | |
permissions: | |
packages: write | |
contents: write | |
issues: write | |
jobs: | |
validation: | |
name: Validation 👀 | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Validate Gradle wrapper | |
uses: gradle/[email protected] | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Run Check | |
run: pnpm run check | |
build: | |
name: Build and Test 🧪 | |
needs: [ validation ] | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: 🔍 CI_GITHUB_TOKEN | |
if: env.CI_GITHUB_TOKEN == '' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: echo "CI_GITHUB_TOKEN=${GITHUB_TOKEN}" >> $GITHUB_ENV | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
with: | |
java-version: 21 | |
gradle-arguments: build --scan | |
- name: Source code vulnerability scanning | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
format: 'sarif' | |
output: 'trivy-results-source-code.sarif' | |
- name: Upload vulnerability report | |
uses: github/codeql-action/upload-sarif@v3 | |
if: success() || failure() | |
with: | |
sarif_file: 'trivy-results-source-code.sarif' | |
category: source-code | |
code-coverage: | |
name: Code Coverage 📊 | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Run Code Coverage | |
run: | | |
./gradlew koverXmlReport --no-daemon --stacktrace | |
- name: Upload coverage reports | |
uses: codecov/codecov-action@v4 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: build/reports/kover/report.xml | |
fail_ci_if_error: true # optional (default = false) | |
verbose: true # optional (default = false) | |
static-analysis-security: | |
name: 🔮 Static analysis and 🔒Security Checks | |
needs: [ validation ] | |
runs-on: ubuntu-latest | |
steps: | |
- name: 🔄 Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
- name: Install Tools & Dependencies | |
uses: ./.github/actions/install/node | |
- name: Check OWASP 🛡️ | |
run: ./gradlew dependencyCheckAnalyze --no-daemon --stacktrace | |
- name: Upload owasp-report results 🛡️⬆️ | |
uses: actions/upload-artifact@v4 | |
with: | |
name: owasp-reports | |
path: build/reports/owasp | |
- name: Run detekt | |
run: ./gradlew detektAll --no-daemon --stacktrace | |
- name: Upload static reports artifact | |
uses: actions/[email protected] | |
with: | |
name: static-report | |
path: | | |
build/reports/detekt/detekt.xml | |
**/build/reports/lint-results-debug.xml | |
retention-days: 1 | |
- name: Analyze detekt report | |
uses: github/codeql-action/[email protected] | |
with: | |
sarif_file: build/reports/detekt/detekt.sarif | |
checkout_path: ${{ github.workspace }} | |
package: | |
name: Package and Publish 📦 | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
permissions: write-all | |
steps: | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Java Tools & Dependencies | |
uses: ./.github/actions/install/java | |
- name: Execute Gradle build | |
run: | | |
chmod +x gradlew | |
./gradlew assemble | |
./gradlew bootBuildImage --imageName ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
- name: OCI image vulnerability scanning | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
format: 'sarif' | |
output: 'trivy-results-oci-image.sarif' | |
- name: Upload vulnerability report | |
uses: github/codeql-action/upload-sarif@v3 | |
if: success() || failure() | |
with: | |
sarif_file: 'trivy-results-oci-image.sarif' | |
- name: Log into container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ env.CI_GITHUB_TOKEN }} | |
- name: Publish container image | |
run: docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} | |
- name: Publish container image (latest) | |
run: | | |
docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} \ | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:nightly | |
docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:nightly |