.github/workflows/build.yml

name: Build

on:
  push:
    branches:
    - main
    - develop
    tags:
    - 'v*.*.*'
  pull_request:
    branches:
    - main
    - develop
  schedule:
  - cron: '0 1 * * *'

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: 21

      - name: Cache Local Maven Repo
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: tests-maven-${{ hashFiles('pom.xml') }}

      - uses: s4u/maven-settings-action@v3.0.0
        with:
          servers: |
            [{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          queries: security-and-quality

      - name: Download Ontology and Build
        run: mvn -Pdownload-ontology -B verify

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v4

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

      - name: Upload Torch Jar
        uses: actions/upload-artifact@v4
        with:
          name: torch-jar
          path: target/torch.jar

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and Export to Docker
        uses: docker/build-push-action@v6
        with:
          context: .
          tags: torch:latest
          outputs: type=docker,dest=/tmp/torch.tar

      - name: Upload torch Image
        uses: actions/upload-artifact@v4
        with:
          name: torch-image
          path: /tmp/torch.tar

  image-scan:
    needs: build
    runs-on: ubuntu-22.04

    steps:
      - name: Download torch Image
        uses: actions/download-artifact@v4
        with:
          name: torch-image
          path: /tmp

      - name: Load torch Image
        run: docker load --input /tmp/torch.tar

      - name: Check out Git repository
        uses: actions/checkout@v4

      - name: Run Trivy Vulnerability Scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: torch:latest
          format: sarif
          output: trivy-results.sarif
          severity: 'CRITICAL,HIGH'
          timeout: '15m0s'
          skip-files: 'app/ontology/*'
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1

      - name: Upload Trivy Scan Results to GitHub Security Tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

  push-image:
    needs:
      - build
      - image-scan
    runs-on: ubuntu-22.04
    if: ${{ ! startsWith(github.head_ref, 'dependabot/')}}

    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4

      - name: Set up JDK 21 for Maven Build
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: 21

      - name: Maven Build for Ontology Download
        run: mvn process-resources

      - name: Download torch Jar
        uses: actions/download-artifact@v4
        with:
          name: torch-jar
          path: target

      - name: Download torch Image
        uses: actions/download-artifact@v4
        with:
          name: torch-image
          path: /tmp

      - name: Load torch Image
        run: docker load --input /tmp/torch.tar

      - uses: s4u/maven-settings-action@v3.0.0
        with:
          servers: |
            [{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]

      - name: Download Ontology
        run: mvn -Pdownload-ontology -B -DskipTests package

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker meta
        id: docker-meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/medizininformatik-initiative/torch
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.docker-meta.outputs.tags }}
          labels: ${{ steps.docker-meta.outputs.labels }}

      - name: Release
        uses: softprops/action-gh-release@v2
        if: startsWith(github.ref, 'refs/tags/')