Gradle: Bump org.owasp.dependencycheck from 9.0.2 to 11.1.1 #3956
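name: Build, Test and Package

# Triggers. Note that `pull_request_target` is NOT subscribed here, so every
# `github.event_name != 'pull_request_target'` guard below is currently inert.
on:
  workflow_dispatch:
  push:
    branches:
      - main
    tags:
      - '*'
      - '!*-test'
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches:
      - 'main'
      - 'release/**'
      - 'feature/**'

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: every other job in this file declares
    # read-all; without a block this job would inherit the repository default.
    permissions: read-all
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Build with Gradle
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Folded scalar: these lines are joined into a single command line.
        run: >
          ./gradlew
          build
          -x generateClients
          -x test
          -x integrationTest
          -x spotlessCheck
          -x openApiValidate
          -x detekt

  test:
    runs-on: ubuntu-latest
    needs:
      - build
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions: read-all
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Run unit tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew test -x spotlessCheck -x openApiValidate

  # The *_it jobs below are intentionally identical in shape (GitHub Actions does
  # not expand YAML anchors, so the boilerplate cannot be factored out here).
  connector_it:
    runs-on: ubuntu-latest
    needs:
      - test
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions: read-all
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Run Connector integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-connector-api:integrationTest -x spotlessCheck -x openApiValidate

  dataset_it:
    runs-on: ubuntu-latest
    needs:
      - test
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions: read-all
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Run RBAC Dataset integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-dataset-api:integrationTest --tests "com.cosmotech.dataset.service.DatasetServiceRBACTest" -x spotlessCheck -x openApiValidate
      - name: Run Dataset integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-dataset-api:integrationTest --tests "com.cosmotech.dataset.service.DatasetServiceIntegrationTest" -x spotlessCheck -x openApiValidate

  organization_it:
    runs-on: ubuntu-latest
    needs:
      - test
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions: read-all
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Run Organization integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-organization-api:integrationTest --tests "com.cosmotech.organization.service.OrganizationServiceIntegrationTest" -x spotlessCheck -x openApiValidate
      - name: Run RBAC Organization integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-organization-api:integrationTest --tests "com.cosmotech.organization.service.OrganizationServiceRBACTest" -x spotlessCheck -x openApiValidate

  solution_it:
    runs-on: ubuntu-latest
    needs:
      - test
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions: read-all
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Run Solution integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-solution-api:integrationTest --tests "com.cosmotech.solution.service.SolutionServiceIntegrationTest" -x spotlessCheck -x openApiValidate
      - name: Run RBAC Solution integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-solution-api:integrationTest --tests "com.cosmotech.solution.service.SolutionServiceRBACTest" -x spotlessCheck -x openApiValidate

  workspace_it:
    runs-on: ubuntu-latest
    needs:
      - test
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions: read-all
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Run Workspace integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-workspace-api:integrationTest --tests "com.cosmotech.workspace.service.WorkspaceServiceIntegrationTest" -x spotlessCheck -x openApiValidate
      - name: Run RBAC Workspace integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-workspace-api:integrationTest --tests "com.cosmotech.workspace.service.WorkspaceServiceRBACTest" -x spotlessCheck -x openApiValidate

  runner_it:
    runs-on: ubuntu-latest
    needs:
      - test
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions: read-all
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Run Runner integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-runner-api:integrationTest --tests "com.cosmotech.runner.service.RunnerServiceIntegrationTest" -x spotlessCheck -x openApiValidate
      - name: Run RBAC Runner integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-runner-api:integrationTest --tests "com.cosmotech.runner.service.RunnerServiceRBACTest" -x spotlessCheck -x openApiValidate

  run_it:
    runs-on: ubuntu-latest
    needs:
      - test
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions: read-all
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Launch Run integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-run-api:integrationTest -x spotlessCheck -x openApiValidate

  homecontroller_it:
    runs-on: ubuntu-latest
    needs:
      - test
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions: read-all
    if: github.event_name != 'pull_request_target'
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Run HomeController integration tests
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew :cosmotech-api:integrationTest -x spotlessCheck -x openApiValidate

  test_helm:
    name: Test Helm Chart
    runs-on: ubuntu-latest
    needs:
      - build
    # If the PR is coming from a fork (pull_request_target), ensure it's opened by "dependabot[bot]".
    # Otherwise, clone it normally.
    # This allows Dependabot PRs to have access to the repository Secrets,
    # but using the Workflows in the context of the base branch.
    # NOTE: `on:` does not subscribe to pull_request_target, so the first branch is
    # currently inert. If that trigger is ever added, remember that this job checks
    # out and builds the PR head with repository secrets in scope; an actor check
    # alone is a thin guard, so keep the trigger limited to trusted automation.
    if: |
      (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') ||
      (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]')
    env:
      CHART_RELEASE_TEST_NAMESPACE: phoenix
    permissions: read-all
    steps:
      - name: Checkout
        if: ${{ github.event_name != 'pull_request_target' }}
        uses: actions/checkout@v4
      - name: Checkout PR
        if: ${{ github.event_name == 'pull_request_target' }}
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Set up api version to deploy
        # Derives IMAGE_TAG_FROM_REF_NAME / API_VERSION_FROM_REF_NAME for the steps
        # below. The shell reads the runner-provided GITHUB_* variables instead of
        # inlining `${{ github.* }}` expressions: for pull_request events the
        # head_ref / ref_name values are chosen by the PR author, and inlining them
        # into `run:` is a script-injection vector.
        run: |
          echo "Event: ${GITHUB_EVENT_NAME}, Actor: ${GITHUB_ACTOR}, Ref: ${GITHUB_REF}, Ref Name: ${GITHUB_REF_NAME}, Head: ${GITHUB_HEAD_REF}, Base: ${GITHUB_BASE_REF}"
          if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
            echo Building from PR
            # GITHUB_REF_NAME is "<pr-number>/merge" for pull_request events; keep the number.
            versionTag="pr${GITHUB_REF_NAME%%/*}"
            echo "IMAGE_TAG_FROM_REF_NAME=$versionTag" >> "$GITHUB_ENV"
            echo "API_VERSION_FROM_REF_NAME=$versionTag" >> "$GITHUB_ENV"
            echo "The current version is $versionTag"
          else
            # Everything before the first dot, e.g. "v3" for tag "v3.2.1".
            firstPart="${GITHUB_REF_NAME%%.*}"
            # Patterns are deliberately unquoted: the earlier `\"v*\"` / `\"main\"`
            # form compared against literal double-quote characters and could never
            # match, so every push fell through to the final branch (e.g. "main"
            # produced the version "vmain").
            if [[ "$firstPart" == v* ]]; then
              echo "IMAGE_TAG_FROM_REF_NAME=${GITHUB_REF_NAME}" >> "$GITHUB_ENV"
              echo "API_VERSION_FROM_REF_NAME=$firstPart" >> "$GITHUB_ENV"
              echo "The current version is $firstPart"
            elif [[ "$firstPart" == "main" ]]; then
              echo "IMAGE_TAG_FROM_REF_NAME=latest" >> "$GITHUB_ENV"
              echo "API_VERSION_FROM_REF_NAME=latest" >> "$GITHUB_ENV"
              echo "The current version is latest"
            else
              echo "IMAGE_TAG_FROM_REF_NAME=${GITHUB_REF_NAME}" >> "$GITHUB_ENV"
              echo "API_VERSION_FROM_REF_NAME=v$firstPart" >> "$GITHUB_ENV"
              echo "The current version is v$firstPart"
            fi
          fi
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          # Pinned on purpose: the `helm chart save/push` commands used elsewhere in
          # this workflow were removed in Helm 3.7.
          version: v3.6.0
      - name: Generate KinD Config
        run: |
          cat <<EOF > /tmp/csm-kind-config.yaml
          kind: Cluster
          apiVersion: kind.x-k8s.io/v1alpha4
          containerdConfigPatches:
            - |-
              [plugins."io.containerd.grpc.v1.cri".containerd]
                disable_snapshot_annotations = true
              [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
                endpoint = ["http://kind-registry:5000"]
          nodes:
            - role: control-plane
              image: kindest/node:v1.23.6
              kubeadmConfigPatches:
                - |
                  kind: InitConfiguration
                  nodeRegistration:
                    kubeletExtraArgs:
                      node-labels: "ingress-ready=true"
              extraPortMappings:
                - containerPort: 80
                  hostPort: 80
                  protocol: TCP
                - containerPort: 443
                  hostPort: 443
                  protocol: TCP
            - role: worker
              image: kindest/node:v1.23.6
              kubeadmConfigPatches:
                - |
                  kind: JoinConfiguration
                  nodeRegistration:
                    taints:
                      - key: "vendor"
                        value: "cosmotech"
                        effect: "NoSchedule"
                    kubeletExtraArgs:
                      node-labels: "kubernetes.io/os=linux,cosmotech.com/tier=compute,cosmotech.com/size=basic"
            - role: worker
              image: kindest/node:v1.23.6
              kubeadmConfigPatches:
                - |
                  kind: JoinConfiguration
                  nodeRegistration:
                    taints:
                      - key: "vendor"
                        value: "cosmotech"
                        effect: "NoSchedule"
                    kubeletExtraArgs:
                      node-labels: "kubernetes.io/os=linux,cosmotech.com/tier=services"
            - role: worker
              image: kindest/node:v1.23.6
              kubeadmConfigPatches:
                - |
                  kind: JoinConfiguration
                  nodeRegistration:
                    taints:
                      - key: "vendor"
                        value: "cosmotech"
                        effect: "NoSchedule"
                    kubeletExtraArgs:
                      node-labels: "kubernetes.io/os=linux,cosmotech.com/tier=db"
            - role: worker
              image: kindest/node:v1.23.6
              kubeadmConfigPatches:
                - |
                  kind: JoinConfiguration
                  nodeRegistration:
                    taints:
                      - key: "vendor"
                        value: "cosmotech"
                        effect: "NoSchedule"
                    kubeletExtraArgs:
                      node-labels: "kubernetes.io/os=linux,cosmotech.com/tier=monitoring"
          networking:
            # disable kindnet, which does not support Network Policies
            disableDefaultCNI: true
            # set to Calico's default subnet
            podSubnet: 192.168.0.0/16
          featureGates:
            # TTL Controller for finished resources is currently an opt-in alpha feature
            # https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
            TTLAfterFinished: true
          EOF
      - name: Provision Kubernetes KinD Cluster and local Container Registry
        uses: container-tools/kind-action@v2
        with:
          version: v0.14.0
          config: /tmp/csm-kind-config.yaml
      - name: Deploy Calico
        run: |
          helm repo add projectcalico https://docs.tigera.io/calico/charts
          helm \
            install calico \
            projectcalico/tigera-operator \
            --version v3.24.3 \
            --wait \
            --timeout 2m
      - name: Make scripts executable
        run: |
          chmod +x .github/scripts/*.sh
          chmod +x api/kubernetes/*.sh
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Build, package and push container image
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # IMAGE_TAG_FROM_REF_NAME is read by the shell from $GITHUB_ENV rather than
        # expanded by the workflow engine, for the same injection reason as above.
        run: >
          ./gradlew
          :cosmotech-api:jib
          -Djib.to.image=localhost:5000/cosmotech-api:${IMAGE_TAG_FROM_REF_NAME}
          -Djib.allowInsecureRegistries=true
      - name: Install the Helm Chart (current Version)
        env:
          PHOENIXAKSDEV_TENANT_ID: ${{ secrets.PHOENIXAKSDEV_TENANT_ID }}
          PHOENIXAKSDEV_CLIENT_ID: ${{ secrets.PHOENIXAKSDEV_CLIENT_ID }}
          PHOENIXAKSDEV_CLIENT_SECRET: ${{ secrets.PHOENIXAKSDEV_CLIENT_SECRET }}
          PHOENIXAKSDEV_STORAGE_ACCOUNT_NAME: ${{ secrets.PHOENIXAKSDEV_STORAGE_ACCOUNT_NAME }}
          PHOENIXAKSDEV_STORAGE_ACCOUNT_KEY: ${{ secrets.PHOENIXAKSDEV_STORAGE_ACCOUNT_KEY }}
          PHOENIXAKSDEV_ADX_BASE_URI: ${{ secrets.PHOENIXAKSDEV_ADX_BASE_URI }}
          PHOENIXAKSDEV_ADX_INGESTION_BASE_URI: ${{ secrets.PHOENIXAKSDEV_ADX_INGESTION_BASE_URI }}
          PHOENIXAKSDEV_EVENT_HUBS_BASE_URI: ${{ secrets.PHOENIXAKSDEV_EVENT_HUBS_BASE_URI }}
          IDP_DOMAIN: ${{ secrets.PHOENIXDEV_IDP_DOMAIN }}
        run: .github/scripts/install-helm-chart.sh "${API_VERSION_FROM_REF_NAME}" "${IMAGE_TAG_FROM_REF_NAME}"
      - name: Test Helm Release (current Version)
        run: .github/scripts/test-helm-release.sh "${API_VERSION_FROM_REF_NAME}"

  scan_and_push_container_images_to_registries:
    runs-on: ubuntu-latest
    needs:
      - test
      - connector_it
      - dataset_it
      - organization_it
      - solution_it
      - workspace_it
      - runner_it
      - run_it
      - homecontroller_it
      - test_helm
    permissions:
      packages: write
      contents: read
      # Needed by codeql-action/upload-sarif to publish the Trivy report.
      security-events: write
    env:
      DOCKER_BUILDKIT: 1
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Fetch all tags since Gradle project version is built upon SCM
          fetch-depth: 0
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: "temurin"
          java-version: "21"
      - name: Retrieve branch or tag name
        id: refvar
        # `::set-output` is deprecated; GITHUB_OUTPUT is the supported replacement.
        run: echo "gitRefName=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-disabled: true
      - name: Build local Container Image for scanning
        run: >
          ./gradlew
          :cosmotech-api:jibDockerBuild
          -Djib.to.image=com.cosmotech/cosmotech-api:${{ github.sha }}
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        id: scan
        # Add TRIVY_DB_REPOSITORY due to ratelimit issue
        # https://github.com/aquasecurity/trivy-action/issues/389
        env:
          DOCKLE_HOST: "unix:///var/run/docker.sock"
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
        # TODO For now, do not block if the container scan action returns issues.
        # Until this is removed, CRITICAL/HIGH findings do not gate the push below;
        # they are only surfaced in the Security tab and the archived report.
        continue-on-error: true
        with:
          image-ref: com.cosmotech/cosmotech-api:${{ github.sha }}
          format: "sarif"
          severity: "CRITICAL,HIGH"
          output: "trivy-results.sarif"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"
      - name: Archive container image scan report
        if: ${{ always() }}
        uses: actions/upload-artifact@v4
        with:
          name: container-image-scan-report
          path: "trivy-results.sarif"
          retention-days: 3
      - name: Login to GitHub Container Registry
        uses: docker/[email protected]
        if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push API Container Image (sha) to GitHub Container Registry
        if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
        run: |
          docker image tag com.cosmotech/cosmotech-api:${{ github.sha }} \
            ghcr.io/cosmo-tech/cosmotech-api:${{ github.sha }}
          docker image push ghcr.io/cosmo-tech/cosmotech-api:${{ github.sha }}
      - name: Push API Container Image (tag) to GitHub Container Registry
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          docker image tag com.cosmotech/cosmotech-api:${{ github.sha }} \
            ghcr.io/cosmo-tech/cosmotech-api:${{ steps.refvar.outputs.gitRefName }}
          docker image push ghcr.io/cosmo-tech/cosmotech-api:${{ steps.refvar.outputs.gitRefName }}
      - name: Push API Container Image (latest) to GitHub Container Registry
        if: github.ref == 'refs/heads/main'
        run: |
          docker image tag com.cosmotech/cosmotech-api:${{ github.sha }} \
            ghcr.io/cosmo-tech/cosmotech-api:latest
          docker image push ghcr.io/cosmo-tech/cosmotech-api:latest

  push_helm_charts_to_oci_registries:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - path: api/kubernetes/helm-chart
            chart_name: cosmotech-api-chart
            name: API
    needs:
      - test
      - connector_it
      - dataset_it
      - organization_it
      - solution_it
      - workspace_it
      - runner_it
      - run_it
      - homecontroller_it
      - test_helm
    permissions:
      packages: write
      contents: read
    env:
      # OCI Support by Helm is considered experimental
      HELM_EXPERIMENTAL_OCI: 1
    steps:
      - uses: actions/checkout@v4
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          # Pinned on purpose: `helm chart save/push` below were removed in Helm 3.7.
          version: v3.6.0
      - name: Retrieve branch or tag name
        id: refvar
        # `::set-output` is deprecated; GITHUB_OUTPUT is the supported replacement.
        run: echo "gitRefName=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
      - name: Login to GitHub Container Registry
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Token is piped via --password-stdin so it never appears on a command line.
        run: |
          echo "${GITHUB_TOKEN}" | \
            helm registry login ghcr.io \
              --username "${GITHUB_ACTOR}" \
              --password-stdin
      - name: Push Helm Chart (sha) for ${{ matrix.name }} to GitHub Container Registry
        run: |
          helm dependency update ${{ matrix.path }}
          helm chart save ${{ matrix.path }} ghcr.io/cosmo-tech/${{ matrix.chart_name }}:${GITHUB_SHA}
          helm chart push ghcr.io/cosmo-tech/${{ matrix.chart_name }}:${GITHUB_SHA}
      - name: Push Helm Chart (tag) for ${{ matrix.name }} to GitHub Container Registry
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          helm chart save ${{ matrix.path }} ghcr.io/cosmo-tech/${{ matrix.chart_name }}:${{ steps.refvar.outputs.gitRefName }}
          helm chart push ghcr.io/cosmo-tech/${{ matrix.chart_name }}:${{ steps.refvar.outputs.gitRefName }}
      - name: Push Helm Chart (latest) for ${{ matrix.name }} to GitHub Container Registry
        if: github.ref == 'refs/heads/main'
        run: |
          helm chart save ${{ matrix.path }} ghcr.io/cosmo-tech/${{ matrix.chart_name }}:latest
          helm chart push ghcr.io/cosmo-tech/${{ matrix.chart_name }}:latest
      - name: Logout from GitHub Container Registry
        if: ${{ always() }}
        run: |
          helm registry logout ghcr.io || true

  trigger_deployments:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
    needs:
      - scan_and_push_container_images_to_registries
      - push_helm_charts_to_oci_registries
    # This job only uses the dedicated PAT below; it does not need GITHUB_TOKEN at all.
    permissions: {}
    steps:
      - name: Dispatch deployments
        env:
          GH_PAT: ${{ secrets.OPENAPI_CLIENTS_GITHUB_PAT }}
        # --fail makes an HTTP error from the dispatch endpoint fail the job instead
        # of being silently ignored. The payload only runs for main/tag refs (see `if`).
        run: |
          curl --fail --request POST \
            --url "https://api.github.com/repos/${{ github.repository }}/dispatches" \
            --header "Authorization: Bearer ${GH_PAT}" \
            --header 'content-type: application/json' \
            --data '{
              "event_type": "ready_to_deploy",
              "client_payload": {
                "gh_actor": "${{ github.actor }}",
                "gh_ref": "${{ github.ref }}",
                "gh_sha": "${{ github.sha }}"
              }
            }'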