dallay · yacosta738 · Oct 6, 2024 · Oct 5, 2024 · Oct 5, 2024 · Oct 5, 2024
@@ -66,5 +66,5 @@ runs:
       uses: github/codeql-action/[email protected]
       with:
         sarif_file: build/reports/detekt/detekt.sarif
-        checkout_path: ${{ github.workspace }}
         token: ${{ inputs.token }}
+        category: static-code-analysis
@@ -0,0 +1,80 @@
+name: Package and Publish Backend 📦
+description: |
+  This workflow is responsible for packaging and publishing the backend application
+  to the container registry. It also performs vulnerability scanning.
+
+inputs:
+  deliver:
+    description: 'Deliver backend to production'
+    required: true
+    default: 'true'
+  docker_username:
+    description: 'The username for Docker Hub'
+    required: true
+  docker_password:
+    description: 'The password for Docker Hub'
+    required: true
+  version:
+    description: 'The version of the backend'
+    required: true
+  ci_github_token:
+    description: 'GITHUB_TOKEN with permissions to push to the container registry'
+    required: true
+  gradle-encryption-key:
+    description: 'The encryption key to use for the gradle cache'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Install Java Tools & Dependencies
+      uses: ./.github/actions/install/java
+      with:
+        java-version: 21
+        gradle-encription-key: ${{ inputs.gradle-encryption-key }}
+
+    - name: Cache Gradle Dependencies
+      uses: actions/cache@v3
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-
+
+    - name: Execute Gradle build
+      run: |
+        chmod +x gradlew
+        ./gradlew assemble
+        ./gradlew bootBuildImage -x test
+      shell: bash
+
+    - name: 🪄 Scan Docker images for vulnerabilities
+      uses: aquasecurity/[email protected]
+      with:
+        image-ref: ghcr.io/dallay/lyra:latest
+        format: sarif
+        output: trivy-lyra-report.sarif
+        severity: HIGH,CRITICAL
+        ignore-unfixed: true
+        cache-dir: /tmp/trivy-cache-lyra
+
+    - name: ⇪ Upload Trivy Scan Report
+      uses: actions/upload-artifact@v3
+      with:
+        name: trivy-lyra-report
+        path: trivy-lyra-report.sarif
+
+    - name: 🐳 Authenticate to Docker Hub and GHCR
+      run: |
+        echo ${{ inputs.ci_github_token }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+        echo ${{ inputs.docker_password }} | docker login docker.io -u ${{ inputs.docker_username }} --password-stdin
+      shell: bash
+
+    - name: 🐳 Push Docker image to GHCR and Docker Hub
+      if: ${{ inputs.deliver }}
+      run: |
+        docker push --all-tags ${{ inputs.docker_username }}/lyra
+        docker push --all-tags ghcr.io/dallay/lyra
+      shell: bash