generated from cybnity/domain-vulnerability-mgt
-
Notifications
You must be signed in to change notification settings - Fork 0
245 lines (225 loc) · 12.7 KB
/
java-project-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
# Main COMMIT STAGE workflow regarding the java projects managed via Maven tool
name: Java Project CI (COMMIT STAGE)
run-name: COMMIT STAGE - Java codes build & quality verification
on:
push:
# execution when development java source codes commit is pushed by a developer of a feature, hotfix, or fix branch
branches:
- 'feature*'
- 'hotfix*'
- 'fix*'
# execute only when changes detected on files or java sub-projects contents
# becarefull, path filters are not evaluated on tags
paths:
- 'pom.xml'
- 'implementations-line/**'
- 'systems-line/**'
- '.github/workflows/java-project-ci.yml'
- '.github/workflows/check-project-technical-quality.yml'
- '.github/workflows/publish-java-packages-version-to-repository.yml'
- '!**/*.md'
# execute when a alpha tag is added on the feature branch as "finished work" (e.g by developer)
tags:
- '[0-9]+.[0-9]+.[0-9]+-*'
- '*-reviewed'
- 'reviewed*'
- '*-alpha'
pull_request:
# execution when pull request is requested by a developer (e.g to reviewer) on his development branch or another branch
types: [opened, reopened, review_requested]
branches:
- 'feature*'
- 'hotfix*'
- 'fix*'
# execute only when reviewed files or java sub-projects
paths:
- 'pom.xml'
- 'implementations-line/**'
- 'systems-line/**'
pull_request_target:
# when a pull request merges, the pull request is automatically closed (so check the merged state)
types: [closed]
# execution when feature's artifacts (e.g implementation doc, java source code) were reviewed
branches:
- 'feature*'
- 'hotfix*'
- 'fix*'
# execute only when reviewed files or java sub-projects
paths:
- 'pom.xml'
- 'implementations-line/**'
- 'systems-line/**'
# The commit stage workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
define_project_release_name:
name: Release name preparation
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
release_name: ${{ env.release_name }}
is_snapshot: ${{ env.is_snapshot }}
latest_release_name: ${{ env.latest_release_name }}
steps:
- name: Check existing project defined version name
if: ${{ github.event.release.tag_name != '' }}
# Read the release name defined into the GitHub project
run: |
echo The current release tag is ${{ github.event.release.tag_name }}
echo "TAG_VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
echo "is_snapshot=${{ contains(github.event.release.tag_name, 'snapshot') || contains(github.event.release.tag_name, 'reviewed') }}" >> $GITHUB_ENV
- name: Set the release name of the project based on GitHub tag name
if: ${{ env.TAG_VERSION != '' }}
run : |
echo "Define the final version identifier from the GitHub project's current tag name"
echo "release_name=$TAG_VERSION" >> $GITHUB_ENV
echo "Development version type is detected from the GitHub tag name as ${{ env.is_snapshot }}"
# Build specific release name because none tag is existing on GitHub project
- name: Define reusable environment variables about current commit
if: ${{ env.TAG_VERSION == '' }}
uses: FranzDiebold/github-env-vars-action@v2
- name: Define an unique revision name (pattern <<feature branch name>>.<<commit id abbrev>>) regarding development release
if: ${{ env.TAG_VERSION == '' }}
run: |
echo "Git commit revision $CI_SHA_SHORT abbreviation based on 7 characters (default) maximum (origin based: $CI_SHA)"
echo "COMMIT_ID=$CI_SHA_SHORT" >> $GITHUB_ENV
echo "FEATURE_NAME=$CI_ACTION_REF_NAME_SLUG" >> $GITHUB_ENV
echo "is_snapshot=true" >> $GITHUB_ENV
echo "Development version type is defined as snapshot based on $CI_SHA_SHORT commit revision number"
- name: Define a snapshot feature name (based on unique commit id) and latest version name
