ci(pipeline.yml): #275 build semver versioned container image using cog-bump #46
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CICD Pipeline | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| conventional-commit-check: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Conventional commit check | |
| uses: cocogitto/cocogitto-action@v3 | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: conventional-commit-check | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-java@v4 | |
| with: | |
| distribution: adopt | |
| java-version: 21 | |
| check-latest: true | |
| - name: Cached Gradle packages | |
| uses: actions/cache@v4 | |
| with: | |
| key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| path: | | |
| ~/.gradle/caches | |
| ~/.gradle/wrapper | |
| - run: ( ./gradlew build -x test ) | |
| name: "Executing build" | |
| unit-test: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-java@v4 | |
| with: | |
| distribution: adopt | |
| java-version: 21 | |
| check-latest: true | |
| - name: Cached Gradle packages | |
| uses: actions/cache@v4 | |
| with: | |
| key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| path: | | |
| ~/.gradle/caches | |
| ~/.gradle/wrapper | |
| - run: ( ./gradlew test ) | |
| name: "Executing tests" | |
| - run: ( ./gradlew jacocoTestCoverageVerification ) | |
| name: "Code coverage" | |
| mutation-test: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-java@v4 | |
| with: | |
| distribution: adopt | |
| java-version: 21 | |
| check-latest: true | |
| - name: Cached Gradle packages | |
| uses: actions/cache@v4 | |
| with: | |
| key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| path: | | |
| ~/.gradle/caches | |
| ~/.gradle/wrapper | |
| - run: ( ./gradlew pitest ) | |
| name: "Executing mutation tests" | |
| dependency-vulnerability-analysis: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-java@v4 | |
| with: | |
| distribution: adopt | |
| java-version: 21 | |
| check-latest: true | |
| - name: Cached Gradle packages | |
| uses: actions/cache@v4 | |
| with: | |
| key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| path: | | |
| ~/.gradle/caches | |
| ~/.gradle/wrapper | |
| - run: ( ./gradlew dependencyCheckAnalyze -PUseNVDKey ) | |
| name: "Executing dependency vulnerability checks" | |
| env: | |
| NVD_API_KEY: ${{ secrets.NVD_API_KEY }} | |
| sast-code-snyk: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Snyk to static code analysis for vulnerabilities | |
| uses: snyk/actions/maven-3-jdk-21@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| args: --severity-threshold=high | |
| sast-dockerfile-trivy-hadolint: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: hadolint/[email protected] | |
| with: | |
| dockerfile: Dockerfile | |
| failure-threshold: error | |
| - name: Run Trivy vulnerability for Dockerfile | |
| uses: aquasecurity/[email protected] | |
| with: | |
| scan-type: config | |
| scan-ref: './' | |
| exit-code: 1 | |
| severity: 'CRITICAL,HIGH' | |
| trivy-config: ./config/trivy/trivy.yaml | |
| docker-build-push: | |
| if: github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| needs: | |
| - unit-test | |
| - mutation-test | |
| - dependency-vulnerability-analysis | |
| - sast-code-snyk | |
| - sast-dockerfile-trivy-hadolint | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: fetch-tags | |
| run: git fetch --tags origin | |
| shell: bash | |
| - id: bump-version | |
| uses: armakuni/github-actions/bump-version@main | |
| - name: check-bump-version-output | |
| run: | | |
| echo "version-was-bump: ${{ steps.bump-version.outputs.version-was-bump }}" | |
| echo "previous-version: ${{ steps.bump-version.outputs.previous-version }}" | |
| echo "current-version: ${{ steps.bump-version.outputs.current-version }}" | |
| shell: bash | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: abhisheksr01/companieshouse | |
| context: git | |
| tags: | | |
| type=ref,event=pr | |
| type=semver,pattern={{version}},prefix=v,value=${{ steps.bump-version.outputs.current-version }} | |
| labels: | | |
| "org.opencontainers.image.title": "abhisheksr01/companieshouse", | |
| "org.opencontainers.image.description": "Best practices and integrations available for Spring Boot based Microservice in a single repository with companieshouse API use case.", | |
| "org.opencontainers.image.url": "https://github.com/abhisheksr01/spring-boot-microservice-best-practices", | |
| "org.opencontainers.image.source": "https://github.com/abhisheksr01/spring-boot-microservice-best-practices", | |
| "org.opencontainers.image.version": ${{ steps.bump-version.outputs.current-version }}, | |
| "org.opencontainers.image.created": "2020-01-10T00:30:00.000Z", | |
| "org.opencontainers.image.revision": ${{ github.sha }}, | |
| "org.opencontainers.image.licenses": "MIT" | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: ${{ github.event_name != 'pull_request' }} # Only push on main branch | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| sbom: true | |
| provenance: true |