
Commit d7d03ee

committed
Merge remote-tracking branch 'origin/issue/434_Automate_Builds' into
develop
2 parents 62f8a52 + d8dc81e commit d7d03ee

10 files changed

Lines changed: 399 additions & 111 deletions


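--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,92 @@
+version: 2
+updates:
+# Java / Maven dependencies
+- package-ecosystem: "maven"
+directory: "/"
+target-branch: "develop"
+schedule:
+interval: "weekly"
+day: "sunday"
+open-pull-requests-limit: 15
+ignore:
+- dependency-name: "*"
+update-types: ["version-update:semver-major"]
+groups:
+spring-framework:
+patterns:
+- "org.springframework*"
+jetty:
+patterns:
+- "org.eclipse.jetty*"
+jersey:
+patterns:
+- "org.glassfish.jersey*"
+jackson:
+patterns:
+- "com.fasterxml.jackson*"
+tyrus:
+patterns:
+- "org.glassfish.tyrus*"
+operaton:
+patterns:
+- "org.operaton*"
+slf4j:
+patterns:
+- "org.slf4j*"
+bouncycastle:
+patterns:
+- "org.bouncycastle*"
+fhir:
+patterns:
+- "hapi-fhir*"
+- "org.hl7.fhir*"
+testing-tools:
+patterns:
+- "org.junit*"
+- "org.mockito*"
+safe-patch-updates:
+update-types:
+- "patch"
+remaining-minor-updates:
+update-types:
+- "minor"
+
+# GitHub Actions
+- package-ecosystem: "github-actions"
+directory: "/"
+target-branch: "develop"
+schedule:
+interval: "weekly"
+day: "sunday"
+open-pull-requests-limit: 10
+
+# Dockerfile base image updates
+- package-ecosystem: "docker"
+directories:
+- "/dsf-bpe/dsf-bpe-server-jetty/docker"
+- "/dsf-docker/bpe_proxy"
+- "/dsf-docker/fhir_proxy"
+- "/dsf-fhir/dsf-fhir-server-jetty/docker"
+target-branch: "develop"
+schedule:
+interval: "weekly"
+day: "sunday"
+groups:
+dockerfiles:
+patterns:
+- "*"
+
+# docker-compose image updates
+- package-ecosystem: "docker-compose"
+directories:
+- "/dsf-docker-dev-setup/bpe"
+- "/dsf-docker-dev-setup/fhir"
+- "/dsf-docker-dev-setup-3dic-ttp"
+target-branch: "develop"
+schedule:
+interval: "weekly"
+day: "sunday"
+groups:
+docker-compose:
+patterns:
+- "*"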
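Review bot: The blanket `ignore` entry (`dependency-name: "*"` with `version-update:semver-major`) in the maven block also suppresses Dependabot security-update PRs whose only fix lives in a new major version — as far as I recall, `ignore` conditions apply to security updates as well as version updates — so such a vulnerability would surface only as an alert, never as a PR. If that is intended, say so next to the entry, e.g. `# NOTE: major bumps are handled manually; check Dependabot alerts for fixes that exist only in a new major`, otherwise narrow the ignore to the specific dependencies whose majors need manual work. Security updates are raised against the repository's default branch, while every ecosystem here sets `target-branch: "develop"`, so if `main` is the default branch the two kinds of PR will land on different branches — worth confirming that is the intended split.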

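--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -0,0 +1,301 @@
+name: DSF 2.x Full Build
+
+on:
+push:
+branches: [ "release/*", "hotfix/*" ]
+tags:
+- v[0-9]+.[0-9]+.[0-9]+
+- v[0-9]+.[0-9]+.[0-9]+-M[0-9]+
+- v[0-9]+.[0-9]+.[0-9]+-RC[0-9]+
+pull_request:
+branches: [ "main", "develop" ]
+types: [opened, synchronize, reopened, closed]
+schedule:
+- cron: '11 15 * * 0' # Sundays, 15:11
+
+permissions: {}
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+cancel-in-progress: true
+
+env:
+MVN_BATCH_MODE_FAIL_AT_END: --batch-mode --fail-at-end
+MVN_SKIP_MOST: -P!generate-source-and-javadoc-jars -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -Denforcer.skip -Dmaven.buildNumber.skip=true -DskipShadePlugin=true
+
+jobs:
+codeql:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+security-events: write
+strategy:
+fail-fast: false
+matrix:
+language: [ 'java-kotlin', 'javascript-typescript' ]
+name: ${{ matrix.language }}
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- name: Set up JDK 25
+uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+with:
+distribution: 'zulu'
+java-version: 25
+cache: 'maven'
+- name: Initialize CodeQL
+uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+with:
+languages: ${{ matrix.language }}
+queries: security-extended, security-and-quality
+- name: Minimal Maven Build
+run: mvn package $MVN_BATCH_MODE_FAIL_AT_END $MVN_SKIP_MOST -DskipTests
+- name: Perform CodeQL Analysis
+uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+with:
+category: "/language:${{matrix.language}}"
+
+maven-quick:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+outputs:
+version: ${{ steps.version.outputs.version }}
+main: ${{ steps.main.outputs.main }}
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- name: Set up JDK 25
+uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+with:
+distribution: 'zulu'
+java-version: 25
+cache: 'maven'
+- name: Minimal Maven Build
+run: mvn install $MVN_BATCH_MODE_FAIL_AT_END $MVN_SKIP_MOST -DskipTests -DbuildNumber=${GITHUB_SHA} -DscmBranch=${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}
+- name: Upload quick-build results
+uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+with:
+name: quick_build
+path: |
+./**/target
+dsf-docker/bpe_proxy/ca/client_ca_chains/*.crt
+dsf-docker/bpe_proxy/ca/client_issuing_cas/*.crt
+dsf-docker/fhir_proxy/ca/client_ca_chains/*.crt
+dsf-docker/fhir_proxy/ca/client_issuing_cas/*.crt
+dsf-bpe/dsf-bpe-server-jetty/docker/api/v1/*.jar
+dsf-bpe/dsf-bpe-server-jetty/docker/api/v2/*.jar
+dsf-bpe/dsf-bpe-server-jetty/docker/ca/client_ca_chains/*.crt
+dsf-bpe/dsf-bpe-server-jetty/docker/ca/server_root_cas/*.crt
+dsf-bpe/dsf-bpe-server-jetty/docker/lib/*.jar
+dsf-bpe/dsf-bpe-server-jetty/docker/dsf_bpe.jar
+dsf-fhir/dsf-fhir-server-jetty/docker/ca/client_ca_chains/*.crt
+dsf-fhir/dsf-fhir-server-jetty/docker/ca/server_root_cas/*.crt
+dsf-fhir/dsf-fhir-server-jetty/docker/lib/*.jar
+dsf-fhir/dsf-fhir-server-jetty/docker/dsf_fhir.jar
+- name: Get Maven project version
+id: version
+run: echo "version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive org.codehaus.mojo:exec-maven-plugin:3.6.3:exec)" >> $GITHUB_OUTPUT
+- name: Checkout main branch
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+ref: main
+- name: Check if ref is main HEAD
+id: main
+run: echo "main=$( [ "$GITHUB_SHA" = "$(git rev-parse HEAD)" ] && echo true || echo false )" >> $GITHUB_OUTPUT
+
+maven-full:
+runs-on: ubuntu-latest
+needs: maven-quick
+permissions:
+contents: read
+strategy:
+fail-fast: false
+matrix:
+mvn:
+- name: JavaDoc
+cmd: mvn javadoc:javadoc $MVN_BATCH_MODE_FAIL_AT_END -Dformatter.skip=true -Denforcer.skip -Dmaven.buildNumber.skip=true -DskipShadePlugin=true
+- name: Formatter, Impsort, Enforcer, License Check
+cmd: mvn compile test-compile license:check $MVN_BATCH_MODE_FAIL_AT_END -Dmaven.buildNumber.skip=true
+- name: DAO Tests (not Binary)
+cmd: mvn failsafe:integration-test $MVN_BATCH_MODE_FAIL_AT_END $MVN_SKIP_MOST -Dfailsafe.includes=**/*DaoTest -Dfailsafe.excludes=**/BinaryDaoTest -DforkCount=2
+- name: DAO Tests (Binary only)
+cmd: mvn failsafe:integration-test $MVN_BATCH_MODE_FAIL_AT_END $MVN_SKIP_MOST -Dfailsafe.includes=**/BinaryDaoTest
+- name: Integration Tests (FHIR, not Binary)
+cmd: mvn failsafe:integration-test $MVN_BATCH_MODE_FAIL_AT_END $MVN_SKIP_MOST -Dfailsafe.includes=dev/dsf/fhir/**/*IntegrationTest -Dfailsafe.excludes=**/BinaryIntegrationTest -DforkCount=2
+- name: Integration Tests (FHIR, Binary only)
+cmd: mvn failsafe:integration-test $MVN_BATCH_MODE_FAIL_AT_END $MVN_SKIP_MOST -Dfailsafe.includes=dev/dsf/fhir/**/BinaryIntegrationTest -DforkCount=2
+- name: Integration Tests (BPE)
+cmd: mvn failsafe:integration-test $MVN_BATCH_MODE_FAIL_AT_END $MVN_SKIP_MOST -Dfailsafe.includes=dev/dsf/bpe/**/*IntegrationTest -DforkCount=2
+- name: Unit Tests
+cmd: mvn dependency:properties surefire:test $MVN_BATCH_MODE_FAIL_AT_END $MVN_SKIP_MOST
+name: ${{ matrix.mvn.name }}
+timeout-minutes: 8
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- name: Download quick-build results
+uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+with:
+name: quick_build
+path: ./
+- name: Set up JDK 25
+uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+with:
+distribution: 'zulu'
+java-version: 25
+cache: 'maven'
+- name: ${{ matrix.mvn.name }}
+run: ${{ matrix.mvn.cmd }}
+
+trivy:
+runs-on: ubuntu-latest
+needs: maven-quick
+permissions:
+contents: read
+security-events: write
+strategy:
+fail-fast: false
+matrix:
+image:
+- name: bpe_proxy
+context: dsf-docker/bpe_proxy
+- name: fhir_proxy
+context: dsf-docker/fhir_proxy
+- name: bpe
+context: dsf-bpe/dsf-bpe-server-jetty/docker
+- name: fhir
+context: dsf-fhir/dsf-fhir-server-jetty/docker
+name: ${{ matrix.image.name }}
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- name: Download quick-build results
+uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+with:
+name: quick_build
+path: ./
+- name: Set up Buildx
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+- name: Build Docker image
+run: docker build -t ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ github.sha }} ${{ matrix.image.context }}
+- name: Scan Docker image with Trivy
+uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+with:
+image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ github.sha }}
+format: 'sarif'
+output: 'trivy-results.sarif'
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+if: always()
+with:
+sarif_file: 'trivy-results.sarif'
+
+docker-deploy:
+if: ${{ (!endsWith(needs.maven-quick.outputs.version, '-SNAPSHOT') && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) || (github.event_name == 'pull_request' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'develop') }}
+runs-on: ubuntu-latest
+needs: [codeql, maven-quick, maven-full, trivy]
+permissions:
+contents: read
+packages: write
+id-token: write
+strategy:
+fail-fast: false
+matrix:
+image:
+- name: bpe
+context: dsf-bpe/dsf-bpe-server-jetty/docker
+- name: fhir
+context: dsf-fhir/dsf-fhir-server-jetty/docker
+- name: bpe_proxy
+context: dsf-docker/bpe_proxy
+- name: fhir_proxy
+context: dsf-docker/fhir_proxy
+name: ${{ matrix.image.name }}
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- name: Download quick-build results
+uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+with:
+name: quick_build
+path: ./
+- name: Set up QEMU
+uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+- name: Set up Buildx
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+- name: Login to GitHub Container Registry
+uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+- name: Docker metadata
+uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+id: meta
+with:
+images: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}
+flavor: latest=false
+tags: |
+type=semver,pattern={{version}}
+type=semver,pattern={{major}}.{{minor}}
+type=raw,value=latest,enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-') && needs.maven-quick.outputs.main == 'true' }}
+type=raw,value=develop,enable=${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'develop' }}
+# full version (1.2.3, 1.2.3-RC1, etc)
+# minor version (1.2)
+# latest only for stable releases
+# develop builds
+- name: Build and Push
+uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+id: push
+with:
+push: true
+tags: ${{ steps.meta.outputs.tags }}
+context: ${{ matrix.image.context }}
+platforms: linux/amd64,linux/arm64
+cache-from: type=gha,scope=${{ matrix.image.name }}
+cache-to: type=gha,mode=max,scope=${{ matrix.image.name }}
+- name: Export digest
+run: echo "DIGEST=${{ steps.push.outputs.digest }}" >> $GITHUB_ENV
+- name: Set up syft
+uses: anchore/sbom-action/download-syft@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
+- name: Generate SBOM
+run: syft ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@${DIGEST} -o cyclonedx-json > sbom.json
+- name: Set up cosign
+uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+- name: Attach SBOM
+run: cosign attest --yes --predicate sbom.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@${DIGEST}
+- name: Sign image
+run: cosign sign --yes ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@${DIGEST}
+
+maven-deploy:
+if: ${{ !endsWith(needs.maven-quick.outputs.version, '-SNAPSHOT') && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}
+runs-on: ubuntu-latest
+needs: [codeql, maven-quick, maven-full, trivy]
+permissions:
+contents: read
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+- name: Download quick-build results
+uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+with:
+name: quick_build
+path: ./
+- name: Set up JDK 25
+uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+with:
+distribution: 'zulu'
+java-version: 25
+cache: 'maven'
+server-id: central
+server-username: MAVEN_CENTRAL_USERNAME
+server-password: MAVEN_CENTRAL_TOKEN
+gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
+gpg-passphrase: MAVEN_GPG_PASSPHRASE
+- name: Deploy to Maven Central
+run: mvn deploy -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -DskipTests -Ppublish-to-maven-central -Dmaven.buildNumber.skip=true -DbuildNumber=${GITHUB_SHA} -DscmBranch=${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}
+env:
+MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
+MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}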
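Review bot: The two jobs that hold publishing credentials — `maven-deploy` (which receives `MAVEN_CENTRAL_TOKEN` and imports `MAVEN_GPG_PRIVATE_KEY` into the runner) and `docker-deploy` (which pushes, signs and can move `latest`) — are gated only on a `v*` tag push, so anyone who can push a tag can trigger a signed Maven Central release; add `environment: release` to both jobs, bind the Central/GPG secrets to that environment with required reviewers, and protect `v*` tags with a ruleset so the secrets are only handed to approved runs. The Trivy step sets neither `exit-code` nor `severity`, so a scan with critical findings still succeeds and `docker-deploy`, which `needs: trivy`, publishes and signs the image anyway; if the scan is meant to gate, add `exit-code: '1'` and `severity: 'CRITICAL,HIGH'`, otherwise add a comment saying it is advisory-only so nobody assumes it blocks. The merged-PR path of `docker-deploy` runs on the `pull_request` `closed` event, whose `GITHUB_TOKEN` is read-only for PRs from forks, so the ghcr login/push would presumably fail for a merged fork PR — worth confirming, or restricting that branch of the `if:` to same-repository PRs. The four explanatory comments placed after the `type=` lines of the `tags: |` block scalar must be indented less than those lines or they become part of the tags string handed to the metadata action; indentation is not visible in this view, so please check, and consider moving them above `tags:` where they read naturally.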
