Skip to content

Merge pull request #1206 from NASA-AMMOS/1113-add-operation-to-check-… #734

Merge pull request #1206 from NASA-AMMOS/1113-add-operation-to-check-…

Merge pull request #1206 from NASA-AMMOS/1113-add-operation-to-check-… #734

Workflow file for this run

name: Publish
on:
push:
branches:
- develop
tags:
- v*
env:
REGISTRY: ghcr.io
OWNER: nasa-ammos
IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/v') }}
jobs:
init:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v3
- uses: gradle/wrapper-validation-action@v1
- uses: gradle/gradle-build-action@v2
with:
generate-job-summary: false
- name: Gradle Version
run: ./gradlew --version
containers:
runs-on: ubuntu-latest
needs: init
permissions:
contents: read
packages: write
strategy:
matrix:
components:
- image: aerie-merlin
context: merlin-server
file: merlin-server/Dockerfile
- image: aerie-merlin-worker
context: merlin-worker
file: merlin-worker/Dockerfile
- image: aerie-scheduler
context: scheduler-server
file: scheduler-server/Dockerfile
- image: aerie-scheduler-worker
context: scheduler-worker
file: scheduler-worker/Dockerfile
- image: aerie-sequencing
context: sequencing-server
file: sequencing-server/Dockerfile
- image: aerie-hasura
context: .
file: docker/Dockerfile.hasura
- image: aerie-postgres
context: .
file: docker/Dockerfile.postgres
name: ${{ matrix.components.image }}
steps:
- uses: actions/checkout@v3
- uses: actions/setup-java@v3
with:
distribution: "temurin"
java-version: "19"
- name: Init Gradle cache
uses: gradle/gradle-build-action@v2
with:
generate-job-summary: false
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: linux/amd64,linux/arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to ${{ env.REGISTRY }}
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Extract metadata (tags, labels) for ${{ matrix.components.image }}
id: metadata-step
uses: docker/metadata-action@v4
with:
images: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ matrix.components.image }}
- name: Assemble ${{ matrix.components.context }}
env:
component: ${{ matrix.components.context }}
run: |
set -x
if [[ "$component" == "." ]]; then
# aerie-hasura and aerie-postgres don't need compiled java
./gradlew distributeSql --no-daemon
else
./gradlew ":$component:assemble" --no-daemon --parallel
fi
- name: Build and push ${{ matrix.components.image }}
uses: docker/build-push-action@v3
with:
context: ${{ matrix.components.context }}
file: ${{ matrix.components.file }}
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.metadata-step.outputs.tags }}
labels: ${{ steps.metadata-step.outputs.labels }}
scan:
runs-on: ubuntu-latest
needs: containers
strategy:
matrix:
image:
- aerie-merlin
- aerie-merlin-worker
- aerie-scheduler
- aerie-scheduler-worker
- aerie-sequencing
- aerie-hasura
- aerie-postgres
fail-fast: false
name: scan ${{ matrix.image }}
steps:
- name: Scan ${{ matrix.image }} for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ matrix.image }}:develop
ignore-unfixed: true
exit-code: '1'
severity: 'CRITICAL'
format: 'template'
template: "@/contrib/html.tpl"
scanners: "vuln"
output: '${{ matrix.image }}-results.html'
- name: Upload ${{ matrix.image }} scan results
if: always()
uses: actions/upload-artifact@v3
with:
name: Vuln Scan Results
path: '${{ matrix.image }}-results.html'
publish:
name: gradle publish
runs-on: ubuntu-latest
needs: init
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v3
- name: Gradle Cache
uses: gradle/gradle-build-action@v2
with:
generate-job-summary: false
- name: Publish Package
run: ./gradlew publish -Pversion.isRelease=$IS_RELEASE --parallel
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Create deployment archive
run: ./gradlew archiveDeployment
- name: Publish deployment
uses: actions/upload-artifact@v3
with:
name: Deployment
path: deployment.tar