@wenqiglantz
Last active November 21, 2022 04:22
name: CI JVM workflow
on:
  workflow_dispatch:
    inputs:
      environment:
        description: 'Environment to run the workflow against'
        type: environment
        required: true
  pull_request:
    branches: [ main ]
  push:
    branches: [ main ]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # need this for OIDC
      contents: read
    environment: ${{ github.event.inputs.environment || 'dev' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
      - name: Checkout Code
        uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@05b148adc31e091bafbaf404f745055d4d3bc9d2
        with:
          role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Setup jdk
        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
        with:
          java-version: 17
          distribution: 'adopt'
          cache: maven
      - name: Print debug info
        run: |
          echo "JAVA_HOME: $JAVA_HOME"
          java --version
      - name: Build with Maven and Buildpacks
        run: mvn clean spring-boot:build-image -Dspring-boot.build-image.imageName=${{ secrets.ECR_REPOSITORY_NAME }}:latest
      - name: Set project version as environment variable
        run: echo "PROJECT_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_ENV
      - name: Print debug info
        run: |
          echo project version is ${{ env.PROJECT_VERSION }}
      - name: Scan ECR image with Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
        with:
          image-ref: ${{ secrets.ECR_REPOSITORY_NAME }}:latest
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
      - name: Tag and push image to AWS ECR
        id: push-image # an id is required for later steps to read this step's outputs
        env:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          ECR_REGISTRY: ${{ secrets.ECR_REGISTRY }}
          ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY_NAME }}
          IMAGE_TAG: ${{ env.PROJECT_VERSION }}
        run: |
          # Log in to ECR, tag the image built by Buildpacks above, and push it so it can be deployed to ECS.
          aws ecr get-login-password --region $AWS_REGION | docker login -u AWS --password-stdin $ECR_REGISTRY
          docker tag $ECR_REPOSITORY:latest $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          # ::set-output is deprecated; write step outputs to $GITHUB_OUTPUT instead
          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
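The workflow above leans on three hardening choices that are easy to regress in later edits: every action is pinned to a full commit SHA rather than a mutable tag, the job declares a least-privilege `permissions` block, and the runner's egress policy is meant to move from `audit` to `block`. The following stdlib-only Python checker is an added example, not part of the gist, that flags those regressions in a workflow file before it is merged. The `SAMPLE_WORKFLOW` text is constructed for the example (it reuses the harden-runner SHA from the gist and deliberately mixes in an unpinned `@v3` reference and a deprecated `::set-output` command); the rule names and messages are this example's own.

```python
import re

# A fully pinned action reference ends in a 40-hex-character commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" whether or not it starts a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
EGRESS_RE = re.compile(r"^\s*egress-policy:\s*([A-Za-z]+)")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")


def check_workflow(text):
    """Return a list of (line_no, message) findings for a GitHub Actions workflow.

    Line-based on purpose: it needs no YAML parser and runs anywhere Python does.
    Findings with line 0 concern the file as a whole.
    """
    findings = []
    has_permissions = False
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local actions and docker:// images are not GitHub repo refs; skip them.
            if not (ref.startswith("./") or ref.startswith("docker://")):
                action, _, version = ref.partition("@")
                if not SHA_RE.match(version):
                    findings.append(
                        (n, f"unpinned action {action}@{version or '<none>'}: "
                            "pin to a full commit SHA so the code cannot change under you"))
        if "::set-output" in line or "::save-state" in line:
            findings.append((n, "deprecated workflow command: write to $GITHUB_OUTPUT / $GITHUB_STATE"))
        m = EGRESS_RE.match(line)
        if m and m.group(1) != "block":
            findings.append((n, f"egress-policy is '{m.group(1)}': 'block' is what actually enforces the allow-list"))
        if PERMISSIONS_RE.match(line):
            has_permissions = True
    if not has_permissions:
        findings.append((0, "no permissions block: GITHUB_TOKEN receives the repository default scopes"))
    return findings


# Constructed sample for this example; it is not the gist's workflow.
SAMPLE_WORKFLOW = """\
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
        with:
          egress-policy: audit
      - uses: actions/checkout@v3
      - run: echo "::set-output name=image::example"
"""


if __name__ == "__main__":
    import sys
    # Check a real file if one is given on the command line, else the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    results = check_workflow(source)
    for line_no, message in results:
        print(f"line {line_no}: {message}")
    sys.exit(1 if results else 0)
```

Run it as `python check_workflow.py .github/workflows/ci.yml` in a pre-merge job; a non-zero exit blocks the change. Because the gist pins every action and sets `permissions`, the only finding it would raise on the workflow above is the `egress-policy: audit` line the author already marked as a TODO.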