StarExecMiami · AndresCdo · Nov 6, 2025 · Nov 6, 2025 · Nov 6, 2025
diff --git a/.github/workflows/_java-setup.yml b/.github/workflows/_java-setup.yml
@@ -0,0 +1,37 @@
+name: Reusable Java Setup
+
+on:
+  workflow_call:
+    inputs:
+      java-version:
+        required: false
+        type: string
+        default: '17'
+        description: 'Java version to setup'
+      cache-key-prefix:
+        required: false
+        type: string
+        default: 'maven'
+        description: 'Cache key prefix for Maven dependencies'
+
+jobs:
+  setup:
+    name: Setup Java Environment
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up JDK ${{ inputs.java-version }}
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ inputs.java-version }}
+          distribution: 'temurin'
+          cache: 'maven'
+
+      - name: Verify Java version
+        run: java -version
+
+      - name: Verify Maven version
+        run: mvn -version
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -0,0 +1,88 @@
+name: Container Build
+
+on:
+  push:
+    branches: [UMprod, dev, containerised]
+    paths:
+      - 'src/**'
+      - 'Dockerfile'
+      - 'docker/entrypoint.sh'
+      - 'docker/setenv.sh'
+      - 'pom.xml'
+      - '.github/workflows/container-build.yml'
+  pull_request:
+    branches: [UMprod, dev, containerised]
+    paths:
+      - 'Dockerfile'
+      - 'docker/entrypoint.sh'
+      - 'docker/setenv.sh'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  build:
+    name: Build & Scan Container
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build container image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          tags: starexec:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          load: true
+
+      - name: Run container structure tests
+        run: |
+          echo "Running container validation tests..."
+
+          # Test Java installation
+          docker run --rm starexec:test java -version
+
+          # Test basic container inspection
+          IMAGE_INFO=$(docker inspect starexec:test)
+          echo "✓ Container structure validation passed"
+
+          # Display image details
+          echo ""
+          echo "=== Container Image Details ==="
+          docker inspect starexec:test | jq '.[0] | {Size, Created, Architecture: .Architecture, Os: .Os}'
+
+      - name: Scan image for vulnerabilities with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'starexec:test'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'trivy-container'
+
+      - name: Generate scan summary
+        if: always()
+        run: |
+          echo "## Container Build Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Build Status:** ✓ Success" >> $GITHUB_STEP_SUMMARY
+          echo "**Image Tag:** starexec:test" >> $GITHUB_STEP_SUMMARY
+          echo "**Scan Tool:** Trivy" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ -f "trivy-results.sarif" ]; then
+            echo "**Security Scan:** Results uploaded to GitHub Security tab" >> $GITHUB_STEP_SUMMARY
+          fi
diff --git a/.github/workflows/container-publish.yml b/.github/workflows/container-publish.yml
@@ -0,0 +1,104 @@
+name: Container Publish
+
+on:
+  push:
+    branches: [UMprod, containerised]
+    paths:
+      - 'src/**'
+      - 'Dockerfile'
+      - 'pom.xml'
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Target environment for deployment'
+        required: true
+        default: 'dev'
+        type: choice
+        options:
+          - dev
+          - staging
+          - prod
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  publish:
+    name: Build & Publish Container
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository }}
+          tags: |
+            type=sha,prefix={{branch}}-,format=short
+            type=sha,prefix={{branch}}-
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/containerised' }}
+
+      - name: Build and push container image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+            VCS_REF=${{ github.sha }}
+            VERSION=${{ github.ref_name }}
+
+      - name: Generate image summary
+        if: success()
+        run: |
+          echo "## 📦 Container Image Published" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Registry:** \`${{ env.REGISTRY }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Repository:** \`${{ github.repository }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Branch:** \`${{ github.ref_name }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Commit SHA:** \`${{ github.sha }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Image Tags" >> $GITHUB_STEP_SUMMARY
+          echo '${{ steps.meta.outputs.tags }}' | while IFS= read -r tag; do
+            echo "- \`$tag\`" >> $GITHUB_STEP_SUMMARY
+          done
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ github.ref }}" == "refs/heads/containerised" ]; then
+            echo "✅ **Latest tag:** Updated on production branch" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Create deployment annotation
+        if: success()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.git.createRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: 'refs/tags/deployment-${{ github.ref_name }}-${{ github.run_number }}',
+              sha: context.sha
+            }).catch(err => console.log('Deployment tag already exists'));