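---
name: Main workflow

# `on` reads as a YAML 1.1 boolean key to generic parsers; GitHub's own loader
# treats it as the trigger list, so it is kept as-is (suppress yamllint truthy).
on: [push, workflow_dispatch]

# Workflow-level env is inherited by every step of every job, including the
# third-party actions used below (super-linter, trivy, sbom). That means
# docker_password hands GITHUB_TOKEN to all of them. The ci/*.sh scripts
# appear to read docker_username/docker_password, so both stay here; scoping
# them to the Docker-image job only would be the least-privilege option once
# that is confirmed.
env:
  docker_username: ${{ github.actor }}
  # Needs to be set here to be made available to the workflow's shell scripts.
  docker_password: ${{ secrets.GITHUB_TOKEN }}
  APP_NAME: ${{ github.event.repository.name }}
  BUILD_NUMBER: ${{ github.run_number }}
  GIT_REPO: ${{ github.repository }}
  GIT_REPO_URL: ${{ github.event.repository.clone_url }}
  GIT_BRANCH: ${{ github.ref_name }}
  GIT_COMMIT: ${{ github.sha }}
  # Image name without the registry; the jobs below prefix it with ghcr.io/.
  # NOTE(review): GHCR image names must be lowercase; if owner or repository
  # name contains capitals, ci/push-docker.sh has to lowercase this — confirm.
  IMAGE: ${{ github.repository_owner }}/${{ github.event.repository.name }}
  BUILD_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
  COMMIT_URL: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}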
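jobs:
  Build:
    runs-on: ubuntu-latest
    container: gradle:8.0.1-jdk11
    # Explicit least-privilege token: checkout only needs read access; every
    # scope not listed here is dropped for this job.
    permissions:
      contents: read
    steps:
      - name: Clone down repository
        uses: actions/checkout@v6
        with:
          # The whole checkout (including .git, via include-hidden-files below)
          # is uploaded as an artifact. Without this, checkout leaves the
          # GITHUB_TOKEN in .git/config and it would travel inside the artifact.
          persist-credentials: false
      - name: Build application
        run: bash ci/build-app.sh
      - name: Test
        run: bash ci/unit-test-app.sh
      - name: Upload repo
        uses: actions/upload-artifact@v5
        with:
          name: code
          path: .
          include-hidden-files: true

  Linting:
    runs-on: ubuntu-latest
    needs: [Build]
    # Scopes super-linter documents for itself: packages:read to pull its
    # image, statuses:write to report the status check mentioned below.
    permissions:
      contents: read
      packages: read
      statuses: write
    steps:
      - name: Download code
        uses: actions/download-artifact@v6
        with:
          name: code
          path: .
      - name: run linting
        uses: super-linter/super-linter/slim@v7
        env:
          DEFAULT_BRANCH: main
          # To report GitHub Actions status checks
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Lint findings are reported but never fail this job.
          DISABLE_ERRORS: true

  Docker-image:
    runs-on: ubuntu-latest
    needs: [Build]
    # The only job that needs write access to GHCR.
    permissions:
      packages: write
    steps:
      - name: Download code
        uses: actions/download-artifact@v6
        with:
          name: code
          path: .
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: build docker
        run: bash ci/build-docker.sh
      - name: push docker
        run: bash ci/push-docker.sh
      - name: Generate SBOM for the docker image
        uses: anchore/sbom-action@v0
        with:
          # Reads back the `latest` tag; which tag ci/push-docker.sh actually
          # pushed is not visible here — confirm the two agree.
          image: ghcr.io/${{ env.IMAGE }}:latest
          format: 'spdx-json'
          output-file: 'sbom.spdx.json'
          upload-artifact: false

  Security-scan:
    runs-on: ubuntu-latest
    needs: Docker-image
    # Read-only token: this job only pulls the image from GHCR.
    permissions:
      contents: read
      packages: read
    steps:
      - name: Download code
        uses: actions/download-artifact@v6
        with:
          name: code
          path: .
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Run Trivy vulnerability scanner
        # `master` is a mutable branch ref: the scanner can change underneath
        # the pipeline at any time. Pin to a release tag or a full commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          # Scans whatever `latest` points to at this moment; a concurrent run
          # pushing in between would be scanned instead of this run's image.
          image-ref: 'ghcr.io/${{ env.IMAGE }}:latest'
          format: 'table'
          # exit-code defaults to '0': findings are printed but never fail the
          # job, so the `needs: Security-scan` edge on Deploy is informational
          # only. Set '1' to make CRITICAL/HIGH findings block the deploy.
          # exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  Component-test:
    runs-on: ubuntu-latest
    needs: Docker-image
    # Read-only token: this job only pulls the image from GHCR.
    permissions:
      contents: read
      packages: read
    steps:
      - name: Download code
        uses: actions/download-artifact@v6
        with:
          name: code
          path: .
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Execute component test
        run: bash ci/component-test.sh

  Performance-test:
    runs-on: ubuntu-latest
    needs: Docker-image
    # Read-only token: this job only pulls the image from GHCR.
    permissions:
      contents: read
      packages: read
    steps:
      - name: Download code
        uses: actions/download-artifact@v6
        with:
          name: code
          path: .
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Execute performance test
        run: bash ci/performance-test.sh

  Deploy:
    runs-on: ubuntu-latest
    # Docker-image is already implied transitively by the other three.
    needs: [Docker-image, Security-scan, Component-test, Performance-test]
    # NOTE(review): read-only token assumes ci/start-application.sh and
    # ci/stop-application.sh only pull from GHCR — confirm before relying on it.
    permissions:
      contents: read
      packages: read
    steps:
      - name: Download code
        uses: actions/download-artifact@v6
        with:
          name: code
          path: .
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Deploy to production
        run: bash ci/start-application.sh
      # The "production" environment is torn down in the same job right after
      # it is started, so this is a smoke deploy rather than a lasting one.
      - name: stop production environment
        run: bash ci/stop-application.sh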