Skip to content

Merge pull request #14 from medizininformatik-initiative/develop #42

Merge pull request #14 from medizininformatik-initiative/develop

Merge pull request #14 from medizininformatik-initiative/develop #42

Workflow file for this run

name: CI
on:
push:
branches:
- main
- develop
tags:
- v[0-9]+.[0-9]+**
pull_request:
branches:
- main
- develop
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: 'zulu'
java-version: 17
- name: Cache Local Maven Repo
uses: actions/cache@v3
with:
path: ~/.m2/repository
key: maven-repo
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: java
queries: security-and-quality
- name: Build
run: mvn -B package
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build Docker Image
uses: docker/build-push-action@v4
with:
context: .
file: docker/aktin-client/Dockerfile
tags: security-scan-build:latest
push: false
- name: Run Trivy Vulnerability Scanner and Save to Sarif File
uses: aquasecurity/trivy-action@master
with:
image-ref: security-scan-build:latest
format: sarif
output: trivy-results.sarif
severity: 'CRITICAL,HIGH'
timeout: '15m0s'
- name: Upload Trivy Scan Results to GitHub Security Tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif
- name: Run Trivy Vulnerability Scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: security-scan-build:latest
exit-code: 1
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
timeout: '15m0s'
build-client:
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
needs: [test, security-scan]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Login to GitHub Docker Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Prepare Version
id: prep
run: |
echo "repository=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
- name: Build and push docker image for aktin-broker
uses: docker/build-push-action@v4
with:
context: .
file: docker/aktin-client/Dockerfile
tags: |
ghcr.io/${{ steps.prep.outputs.repository }}/feasibility-aktin-client:latest
ghcr.io/${{ steps.prep.outputs.repository }}/feasibility-aktin-client:${{ steps.prep.outputs.version }}
push: true