Add workflow to build and publish a Docker container

.github/workflows/maven.yml → .github/workflows/build.yml

@@ -1,8 +1,7 @@
 # This workflow will build a Java project with Maven
 # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
 
-name: CI Github
-
+name: Build
 on:
   push:
     branches: [ main ]
@@ -11,9 +10,7 @@ on:
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v3
     - name: Set up JDK 1.8
@@ -41,9 +38,7 @@ jobs:
       uses: codecov/[email protected]
 
   client:
-
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v2

.github/workflows/release.yml

@@ -0,0 +1,156 @@
+# yamllint disable rule:line-length
+---
+name: Release
+
+on:
+  push:
+    tags:
+      - "*"
+  workflow_dispatch:
+
+jobs:
+  build:
+    permissions:
+      packages: write
+      contents: write
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.versioncheck.outputs.version }}
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 1.8
+        uses: actions/setup-java@v4
+        with:
+          java-version: 8
+          distribution: "temurin"
+
+      - name: Determine the version
+        run: echo "version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)" >> $GITHUB_OUTPUT
+        id: versioncheck
+
+      - name: Exit when workflow_dispatch is triggered, and the version does not contain SNAPSHOT in it's name
+        run: |
+          echo "Only SNAPSHOT releases can be triggered with the workflow_dispatch"
+          exit 1
+        if: github.event_name == 'workflow_dispatch' && ( !endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT'))
+
+      - name: Exit when a production build is triggered, and the github tag is not the same as the version in pom.xml
+        run: |
+          echo echo "Project version ${{ steps.versioncheck.outputs.version }} does not match git tag ${{ github.ref_name }}"
+          exit 1
+        if: github.event_name != 'workflow_dispatch' && steps.versioncheck.outputs.version != github.ref_name
+
+      - name: Set up JDK 1.8 for snapshots
+        uses: actions/setup-java@v4
+        with:
+          java-version: 8
+          distribution: "temurin"
+          cache: "maven"
+          server-id: openconext-snapshots
+          server-username: MAVEN_USERNAME
+          server-password: MAVEN_PASSWORD
+        if: ( endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT'))
+
+      - name: Set up JDK 1.8
+        uses: actions/setup-java@v4
+        with:
+          java-version: 8
+          distribution: "temurin"
+          cache: "maven"
+          server-id: openconext-releases
+          server-username: MAVEN_USERNAME
+          server-password: MAVEN_PASSWORD
+        if: ${{!( endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) }}
+
+      - name: install node
+        uses: dcodeIO/setup-node-nvm@master
+        with:
+          node-version: 14
+
+      - name: Deploy with Maven
+        run: mvn --batch-mode deploy -DskipTests
+        env:
+          MAVEN_USERNAME: ${{ secrets.BUILD_USERNAME }}
+          MAVEN_PASSWORD: ${{ secrets.BUILD_PASSWORD }}
+
+      - name: Upload the produced artefacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: brokerbuilds
+          path: |
+            client/public/
+            server/target/*.jar
+          retention-days: 1
+
+      - name: Codecov
+        uses: codecov/[email protected]
+
+      - name: Create release
+        uses: actions/create-release@v1
+        id: create_release
+        with:
+          draft: false
+          prerelease: true
+          release_name: Release ${{ github.ref_name }}
+          tag_name: ${{ github.ref_name }}
+          body: |
+            ${{ steps.changelog.outputs.changelog }}
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        if: github.event_name != 'workflow_dispatch'
+
+  dockerbuild:
+    permissions: write-all
+    runs-on: ubuntu-latest
+    needs: build
+    strategy:
+      matrix:
+        include:
+          - image: ghcr.io/SURFnet/student-mobility-broker/brokerclient
+            app: client
+          - image: ghcr.io/SURFnet/student-mobility-broker/brokerserver
+            app: server
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download the previous produced artefacts
+        uses: actions/download-artifact@v4
+        with:
+          name: brokerbuilds
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set docker labels and tags
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ matrix.image }}
+          flavor: |
+            latest=false
+          tags: |
+            type=ref,event=tag
+            type=raw,event=tag,value=latest
+            type=raw,event=workflow_dispatch,value=snapshot
+            type=semver,pattern={{version}},value=${{ needs.build.outputs.version }}
+            type=sha
+
+      - name: Build and push the ${{ matrix.app }} image
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ matrix.app }}
+          file: ${{ matrix.app }}/docker/Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

