Merge pull request #537 from BBMRI-ERIC/dependabot/maven/spring-boot.… #2373

Workflow file for this run

	---
	name: CI build

	on:
	workflow_dispatch:
	schedule:
	- cron: '0 10 * * *' # every day at 10am
	push:
	branches:
	- master
	tags:
	- 'v..*'
	pull_request:
	permissions: read-all
	jobs:

	compile:
	name: Compile with maven
	runs-on: ubuntu-latest

	steps:

	- name: Checkout codebase
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Set up JDK 17
	uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
	with:
	java-version: '17'
	distribution: 'temurin'
	cache: maven

	- name: Build with Maven
	run: mvn --quiet clean compile -DskipTests=True

	lint:
	name: Lint Code Base
	runs-on: ubuntu-latest

	steps:
	- name: Set up JDK 17
	uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
	with:
	java-version: '17'
	distribution: 'temurin'

	- name: Checkout Code
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Lint Code Base
	run: mvn clean com.spotify.fmt:fmt-maven-plugin:check


	unit-tests:
	name: Unit tests
	runs-on: ubuntu-latest
	needs:
	- compile
	steps:

	- name: Checkout codebase
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Set up JDK 17
	uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
	with:
	java-version: '17'
	distribution: 'temurin'
	cache: maven

	- name: Run unit tests
	run: mvn --quiet clean test -B --file pom.xml

	- name: Upload coverage to Codecov
	uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
	with:
	token: ${{ secrets.CODECOV_TOKEN }}
	fail_ci_if_error: true
	flags: unit
	continue-on-error: true


	integration-tests:
	name: Integration tests
	runs-on: ubuntu-latest
	needs:
	- unit-tests
	steps:

	- name: Checkout codebase
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Set up JDK 17
	uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
	with:
	java-version: '17'
	distribution: 'temurin'
	cache: maven

	- name: Run integration tests
	run: mvn --quiet clean verify -B -Dspring.profiles.active=test

	- name: Upload coverage to Codecov
	uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
	with:
	token: ${{ secrets.CODECOV_TOKEN }}
	fail_ci_if_error: true
	flags: unit
	continue-on-error: true


	analyze:
	name: CodeQL Analysis
	runs-on: ubuntu-latest
	timeout-minutes: 120
	permissions:
	actions: read
	contents: write
	security-events: write

	steps:
	- name: Checkout repository
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Set up JDK 17
	uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
	with:
	java-version: '17'
	distribution: 'temurin'
	cache: maven

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: java

	- name: Compile with maven
	run: mvn --quiet -B clean package -Dmaven.test.skip=true

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3
	with:
	category: java

	- name: Update dependency graph
	uses: advanced-security/maven-dependency-submission-action@v4


	build-image:
	name: Build docker image
	runs-on: ubuntu-latest
	needs:
	- integration-tests
	steps:

	- name: Checkout codebase
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Set up QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3

	- name: Build and push
	uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
	with:
	context: .
	tags: bbmrieric/negotiator:latest
	outputs: type=docker,dest=/tmp/negotiator.tar

	- name: Upload image
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
	with:
	name: negotiator
	path: /tmp/negotiator.tar

	image-scan:
	needs: build-image
	runs-on: ubuntu-latest
	permissions:
	security-events: write

	steps:
	- name: Download artifact
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
	with:
	name: negotiator
	path: /tmp

	- name: Load image
	run: docker load --input /tmp/negotiator.tar

	- name: Check out Git repository
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Run Trivy Vulnerability Scanner
	uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564
	with:
	image-ref: bbmrieric/negotiator:latest
	format: sarif
	output: trivy-results.sarif
	severity: 'CRITICAL,HIGH'
	timeout: '15m0s'

	- name: Upload Trivy Scan Results to GitHub Security Tab
	if: ${{ (github.repository_owner == 'bbmri-eric') \|\| (vars.IMAGE_SCAN_UPLOAD == 'true') }}
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: trivy-results.sarif

	system-test:
	name: System tests
	runs-on: ubuntu-latest
	needs:
	- build-image
	steps:

	- name: Download artifact
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
	with:
	name: negotiator
	path: /tmp

	- name: Checkout codebase
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Load image
	run: docker load --input /tmp/negotiator.tar

	- name: Clone deployment repo
	run: git clone https://gitlab.bbmri-eric.eu/negotiator-deployment/negotiator-deployment-template.git /opt/negotiator

	- name: Run docker compose
	working-directory: /opt/negotiator
	run: docker compose -f compose.yaml -f $GITHUB_WORKSPACE/.github/compose-overrides/compose.override.system.yaml up -d negotiator

	- name: Wait
	run: sleep 30

	- name: Get docker logs
	run: docker logs negotiator

	- name: Get running containers
	run: docker ps

	- name: Check health
	run: $GITHUB_WORKSPACE/.github/scripts/check_health.sh negotiator

