74 changes: 33 additions & 41 deletions .github/workflows/ci-cd-java.yml
@@ -1,8 +1,6 @@
name: ci-cd-java.yml

permissions:
contents: read
packages: read
permissions: {}

on:
workflow_call:
Expand Down Expand Up @@ -32,9 +30,12 @@
IMAGE_NAME_MIXED_CASE: "${{ github.repository }}"

jobs:
build-check-test-push:
name: Build, check, test, push
ci:
name: Build, check, test
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
Expand Down Expand Up @@ -161,45 +162,43 @@
name: 'app.jar'
path: '/app/app.jar'

release:
name: Build & push Docker image
needs: ci
if: >-
github.ref == 'refs/heads/main' ||
github.ref == 'refs/heads/develop' ||
github.ref == 'refs/heads/aks-dev' ||
startsWith(github.ref, 'refs/tags/') ||
inputs.performRelease == true
runs-on: ubuntu-latest
environment: docker-hub-release
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
clean: 'true'

Check warning

Code scanning / zizmor

credential persistence through GitHub Actions artifacts Warning

credential persistence through GitHub Actions artifacts
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed

- name: Set Docker Image Name
env:
IMAGE_NAME_INPUT: ${{ inputs.imageName }}
run: |
OWNER="${GITHUB_REPOSITORY%%/*}"

if [[ -n "${{ inputs.imageName }}" ]]; then
IMAGE_NAME="${OWNER,,}/${{ inputs.imageName }}"
if [[ -n "${IMAGE_NAME_INPUT}" ]]; then
IMAGE_NAME="${OWNER,,}/${IMAGE_NAME_INPUT}"
else
IMAGE_NAME="${GITHUB_REPOSITORY,,}"
fi

echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"

- name: Build Docker Image
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: ${{ inputs.workingDirectory }}
push: 'false'
tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}'
secrets: |
github_token=${{ secrets.GITHUB_TOKEN }}
build-args:
GITHUB_ACTOR=${{ github.actor }}

- name: Check if perform release
id: perform_release
run: |
PERFORM_RELEASE=false
if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then
PERFORM_RELEASE=true
elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
PERFORM_RELEASE=true
elif [[ "${{ inputs.performRelease }}" == "true" ]]; then
PERFORM_RELEASE=true
fi
echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV
echo "Perform release: ${PERFORM_RELEASE}"
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Extract Docker metadata
if: ${{ env.PERFORM_RELEASE == 'true' }}
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
Expand All @@ -212,26 +211,19 @@
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.vendor=hsldevcom

- name: Setup Docker Buildx
if: ${{ env.PERFORM_RELEASE == 'true' }}
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Login to Docker Hub
if: ${{ env.PERFORM_RELEASE == 'true' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }}
password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }}

- name: Build & Push Docker image
if: ${{ env.PERFORM_RELEASE == 'true' }}
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: ${{ inputs.workingDirectory }}
push: ${{ env.PERFORM_RELEASE }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
secrets: |
github_token=${{ secrets.GITHUB_TOKEN }}
build-args: |
GITHUB_ACTOR=${{ github.actor }}
github_actor=${{ github.actor }}
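Review bot: The new job-level condition `inputs.performRelease == true` (repeated in ci-cd-kotlin.yml and ci-cd-typescript.yml) only behaves like the removed shell check `"${{ inputs.performRelease }}" == "true"` if `performRelease` is declared `type: boolean` under `workflow_call.inputs`, which sits outside this hunk; GitHub expressions coerce mismatched operand types to numbers, so a `type: string` input would make the release job silently never run on a manual release. Please confirm the declaration, or compare against the string form if the input is a string. Separately, the last hunk keeps `github_actor=${{ github.actor }}` under `build-args:` for the pushed image, whereas the Kotlin test build in this PR delivers the same value as a `--secret` mount; build args are recorded in the image config/history, so if the Java Dockerfile reads `/run/secrets/github_actor` this line belongs under `secrets:` next to `github_token` — worth checking against the Dockerfile.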
64 changes: 30 additions & 34 deletions .github/workflows/ci-cd-kotlin.yml
@@ -1,8 +1,6 @@
name: ci-cd-kotlin.yml

permissions:
contents: read
packages: read
permissions: {}

on:
workflow_call:
Expand Down Expand Up @@ -34,9 +32,12 @@
IMAGE_NAME_MIXED_CASE: "${{ github.repository }}"

jobs:
build-check-test-push:
name: Build, check, test, push
ci:
name: Build, check, test
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
Expand Down Expand Up @@ -90,24 +91,24 @@
if: ${{ inputs.runTestsInsideDocker }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_ACTOR_ARG: ${{ github.actor }}
GITHUB_ACTOR: ${{ github.actor }}
DOCKER_BUILDKIT: "1"
run: |
cat > /tmp/Dockerfile.test << DOCKERFILE
# syntax=docker/dockerfile:1
# check=error=true
FROM ${TEST_BASE_IMAGE}
WORKDIR /usr/app
ARG GITHUB_ACTOR=github-actions
COPY . .
RUN --mount=type=secret,id=github_token \
--mount=type=secret,id=github_actor \
export GITHUB_TOKEN="\$(cat /run/secrets/github_token)" && \
export GITHUB_ACTOR="\$GITHUB_ACTOR" && \
export GITHUB_ACTOR="\$(cat /run/secrets/github_actor)" && \
./gradlew test --stacktrace --no-daemon
DOCKERFILE
docker build \
--secret id=github_token,env=GITHUB_TOKEN \
--build-arg "GITHUB_ACTOR=${GITHUB_ACTOR_ARG}" \
--secret id=github_actor,env=GITHUB_ACTOR \
-f /tmp/Dockerfile.test \
.

Expand Down Expand Up @@ -153,36 +154,33 @@
GITHUB_ACTOR: ${{ github.actor }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Lowercase Docker Image Name
run: |
echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}"
- name: Build Docker Image
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
release:
name: Build & push Docker image
needs: ci
if: >-
github.ref == 'refs/heads/main' ||
github.ref == 'refs/heads/develop' ||
github.ref == 'refs/heads/aks-dev' ||
startsWith(github.ref, 'refs/tags/') ||
inputs.performRelease == true
runs-on: ubuntu-latest
environment: docker-hub-release
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
context: .
push: 'false'
tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}'
clean: 'true'

Check warning

Code scanning / zizmor

credential persistence through GitHub Actions artifacts Warning

credential persistence through GitHub Actions artifacts
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed

- name: Check if perform release
id: perform_release
- name: Lowercase Docker Image Name
run: |
PERFORM_RELEASE=false
if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then
PERFORM_RELEASE=true
elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
PERFORM_RELEASE=true
elif [[ "${{ inputs.performRelease }}" == "true" ]]; then
PERFORM_RELEASE=true
fi
echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV
echo "Perform release: ${PERFORM_RELEASE}"
echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}"

- name: Setup Docker Buildx
if: env.PERFORM_RELEASE == 'true'
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Extract Docker metadata
if: env.PERFORM_RELEASE == 'true'
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
Expand All @@ -196,17 +194,15 @@
org.opencontainers.image.vendor=hsldevcom

- name: Login to Docker Hub
if: env.PERFORM_RELEASE == 'true'
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }}
password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }}

- name: Build & Push Docker image
if: env.PERFORM_RELEASE == 'true'
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
push: ${{ env.PERFORM_RELEASE }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
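Review bot: `ARG GITHUB_ACTOR=github-actions` in the generated test Dockerfile (second hunk) is now dead: the `--build-arg` that fed it was replaced by the `github_actor` secret mount, and the `RUN` line unconditionally re-exports `GITHUB_ACTOR` from `/run/secrets/github_actor`, so neither the argument nor its default is ever observable. Dropping the `ARG` line makes the Dockerfile state the single source of the value. If the line is kept on purpose (for local builds without secrets), a one-line comment above it saying so would stop the next reader from re-adding a `--build-arg`.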
85 changes: 47 additions & 38 deletions .github/workflows/ci-cd-typescript.yml
@@ -1,8 +1,6 @@
name: ci-cd-typescript.yml

permissions:
contents: read
packages: read
permissions: {}

on:
workflow_call:
Expand All @@ -27,9 +25,12 @@
PRODUCTION_STAGE: production

jobs:
build-check-test-push:
name: Build, check, test, push
ci:
name: Build, check, test
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
Expand All @@ -38,10 +39,10 @@
fetch-depth: 2

- name: Install Node
# zizmor:ignore[cache-poisoning] Node binary tool-cache is implicit and cannot be disabled; no npm package cache is configured
Comment thread
bogdandina marked this conversation as resolved.
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: "lts/*"
cache: "npm"

- name: Install NPM dependencies
run: npm ci
Expand All @@ -65,46 +66,17 @@
fail_ci_if_error: true
report_type: test_results

- name: Check if perform release
id: perform_release
run: |
PERFORM_RELEASE=false
if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then
PERFORM_RELEASE=true
elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
PERFORM_RELEASE=true
elif [[ "${{ inputs.performRelease }}" == "true" ]]; then
PERFORM_RELEASE=true
fi
echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV
echo "Perform release: ${PERFORM_RELEASE}"

- name: Lowercase Docker Image Name
run: |
echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}"

- name: Extract docker metadata
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.IMAGE_NAME }}
tags: |
type=edge,branch=main
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
type=sha,format=long

- name: Setup Docker Buildx
if: env.PERFORM_RELEASE == 'true'
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Build and export to Docker
if: ${{ inputs.checkAndTestInsideDocker }}
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
load: true
no-cache: true
target: "${{ env.TEST_STAGE }}"
tags: "${{ env.IMAGE_NAME }}:${{ env.TEST_STAGE }}"

Expand All @@ -113,19 +85,56 @@
run: |
docker run --rm "${{ env.IMAGE_NAME }}:${{ env.TEST_STAGE }}"

release:
name: Build & push Docker image
needs: ci
if: >-
github.ref == 'refs/heads/main' ||
github.ref == 'refs/heads/develop' ||
github.ref == 'refs/heads/aks-dev' ||
startsWith(github.ref, 'refs/tags/') ||
inputs.performRelease == true
runs-on: ubuntu-latest
environment: docker-hub-release
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
clean: 'true'

Check warning

Code scanning / zizmor

credential persistence through GitHub Actions artifacts Warning

credential persistence through GitHub Actions artifacts
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed

- name: Lowercase Docker Image Name
run: |
echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}"

- name: Setup Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Extract docker metadata
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.IMAGE_NAME }}
tags: |
type=edge,branch=main
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
type=sha,format=long

- name: Login to Docker Hub
if: env.PERFORM_RELEASE == 'true'
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }}
password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }}

- name: Build and push
if: env.PERFORM_RELEASE == 'true'
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
push: true
no-cache: true
target: "${{ env.PRODUCTION_STAGE }}"
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
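Review bot: In the `ci` job (third hunk, `@@ -65,46 +66,17 @@`) the removal counts allow either the `Lowercase Docker Image Name` step or the `Setup Docker Buildx` step to be the one that survives, and both outcomes leave a problem. If the lowercase step was moved to `release` and removed here, nothing in `ci` sets `IMAGE_NAME` anymore, so the test image tag `"${{ env.IMAGE_NAME }}:${{ env.TEST_STAGE }}"` in `Build and export to Docker` and the matching `docker run` collapse to `:test` with an empty image name and the in-Docker test path fails. If instead the Buildx step was kept, its guard `if: env.PERFORM_RELEASE == 'true'` references a variable no step in this job writes after the `Check if perform release` step was deleted, so it never runs. Either keep a lowercase step in `ci` ahead of the Docker build, or drop the stale guard, depending on which step remains.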