# Build final name about featureX name, but avoiding COMMIT_ID and SNAPSHOT suffix
if: ${{ env.TAG_VERSION == '' && ( !contains(env.FEATURE_NAME, 'alpha') && !contains(env.FEATURE_NAME, 'reviewed') ) }}
# Build unique name including commit_id suffix based
# Example of output name: feature-133.9efbb506-SNAPSHOT
# Example of latest version name: feature-133-SNAPSHOT
run: |
echo "release_name=$FEATURE_NAME.$COMMIT_ID-SNAPSHOT" >> $GITHUB_ENV
echo "latest_release_name=$FEATURE_NAME-SNAPSHOT" >> $GITHUB_ENV
- name: Set a snapshot reviewed version name of the project based on CYBNITY versioning strategy
# Build final name about any tag named branch (maybe don't include feature name including -reviewed or -alpha)
if: ${{ env.TAG_VERSION == '' && env.release_name == '' }}
# Build name based on a potential included tag (e.g 0.0.7-reviewed, 0.0.7-alpha, 0.0.7) without commit_id suffix
# Example of output name 0.0.7-reviewed-SNAPSHOT, feature133-alpha-SNAPSHOT
run: echo "release_name=$FEATURE_NAME-SNAPSHOT" >> $GITHUB_ENV
binary_build:
name: Java components build & test
if: success() && github.event_name == 'push'
needs: [define_project_release_name]
runs-on: ubuntu-latest
permissions:
contents: read
env:
RELEASE_NAME: ${{ needs.define_project_release_name.outputs.release_name }}
DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_ACCESS_ACCOUNT }}
DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_ACCESS_TOKEN }}
MAVEN_USERNAME: ${{ secrets.AGNET_REPO_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.AGNET_REPO_PASSWORD }}
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
GITHUB_TOKEN: ${{ github.token }} # GITHUB_TOKEN is the default env for the password
outputs:
release_name: ${{ env.RELEASE_NAME }}
steps:
- name: Checkout source codes from branch
id: checkout_step
uses: actions/checkout@v4
with:
repository: ${{ github.repository }}
token: ${{ github.token }}
ref: ${{ inputs.branch_name }}
- name: Set up java runtime (Temurin JDK)
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
cache: maven
# defined settings.xml values allowing use of CYBNITY Maven remote repository
server-id: agnet
server-username: MAVEN_USERNAME
server-password: MAVEN_PASSWORD
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value (without an modification than exported by the gpg --export-secret-keys command) of the GPG private key (33105BFD367D25B3) to import
gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
- name: Install gpg secret key used for artefacts signing
run: |
# Install gpg secret key
cat <(echo -e "${{ secrets.MAVEN_GPG_PRIVATE_KEY }}") | gpg --batch --import
# Verify gpg secret key
gpg --list-secret-keys --keyid-format LONG
- name: Validate all necessary information and compile source code
run: |
echo "Set the project artifacts version in pom files"
mvn -B -DgenerateBackupPoms=true -DprocessAllModules=true versions:set -DnewVersion=${{ env.RELEASE_NAME }}
echo "Execute the java project(s) build via Maven tool"
mvn --batch-mode --update-snapshots --show-version -Drevision=${{ env.RELEASE_NAME }} --fail-fast --file pom.xml -Dstage=commit clean compile -Dmaven.test.skip=true
- name: Execute unit tests validating the java compiled source code
run: |
echo "Compile unit tests and java project(s), and execute tests via Maven tool"
mvn --batch-mode --update-snapshots --show-version -Drevision=${{ env.RELEASE_NAME }} -Dmaven.test.skip=false --fail-fast --file pom.xml -Dstage=commit test
- name: Package compiled java code in its distributable format (e.g JAR, Docker image)
run: |
mvn --batch-mode --update-snapshots --show-version -Drevision=${{ env.RELEASE_NAME }} -Ddocker.username=${{ env.DOCKER_REGISTRY_USERNAME }} -Ddocker.password=${{ env.DOCKER_REGISTRY_PASSWORD }} -Ddocker.cleanup=none --fail-fast --file pom.xml -Dstage=commit package -Dmaven.test.skip=true
- name: Verify packaged components
run: |
echo "Run any checks to verify the package is valid and meets quality criteria (including test resources) without unit test execution"
