Bump azul/zulu-openjdk-alpine from 21.0.6-jre-headless@sha256:75c5cc1ca1429513b56e9cbe3121bce86476cdec18b5b74b6842ab0af4b5a57f to sha256:f0c64ed4465f2dbd22d8d2e6169318b18c873d4b82d2dbbcb864ba8a6b2683c0 in /api #448
Workflow file for this run
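# Builds the API docker image from the checked-out tree and scans it with
# Trivy. On scheduled runs a failed scan is reported through the Discord
# hook workflow.
name: "Infra: CVE checks"

on:
  pull_request:
    types: ["opened", "reopened", "synchronize"]
  push:
    branches: ["main"]
  workflow_dispatch:
  schedule:
    # * is a special character in YAML so you have to quote this string
    - cron: '0 8 15 * *'

# Least privilege: nothing in this workflow pushes or writes to the repository.
permissions:
  contents: read

jobs:
  check-cves:
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag each SHA was inferred from.
      - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2  # inferred from @v4
        with:
          token: ${{ github.token }}
          # Later steps run the project's own build scripts; do not leave the
          # token in the local git config for them to read.
          persist-credentials: false

      - name: Set up JDK
        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12  # inferred from @v4
        with:
          java-version: '21'
          distribution: 'zulu'
          cache: 'gradle'

      - name: Build project
        id: build
        run: |
          ./gradlew clean build \
          -x test \
          -Pbuild-docker-images=true \
          -Pinclude-frontend=true \
          -Pversion=latest

      - name: Set up QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392  # inferred from @v3

      - name: Set up Docker Buildx
        # The id is required: the image build step below reads
        # steps.buildx.outputs.name, which is empty without it.
        id: buildx
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # inferred from @v3

      - name: Cache Docker layers
        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf  # inferred from @v4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Build docker image
        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # inferred from @v6
        with:
          builder: ${{ steps.buildx.outputs.name }}
          context: api
          platforms: linux/amd64
          # Build only: the image is loaded into the local docker daemon so
          # the scan step can read it, and is never pushed.
          push: false
          load: true
          tags: |
            ghcr.io/kafbat/kafka-ui:latest
          build-args: |
            JAR_FILE=build/libs/api-latest.jar
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Run CVE checks
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0  # inferred from @v0.29.0
        with:
          # Same tag as the image built above.
          image-ref: "ghcr.io/kafbat/kafka-ui:latest"
          format: "table"
          # A non-zero exit code fails the job when Trivy reports findings.
          # No `severity` input is set, so the action's defaults decide which
          # findings count.
          exit-code: "1"

  notify:
    needs: check-cves
    # The `needs` context only holds the jobs listed under `needs:`, so the
    # condition has to name check-cves; a job name that is not listed there
    # has an empty result and the notification would never be sent.
    # always() keeps this job from being skipped when check-cves fails.
    if: ${{ always() && needs.check-cves.result == 'failure' && github.event_name == 'schedule' }}
    uses: ./.github/workflows/infra_discord_hook.yml
    with:
      message: "Attention! CVE checks run failed! Please fix them CVEs :("
    secrets:
      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL_CVE }}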