Merge pull request #6 from getjerry/jerry/pii_masking #36
name: Build + Docker Uberjar | |
on: | |
push: | |
branches: | |
- "master" | |
paths-ignore: | |
# config files | |
- ".**" | |
# documentation | |
- 'docs/**' | |
- "**.md" | |
# this covers both BE and FE unit tests, as well as E2E tests | |
- '**test/**' | |
- "**_test.clj" | |
- "**/frontend/**.unit.*" | |
workflow_dispatch: | |
inputs: | |
commit: | |
description: 'Optional full-length commit SHA-1 hash' | |
jobs: | |
build: | |
name: Build MB ${{ matrix.edition }} | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 40 | |
strategy: | |
matrix: | |
edition: [ee, oss] | |
env: | |
MB_EDITION: ${{ matrix.edition }} | |
INTERACTIVE: false | |
steps: | |
- name: Check out the code | |
uses: actions/checkout@v3 | |
with: | |
ref: ${{ github.event.inputs.commit }} | |
- name: Prepare front-end environment | |
uses: ./.github/actions/prepare-frontend | |
- name: Prepare back-end environment | |
uses: ./.github/actions/prepare-backend | |
with: | |
m2-cache-key: uberjar | |
- name: Build | |
run: ./bin/build.sh | |
- name: Prepare uberjar artifact | |
uses: ./.github/actions/prepare-uberjar-artifact | |
check_jar_health: | |
runs-on: ubuntu-22.04 | |
name: Is ${{ matrix.edition }} (java ${{ matrix.java-version }}) healthy? | |
needs: build | |
timeout-minutes: 10 | |
strategy: | |
matrix: | |
edition: [ee, oss] | |
java-version: [11, 17] | |
steps: | |
- name: Prepare JRE (Java Run-time Environment) | |
uses: actions/setup-java@v3 | |
with: | |
java-package: jre | |
java-version: ${{ matrix.java-version }} | |
distribution: 'temurin' | |
- run: java -version | |
- uses: actions/download-artifact@v3 | |
name: Retrieve uberjar artifact | |
with: | |
name: metabase-${{ matrix.edition }}-uberjar | |
- name: Launch uberjar | |
run: java -jar ./target/uberjar/metabase.jar & | |
- name: Wait for Metabase to start | |
run: while ! curl 'http://localhost:3000/api/health' | grep '{"status":"ok"}'; do sleep 1; done | |
containerize_test_and_push_container: | |
runs-on: ubuntu-22.04 | |
name: Containerize ${{ matrix.edition }} | |
needs: check_jar_health | |
strategy: | |
matrix: | |
edition: [ee, oss] | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
steps: | |
- name: Extract and clean branch name | |
shell: bash | |
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/} | sed 's/[^-._a-zA-Z0-9]/-/g')" | |
id: extract_branch | |
- name: Check out the code (Dockerfile needed) | |
uses: actions/checkout@v3 | |
with: | |
ref: ${{ github.event.inputs.commit }} | |
- name: Download uploaded artifacts to insert into container | |
uses: actions/download-artifact@v3 | |
with: | |
name: metabase-${{ matrix.edition }}-uberjar | |
path: bin/docker/ | |
- name: Move the ${{ matrix.edition }} uberjar to the context dir | |
run: mv bin/docker/target/uberjar/metabase.jar bin/docker/. | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v1 | |
with: | |
driver-opts: network=host | |
- name: Build ${{ matrix.edition }} container | |
uses: docker/build-push-action@v2 | |
with: | |
context: bin/docker/. | |
platforms: linux/amd64 | |
network: host | |
tags: localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-${{ matrix.edition }} | |
no-cache: true | |
push: true | |
- name: Launch ${{ matrix.edition }} container | |
run: docker run --rm -dp 3000:3000 localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-${{ matrix.edition }} | |
timeout-minutes: 5 | |
- name: Is Docker running? | |
run: docker ps | |
- name: Wait for Metabase to start and reach 100% health | |
run: while ! curl -s 'http://localhost:3000/api/health' | grep '{"status":"ok"}'; do sleep 1; done | |
timeout-minutes: 3 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v1 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Retag and push images if master (ee) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'ee' }} | |
run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee metabase/metabase-enterprise-head:latest && docker push metabase/metabase-enterprise-head:latest | |
- name: Retag and push images if master (oss) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'oss' }} | |
run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-oss metabase/metabase-head:latest && docker push metabase/metabase-head:latest | |
- name: Retag and push images if dev branch | |
if: ${{ !(startsWith(github.ref_name,'master') || startsWith(github.ref_name,'backport')) && matrix.edition == 'ee' }} | |
run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee metabase/metabase-dev:${{ steps.extract_branch.outputs.branch }} && docker push metabase/metabase-dev:${{ steps.extract_branch.outputs.branch }} | |
- name: Run Trivy vulnerability scanner if master (ee) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'ee' }} | |
uses: aquasecurity/trivy-action@master | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: docker.io/metabase/metabase-enterprise-head:latest | |
format: sarif | |
output: trivy-results.sarif | |
- name: Run Trivy vulnerability scanner if master (oss) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'oss' }} | |
uses: aquasecurity/trivy-action@master | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: docker.io/metabase/metabase-head:latest | |
format: sarif | |
output: trivy-results.sarif | |
- name: Run Trivy vulnerability scanner if dev branch | |
if: ${{ !(startsWith(github.ref_name,'master') || startsWith(github.ref_name,'backport')) && matrix.edition == 'ee' }} | |
uses: aquasecurity/trivy-action@master | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: docker.io/metabase/metabase-dev:${{ steps.extract_branch.outputs.branch }} | |
format: sarif | |
output: trivy-results.sarif | |
- name: Upload Trivy scan results to GitHub Security tab if master (ee) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'ee' }} | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
- name: Upload Trivy scan results to GitHub Security tab if master (oss) | |
if: ${{ (github.ref_name == 'master') && matrix.edition == 'oss' }} | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
- name: Upload Trivy scan results to GitHub Security tab if dev branch | |
if: ${{ !(startsWith(github.ref_name,'master') || startsWith(github.ref_name,'backport')) && matrix.edition == 'ee' }} | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' |
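Review bot: The three "Run Trivy vulnerability scanner" steps scan the `docker.io/metabase/...` tags that the preceding "Retag and push images" steps have already published, so a failing scan never keeps a vulnerable image off Docker Hub, and they reference `aquasecurity/trivy-action@master`, a mutable ref that runs after `docker/login-action` has left registry credentials on the runner. Scanning the local `localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-${{ matrix.edition }}` image before the "Login to Docker Hub" step, with `exit-code: '1'` added under `with:`, would gate the push on the result and would let the three near-identical scan/upload pairs collapse into one scan step and one upload step. Pin the action to a release tag or commit SHA, e.g. `uses: aquasecurity/trivy-action@<pinned-release-or-sha>`, as is already done for the other actions in the file. Separately, the `##[set-output ...]` form in "Extract and clean branch name" is the deprecated workflow command; the same result is `run: echo "branch=$(echo "${GITHUB_REF#refs/heads/}" | sed 's/[^-._a-zA-Z0-9]/-/g')" >> "$GITHUB_OUTPUT"`.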