-
Notifications
You must be signed in to change notification settings - Fork 0
381 lines (362 loc) · 14.6 KB
/
Copy pathci-pr-checks.yml
File metadata and controls
381 lines (362 loc) · 14.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
# Workflow Name: PR checks
#
# Owner: Digdir Platform team
#
# DEPRECATED:
# This workflow is deprecated and replaced by the split golden path workflows
# ci-pr-checks-lib.yml (Maven libraries) and ci-pr-checks-image.yml
# (containerized applications). Migrate to the workflow that matches your
# project type.
#
# Purpose:
# This is the golden path for PRs towards main branch. This workflow handles
# both Maven library builds and containerized builds. It works as a proxy
# workflow for the container image build and scan steps, but Maven library
# builds are handled within this workflow without calling other workflows.
#
#. Flow:
# 1. Verifies PR title
# 2. Builds and runs application from root pom with mvn lifecycle chosen in
# inputs (default: test).
# 3. Scans with Trivy FS scan to fail fast on library vulnerabilities
# 4. Builds image using paketo buildpacks (if 'enable-image-build' is true)
# 5. Scans image with Trivy image scan for containerized/image-build
#. workflows (gated by 'enable-image-build' and 'application-type'; OS
# scanning is separately controlled by trivy-os-disable-scan)
# 6. Auto-merges Dependabot PRs (optional)
#
# If you are building a library project, you can set 'enable-image-build' to
# false to skip the image build and image scan steps. If you have a
# multi-module project, the mvn lifecycle will first be executed in the root
# of the project, then the container build will be executed for the module
# specified with the 'module-name' input. If your multi-module project has
# multiple bootable modules that you want in separate containers, you can
# reference this workflow multiple times with different module-name inputs.
# For non-containerized applications, you can set 'enable-image-build' to .
# 'false' to skip the image build and image scan steps. This will allow you to
# use this workflow for library projects as well.
#
# Trigger:
# Triggered by workflow calls (workflow_call)
#
# Inputs:
# See input section
#
# Outputs:
# None
name: PR Checks
permissions: {}
on:
workflow_call:
inputs:
enable-image-build:
description: Set to false to skip the image build and image scan steps
type: boolean
default: true
application-type:
description: Type of application to determine container build and scan steps. Supported values are 'spring-boot' and 'quarkus'
type: string
required: true
enable-auto-merge-dependabot:
description: Set to true to enable auto-merge for Dependabot PRs
type: boolean
default: false
enable-pr-title-verify:
description: Set to true to enable PR title verification
type: boolean
default: true
java-version:
description: Java version to use
default: "25"
required: false
type: string
java-distribution:
description: Java distribution to use
default: "liberica"
required: false
type: string
image-name:
description: Name of Docker image
required: false
type: string
image-pack:
description: Paketo builder image to use. See https://paketo.io/docs/reference/builders-reference/ for choices
default: builder-noble-java-tiny
required: false
type: string
image-pack-tag:
description: "Docker image pack version tag"
default: "latest"
required: false
type: string
auto-merge-types:
description: "Comma-separated list of update types to auto-merge when 'enable-auto-merge-dependabot' is true. Supported values can be seen in 'update-types' under https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#ignore--"
type: string
pull-request-title:
description: Optional override for PR title (defaults to actual PR title)
type: string
required: false
default: ''
pull-request-allowed-prefixes:
description: Override allowed prefixes (defaults to standard prefixes)
type: string
required: false
default: ''
pull-request-min-length-title:
description: Override minimum length (defaults to 10)
type: string
required: false
default: ''
pull-request-max-length-title:
description: Override maximum length (defaults to 100, -1 to disable)
type: string
required: false
default: ''
pull-request-case-sensitive-prefix:
description: Override case sensitivity ('true' or 'false'). Leave empty to use the standard default (false)
type: string
required: false
default: ''
artifact-name:
description: Name of artifact to upload after build and test step. If empty, no artifact will be uploaded
type: string
required: false
artifact-path:
description: Path to the artifact to upload
type: string
required: false
native:
description: Whether to build a native image with Quarkus (only applicable if application-type is 'quarkus')
required: false
type: boolean
default: false
cache-path:
description: Path to the file used for caching Maven dependencies. Default is set to root pom.xml, but can be set to a specific module pom.xml in multi-module projects to only cache dependencies for that module
default: "**/pom.xml"
required: false
type: string
maven-lifecycle:
description: Maven lifecycle phase (test, package, verify, install)
type: string
required: false
default: "test"
maven-clean:
description: Run the clean phase before the lifecycle phase
type: boolean
default: false
maven-update-snapshots:
description: Force update of SNAPSHOT dependencies (-U)
type: boolean
default: false
application-path:
description: 'Path to the application to scan with Trivy. Default is root of the repository, but can be set to a specific module in multi-module projects.'