mvn -Drevision=${{ env.RELEASE_NAME }} --batch-mode --update-snapshots --show-version -Ddocker.username=${{ env.DOCKER_REGISTRY_USERNAME }} -Ddocker.password=${{ env.DOCKER_REGISTRY_PASSWORD }} -Ddocker.cleanup=none --fail-fast --file pom.xml -Dstage=commit verify -DskipTests
# Verify the technical quality of the version
check_technical_quality:
name: Technical quality check
if: success() && github.event_name == 'push'
needs: [binary_build]
uses: ./.github/workflows/check-project-technical-quality.yml
with:
config-path: ${{ needs.binary_build.steps.checkout_step.ref }}
package_release_name: ${{ needs.binary_build.outputs.release_name }}
secrets: inherit
# Prepare a release for remote repository installation (published in place of old equals release name in remote repository, reviewed or not)
# Publish release of parent pom.xml and sub-projects (reusable by other development, or for processing by Automated Acceptance Test stage) that potentially replace previous equals version named
publish_version_to_release_remote_repository:
name: Release publishing
if: ${{ success() && needs.define_project_release_name.outputs.is_snapshot == 'false' }}
needs: [define_project_release_name, binary_build]
uses: ./.github/workflows/publish-java-packages-version-to-repository.yml
with:
config-path: ${{ needs.binary_build.steps.checkout_step.ref }}
target_repository: RELEASE
package_release_name: ${{ needs.binary_build.outputs.release_name }}
secrets: inherit
# Prepare only a snapshot version for remote repository installation
publish_tagged_version_to_snapshot_remote_repository:
name: Tagged snapshot version publishing
# By default, don't publish snapshot version on other repository than the local developer workstation's maven repository
# The Pull Request (PR) of development revision was approved and merged, but maybe work is not finished
# Publish TAGGED snapshot version (parent pom.xml and sub-projects available for other features' developers) on remote repository
# it's a development version publishable as 'snapshot'
# only when approved, merged and tagged as 'reviewed' (e.g by reviewer)
# or only when a reviewed tag is pushed only on the branch (e.g after a review already executed after closed PR)
# or only when a alpha tag is pushed only on the branch (e.g when feature developer or reviewer indicate that work is finished)
if: ${{ success()
&& needs.define_project_release_name.outputs.is_snapshot == 'true'
&& (
(github.event.pull_request.merged == true && github.event.pull_request.reviewDecision == 'approved')
||
( github.event_name == 'push' && github.ref_type == 'tag' && ( contains(github.ref_name, 'reviewed') || contains(github.ref_name, 'alpha') ))
)
}}
needs: [define_project_release_name, binary_build]
uses: ./.github/workflows/publish-java-packages-version-to-repository.yml
with:
config-path: ${{ needs.binary_build.steps.checkout_step.ref }}
target_repository: SNAPSHOT
package_release_name: ${{ needs.binary_build.outputs.release_name }}
secrets: inherit
# Prepare only a snapshot latest version for remote repository installation
publish_latest_version_to_snapshot_remote_repository:
name: Latest version publishing
# Publish not tagged snapshot version but as a common name equals to latest version of feature branche available for other domain application projects managed in other repositories
if: ${{ success()
&& needs.define_project_release_name.outputs.is_snapshot == 'true'
&& (github.event_name == 'push' && needs.define_project_release_name.outputs.latest_release_name != '' && contains(github.ref_name, 'feature'))
}}
needs: [define_project_release_name, binary_build]
uses: ./.github/workflows/publish-java-packages-version-to-repository.yml
with:
config-path: ${{ needs.binary_build.steps.checkout_step.ref }}
target_repository: SNAPSHOT
package_release_name: ${{ needs.define_project_release_name.outputs.latest_release_name }}
secrets: inherit