Merge pull request #501 from medizininformatik-initiative/renovate/pr… #1456
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| push: | |
| tags: [ "v*.*.*" ] | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| merge_group: | |
| jobs: | |
| test: | |
| env: | |
| MAVEN_ARGS: -B -T1C -Dfts.retryTimeout=false | |
| GITHUB_TOKEN: ${{ github.token }} | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| max-parallel: 6 | |
| matrix: | |
| agent: | |
| - clinical-domain-agent | |
| - trust-center-agent | |
| - research-domain-agent | |
| auth: | |
| - none | |
| - basic | |
| - cert | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| cache: 'maven' | |
| - name: Run Tests | |
| run: mvn ${MAVEN_ARGS} verify --also-make --projects ${{ matrix.agent }} -Dspring.profiles.active=auth:${{ matrix.auth }} | |
| - name: Generate Code Coverage Report | |
| run: mvn ${MAVEN_ARGS} jacoco:report-aggregate@report | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| fail_ci_if_error: true | |
| build-jar: | |
| needs: [ test ] | |
| env: | |
| MAVEN_ARGS: -B -T1C -Dfts.retryTimeout=false | |
| GITHUB_TOKEN: ${{ github.token }} | |
| COMMIT_TAG: ${{ github.ref_type == 'tag' && github.ref_name || '' }} | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: | |
| - clinical-domain-agent | |
| - trust-center-agent | |
| - research-domain-agent | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| cache: 'maven' | |
| - name: Build Agent | |
| run: mvn ${MAVEN_ARGS} -DskipTests package ${COMMIT_TAG:+-Drevision=${COMMIT_TAG#v}} | |
| - name: Upload Jar | |
| uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4 | |
| with: | |
| name: ${{ matrix.agent }} | |
| path: ${{ matrix.agent }}/target/${{ matrix.agent }}.jar | |
| if-no-files-found: error | |
| build-image: | |
| needs: [ build-jar ] | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: | |
| - clinical-domain-agent | |
| - trust-center-agent | |
| - research-domain-agent | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Download Agent Jar | |
| if: ${{ matrix.agent }} | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| with: | |
| name: ${{ matrix.agent }} | |
| path: ${{ matrix.agent }}/target | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3 | |
| - name: Build and Save Container Image | |
| uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6 | |
| with: | |
| context: ${{ matrix.agent }} | |
| tags: ghcr.io/${{ github.repository_owner }}/fts/${{ matrix.agent }}:local | |
| outputs: type=docker,dest=/tmp/${{ matrix.agent }}.tar | |
| - name: Upload Container Image | |
| uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4 | |
| with: | |
| name: ${{ matrix.agent }}-image | |
| path: /tmp/${{ matrix.agent }}.tar | |
| if-no-files-found: error | |
| scan-image: | |
| needs: [ build-image ] | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: | |
| - clinical-domain-agent | |
| - trust-center-agent | |
| - research-domain-agent | |
| steps: | |
| - name: Download Container Image | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| with: | |
| name: ${{ matrix.agent }}-image | |
| path: /tmp | |
| - name: Load Container Image | |
| run: docker load --input /tmp/${{ matrix.agent }}.tar | |
| - name: Run Trivy Vulnerability Scanner | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 | |
| with: | |
| image-ref: ghcr.io/${{ github.repository_owner }}/fts/${{ matrix.agent }}:local | |
| format: sarif | |
| output: trivy-results.sarif | |
| severity: 'CRITICAL,HIGH' | |
| timeout: '15m0s' | |
| env: | |
| TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2 | |
| TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1 | |
| - name: Upload Trivy Scan Results to GitHub Security Tab | |
| uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| e2e-tests: | |
| needs: [ build-image ] | |
| runs-on: ubuntu-24.04 | |
| defaults: | |
| run: | |
| working-directory: .github/test | |
| env: | |
| TEST_SET_SIZE: 100 | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Download Agent Images | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| with: | |
| pattern: '*-image' | |
| merge-multiple: true | |
| path: /tmp | |
| - name: Load Agent Images | |
| run: | | |
| echo -n "clinical-domain-agent trust-center-agent research-domain-agent" \ | |
| | xargs -d' ' -I{} docker load --input /tmp/{}.tar | |
| - name: Pull Container Images | |
| run: make pull | |
| - name: Configure PATH | |
