Skip to content

Build

Build #348

Workflow file for this run

name: Build
on:
push:
branches:
- main
- develop
tags:
- 'v*.*.*'
pull_request:
branches:
- main
- develop
schedule:
- cron: '0 1 * * *'
jobs:
build:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Set up JDK 21
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 21
- name: Cache Local Maven Repo
uses: actions/cache@v4
with:
path: ~/.m2/repository
key: tests-maven-${{ hashFiles('pom.xml') }}
- uses: s4u/[email protected]
with:
servers: |
[{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: java
queries: security-and-quality
- name: Download Ontology and Build
run: mvn -Pdownload-ontology -B verify
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
- name: Upload Torch Jar
uses: actions/upload-artifact@v4
with:
name: torch-jar
path: target/torch.jar
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and Export to Docker
uses: docker/build-push-action@v6
with:
context: .
tags: torch:latest
outputs: type=docker,dest=/tmp/torch.tar
- name: Upload torch Image
uses: actions/upload-artifact@v4
with:
name: torch-image
path: /tmp/torch.tar
image-scan:
needs: build
runs-on: ubuntu-22.04
steps:
- name: Download torch Image
uses: actions/download-artifact@v4
with:
name: torch-image
path: /tmp
- name: Load torch Image
run: docker load --input /tmp/torch.tar
- name: Check out Git repository
uses: actions/checkout@v4
- name: Run Trivy Vulnerability Scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: torch:latest
format: sarif
output: trivy-results.sarif
severity: 'CRITICAL,HIGH'
timeout: '15m0s'
skip-files: 'app/ontology/*'
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
- name: Upload Trivy Scan Results to GitHub Security Tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
push-image:
needs:
- build
- image-scan
runs-on: ubuntu-22.04
if: ${{ ! startsWith(github.head_ref, 'dependabot/')}}
steps:
- name: Check out Git repository
uses: actions/checkout@v4
- name: Set up JDK 21 for Maven Build
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 21
- name: Maven Build for Ontology Download
run: mvn process-resources
- name: Download torch Jar
uses: actions/download-artifact@v4
with:
name: torch-jar
path: target
- name: Download torch Image
uses: actions/download-artifact@v4
with:
name: torch-image
path: /tmp
- name: Load torch Image
run: docker load --input /tmp/torch.tar
- uses: s4u/[email protected]
with:
servers: |
[{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]
- name: Download Ontology
run: mvn -Pdownload-ontology -B -DskipTests package
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker meta
id: docker-meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/medizininformatik-initiative/torch
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.docker-meta.outputs.tags }}
labels: ${{ steps.docker-meta.outputs.labels }}
- name: Release
uses: softprops/action-gh-release@v2
if: startsWith(github.ref, 'refs/tags/')