Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 4 additions & 11 deletions .github/workflows/jersey-main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,6 @@ jobs:
- name: Check
run: ./gradlew :appserver-jersey:check

# Check that the docker image builds correctly
docker:
runs-on: ubuntu-latest
permissions:
Expand All @@ -52,14 +51,12 @@ jobs:
run: |
echo "DOCKER_IMAGE=${REGISTRY}/${REPOSITORY,,}/${IMAGE_NAME}" >>${GITHUB_ENV}

# Add Docker labels and tags
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_IMAGE }}

# Setup docker build environment
- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Expand All @@ -68,12 +65,12 @@ jobs:

- name: Cache Docker layers
id: cache-buildx
uses: actions/cache@v3
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile.appserver-jersey', 'appserver-jersey/build.gradle.kts', 'buildSrc/src/main/kotlin/Versions.kt', 'settings.gradle.kts', 'build.gradle.kts', 'appserver-jersey/src/main/**') }}
key: ${{ runner.os }}-buildx-jersey-${{ hashFiles('Dockerfile.appserver-jersey', 'appserver-jersey/build.gradle.kts', 'buildSrc/src/main/kotlin/Versions.kt', 'settings.gradle.kts', 'build.gradle.kts') }}
restore-keys: |
${{ runner.os }}-buildx-
${{ runner.os }}-buildx-jersey-

- name: Cache parameters
id: cache-parameters
Expand All @@ -85,7 +82,7 @@ jobs:
fi

- name: Build docker
uses: docker/build-push-action@v3
uses: docker/build-push-action@v6
with:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: ${{ steps.cache-parameters.outputs.cache-to }}
Expand All @@ -101,10 +98,6 @@ jobs:
- name: Inspect docker image
run: docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}

- name: Check docker image
run: docker run --rm ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} curl --help

# Push the image on the dev and master branches
- name: Push image
if: ${{ github.event_name != 'pull_request' }}
run: docker push ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/jersey-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,7 @@ jobs:
platforms: linux/amd64,linux/arm64
context: .
push: true
file: Dockerfile.appserver-jersey
tags: ${{ steps.docker_meta.outputs.tags }}
labels: |
${{ steps.docker_meta.outputs.labels }}
Expand Down
25 changes: 8 additions & 17 deletions .github/workflows/microservices-main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ jobs:
run: ./gradlew :microservices:${{ matrix.service }}:check

docker:
name: Docker setup for ${{ matrix.service }}
name: Docker ${{ matrix.service }}
runs-on: ubuntu-latest
permissions:
contents: read
Expand Down Expand Up @@ -101,19 +101,18 @@ jobs:

- name: Cache Docker layers
id: cache-buildx
uses: actions/cache@v3
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ hashFiles(
key: ${{ runner.os }}-buildx-${{ matrix.service }}-${{ hashFiles(
format('microservices/{0}/Dockerfile', matrix.service),
'settings.gradle.kts',
'buildSrc/src/main/kotlin/Versions.kt',
'build.gradle.kts',
format('microservices/{0}/build.gradle.kts', matrix.service),
format('microservices/{0}/src/main/**', matrix.service)
format('microservices/{0}/build.gradle.kts', matrix.service)
) }}
restore-keys: |
${{ runner.os }}-buildx-
${{ runner.os }}-buildx-${{ matrix.service }}-

- name: Cache parameters
id: cache-parameters
Expand All @@ -124,11 +123,8 @@ jobs:
echo "cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max" >> $GITHUB_OUTPUT
fi

- name: Compile ${{ matrix.service }} code
run: ./gradlew --no-daemon :microservices:${{ matrix.service }}:assemble

- name: Build docker
uses: docker/build-push-action@v3
uses: docker/build-push-action@v6
with:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: ${{ steps.cache-parameters.outputs.cache-to }}
Expand All @@ -140,13 +136,10 @@ jobs:
${{ steps.docker_meta.outputs.labels }}
org.opencontainers.image.vendor=RADAR-base
org.opencontainers.image.licenses=Apache-2.0

- name: Inspect docker image
run: docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}

- name: Check docker image
run: docker run --rm ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} curl --help || true

- name: Push image
if: ${{ github.event_name != 'pull_request' }}
run: docker push ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}
Expand Down Expand Up @@ -177,7 +170,7 @@ jobs:
integration-test:
runs-on: ubuntu-latest
needs: docker
if: ${{ always() }} # Running this job even if the docker job fails. It will build the image from source, and collect the logs
if: ${{ always() }}

steps:
- uses: actions/checkout@v5
Expand Down Expand Up @@ -215,7 +208,6 @@ jobs:

svc_upper=$(echo "$service" | tr '[:lower:]-' '[:upper:]_' )

# variable names for microservices images
echo "RADAR_APPSERVER_${svc_upper}_IMAGE_NAME=${image}" >> $OUTFILE
echo "RADAR_APPSERVER_${svc_upper}_IMAGE_TAG=${tag}" >> $OUTFILE

Expand All @@ -231,7 +223,6 @@ jobs:

- name: Decrypt google application credentials
run: |
# adjust path to encrypted file if needed
gpg --pinentry-mode loopback --local-user "Adi Mishra" --batch --yes \
--passphrase "${{ secrets.GPG_SECRET_KEY_PASSPHRASE }}" \
--output microservices/integration-tests/src/integrationTest/resources/docker/fcm/google-credentials.json \
Expand Down
77 changes: 77 additions & 0 deletions .github/workflows/scheduled-snyk-docker.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
name: Snyk Docker scheduled test
on:
schedule:
- cron: '0 3 * * 1'
push:
branches:
- master

env:
REGISTRY: ghcr.io
REPOSITORY: ${{ github.repository }}

jobs:
jersey:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v5

- name: Lowercase image name
run: |
echo "DOCKER_IMAGE=${REGISTRY}/${REPOSITORY,,}/radar-appserver" >>${GITHUB_ENV}

- name: Run Snyk to check Docker image for vulnerabilities
uses: snyk/actions/docker@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_IMAGE }}:latest
args: --file=Dockerfile.appserver-jersey --severity-threshold=high

- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: snyk.sarif

microservices:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
service:
- project-service
- user-service
- gateway-service
- github-service
- protocol-service
- task-service
- cloud-messaging-service
steps:
- uses: actions/checkout@v5

- name: Lowercase image name
run: |
echo "DOCKER_IMAGE=${REGISTRY}/${REPOSITORY,,}/${{ matrix.service }}" >>${GITHUB_ENV}

- name: Run Snyk to check Docker image for vulnerabilities
uses: snyk/actions/docker@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_IMAGE }}:latest
args: --file=microservices/${{ matrix.service }}/Dockerfile --severity-threshold=high

- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: snyk.sarif
2 changes: 1 addition & 1 deletion .github/workflows/scheduled-snyk.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ jobs:
env:
REPORT_FILE: test.json
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v5

- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/gradle-jdk17@master
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/snyk.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v5

- name: Run Snyk to check for JDK vulnerabilities
uses: snyk/actions/gradle-jdk17@master
Expand Down
8 changes: 4 additions & 4 deletions Dockerfile.appserver-jersey
Original file line number Diff line number Diff line change
Expand Up @@ -22,11 +22,11 @@ COPY ./buildSrc /code/buildSrc
COPY ./build.gradle.kts ./settings.gradle.kts /code/
COPY appserver-jersey/build.gradle.kts /code/appserver-jersey/

RUN gradle appserver-jersey:downloadDependencies appserver-jersey:copyDependencies appserver-jersey:startScripts
RUN gradle --no-daemon appserver-jersey:downloadDependencies appserver-jersey:copyDependencies appserver-jersey:startScripts

COPY appserver-jersey/src/ /code/appserver-jersey/src

RUN gradle jar
RUN gradle --no-daemon :appserver-jersey:jar

FROM eclipse-temurin:17-jre

Expand All @@ -35,10 +35,10 @@ COPY --from=builder /code/appserver-jersey/build/third-party/* /usr/lib/
COPY --from=builder /code/appserver-jersey/build/libs/*.jar /usr/lib/
COPY --from=builder /code/appserver-jersey/src/main/resources/appserver.yml /etc/appserver-jersey/appserver.yml

ENV LIQUIBASE_ANALYTICS_ENABLED=false

USER 101

EXPOSE 8080

CMD ["appserver-jersey"]


Loading
Loading