-
Notifications
You must be signed in to change notification settings - Fork 0
215 lines (184 loc) · 8.27 KB
/
ci.yml
File metadata and controls
215 lines (184 loc) · 8.27 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
name: CI
on:
pull_request:
branches: [main]
push:
branches: [main]
tags: ['v*']
workflow_dispatch:
env:
# Registries
GHCR_REGISTRY: ghcr.io
HARBOR_REGISTRY: ps-registry.pack-test.net
# Image names
HARBOR_IMAGE: suite-epargne/se-api
GHCR_IMAGE: pack-solutions/se-api
JAVA_VERSION: '21'
jobs:
# ==============================================================================
# Job 1: Tests (runs on PRs and pushes)
# ==============================================================================
test:
name: Tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup JDK 21
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: ${{ env.JAVA_VERSION }}
cache: 'gradle'
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
with:
gradle-version: wrapper
- name: Run Unit Tests
run: ./gradlew test --no-daemon --parallel
- name: Run Integration Tests
run: ./gradlew integrationTest --no-daemon --parallel
- name: Publish Test Results
if: always()
uses: EnricoMi/publish-unit-test-result-action@v2
with:
files: |
**/build/test-results/test/TEST-*.xml
**/build/test-results/integrationTest/TEST-*.xml
check_name: 'Test Results'
# ==============================================================================
# Job 2: Build and Push Docker Image (only on push to main or tags)
# ==============================================================================
build:
name: Build & Push Image
runs-on: ubuntu-latest
needs: [test]
if: github.event_name == 'push'
permissions:
contents: read
packages: write
outputs:
harbor_tag: ${{ steps.meta.outputs.harbor_primary_tag }}
ghcr_tag: ${{ steps.meta.outputs.ghcr_tag }}
build_type: ${{ steps.meta.outputs.build_type }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Generate image metadata
id: meta
run: |
SHA_SHORT="${GITHUB_SHA::7}"
TIMESTAMP=$(date -u +%Y%m%d)
# Extract version from gradle.properties for GHCR
GHCR_VERSION=$(grep '^version=' gradle.properties | cut -d'=' -f2)
if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
# Release tag - use semver for Harbor
SEMVER="${GITHUB_REF#refs/tags/v}"
HARBOR_PRIMARY_TAG="${SEMVER}"
HARBOR_TAGS="${SEMVER},${SHA_SHORT}"
BUILD_TYPE="release"
else
# Push to main - use timestamp-sha for Harbor
HARBOR_PRIMARY_TAG="${TIMESTAMP}-${SHA_SHORT}"
HARBOR_TAGS="${TIMESTAMP}-${SHA_SHORT},${SHA_SHORT}"
BUILD_TYPE="dev"
fi
echo "harbor_primary_tag=${HARBOR_PRIMARY_TAG}" >> $GITHUB_OUTPUT
echo "harbor_tags=${HARBOR_TAGS}" >> $GITHUB_OUTPUT
echo "ghcr_tag=${GHCR_VERSION}" >> $GITHUB_OUTPUT
echo "sha_short=${SHA_SHORT}" >> $GITHUB_OUTPUT
echo "build_type=${BUILD_TYPE}" >> $GITHUB_OUTPUT
echo "## Image Tags" >> $GITHUB_STEP_SUMMARY
echo "- **Build Type:** ${BUILD_TYPE}" >> $GITHUB_STEP_SUMMARY
echo "- **Harbor Primary:** ${HARBOR_PRIMARY_TAG}" >> $GITHUB_STEP_SUMMARY
echo "- **GHCR:** ${GHCR_VERSION}" >> $GITHUB_STEP_SUMMARY
- name: Setup JDK 21
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: ${{ env.JAVA_VERSION }}
cache: 'gradle'
- name: Build application JAR
run: ./gradlew assembly:buildFatJar --no-daemon --parallel -x test
# GHCR login disabled - Harbor only for now
# - name: Log in to GHCR
# id: ghcr_login
# continue-on-error: true
# run: |
# echo "${{ secrets.GHCR_PAT }}" | docker login ${{ env.GHCR_REGISTRY }} -u "${{ github.actor }}" --password-stdin
- name: Build Docker image
run: |
docker build \
--build-arg APP_VERSION=${{ steps.meta.outputs.harbor_primary_tag }} \
--build-arg BUILD_DATE=${{ github.event.head_commit.timestamp }} \
--build-arg VCS_REF=${{ github.sha }} \
-t ${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.harbor_primary_tag }} \
-t ${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.sha_short }} \
-f ./Dockerfile .
- name: Install skopeo and cosign
run: |
sudo apt-get update && sudo apt-get install -y skopeo
# Install cosign
COSIGN_VERSION="v2.4.1"
curl -sLO "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
chmod +x cosign-linux-amd64
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
cosign version
- name: Push to Harbor with skopeo
id: push
run: |
# Push primary tag and capture digest (direct daemon→registry, no tarball)
skopeo copy --digestfile=/tmp/digest.txt \
--dest-creds "${{ secrets.HARBOR_USERNAME }}:${{ secrets.HARBOR_PASSWORD }}" \
docker-daemon:${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.harbor_primary_tag }} \
docker://${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.harbor_primary_tag }}
# Capture digest from push (avoids registry query which may fail with content trust)
DIGEST=$(cat /tmp/digest.txt)
echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
echo "Image digest: ${DIGEST}"
# Push sha short tag
skopeo copy --dest-creds "${{ secrets.HARBOR_USERNAME }}:${{ secrets.HARBOR_PASSWORD }}" \
docker-daemon:${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.sha_short }} \
docker://${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.sha_short }}
# GHCR push disabled - Harbor only for now
# - name: Tag and push to GHCR (backup)
# if: steps.ghcr_login.outcome == 'success'
# run: |
# docker tag ${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.harbor_primary_tag }} \
# ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.ghcr_tag }}
# docker push ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.ghcr_tag }}
- name: Authenticate to Vault
uses: hashicorp/vault-action@v3
with:
url: ${{ secrets.VAULT_ADDR }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
exportToken: true
- name: Sign image with cosign
env:
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
VAULT_TOKEN: ${{ env.VAULT_TOKEN }}
TRANSIT_SECRET_ENGINE_PATH: operator-transit
run: |
IMAGE_REF="${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}@${{ steps.push.outputs.digest }}"
echo "Signing image: ${IMAGE_REF}"
cosign sign --yes \
--key hashivault://cosign-key \
--registry-username "${{ secrets.HARBOR_USERNAME }}" \
--registry-password "${{ secrets.HARBOR_PASSWORD }}" \
"${IMAGE_REF}"
echo "Image signed successfully"
- name: Summary
run: |
echo "## Build Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Harbor (Primary)" >> $GITHUB_STEP_SUMMARY
echo "- \`${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.harbor_primary_tag }}\`" >> $GITHUB_STEP_SUMMARY
echo "- \`${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_IMAGE }}:${{ steps.meta.outputs.sha_short }}\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Signing" >> $GITHUB_STEP_SUMMARY
echo "- **Digest:** \`${{ steps.push.outputs.digest }}\`" >> $GITHUB_STEP_SUMMARY
echo "- **Signed with:** Vault Transit (cosign-key)" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Commit:** \`${{ github.sha }}\`" >> $GITHUB_STEP_SUMMARY