| run: echo "${GITHUB_WORKSPACE}/.github/scripts" >> ${GITHUB_PATH} | |
| - name: Install Blazectl | |
| run: install-blazectl.sh | |
| - name: Start Test Environment | |
| run: make start | |
| - name: Cache Test Data | |
| id: cache-test-data | |
| uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4 | |
| with: | |
| path: .github/test/test-data | |
| key: test-data-${{ env.TEST_SET_SIZE }} | |
| - name: Download Test Data | |
| if: steps.cache-test-data.outputs.cache-hit != 'true' | |
| run: make download | |
| - name: Upload Test Data | |
| run: make upload | |
| - name: Check Consent | |
| run: make check-consent | |
| - name: Run e2e for all Consented Patients | |
| run: | | |
| make transfer-all wait | |
| make check-status check-resources | |
| - name: Clean RD HDS and gPAS DB | |
| run: make clean-rd-hds-and-gpas-db | |
| - name: Run e2e for Selected Patients | |
| run: | | |
| make transfer-list wait | |
| make check-status check-resources | |
| - name: Collect Agent Logs | |
| if: failure() || cancelled() | |
| run: docker compose logs cd-agent tc-agent rd-agent | |
| - name: Collect MOSAIC Logs | |
| if: failure() || cancelled() | |
| run: docker compose logs gics gpas | |
| - name: Collect HDS Logs | |
| if: failure() || cancelled() | |
| run: docker compose logs cd-hds rd-hds | |
| - name: Collect DB Logs | |
| if: failure() || cancelled() | |
| run: docker compose logs gics-db gpas-db keystore | |
| push-image: | |
| if: github.event_name != 'pull_request' || (github.event.pull_request.base.repo.full_name == github.event.pull_request.head.repo.full_name) | |
| needs: | |
| - scan-image | |
| - e2e-tests | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| packages: write | |
| strategy: | |
| matrix: | |
| agent: | |
| - clinical-domain-agent | |
| - trust-center-agent | |
| - research-domain-agent | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Download Agent Jar | |
| if: ${{ matrix.agent }} | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| with: | |
| name: ${{ matrix.agent }} | |
| path: ${{ matrix.agent }}/target | |
| - name: Download Container Image | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| with: | |
| name: ${{ matrix.agent }}-image | |
| path: /tmp | |
| - name: Load Container Image | |
| run: docker load --input /tmp/${{ matrix.agent }}.tar | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3 | |
| - name: Login to GHCR | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate Container Image Metadata | |
| id: meta | |
| uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5 | |
| with: | |
| images: | | |
| ghcr.io/${{ github.repository_owner }}/fts/${{ matrix.agent }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Build and Push Container Image | |
| uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6 | |
| with: | |
| context: ${{ matrix.agent }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| create-release: | |
| needs: push-image | |
| runs-on: ubuntu-24.04 | |
| defaults: | |
| run: | |
| working-directory: .github/release | |
| permissions: | |
| contents: write | |
| actions: write | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Create Release Archives | |
| env: | |
| COMMIT_TAG: ${{ github.ref_type == 'tag' && github.ref_name || 'latest' }} | |
| run: make cd-agent tc-agent rd-agent | |
| - name: Upload Archives | |
| uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4 | |
| with: | |
| path: | | |
| .github/release/cd-agent.tar.gz | |
| .github/release/tc-agent.tar.gz | |
| .github/release/rd-agent.tar.gz | |
| if-no-files-found: error | |
| - name: Recognize Prerelease | |
| env: | |
| GITHUB_REF: ${{ github.ref_name }} | |
| # In SemVer 2.0, a prerelease version is always indicated by the presence of a hyphen | |
| run: | | |
| if [[ "${GITHUB_REF}" == *-* ]]; then | |
| echo "is_prerelease=true" >>$GITHUB_ENV | |
| fi | |
| - name: Release | |
| if: github.ref_type == 'tag' | |
| uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2 | |
| with: | |
| files: | | |
| .github/release/cd-agent.tar.gz | |
| .github/release/tc-agent.tar.gz | |
| .github/release/rd-agent.tar.gz | |
| draft: false | |
| prerelease: ${{ env.is_prerelease }} | |
| generate_release_notes: false | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Trigger Pages Build | |
| if: github.ref_type == 'tag' | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh workflow run Pages --ref main --repo ${{ github.repository }} |