[Security] Vulnerability fixes and prepare for 2.4.3 release #621
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Continuous integration, including test and integration test | |
name: CI | |
# Run in master and dev branches and in all pull requests to those branches, as well as on workflow dispatch for downstream testing | |
on: | |
workflow_dispatch: | |
push: | |
branches: [ master, dev ] | |
pull_request: | |
branches: [ master, dev ] | |
env: | |
DOCKER_IMAGE: radarbase/radar-appserver | |
jobs: | |
# Build and test the code | |
build: | |
# The type of runner that the job will run on | |
runs-on: ubuntu-latest | |
# Steps represent a sequence of tasks that will be executed as part of the job | |
steps: | |
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-java@v3 | |
with: | |
java-version: 17 | |
distribution: temurin | |
- uses: gradle/gradle-build-action@v2 | |
# Compile the code | |
- name: Compile code | |
run: ./gradlew assemble | |
# Use 'docker compose' instead of 'docker-compose' to use v2 | |
- name: Setup docker services | |
run: | | |
sudo mkdir -p /usr/local/var/lib/radar/appserver/logs/ | |
sudo chown -R $(whoami) /usr/local/var/lib/radar/appserver/logs | |
docker compose -f src/integrationTest/resources/docker/non_appserver/docker-compose.yml up -d | |
# Wait for services to start up. | |
sleep 50 | |
- name: Install gpg secret key | |
run: | | |
cat <(echo -e "${{ secrets.GPG_SECRET_KEY }}") | gpg --batch --import | |
gpg --list-secret-keys --keyid-format LONG | |
- name: Decrypt google application credentials | |
run: | | |
gpg --pinentry-mode loopback --local-user "Yatharth Ranjan" --batch --yes --passphrase "${{ secrets.GPG_SECRET_KEY_PASSPHRASE }}" --output src/integrationTest/resources/google-credentials.json --decrypt src/integrationTest/resources/google-credentials.enc.gpg | |
# Gradle check | |
- name: Check | |
run: GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/src/integrationTest/resources/google-credentials.json ./gradlew check | |
- name: Upload build artifacts | |
if: always() | |
uses: actions/upload-artifact@v3 | |
with: | |
path: build/reports | |
if-no-files-found: ignore | |
retention-days: 5 | |
# Build and test the code against the :dev docker image of parent repositories | |
test-downstream: | |
# The type of runner that the job will run on | |
runs-on: ubuntu-latest | |
# only run this on 'ready for review' PRs or when triggered by an upstream job | |
if: github.event.pull_request.draft == false || github.event_name == 'workflow_dispatch' | |
# Steps represent a sequence of tasks that will be executed as part of the job | |
steps: | |
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-java@v3 | |
with: | |
java-version: 17 | |
distribution: temurin | |
# Use 'docker compose' instead of 'docker-compose' to use v2 | |
- name: Setup docker services (:dev) | |
run: | | |
sudo mkdir -p /usr/local/var/lib/radar/appserver/logs/ | |
sudo chown -R $(whoami) /usr/local/var/lib/radar/appserver/logs | |
# call docker compose without args to include the override file | |
cd src/integrationTest/resources/docker/appserver_downstream | |
docker compose up -d | |
# Wait for services to start up. | |
sleep 50 | |
- name: Install gpg secret key | |
run: | | |
cat <(echo -e "${{ secrets.GPG_SECRET_KEY }}") | gpg --batch --import | |
gpg --list-secret-keys --keyid-format LONG | |
- name: Decrypt google application credentials | |
run: | | |
gpg --pinentry-mode loopback --local-user "Yatharth Ranjan" --batch --yes --passphrase "${{ secrets.GPG_SECRET_KEY_PASSPHRASE }}" --output src/integrationTest/resources/google-credentials.json --decrypt src/integrationTest/resources/google-credentials.enc.gpg | |
# Gradle check | |
- name: Check | |
run: GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/src/integrationTest/resources/google-credentials.json ./gradlew check | |
# Check that the docker image builds correctly | |
docker: | |
# The type of runner that the job will run on | |
runs-on: ubuntu-latest | |
if: github.event_name != 'workflow_dispatch' | |
# Steps represent a sequence of tasks that will be executed as part of the job | |
steps: | |
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | |
- uses: actions/checkout@v3 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
# Add Docker labels and tags | |
- name: Docker meta | |
id: docker_meta | |
uses: docker/metadata-action@v4 | |
with: | |
images: ${{ env.DOCKER_IMAGE }} | |
# Setup docker build environment | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Cache Docker layers | |
id: cache-buildx | |
uses: actions/cache@v3 | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile', '**/*.gradle.kts', 'gradle.properties', 'src/main/**') }} | |
restore-keys: | | |
${{ runner.os }}-buildx- | |
- name: Cache parameters | |
id: cache-parameters | |
run: | | |
if [ "${{ steps.cache-buildx.outputs.cache-hit }}" = "true" ]; then | |
echo "::set-output name=cache-to::" | |
else | |
echo "::set-output name=cache-to::type=local,dest=/tmp/.buildx-cache-new,mode=max" | |
fi | |
- name: Build docker | |
uses: docker/build-push-action@v3 | |
with: | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: ${{ steps.cache-parameters.outputs.cache-to }} | |
load: true | |
tags: ${{ steps.docker_meta.outputs.tags }} | |
# Use runtime labels from docker_meta as well as fixed labels | |
labels: | | |
${{ steps.docker_meta.outputs.labels }} | |
maintainer=Yatharth Ranjan <[email protected]>, Pauline Conde <[email protected]> | |
org.opencontainers.image.authors=Yatharth Ranjan <[email protected]>, Pauline Conde <[email protected]> | |
org.opencontainers.image.vendor=RADAR-base | |
org.opencontainers.image.licenses=Apache-2.0 | |
- name: Inspect docker image | |
run: docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} | |
# Push the image on the dev and master branches | |
- name: Push image | |
if: ${{ github.event_name != 'pull_request' }} | |
run: docker push ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} | |
# Temp fix | |
# https://github.com/docker/build-push-action/issues/252 | |
# https://github.com/moby/buildkit/issues/1896 | |
- name: Move docker build cache | |
if: steps.cache-buildx.outputs.cache-hit != 'true' | |
run: | | |
rm -rf /tmp/.buildx-cache | |
mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |