Merge pull request #6 from navikt/dependabot/docker/distroless/java21… #6
name: Build and deploy | |
on: | |
push: | |
jobs: | |
analyze: | |
name: Analyze | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Set up Java 21 | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '21' | |
cache: 'gradle' | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: kotlin | |
- name: Build gradle artifacts | |
run: | | |
./gradlew bootJar -x test | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
with: | |
category: "/language:${{matrix.language}}" | |
test: | |
name: Test | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- uses: actions/setup-java@v4 | |
id: setup-java | |
with: | |
distribution: 'temurin' | |
java-version: '21' | |
cache: 'gradle' | |
- run: ./gradlew test | |
build-push: | |
if: github.actor != 'dependabot[bot]' | |
name: Build and push | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Set up Java 21 | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '21' | |
cache: 'gradle' | |
- name: build artifact | |
run: ./gradlew bootJar | |
- name: Push docker image to GAR | |
uses: nais/docker-build-push@v0 | |
id: docker-build-push | |
env: | |
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
team: tsm | |
identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} | |
project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} | |
outputs: | |
image: "${{ steps.docker-build-push.outputs.image }}" | |
trivy-docker: | |
if: github.actor != 'dependabot[bot]' | |
permissions: | |
contents: "write" | |
id-token: "write" | |
security-events: "write" | |
name: Trivy docker | |
runs-on: ubuntu-latest | |
needs: [ build-push ] | |
steps: | |
- run: touch me | |
- uses: nais/login@v0 | |
with: | |
project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} | |
identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} | |
team: tsm | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
env: | |
TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db" | |
TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db" | |
with: | |
image-ref: ${{ needs.build-push.outputs.image }} | |
ignore-unfixed: true | |
vuln-type: 'os' | |
severity: 'CRITICAL,HIGH' | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
scanners: 'vuln' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: always() | |
with: | |
sarif_file: 'trivy-results.sarif' | |
dependabot-build: | |
if: github.actor == 'dependabot[bot]' | |
name: Build | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Set up Java 21 | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '21' | |
cache: 'gradle' | |
- name: build artifact | |
run: ./gradlew bootJar | |
deploy-dev: | |
if: github.actor != 'dependabot[bot]' | |
name: Deploy to dev | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
needs: [ test, build-push ] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Deploy to NAIS | |
uses: nais/deploy/actions/deploy@v2 | |
env: | |
CLUSTER: dev-gcp | |
RESOURCE: .nais/nais-dev.yaml | |
VAR: image=${{ needs.build-push.outputs.image }} | |
deploy-prod: | |
if: github.ref_name == 'main' | |
name: Deploy to prod | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
needs: [ test, build-push, deploy-dev ] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Deploy to NAIS | |
uses: nais/deploy/actions/deploy@v2 | |
env: | |
CLUSTER: prod-gcp | |
RESOURCE: .nais/nais-prod.yaml | |
VAR: image=${{ needs.build-push.outputs.image }} |
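Review bot: The `category: "/language:${{matrix.language}}"` on the "Perform CodeQL Analysis" step in the analyze job references a `matrix` that job never declares, so the expression expands to `/language:` and the uploaded SARIF category carries no language; since the init step hard-codes `languages: kotlin`, the line should read `category: "/language:kotlin"`. The first step of trivy-docker, `- run: touch me`, creates an unused file and reads like a leftover from debugging, so it can be dropped. trivy-docker also grants `contents: "write"` while its steps only log in, scan and upload a SARIF file, and every other job in the workflow gets by with `contents: read`; unless the upload step has been shown to need more, reducing it to `contents: read` keeps the job at the same privilege level as its siblings. The third-party actions (`actions/checkout@v4`, `nais/docker-build-push@v0`, `nais/login@v0`, `nais/deploy/actions/deploy@v2` and the CodeQL actions) are referenced by floating major tags, which resolve to whatever commit the tag points at on each run; pinning them to full commit SHAs with the tag in a trailing comment would make the job's inputs reproducible and auditable.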