Adjust pipeline to build docker image without gradle #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time | |
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle | |
name: Pipeline | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
# Allow to run this workflow manually | |
workflow_dispatch: | |
env: | |
CONTAINER_REGISTRY: ghcr.io | |
CONTAINER_IMAGE_NAME: ${{ github.repository }} | |
CONTAINER_IMAGE_VERSION: ${{ github.sha }} | |
jobs: | |
vulnerability-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build Docker Image | |
run: | | |
docker build -t ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} . | |
- name: Run Trivy vulnerability scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
# Uploading sarif files only works for public repos, in case you have a private repo, please remove the lines below | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
with: | |
sarif_file: "trivy-results.sarif" | |
- name: Generate cosign vulnerability scan record | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "cosign-vuln" | |
output: "vuln.json" | |
- name: Upload cosign vulnerability scan record | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "vuln.json" | |
path: "vuln.json" | |
if-no-files-found: error | |
- name: Send status to Slack | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
build-and-push-image: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: [vulnerability-scan] | |
permissions: | |
contents: read | |
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.. | |
packages: write | |
outputs: | |
version: ${{ steps.set-version.outputs.version }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build Docker Image | |
run: | | |
docker build -t ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} . | |
- name: Login to container registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: "ghcr.io" | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push image | |
run: | | |
docker tag ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} ghcr.io/${{ env.CONTAINER_IMAGE_NAME }} | |
docker tag ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} ghcr.io/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
docker push --all-tags ghcr.io/${{ env.CONTAINER_IMAGE_NAME }} | |
- name: Install cosign | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 | |
- name: Log into container registry | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Sign the published Docker image | |
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Download cosign vulnerability scan record | |
uses: actions/download-artifact@v4 | |
with: | |
name: "vuln.json" | |
- name: Attest vulnerability scan | |
run: cosign attest --yes --replace --predicate vuln.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- id: set-version | |
run: echo "version=$CONTAINER_IMAGE_VERSION" >> $GITHUB_OUTPUT | |
- name: Create SBOM | |
uses: digitalservicebund/create-sbom@9535ef832c2895b44b7266f84e16ad7598d1ead9 | |
with: | |
image_name: ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Send status to Slack | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |