Skip to content
CICD Pipeline

build(deps): bump the java-dependencies group across 1 directory with… #124

Sign in to view logs

build(deps): bump the java-dependencies group across 1 directory with…

build(deps): bump the java-dependencies group across 1 directory with… #124

Workflow file for this run

.github/workflows/pipeline.yml at 41f9c5c
name: CICD Pipeline
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions:
contents: write
pull-requests: write
jobs:
conventional-commit-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Conventional commit check
uses: cocogitto/cocogitto-action@v3
build:
runs-on: ubuntu-latest
needs: conventional-commit-check
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: adopt
java-version: 21
check-latest: true
- name: Cached Gradle packages
uses: actions/cache@v4
with:
key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
path: |
~/.gradle/caches
~/.gradle/wrapper
- run: ( ./gradlew build -x test )
name: "Executing build"
unit-test:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: adopt
java-version: 21
check-latest: true
- name: Cached Gradle packages
uses: actions/cache@v4
with:
key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
path: |
~/.gradle/caches
~/.gradle/wrapper
- run: ( ./gradlew test )
name: "Executing tests"
- run: ( ./gradlew jacocoTestCoverageVerification )
name: "Code coverage"
mutation-test:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: adopt
java-version: 21
check-latest: true
- name: Cached Gradle packages
uses: actions/cache@v4
with:
key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
path: |
~/.gradle/caches
~/.gradle/wrapper
- run: ( ./gradlew pitest )
name: "Executing mutation tests"
dependency-vulnerability-analysis:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
distribution: adopt
java-version: 21
check-latest: true
- name: Cached Gradle packages
uses: actions/cache@v4
with:
key: ${{ runner.os }}-v1-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
path: |
~/.gradle/caches
~/.gradle/wrapper
~/.gradle/dependency-check-data/
- run: ( ./gradlew dependencyCheckAnalyze -PUseNVDKey )
name: "Executing dependency vulnerability checks"
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
sast-snyk:
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- uses: snyk/actions/maven-3-jdk-21@master
name: Run Snyk scan for dependency and license
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
- uses: actions/setup-java@v4
with:
distribution: adopt
java-version: 21
check-latest: true
- uses: snyk/actions/setup@master
- name: Snyk SAST code
run: snyk code test
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
sast-iac-trivy-hadolint:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@v4
- uses: hadolint/[email protected]
with:
dockerfile: Dockerfile
failure-threshold: error
- name: Run Trivy vulnerability for IAC
uses: aquasecurity/[email protected]
with:
scan-type: config
scan-ref: './'
exit-code: 1
trivy-config: ./config/trivy/trivy.yaml
dependabot-pr-auto-merge:
runs-on: ubuntu-latest
needs:
- unit-test
- mutation-test
- dependency-vulnerability-analysis
- sast-iac-trivy-hadolint
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'abhisheksr01/spring-boot-microservice-best-practices'
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Enable auto-merge for Dependabot PRs
# if: contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'
run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
docker-build-push:
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
needs:
- unit-test
- mutation-test
- dependency-vulnerability-analysis
- sast-snyk
- sast-iac-trivy-hadolint
outputs:
is-dryrun-version-bumped: ${{ steps.bump-version.outputs.is-dryrun-version-bumped }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: fetch-tags
run: git fetch --tags origin
shell: bash
- id: bump-version
uses: abhisheksr01/github-actions/[email protected]
with:
dry-run: true # Since we are setting dryrun argument the bump-version will always be available until 'current-version' is pushed as release
- name: check-bump-version-output
run: |
echo "previous-version: ${{ steps.bump-version.outputs.previous-version }}"
echo "bump-version: ${{ steps.bump-version.outputs.bump-version }}"
echo "current-version: ${{ steps.bump-version.outputs.current-version }}"
echo "is-version-bumped: ${{ steps.bump-version.outputs.is-version-bumped }}"
echo "is-dryrun-version-bumped: ${{ steps.bump-version.outputs.is-dryrun-version-bumped }}"
shell: bash
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
if: ${{ steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }}
id: meta
uses: docker/metadata-action@v5
with:
images: abhisheksr01/companieshouse
context: git
tags: |
type=ref,event=pr
type=semver,pattern={{version}},prefix=v,value=${{ steps.bump-version.outputs.bump-version }}
labels: |
"org.opencontainers.image.title": "abhisheksr01/companieshouse",
"org.opencontainers.image.description": "Best practices and integrations available for Spring Boot based Microservice in a single repository with companieshouse API use case.",
"org.opencontainers.image.url": "https://github.com/abhisheksr01/spring-boot-microservice-best-practices",
"org.opencontainers.image.source": "https://github.com/abhisheksr01/spring-boot-microservice-best-practices",
"org.opencontainers.image.version": ${{ steps.bump-version.outputs.bump-version }},
"org.opencontainers.image.created": "2020-01-10T00:30:00.000Z",
"org.opencontainers.image.revision": ${{ github.sha }},
"org.opencontainers.image.licenses": "MIT"
- name: Build and push
if: ${{ steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }}
uses: docker/build-push-action@v6
with:
push: ${{ github.event_name != 'pull_request' && steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }} # Only push on main branch & when version is bumped with dryrun. We will create tags and creates separately after proper testing
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
sbom: true
provenance: true
create-release:
if: ${{ needs.docker-build-push.outputs.is-dryrun-version-bumped == 'true' }} # Only release when new version is available
runs-on: ubuntu-latest
permissions:
contents: write # to be able to publish a GitHub release
needs:
- docker-build-push
environment:
name: approve-release # Manual Approval to decide if we are ready to push tags and release
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
- uses: abhisheksr01/github-actions/[email protected] # Publishing the tags
id: bump-tag-version
- name: Generate changelog
run: cog changelog --at v${{ steps.bump-tag-version.outputs.current-version }} -t full_hash > CHANGELOG.md
- run: |
set -euo pipefail
echo "Creating release from tag $tag"
gh release create "$tag" \
--title="$tag" \
--repo="$GITHUB_REPOSITORY" \
--notes-file CHANGELOG.md
env:
tag: v${{ steps.bump-tag-version.outputs.current-version }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}