Skip to content

Improve CVE context (#55) #184

Improve CVE context (#55)

Improve CVE context (#55) #184

Workflow file for this run

name: Java CI with Gradle
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
workflow_dispatch:
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
# This is required for requesting the JWT
id-token: write
# Push container images
packages: write
# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
concurrency:
group: "pages"
cancel-in-progress: false
jobs:
build:
runs-on: ubuntu-24.04
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- name: Set up JDK 21
uses: actions/setup-java@v4
with:
java-version: '21'
distribution: 'sapmachine'
# Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies.
# See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
- name: Setup Gradle
uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4
- name: Build with Gradle Wrapper
run: ./gradlew --no-daemon build asciidoctor
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: build-artifacts
path: 'build'
container-image:
runs-on: ubuntu-24.04
needs:
- build
env:
IMAGE_NAME: gardenlinux/glvd-api
IMAGE_TAG: latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
- run: mkdir -p build
- name: Download built jar
uses: actions/download-artifact@v4
with:
name: build-artifacts
path: build
- name: Install qemu dependency for multi-arch build
run: |
sudo apt-get update
sudo apt-get install -y qemu-user-static
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.IMAGE_NAME }}
tags: ${{ env.IMAGE_TAG }}
platforms: linux/amd64, linux/arm64
containerfiles: |
./Containerfile
- name: Echo Outputs
run: |
echo "Image: ${{ steps.build_image.outputs.image }}"
echo "Tags: ${{ steps.build_image.outputs.tags }}"
echo "Tagged Image: ${{ steps.build_image.outputs.image-with-tag }}"
- name: Check images created
run: buildah images | grep '${{ env.IMAGE_NAME }}'
- name: Check manifest
run: |
set -x
buildah manifest inspect ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}
- name: Push To ghcr.io
id: push-to-ghcr
if: ${{ github.event_name != 'pull_request' }}
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.build_image.outputs.tags }}
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Log in to ghcr.io
uses: redhat-actions/podman-login@v1
with:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
- name: Build bare images
if: ${{ github.event_name != 'pull_request' }}
id: bare
run: |
./build_bare.sh
podman push --digestfile=bare-amd64-digest ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare
podman push ghcr.io/gardenlinux/glvd-api:latest-linuxarm64_bare
echo "bare-amd64-digest=$(cat ./bare-amd64-digest)" >> $GITHUB_OUTPUT
- name: Print image url
if: ${{ github.event_name != 'pull_request' }}
run: echo "Image pushed to ${{ steps.push-to-ghcr.outputs.registry-paths }}"
- name: Print digest
if: ${{ github.event_name != 'pull_request' }}
run: echo "Image pushed to ${{ steps.push-to-ghcr.outputs.digest }}"
- name: Get OIDC token
if: ${{ github.event_name != 'pull_request' }}
id: get-token
run: |
IDTOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=glvd" | jq -r '.value')
echo "idToken=${IDTOKEN}" >> $GITHUB_OUTPUT
- uses: azure/k8s-set-context@v4
if: ${{ github.event_name != 'pull_request' }}
with:
method: kubeconfig
kubeconfig: "${{ secrets.KUBECONFIG }}"
- name: Deploy the image
if: ${{ github.event_name != 'pull_request' }}
run: kubectl --namespace default --token "${{ steps.get-token.outputs.idToken }}" set image deploy/glvd glvd-api=ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare@${{ steps.bare.outputs.bare-amd64-digest }}
dependency-submission:
runs-on: ubuntu-24.04
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- name: Set up JDK 21
uses: actions/setup-java@v4
with:
java-version: '21'
distribution: 'sapmachine'
# Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
# See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
- name: Generate and submit dependency graph
uses: gradle/actions/dependency-submission@d156388eb19639ec20ade50009f3d199ce1e2808 # v4
deploy-pages:
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-24.04
needs:
- build
if: github.ref == 'refs/heads/main'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Pages
uses: actions/configure-pages@v5
- uses: actions/download-artifact@v4
with:
name: build-artifacts
- name: Upload artifact
uses: actions/upload-pages-artifact@v3
with:
path: 'docs/asciidoc'
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4