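---
# Backend CI: build, lint and test the Scala/Play backend on every change
# under backend/, then (on main only) publish the container image to ghcr.io
# and upload a Trivy vulnerability report of that image to the Security tab.
#
# Every third-party action below is referenced by a mutable ref (@v4, @v3,
# @v1, @master). TODO(security): pin each `uses:` to a full commit SHA
# (`owner/action@<full-commit-sha>  # vX.Y.Z`) so that an upstream tag or
# branch move cannot change the code that runs with this job's write tokens.
name: Backend Development Pipeline

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    paths:
      - 'backend/**'
  pull_request:
    branches: [main]
    paths:
      - 'backend/**'

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: backend
    # Least-privilege GITHUB_TOKEN: each grant maps to one step below.
    permissions:
      contents: read            # checkout
      packages: write           # push image to ghcr.io
      security-events: write    # upload SARIF to the Security tab
      actions: write            # delete old Actions caches
    steps:
      # 1. Checkout code
      - name: Checkout source code
        uses: actions/checkout@v4

      # 2. Setup Java (JVM). The version is quoted so YAML keeps it a string
      #    rather than an integer.
      - name: Setup Java 18
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '18'

      # 3. Setup Scala + sbt
      - name: Setup Scala & sbt
        uses: coursier/setup-action@v1
        with:
          apps: sbt

      # 4. Cache sbt dependencies
      - name: Cache sbt dependencies
        uses: actions/cache@v4
        with:
          path: |
            ~/.ivy2/cache
            ~/.sbt
            ~/.coursier
            backend/target
            backend/project/target
          key: ${{ runner.os }}-sbt-${{ hashFiles('**/build.sbt') }}
          restore-keys: |
            ${{ runner.os }}-sbt-

      # 5. Clean old caches (keep only the 10 most recent).
      #    Limited to main: a pull_request run from a fork gets a read-only
      #    token, so the delete call would fail and fail the job, and a
      #    same-repo PR run would evict every other branch's caches each time.
      - name: Clean old caches
        if: github.ref == 'refs/heads/main'
        uses: actions/github-script@v7
        with:
          script: |
            const KEEP_MOST_RECENT = 10;
            // Newest first; only the first page (up to 100 caches) is examined.
            const caches = await github.rest.actions.getActionsCacheList({
              owner: context.repo.owner,
              repo: context.repo.repo,
              per_page: 100,
              sort: 'created_at',
              direction: 'desc'
            });
            const cachesToDelete = caches.data.actions_caches.slice(KEEP_MOST_RECENT);
            if (cachesToDelete.length === 0) {
              console.log('No old caches to delete.');
              return;
            }
            console.log(`Found ${cachesToDelete.length} cache(s) to delete.`);
            for (const cache of cachesToDelete) {
              console.log(`Deleting cache: ${cache.key} (ID: ${cache.id})`);
              await github.rest.actions.deleteActionsCacheById({
                owner: context.repo.owner,
                repo: context.repo.repo,
                cache_id: cache.id
              });
            }

      # 6. Build (compile & stage)
      - name: Build Play Framework App
        run: sbt stage

      # 7. Run Scalastyle (Static Code Analysis)
      - name: Run Scalastyle
        run: sbt scalastyle

      # 8. Run tests with coverage
      - name: Run Scoverage Tests
        run: sbt clean coverage test coverageReport coverageAggregate

      # 9. Log in to ghcr.io (main only). GITHUB_TOKEN is scoped by the
      #    `packages: write` grant above; no long-lived registry secret needed.
      - name: Log in to the Container registry
        if: github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # 10. Set up Docker Buildx
      - name: Set up Docker Buildx
        if: github.ref == 'refs/heads/main'
        uses: docker/setup-buildx-action@v3

      # 11. Build and push Docker image (with cache).
      #     Besides the moving `latest` tag, the image is also tagged with the
      #     commit SHA so a deployed or scanned image can be traced to its source.
      - name: Build and push Docker image
        if: github.ref == 'refs/heads/main'
        uses: docker/build-push-action@v6
        with:
          context: ./backend
          push: true
          tags: |
            ghcr.io/nashtech-garage/smart-taskhub-be:latest
            ghcr.io/nashtech-garage/smart-taskhub-be:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # 12. Scan the just-published image with Trivy.
      #     The immutable SHA tag is scanned so the report matches exactly what
      #     was pushed. Note the image is already in the registry at this point;
      #     findings surface in the Security tab rather than blocking the push.
      - name: Scan Docker image with Trivy
        if: github.ref == 'refs/heads/main'
        # TODO(security): @master is a moving branch; pin to a release tag or commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ghcr.io/nashtech-garage/smart-taskhub-be:${{ github.sha }}'
          scan-type: 'image'
          format: 'sarif'
          # Trivy severities are UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL; 'WARNING'
          # is not one of them and is rejected by the scanner.
          severity: 'CRITICAL,HIGH'
          output: 'trivy-results.sarif'

      # 13. Upload Trivy scan results to GitHub Security tab
      - name: Upload Trivy scan results to GitHub Security tab
        if: github.ref == 'refs/heads/main'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          category: 'image'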