Build #339
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - develop | |
| tags: | |
| - 'v*.*.*' | |
| pull_request: | |
| branches: | |
| - main | |
| - develop | |
| schedule: | |
| - cron: '0 1 * * *' | |
| jobs: | |
| build: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| - name: Cache Local Maven Repo | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.m2/repository | |
| key: tests-maven-${{ hashFiles('pom.xml') }} | |
| - uses: s4u/[email protected] | |
| with: | |
| servers: | | |
| [{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}] | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: java | |
| queries: security-and-quality | |
| - name: Download Ontology and Build | |
| run: mvn -Pdownload-ontology -B verify | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v4 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| - name: Upload Torch Jar | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: torch-jar | |
| path: target/torch.jar | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and Export to Docker | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| tags: torch:latest | |
| outputs: type=docker,dest=/tmp/torch.tar | |
| - name: Upload torch Image | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: torch-image | |
| path: /tmp/torch.tar | |
| image-scan: | |
| needs: build | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Download torch Image | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: torch-image | |
| path: /tmp | |
| - name: Load torch Image | |
| run: docker load --input /tmp/torch.tar | |
| - name: Check out Git repository | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy Vulnerability Scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: torch:latest | |
| format: sarif | |
| output: trivy-results.sarif | |
| severity: 'CRITICAL,HIGH' | |
| timeout: '15m0s' | |
| skip-files: 'app/ontology/*' | |
| env: | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
| TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 | |
| - name: Upload Trivy Scan Results to GitHub Security Tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| push-image: | |
| needs: | |
| - build | |
| - image-scan | |
| runs-on: ubuntu-22.04 | |
| if: ${{ ! startsWith(github.head_ref, 'dependabot/')}} | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@v4 | |
| - name: Set up JDK 21 for Maven Build | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| - name: Maven Build for Ontology Download | |
| run: mvn process-resources | |
| - name: Download torch Jar | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: torch-jar | |
| path: target | |
| - name: Download torch Image | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: torch-image | |
| path: /tmp | |
| - name: Load torch Image | |
| run: docker load --input /tmp/torch.tar | |
| - uses: s4u/[email protected] | |
| with: | |
| servers: | | |
| [{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}] | |
| - name: Download Ontology | |
| run: mvn -Pdownload-ontology -B -DskipTests package | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Docker meta | |
| id: docker-meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ghcr.io/medizininformatik-initiative/torch | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ steps.docker-meta.outputs.tags }} | |
| labels: ${{ steps.docker-meta.outputs.labels }} | |
| - name: Release | |
| uses: softprops/action-gh-release@v2 | |
| if: startsWith(github.ref, 'refs/tags/') |