default: "./"
required: false
type: string
module-name:
description: 'Only for container builds, the module in multi module projects which is bootable inside the container.'
type: string
required: false
default: ''
trivy-library-disable-scan:
description: Disable Trivy library scan
type: boolean
required: false
default: false
trivy-library-ignore-unfixed:
description: Ignore unfixed vulnerabilities in Trivy library scan
type: boolean
required: false
default: true
trivy-library-severity:
description: When to fail the scan with Trivy library vulnerabilities
type: string
required: false
default: 'HIGH,CRITICAL'
trivy-os-disable-scan:
description: Disable Trivy OS scan
type: boolean
required: false
default: false
trivy-os-ignore-unfixed:
description: Ignore unfixed vulnerabilities in Trivy OS scan
type: boolean
required: false
default: true
trivy-os-severity:
description: When to fail the scan with Trivy OS vulnerabilities
type: string
required: false
default: 'CRITICAL'
trivy-version:
description: Version of Trivy to use for scanning
type: string
required: false
default: ''
jobs:
validate-pr-title:
if: |
inputs.enable-pr-title-verify == true &&
github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Validate PR title
uses: felleslosninger/github-workflows/.github/actions/validate-pr-title@main
with:
pull-request-title: ${{ inputs.pull-request-title }}
allowed-prefixes: ${{ inputs.pull-request-allowed-prefixes }}
min-length-title: ${{ inputs.pull-request-min-length-title }}
max-length-title: ${{ inputs.pull-request-max-length-title }}
case-sensitive-prefix: ${{ inputs.pull-request-case-sensitive-prefix }}
build-and-test-java:
if: |
inputs.application-type == 'spring-boot' ||
inputs.application-type == 'quarkus'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2
- name: Set up JDK ${{ inputs.java-version }}
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # pin@v5.2.0
with:
distribution: "${{ inputs.java-distribution }}"
java-version: ${{ inputs.java-version }}
cache: maven
cache-dependency-path: ${{ inputs.cache-path }}
server-id: github
server-username: GH_PACKAGES_READ_USER
server-password: GH_PACKAGES_READ_PAT
- name: Run mvn ${{ inputs.maven-lifecycle }}
env:
GH_PACKAGES_READ_USER: ${{ secrets.GH_PACKAGES_READ_USER }}
GH_PACKAGES_READ_PAT: ${{ secrets.GH_PACKAGES_READ_PAT }}
LIFECYCLE: ${{ inputs.maven-lifecycle }}
MAVEN_CLEAN: ${{ inputs.maven-clean }}
UPDATE_SNAPSHOTS: ${{ inputs.maven-update-snapshots }}
run: |
case "$LIFECYCLE" in
test|package|verify|install)
;;
*)
echo "Invalid Maven lifecycle: $LIFECYCLE"
exit 1
;;
esac
# Build the Maven command dynamically
ARGS=("-B")
if [ "$MAVEN_CLEAN" == "true" ]; then
ARGS+=("clean")
fi
ARGS+=("$LIFECYCLE")
if [ "$UPDATE_SNAPSHOTS" == "true" ]; then
ARGS+=("--update-snapshots")
fi
# Execute the Maven command
mvn "${ARGS[@]}"
- name: Run Trivy vulnerability scanner (fs)
uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main
if: inputs.trivy-library-disable-scan == false
with:
scan-type: "fs"
application-path: ${{ inputs.application-path }}
library-disable-scan: ${{ inputs.trivy-library-disable-scan }}
library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }}
library-severity: ${{ inputs.trivy-library-severity }}
trivy-version: ${{ inputs.trivy-version }}
- name: Upload artifact
if: |
!cancelled() &&
inputs.artifact-path != ''
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # pin@v7.0.1
with:
name: ${{ inputs.artifact-name }}
path: ${{ inputs.artifact-path }}
call-spring-boot-container-scan:
