Build Container Image in CI Pipeline #57
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| push: | |
| tags: [ "v*.*.*" ] | |
| branches: [ "main", "incubate" ] | |
| pull_request: | |
| branches: [ "main", "incubate" ] | |
| env: | |
| MAVEN_ARGS: -B -T1C -Dmockserver.logLevel=WARN | |
| jobs: | |
| analyze: | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| permissions: | |
| security-events: write | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| cache: 'maven' | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: java | |
| queries: security-and-quality | |
| - name: Build | |
| run: make build | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| build-jar: | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: | |
| - clinical-domain-agent | |
| - trust-center-agent | |
| - research-domain-agent | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| cache: 'maven' | |
| - name: Build Dependencies | |
| run: make install-dependencies | |
| - name: Unit Tests | |
| run: mvn ${MAVEN_ARGS} test --projects ${{ matrix.agent }} | |
| - name: Integration Tests | |
| run: mvn ${MAVEN_ARGS} verify --projects ${{ matrix.agent }} -DskipUnitTests | |
| - name: Build Agent | |
| run: mvn ${MAVEN_ARGS} install --projects ${{ matrix.agent }} -DskipTests | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| fail_ci_if_error: true | |
| - name: Upload Jar | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.agent }} | |
| path: ${{ matrix.agent }}/target/${{ matrix.agent }}.jar | |
| if-no-files-found: error | |
| build-image: | |
| needs: [ build-jar ] | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: | |
| - clinical-domain-agent | |
| - trust-center-agent | |
| - research-domain-agent | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download Agent Jar | |
| if: ${{ matrix.agent }} | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ matrix.agent }} | |
| path: ${{ matrix.agent }}/target | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and Save Container Image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: ${{ matrix.agent }} | |
| tags: ${{ matrix.agent }}:latest | |
| outputs: type=docker,dest=/tmp/${{ matrix.agent }}.tar | |
| - name: Upload Container Image | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.agent }}-image | |
| path: /tmp/${{ matrix.agent }}.tar | |
| if-no-files-found: error | |
| scan-image: | |
| needs: [ build-image ] | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: | |
| - clinical-domain-agent | |
| - trust-center-agent | |
| - research-domain-agent | |
| steps: | |
| - name: Download Container Image | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ matrix.agent }}-image | |
| path: /tmp | |
| - name: Load Container Image | |
| run: docker load --input /tmp/${{ matrix.agent }}.tar | |
| - name: Run Trivy Vulnerability Scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: ${{ matrix.agent }}:latest | |
| format: sarif | |
| output: trivy-results.sarif | |
| severity: 'CRITICAL,HIGH' | |
| timeout: '15m0s' | |
| - name: Upload Trivy Scan Results to GitHub Security Tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| e2e-tests: | |
| needs: [ build-image ] | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Download Container Image | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: '*-image' | |
| merge-multiple: true | |
| path: /tmp | |
| - name: Login to SMITH Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: creg.smith.care | |
| username: ${{ secrets.smith_creg_username }} | |
| password: ${{ secrets.smith_creg_password }} | |
| - name: Load Container Image | |
| run: | | |
| echo "clinical-domain-agent trust-center-agent research-domain-agent" | |
| | xargs -n1 docker load --input /tmp/ | |
| - name: Start Test Environment | |
| run: docker compose -f .github/test/docker-compose.yaml up -d | |
| - name: Upload Test Data | |
| run: | | |
| .github/scripts/upload-consent.sh patient-1 | |
| .github/scripts/upload-patient.sh patient-1 | |
| - name: Upload Test Data | |
| run: .github/scripts/start-transfer.sh example | |
| push-image: | |
| if: github.event_name != 'pull_request' || (github.event.pull_request.base.repo.full_name == github.event.pull_request.head.repo.full_name) | |
| needs: | |
| - scan-image | |
| - e2e-tests | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| packages: write | |
| strategy: | |
| matrix: | |
| agent: | |
| - clinical-domain-agent | |
| - trust-center-agent | |
| - research-domain-agent | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download Agent Jar | |
| if: ${{ matrix.agent }} | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: ${{ matrix.agent }}* | |
| merge-multiple: true | |
| path: ${{ matrix.agent }}/target | |
| - name: Load Container Image | |
| run: docker load --input /tmp/${{ matrix.agent }}.tar | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate Container Image Metadata | |
| id: ghcr-meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ghcr.io/${{ github.repository_owner }}/fts-${{ matrix.agent }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| - name: Build and Push Container Image | |
| uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6 | |
| with: | |
| context: ${{ matrix.agent }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ steps.ghcr-meta.outputs.tags }} | |
| labels: ${{ steps.ghcr-meta.outputs.labels }} |