forked from DependencyTrack/dependency-track
-
Notifications
You must be signed in to change notification settings - Fork 1
134 lines (118 loc) · 4.31 KB
/
_meta-build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
on:
workflow_call:
inputs:
app-version:
type: string
required: false
default: "snapshot"
description: "the version that should be set/used as tag for the container image"
publish-container:
type: boolean
required: false
default: false
description: "publish and scan the container image once its built"
secrets:
registry-0-usr:
required: true
registry-0-psw:
required: true
jobs:
build-java:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/[email protected]
- name: Set up JDK
uses: actions/[email protected]
with:
distribution: 'temurin'
java-version: '17'
cache: 'maven'
- name: Setup CycloneDX CLI
run: |
mkdir -p "$HOME/.local/bin"
echo "$HOME/.local/bin" >> $GITHUB_PATH
wget -O "$HOME/.local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
echo "ef0d3b31d176e02bc594f83e19cfcea053c6bc5b197351f71696e189390f851d $HOME/.local/bin/cyclonedx" | sha256sum -c
chmod +x "$HOME/.local/bin/cyclonedx"
- name: Build with Maven
run: |-
mvn clean
mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
mvn clean -P clean-exclude-wars
mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -P bundle-ui -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
mvn clean -P clean-exclude-wars
mvn cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
- name: Upload Artifacts
uses: actions/[email protected]
with:
name: assembled-wars
path: |-
target/*.jar
target/bom.json
build-container:
runs-on: ubuntu-latest
needs:
- build-java
strategy:
matrix:
distribution:
- apiserver
- bundled
fail-fast: false
steps:
- name: Checkout Repository
uses: actions/[email protected]
- name: Download Artifacts
uses: actions/[email protected]
with:
name: assembled-wars
path: target
- name: Set up QEMU
uses: docker/[email protected]
- name: Set up Docker Buildx
uses: docker/[email protected]
id: buildx
with:
install: true
- name: Login to Docker.io
uses: docker/[email protected]
if: ${{ inputs.publish-container }}
with:
registry: docker.io
username: ${{ secrets.registry-0-usr }}
password: ${{ secrets.registry-0-psw }}
- name: Set Container Tags
id: tags
run: |-
TAGS="docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}"
if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
TAGS="${TAGS},docker.io/dependencytrack/${{ matrix.distribution }}:latest"
fi
echo "::set-output name=tags::${TAGS}"
- name: Build multi-arch Container Image
uses: docker/[email protected]
with:
tags: ${{ steps.tags.outputs.tags }}
build-args: |-
APP_VERSION=${{ inputs.app-version }}
COMMIT_SHA=${{ github.sha }}
WAR_FILENAME=dependency-track-${{ matrix.distribution }}.jar
platforms: linux/amd64,linux/arm64
push: ${{ inputs.publish-container }}
context: .
file: src/main/docker/Dockerfile
- name: Run Trivy Vulnerability Scanner
if: ${{ inputs.publish-container }}
uses: aquasecurity/[email protected]
with:
image-ref: docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}
format: 'sarif'
output: 'trivy-results.sarif'
ignore-unfixed: true
vuln-type: 'os'
- name: Upload Trivy Scan Results to GitHub Security Tab
if: ${{ inputs.publish-container }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'