name: Call Spring Boot container scan
needs: build-and-test-java
if: |
inputs.enable-image-build == true &&
inputs.application-type == 'spring-boot'
uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-container-scan.yml@main
permissions:
contents: read
with:
image-name: ${{ inputs.image-name }}
image-pack: ${{ inputs.image-pack }}
image-pack-tag: ${{ inputs.image-pack-tag }}
java-version: ${{ inputs.java-version }}
application-path: ${{ inputs.application-path }}
module-name: ${{ inputs.module-name }}
trivy-library-disable-scan: ${{ inputs.trivy-library-disable-scan }}
trivy-library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }}
trivy-library-severity: ${{ inputs.trivy-library-severity }}
trivy-os-disable-scan: ${{ inputs.trivy-os-disable-scan }}
trivy-os-ignore-unfixed: ${{ inputs.trivy-os-ignore-unfixed }}
trivy-os-severity: ${{ inputs.trivy-os-severity }}
trivy-version: ${{ inputs.trivy-version }}
secrets: inherit
call-quarkus-container-scan:
name: Call Quarkus container scan
needs: build-and-test-java
if: |
inputs.enable-image-build == true &&
inputs.application-type == 'quarkus'
uses: felleslosninger/github-workflows/.github/workflows/ci-quarkus-container-scan.yml@main
permissions:
contents: read
with:
image-name: ${{ inputs.image-name }}
image-pack: ${{ inputs.image-pack }}
image-pack-tag: ${{ inputs.image-pack-tag }}
java-version: ${{ inputs.java-version }}
native: ${{ inputs.native }}
application-path: ${{ inputs.application-path }}
trivy-library-disable-scan: ${{ inputs.trivy-library-disable-scan }}
trivy-library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }}
trivy-library-severity: ${{ inputs.trivy-library-severity }}
trivy-os-disable-scan: ${{ inputs.trivy-os-disable-scan }}
trivy-os-ignore-unfixed: ${{ inputs.trivy-os-ignore-unfixed }}
trivy-os-severity: ${{ inputs.trivy-os-severity }}
trivy-version: ${{ inputs.trivy-version }}
secrets: inherit
call-auto-merge:
name: Call auto-merge
if: |
always() &&
inputs.enable-auto-merge-dependabot == true &&
(needs.build-and-test-java.result == 'success' || needs.build-and-test-java.result == 'skipped') &&
(needs.call-spring-boot-container-scan.result == 'success' || needs.call-spring-boot-container-scan.result == 'skipped') &&
(needs.call-quarkus-container-scan.result == 'success' || needs.call-quarkus-container-scan.result == 'skipped')
needs:
[
build-and-test-java,
call-spring-boot-container-scan,
call-quarkus-container-scan,
]
uses: felleslosninger/github-workflows/.github/workflows/misc-approve-and-merge-dependabot-pr.yml@main
permissions:
contents: write
pull-requests: write
with:
update-types: ${{ inputs.auto-merge-types }}
secrets: inherit
# PS! At some point, after GitHub made changes to how Dependabot permissions
# worked, this step was skipped automatically. The Platform team thinks this
# is actually good, as we do not really want to support this behaviour because
# of supply-chain security concerns. It means that the Platform team do not
# want to encourage automatic image deployment of automatically merged
# Dependabot PRs without human oversight. This step will probably be removed
# in the future, but for now it is left in the workflow until it has been
# discussed further.
call-build-image:
name: Call build image
if: needs.call-auto-merge.outputs.merged == 'true'
runs-on: ubuntu-latest
needs: call-auto-merge
steps:
- name: call-build-publish-image
uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # pin@v4.0.1
with:
event-type: build-publish-image