chore: fixed copy of jar file #115
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and deploy | |
| on: | |
| push: | |
| jobs: | |
| analyze: | |
| name: Analyze | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ 'kotlin' ] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| - name: Set up Java 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21' | |
| cache: 'gradle' | |
| - name: Build gradle artifacts | |
| run: | | |
| ./gradlew clean build --no-build-cache -x test | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{ matrix.language }}" | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - uses: actions/setup-java@v4 | |
| id: setup-java | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21' | |
| cache: 'gradle' | |
| - run: ./gradlew test | |
| build-push: | |
| if: github.actor != 'dependabot[bot]' | |
| name: Build and push | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Java 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21' | |
| cache: 'gradle' | |
| - name: build artifact | |
| run: ./gradlew bootJar | |
| - name: Push docker image to GAR | |
| uses: nais/docker-build-push@v0 | |
| id: docker-build-push | |
| env: | |
| ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| team: tsm | |
| identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} | |
| project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} | |
| outputs: | |
| image: "${{ steps.docker-build-push.outputs.image }}" | |
| trivy-docker: | |
| if: github.actor != 'dependabot[bot]' | |
| permissions: | |
| contents: "write" | |
| id-token: "write" | |
| security-events: "write" | |
| name: Trivy docker | |
| runs-on: ubuntu-latest | |
| needs: [ build-push ] | |
| steps: | |
| - run: touch me | |
| - uses: nais/login@v0 | |
| with: | |
| project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} | |
| identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} | |
| team: tsm | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| env: | |
| TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db" | |
| TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db" | |
| with: | |
| image-ref: ${{ needs.build-push.outputs.image }} | |
| ignore-unfixed: true | |
| vuln-type: 'os' | |
| severity: 'CRITICAL,HIGH' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| scanners: 'vuln' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| dependabot-build: | |
| if: github.actor == 'dependabot[bot]' | |
| name: Build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Java 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21' | |
| cache: 'gradle' | |
| - name: build artifact | |
| run: ./gradlew bootJar | |
| deploy-dev: | |
| if: github.actor != 'dependabot[bot]' | |
| name: Deploy to dev | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| needs: [ test, build-push ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Deploy to NAIS | |
| uses: nais/deploy/actions/deploy@v2 | |
| env: | |
| CLUSTER: dev-gcp | |
| RESOURCE: .nais/nais-dev.yaml | |
| VAR: image=${{ needs.build-push.outputs.image }} | |
| deploy-prod: | |
| if: github.ref_name == 'main' | |
| name: Deploy to prod | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| needs: [ test, build-push, deploy-dev ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Deploy to NAIS | |
| uses: nais/deploy/actions/deploy@v2 | |
| env: | |
| CLUSTER: prod-gcp | |
| RESOURCE: .nais/nais-prod.yaml | |
| VAR: image=${{ needs.build-push.outputs.image }} |