	- name: Send request
	run: $GITHUB_WORKSPACE/.github/scripts/new_request.sh

	oauth-test:
	name: OAuth2 Authorization tests
	runs-on: ubuntu-latest
	needs:
	- build-image
	steps:

	- name: Download artifact
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
	with:
	name: negotiator
	path: /tmp

	- name: Load image
	run: docker load --input /tmp/negotiator.tar

	- name: Checkout codebase
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Setup environment with auth server
	run: docker compose up -d

	- name: Wait
	run: sleep 30

	- name: Get docker logs
	run: docker logs negotiator

	- name: Check health
	run: .github/scripts/check_health.sh negotiator

	- name: Send authenticated request
	run: chmod +x .github/scripts/send_authenticated_request.sh && .github/scripts/send_authenticated_request.sh

	backwards-compatibility:
	name: DB migration tests
	runs-on: ubuntu-latest
	needs:
	- build-image
	steps:

	- name: Download artifact
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
	with:
	name: negotiator
	path: /tmp

	- name: Clone deployment repo
	run: git clone https://gitlab.bbmri-eric.eu/negotiator-deployment/negotiator-deployment-template.git /opt/negotiator

	- name: Run docker compose
	working-directory: /opt/negotiator
	run: docker compose up -d negotiator

	- name: Wait
	run: sleep 30

	- name: Down docker compose
	run: cd /opt/negotiator && docker compose down

	- name: Remove image
	run: docker image rm bbmrieric/negotiator

	- name: Load image
	run: docker load --input /tmp/negotiator.tar

	- name: Run docker compose
	run: cd /opt/negotiator && docker compose up -d negotiator

	- name: Wait
	run: sleep 30

	- name: Get docker logs
	run: docker logs negotiator

	- name: Checkout codebase
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Check health
	run: .github/scripts/check_health.sh negotiator

	build-push-image:
	name: Publish Docker image
	runs-on: ubuntu-latest
	needs:
	- system-test
	- oauth-test
	- backwards-compatibility
	permissions:
	packages: write
	contents: read
	steps:

	- name: Checkout codebase
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Set up QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3

	- name: Login to DockerHub
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
	with:
	username: ${{ secrets.DOCKERHUB_USER }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
	with:
	images: \|
	bbmrieric/negotiator
	ghcr.io/${{ github.repository_owner }}/negotiator
	tags: \|
	type=ref,event=branch
	type=raw,value=${{ github.head_ref }},event=pr
	type=semver,pattern={{version}}
	type=semver,pattern={{major}}.{{minor}}
	type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }}

	- name: Build and push
	uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
	with:
	context: .
	platforms: linux/amd64,linux/arm64
	push: true
	labels: ${{ steps.meta.outputs.labels }}
	tags: ${{ steps.meta.outputs.tags }}
	build-args: ARTIFACT_VERSION=${{ github.ref_name }}

	build-pages:
	runs-on: ubuntu-24.04
	steps:
	- name: Check out Git repository
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
	with:
	fetch-depth: 0

	- name: Setup Node
	uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4
	with:
	node-version: 21
	cache: npm
	cache-dependency-path: 'docs/package-lock.json'

	- name: Build
	working-directory: docs
	env:
	DOCS_BASE: "/${{ github.event.repository.name }}/"
	run: make build

	- name: Setup Pages
	uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5

	- name: Upload artifact
	uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
	with:
	path: docs/.vitepress/dist

	deploy-pages:
	if: github.ref == 'refs/heads/master'
	runs-on: ubuntu-24.04
	needs: [ build-pages ]
	permissions:
	pages: write
	id-token: write
	environment:
	name: github-pages
	url: ${{ steps.deployment.outputs.page_url }}
	steps:
	- name: Deploy to GitHub Pages
	id: deployment
	uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

	publish-jar:
	if: github.event_name == 'push' && github.ref_type == 'tag'
	name: Publish JAR file
	runs-on: ubuntu-latest
	permissions:
	packages: write
	needs:
	- system-test
	- oauth-test
	- backwards-compatibility
	steps:
	- name: Checkout codebase
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

	- name: Set up JDK 17
	uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
	with:
	java-version: '17'
	distribution: 'temurin'
	cache: maven

	- name: Publish package
	run: mvn --quiet -B versions:set -DnewVersion="${ARTIFACT_VERSION//v}"
	env:
	ARTIFACT_VERSION: ${{ github.ref_name }}

	- name: Publish package
	run: mvn --batch-mode deploy
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #537 from BBMRI-ERIC/dependabot/maven/spring-boot.… #2373

Workflow file

Merge pull request #537 from BBMRI-ERIC/dependabot/maven/spring-boot.… #2373

Jobs

Run details

Workflow file for this run