api_test.yml
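# Pull-request checks for the API: lint the three Dockerfiles, rebuild the
# base and dependency images when their inputs changed, build the production
# image, scan it, and upload the scan report as SARIF.
#
# NOTE(review): every action below is referenced by a mutable tag. A tag can
# be moved to different code by whoever controls the action's repository;
# pinning each `uses:` to a full commit SHA (keeping the tag in a trailing
# comment) removes that dependency on upstream. Several of the pinned major
# versions are also old; confirm they are still supported before relying on
# this workflow.
name: API PR Review
on: [pull_request]

# Least privilege for the job token: without this block the token gets the
# repository's default permission set, which may include write scopes that
# nothing here needs.
permissions:
  contents: read          # actions/checkout
  pull-requests: read     # dorny/paths-filter lists changed files via the API
  packages: read          # sbt resolves dependencies from GitHub Packages
  security-events: write  # github/codeql-action/upload-sarif
  actions: read           # upload-sarif, only needed on private repositories

jobs:
  build:
    name: Build API
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2.4.0
        with:
          # By default checkout stores the job token in .git/config, and the
          # `docker build .` steps below send the whole working tree as build
          # context. No later step uses git credentials, so do not keep them.
          persist-credentials: false

      - uses: brpaz/hadolint-action@v1.5.0
        name: Lint base image
        with:
          dockerfile: Dockerfile_base
      - uses: brpaz/hadolint-action@v1.5.0
        name: Lint builder image
        with:
          dockerfile: Dockerfile_builder
      - uses: brpaz/hadolint-action@v1.5.0
        name: Lint production image
        with:
          dockerfile: Dockerfile

      # - name: Login to Docker Hub
      #   uses: docker/login-action@v1.8.0
      #   with:
      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
      #     password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Sets outputs.base / outputs.dependencies to 'true' when the listed
      # files changed in this pull request; the conditional steps below key
      # off those outputs.
      - uses: dorny/paths-filter@v2.10.2
        name: Check which docker images to rebuild
        id: changed_files
        with:
          filters: |
            base:
              - 'Dockerfile_base'
            dependencies:
              - 'project/build.properties'
              - 'project/Dependencies.scala'
              - 'project/plugins.sbt'

      - name: Build base image
        if: steps.changed_files.outputs.base == 'true'
        run: docker build . -f Dockerfile_base -t lkjaero/foreign-language-reader-api:base

      # NOTE(review): the key is static. actions/cache does not overwrite an
      # entry on an exact key hit, so once `sbt_cache` exists it is never
      # refreshed when dependencies change. Consider deriving the key from a
      # hash of the dependency files.
      - name: Cache sbt packages
        if: steps.changed_files.outputs.dependencies == 'true' || steps.changed_files.outputs.base == 'true'
        uses: actions/cache@v2
        with:
          key: sbt_cache
          path: ~/.cache/coursier/v1/

      # Why do we do this here instead of in the docker image?
      # It's because github package repository needs auth
      # And we DO NOT want that auth inside the docker image
      #
      # The token is exposed only to this step through `env`; the resolved
      # artifacts are then copied into the working tree for the image build.
      - name: Download dependencies
        if: steps.changed_files.outputs.dependencies == 'true' || steps.changed_files.outputs.base == 'true'
        run: |
          mv build.sbt build-real-sbt
          mv build-dependencies build.sbt
          sbt compile
          cp -r ~/.cache/coursier/v1/ ./coursier_cache
          mv build.sbt build-dependencies
          mv build-real-sbt build.sbt
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Remember not to push
      #
      # NOTE(review): the previous step copies the cache to ./coursier_cache,
      # but the cleanup here removes ./github_packages. Confirm which directory
      # is meant; as written ./coursier_cache stays in the working tree and is
      # part of the build context of the "Build container" step.
      - name: Build dependencies image
        if: steps.changed_files.outputs.dependencies == 'true' || steps.changed_files.outputs.base == 'true'
        run: |
          docker build . -f Dockerfile_builder -t lkjaero/foreign-language-reader-api:builder
          rm -rf ./github_packages

      - name: Build container
        run: docker build . -t api

      # Scans the image built in the previous step.
      - name: Enforce security rules
        uses: anchore/scan-action@v3
        id: scan
        with:
          image: "api:latest"
          acs-report-enable: true

      # always() keeps the upload running when the scan step fails the job, so
      # findings still reach code scanning.
      # NOTE(review): on pull requests from forks the job token is read-only,
      # so this upload is expected to fail there; it also has no SARIF path to
      # upload if an earlier step failed before the scan ran.
      - name: Upload scan report
        if: ${{ always() }}
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}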