README.md

@@ -1,5 +1,5 @@
 # student-mobility-broker
-[![Build Status](https://github.com/SURFnet/student-mobility-broker/actions/workflows/maven.yml/badge.svg)](https://github.com/SURFnet/student-mobility-broker/actions/workflows/maven.yml/badge.svg)
+[![Build](https://github.com/SURFnet/student-mobility-broker/actions/workflows/build.yml/badge.svg)](https://github.com/SURFnet/student-mobility-broker/actions/workflows/build.yml)
 [![codecov](https://codecov.io/gh/SURFnet/student-mobility-broker/branch/master/graph/badge.svg)](https://codecov.io/gh/SURFnet/student-mobility-broker)
 
 Broker for educational cross-institution registrations.

client/docker/Dockerfile

@@ -0,0 +1,4 @@
+FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest
+ADD ./public/ /var/www/
+RUN rm -rf /etc/apache2/sites-enabled/*.conf
+COPY ./docker/appconf.conf /etc/apache2/sites-enabled/

client/docker/appconf.conf

@@ -0,0 +1,60 @@
+ServerName client
+RewriteEngine On
+RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
+RewriteCond %{REQUEST_URI} !\.svg$
+RewriteCond %{REQUEST_URI} !\.png$
+RewriteCond %{REQUEST_URI} !\.ico$
+RewriteCond %{REQUEST_URI} !\.woff$
+RewriteCond %{REQUEST_URI} !\.woff2$
+RewriteCond %{REQUEST_URI} !\.ttf$
+RewriteCond %{REQUEST_URI} !\.wav$
+RewriteCond %{REQUEST_URI} !\.eot$
+RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
+RewriteCond %{REQUEST_URI} !^/api/
+RewriteCond %{REQUEST_URI} !^/login/
+RewriteCond %{REQUEST_URI} !^/oauth2/
+RewriteCond %{REQUEST_URI} !^/ui/
+RewriteCond %{REQUEST_URI} !^/internal/
+RewriteCond %{REQUEST_URI} !^/deprovision/
+RewriteCond %{REQUEST_URI} !^/fonts/
+RewriteRule (.*) /index.html [L]
+ProxyPass /api http://brokerserver:8080/api retry=0
+ProxyPassReverse /api http://brokerserver:8080/api
+ProxyPassMatch ^/oauth2(.*)$ http://brokerserver:8080
+ProxyPassReverse /oauth2 http://brokerserver:8080/oauth2
+ProxyPassMatch ^/internal(.*)$ http://brokerserver:8080
+ProxyPassReverse /internal http://brokerserver:8080/internal
+ProxyPassMatch ^/login(.*)$ http://brokerserver:8080
+ProxyPassReverse /login http://brokerserver:8080/login
+ProxyPassMatch ^/ui(.*)$ http://brokerserver:8080
+ProxyPassReverse /ui http://brokerserver:8080/ui
+ProxyPass /deprovision http://brokerserver:8080/api
+ProxyPassReverse /deprovision http://brokerserver:8080/api
+
+DocumentRoot /var/www/
+
+<Location "/api">
+    ProxyPreserveHost On
+</Location>
+<Location "/oauth2">
+    ProxyPreserveHost On
+</Location>
+<Location "/internal">
+    ProxyPreserveHost On
+</Location>
+<Location "/login">
+    ProxyPreserveHost On
+</Location>
+<Directory /var/www>
+  Require all granted
+  Options -Indexes
+</Directory>
+
+<FilesMatch "\.html$">
+Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
+Header set Expires "Sun, 8 Jun 1986 08:06:00 GMT"
+</FilesMatch>
+
+Header always set X-Frame-Options "DENY"
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+Header always set X-Content-Type-Options "nosniff"

client/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.surfnet</groupId>
         <artifactId>student-mobility-broker</artifactId>
-        <version>0.2.11</version>
+        <version>0.2.12</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

client/yarn.lock

@@ -2204,9 +2204,9 @@ camelcase@^5.0.0, camelcase@^5.3.1:
   integrity sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==
 
