From f5a6792708844a10a6f6ec6678d048b63ac2db71 Mon Sep 17 00:00:00 2001
From: aimee-889
Date: Mon, 16 Dec 2024 13:34:29 +0100
Subject: [PATCH] test build
---
 .github/workflows/create-release.yml | 3 +
 ...publish-check-deploy-on-push-scheduled.yml | 253 ++++++++++--------
 2 files changed, 138 insertions(+), 118 deletions(-)
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 6bda7a1e..ca0a9d3d 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -19,6 +19,9 @@ jobs:
 contents: read
 security-events: write
+ build_plugins:
+
+
 release_image:
 name: "Publish image and scan with trivy"
 needs: codeql_analyze
diff --git a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
index 78732f48..2ac1f4b0 100644
--- a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
+++ b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
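Review bot: `build_plugins:` is added under `jobs:` in create-release.yml with no body, so the job has neither `runs-on`/`steps` nor `uses:`; GitHub Actions treats a job without a required `runs-on` (or `uses`) as a validation error and will not run the workflow, which also blocks `release_image` and the Trivy scan it carries. Either give the job a body (a `runs-on: ubuntu-latest` with the build steps it is presumably meant to hold) or leave the key out until it is ready. If it is a placeholder for the Maven build being tried in the other workflow file, a `# TODO: build plugin jars here` comment would make that intent visible instead of an empty key.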
@@ -26,129 +26,146 @@ jobs: security-events: write build_image_on_push: - name: "Publish image and scan with trivy" if: ${{ github.event_name == 'push' }} + runs-on: ubuntu-latest permissions: packages: write security-events: write contents: read - uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@7 - with: - image_name: "dbildungs-iam-keycloak" - run_trivy_scan: true - image_tag_generation: ${{ github.ref_name == 'main' && 'commit_hash' || 'ticket_from_branch' }} - add_latest_tag: ${{ github.ref_name == 'main' }} - container_registry: "ghcr.io" - fail_on_vulnerabilites: false - report_location: "Dockerfile" - target: "deployment" - - scan_helm: - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} - uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5 - permissions: - contents: read - select_helm_version_generation_and_image_tag_generation: - if: ${{ github.event_name == 'push'}} - runs-on: ubuntu-latest - outputs: - SELECT_HELM_VERION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERION_GENERATION }} - SELECT_IMAGE_TAG_GENERATION: ${{ steps.select_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} - steps: - - id: select_generation - shell: bash - run: | - if ${{ github.ref_name == 'main' }}; then - echo "SELECT_HELM_VERION_GENERATION=timestamp" >> "$GITHUB_OUTPUT" - echo "SELECT_IMAGE_TAG_GENERATION=commit_hash" >> "$GITHUB_OUTPUT" - else - echo "SELECT_HELM_VERION_GENERATION=ticket_from_branch_timestamp" >> "$GITHUB_OUTPUT" - echo "SELECT_IMAGE_TAG_GENERATION=ticket_from_branch" >> "$GITHUB_OUTPUT" - fi - - release_helm: - needs: - - select_helm_version_generation_and_image_tag_generation - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} - uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7 - secrets: inherit - with: - chart_name: dbildungs-iam-keycloak - 
image_tag_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} - helm_chart_version_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_HELM_VERION_GENERATION }} - - wait_for_helm_chart_to_get_published: - needs: - - release_helm - runs-on: ubuntu-latest steps: - - shell: bash - run: sleep 1m - - branch_meta: - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} - uses: dBildungsplattform/spsh-app-deploy/.github/workflows/get-branch-meta.yml@3 - - create_branch_identifier: - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} - needs: - - branch_meta - uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3 - with: - branch: ${{ needs.branch_meta.outputs.branch }} - - deploy: - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} - needs: - - branch_meta - - create_branch_identifier - - wait_for_helm_chart_to_get_published - - build_image_on_push - uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@5 - with: - dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }} - schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }} - dbildungs_iam_keycloak_branch: ${{ needs.branch_meta.outputs.ticket }} - dbildungs_iam_ldap_branch: ${{ needs.branch_meta.outputs.ticket }} - namespace: ${{ needs.create_branch_identifier.outputs.namespace_from_branch }} - secrets: inherit - - # On Delete - create_branch_identifier_for_deletion: - if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} - uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3 - with: - branch: ${{ github.event.ref }} - - delete_namespace: - if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch'}} - needs: - - create_branch_identifier_for_deletion - uses: 
dBildungsplattform/spsh-app-deploy/.github/workflows/delete-namespace.yml@5 - with: - namespace: ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} - secrets: - SPSH_DEV_KUBECONFIG: ${{ secrets.SPSH_DEV_KUBECONFIG }} - - delete_successful: - if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} - needs: - - delete_namespace - - create_branch_identifier_for_deletion - runs-on: ubuntu-latest - steps: - - run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done" + - name: Checkout repository + uses: actions/checkout@v2 + ref: ${{ github.ref_name }} - # Scheduled - scheduled_trivy_scan: - name: "Scheduled trivy scan of latest image" - if: ${{ github.event_name == 'schedule' }} - permissions: - packages: read - security-events: write - uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-trivy.yaml@7 - with: - image_ref: 'ghcr.io/${{ github.repository_owner }}/dbildungs-iam-keycloak:latest' - fail_on_vulnerabilites: false - report_location: "Dockerfile" \ No newline at end of file + - name: Set up JDK 11 + uses: actions/setup-java@v2 + with: + java-version: '11' + distribution: 'temurin' + + - name: Build Jars with Maven + run: mvn -f providers/privacyidea/pom.xml clean package + + - name: 'Checkout repository' + uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@DBP-1196-adjust-dev-release-piepline + with: + image_name: "dbildungs-iam-keycloak" + run_trivy_scan: true + image_tag_generation: ${{ github.ref_name == 'main' && 'commit_hash' || 'ticket_from_branch' }} + add_latest_tag: ${{ github.ref_name == 'main' }} + container_registry: "ghcr.io" + fail_on_vulnerabilites: false + report_location: "Dockerfile" + target: "deployment" + github_branch: ${{ github.ref_name }} + + # scan_helm: + # if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} + # uses: 
dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5 + # permissions: + # contents: read + + # select_helm_version_generation_and_image_tag_generation: + # if: ${{ github.event_name == 'push'}} + # runs-on: ubuntu-latest + # outputs: + # SELECT_HELM_VERION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERION_GENERATION }} + # SELECT_IMAGE_TAG_GENERATION: ${{ steps.select_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} + # steps: + # - id: select_generation + # shell: bash + # run: | + # if ${{ github.ref_name == 'main' }}; then + # echo "SELECT_HELM_VERION_GENERATION=timestamp" >> "$GITHUB_OUTPUT" + # echo "SELECT_IMAGE_TAG_GENERATION=commit_hash" >> "$GITHUB_OUTPUT" + # else + # echo "SELECT_HELM_VERION_GENERATION=ticket_from_branch_timestamp" >> "$GITHUB_OUTPUT" + # echo "SELECT_IMAGE_TAG_GENERATION=ticket_from_branch" >> "$GITHUB_OUTPUT" + # fi + + # release_helm: + # needs: + # - select_helm_version_generation_and_image_tag_generation + # if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} + # uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7 + # secrets: inherit + # with: + # chart_name: dbildungs-iam-keycloak + # image_tag_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_IMAGE_TAG_GENERATION }} + # helm_chart_version_generation: ${{ needs.select_helm_version_generation_and_image_tag_generation.outputs.SELECT_HELM_VERION_GENERATION }} + + # wait_for_helm_chart_to_get_published: + # needs: + # - release_helm + # runs-on: ubuntu-latest + # steps: + # - shell: bash + # run: sleep 1m + + # branch_meta: + # if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} + # uses: dBildungsplattform/spsh-app-deploy/.github/workflows/get-branch-meta.yml@3 + + # create_branch_identifier: + # if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} + # needs: + # - 
branch_meta + # uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3 + # with: + # branch: ${{ needs.branch_meta.outputs.branch }} + + # deploy: + # if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }} + # needs: + # - branch_meta + # - create_branch_identifier + # - wait_for_helm_chart_to_get_published + # - build_image_on_push + # uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@5 + # with: + # dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }} + # schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }} + # dbildungs_iam_keycloak_branch: ${{ needs.branch_meta.outputs.ticket }} + # dbildungs_iam_ldap_branch: ${{ needs.branch_meta.outputs.ticket }} + # namespace: ${{ needs.create_branch_identifier.outputs.namespace_from_branch }} + # secrets: inherit + + # # On Delete + # create_branch_identifier_for_deletion: + # if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} + # uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3 + # with: + # branch: ${{ github.event.ref }} + + # delete_namespace: + # if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch'}} + # needs: + # - create_branch_identifier_for_deletion + # uses: dBildungsplattform/spsh-app-deploy/.github/workflows/delete-namespace.yml@5 + # with: + # namespace: ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} + # secrets: + # SPSH_DEV_KUBECONFIG: ${{ secrets.SPSH_DEV_KUBECONFIG }} + + # delete_successful: + # if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} + # needs: + # - delete_namespace + # - create_branch_identifier_for_deletion + # runs-on: ubuntu-latest + # steps: + # - run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done" + + # # Scheduled + # scheduled_trivy_scan: + # 
name: "Scheduled trivy scan of latest image" + # if: ${{ github.event_name == 'schedule' }} + # permissions: + # packages: read + # security-events: write + # uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-trivy.yaml@7 + # with: + # image_ref: 'ghcr.io/${{ github.repository_owner }}/dbildungs-iam-keycloak:latest' + # fail_on_vulnerabilites: false + # report_location: "Dockerfile" \ No newline at end of file
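Review bot: The last step of `build_image_on_push`, named `'Checkout repository'`, points its `uses:` at the reusable workflow `image-publish-trivy.yaml@DBP-1196-adjust-dev-release-piepline`; a step's `uses:` must name an action, and reusable workflows can only be called at job level, so the runner will reject this file (the step name is also misleading, since the step publishes the image). The first checkout step places `ref:` directly on the step rather than under `with:`, where `actions/checkout` reads it, and `actions/checkout@v2` and `actions/setup-java@v2` run on deprecated Node runtimes while `@v4` is available for both. Moving the publish call into its own job fixes the structure, but jobs do not share a workspace, so if the image build relies on the Maven output the jars have to be handed over (artifact upload/download, or a Dockerfile stage that runs Maven) — confirm what `image-publish-trivy.yaml` expects before splitting. The workflow reference should also be pinned to a release tag or commit SHA rather than a feature branch, as the branch can change what runs with `packages: write` and `security-events: write`. Commenting out `scan_helm` and `scheduled_trivy_scan` instead of deleting them leaves the repository with no helm or scheduled image scan while this is in place; if that is temporary, a `# TODO` stating why and until when would help the next reader.
```yaml
  build_image_on_push:
    if: ${{ github.event_name == 'push' }}
    runs-on: ubuntu-latest
    # … unchanged: permissions …
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref_name }}

      - name: Set up JDK 11
        uses: actions/setup-java@v4
        with:
          java-version: '11'
          distribution: 'temurin'

      # … unchanged: Build Jars with Maven step …
      # NOTE(review): if the published image needs these jars, upload them as an
      # artifact here and fetch them in the publish job — jobs do not share a workspace

  publish_image_on_push:
    if: ${{ github.event_name == 'push' }}
    needs: build_image_on_push
    permissions:
      packages: write
      security-events: write
      contents: read
    # TODO: pin to a release tag or commit SHA instead of a feature branch
    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/image-publish-trivy.yaml@DBP-1196-adjust-dev-release-piepline
    with:
      # … unchanged: image_name … github_branch inputs …
```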