 caniuse-lite@^1.0.30001400:
-  version "1.0.30001436"
-  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001436.tgz#22d7cbdbbbb60cdc4ca1030ccd6dea9f5de4848b"
-  integrity sha512-ZmWkKsnC2ifEPoWUvSAIGyOYwT+keAaaWPHiQ9DfMqS1t6tfuyFYoWR78TeZtznkEQ64+vGXH9cZrElwR2Mrxg==
+  version "1.0.30001599"
+  resolved "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001599.tgz"
+  integrity sha512-LRAQHZ4yT1+f9LemSMeqdMpMxZcc4RMWdj4tiFe3G8tNkWK+E58g+/tzotb5cU6TbcVJLr4fySiAW7XmxQvZQA==
 
 capture-exit@^2.0.0:
   version "2.0.0"

pom.xml

@@ -5,7 +5,7 @@
 
     <groupId>org.surfnet</groupId>
     <artifactId>student-mobility-broker</artifactId>
-    <version>0.2.11</version>
+    <version>0.2.12</version>
     <name>student-mobility-broker</name>
     <description>student-mobility-broker-app</description>
     <packaging>pom</packaging>

server/docker/Dockerfile

@@ -0,0 +1,3 @@
+FROM eclipse-temurin:8-jdk-alpine
+COPY target/*.jar app.jar
+ENTRYPOINT ["java","-jar","/app.jar"]

server/docker/application.yml

@@ -0,0 +1,100 @@
+logging:
+  level:
+    root: WARN
+    broker: DEBUG
+    org.springframework: WARN
+    org.springframework.security: WARN
+
+server:
+  port: 8091
+  error:
+    path: "/error"
+    include-message: always
+  servlet:
+    session:
+      cookie:
+        secure: false
+      timeout: 3d
+
+spring:
+  main:
+    banner-mode: off
+  jackson:
+    default-property-inclusion: non_null
+  session:
+    jdbc:
+      initialize-schema: always
+    store-type: jdbc
+
+# If enabled there must be a database according to the datasource properties below
+database-session-enabled: true
+
+datasource:
+  driver-class-name: com.mysql.cj.jdbc.Driver
+  url: jdbc:mysql://localhost/student_mobility
+  username: student_mobility
+  password: secret
+
+config:
+  # Endpoint called by catalog. For testing purposes the client can call it as well
+  start_broker_endpoint: http://localhost:8091/api/broker
+  # Set to False in every non-local environment
+  local: True
+  # Do we allow to mock the different scenario's - only allow on test
+  allow_playground: True
+  # Default home institution if playground is enabled
+  play_home_institution_schacHome: "utrecht.nl"
+  # Default guest institution if playground is enabled
+  play_guest_institution_schacHome: "wageningen.nl"
+  # Default offeringId if playground is enabled
+  play_offering_id: "6259518E-EF2A-4203-83C2-757E4FEACEDD"
+  # The basic authn to mimic the SIS that reports back results - only configure with values on test
+  sis_user: sis
+  sis_password: secret
+  sis_results_endpoint: http://localhost:8092/api/play-results
+  broker_client_url: http://localhost:3003
+  catalog_url: http://educhange.nl/
+  connection_timeout_millis: 20_000
+  oauth2:
+    token_endpoint: http://localhost:8081/oidc/token
+    client_id: student.mobility.broker.local
+    secret: secret
+  edu_hub:
+    gateway_url: http://localhost:8081
+    user: eduhub
+    password: secret
+  queueit:
+    url: "https://edubrokersurf.queue-it.net"
+    customer_id: "edubrokersurf"
+    redirect_uri: "http://localhost:8091/api/queue/redirect"
+
+
+service_registry:
+  path: classpath:/service-registry.yml
+
+management:
+  endpoints:
+    enabled-by-default: false
+    web:
+      exposure:
+        include:
+          - health
+          - info
+      base-path: "/internal"
+  endpoint:
+    health:
+      enabled: true
+      show-details: when_authorized
+    info:
+      enabled: true
+  info:
+    git:
+      mode: full
+    defaults:
+      enabled: true
+
+# used by the git plugin
+info:
+  build:
+    artifact: "@project.artifactId@"
+    version: "@project.version@"