chore: Added trufflehog secret scanning tool #1358
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: IRS build | |
| on: | |
| workflow_dispatch: # Trigger manually | |
| pull_request: | |
| paths-ignore: | |
| - '**/*.md' | |
| - '**/*.txt' | |
| - 'charts/**' | |
| - '.config/**' | |
| - 'docs/**' | |
| - '!docs/src/api/**' | |
| - 'local/**' | |
| - 'CHANGELOG.md' | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - '**' | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| - name: Cache maven packages | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.m2 | |
| key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: ${{ runner.os }}-m2 | |
| - name: Build with Maven | |
| run: | | |
| mvn clean verify --batch-mode | |
| check_sonar_configured: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: check_sonar_configured | |
| run: | | |
| echo "Checking if sonar is configured: ${{ env.SONAR_CONFIGURED }}" | |
| env: | |
| SONAR_CONFIGURED: ${{ secrets.SONAR_TOKEN != '' && secrets.SONAR_PROJECT_KEY != '' && secrets.SONAR_ORGANIZATION != '' }} | |
| outputs: | |
| sonar_configured: ${{ env.SONAR_CONFIGURED }} | |
| analyze_with_Sonar: | |
| needs: [check_sonar_configured] | |
| # No need to run if we cannot use the sonar token | |
| if: >- | |
| needs.check_sonar_configured.outputs.sonar_configured == 'true' | |
| && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) | |
| && github.actor != 'dependabot[bot]' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of sonar analysis | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| - name: Cache maven packages | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.m2 | |
| key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: ${{ runner.os }}-m2 | |
| - name: Cache SonarCloud packages | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.sonar/cache | |
| key: ${{ runner.os }}-sonar | |
| restore-keys: ${{ runner.os }}-sonar | |
| - name: Analyze with Sonar | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| run: | | |
| mvn --batch-mode --update-snapshots verify \ | |
| org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ | |
| -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }} \ | |
| -Dcheckstyle.skip -Dpmd.skip=true | |
| build_images: | |
| env: | |
| IMAGE_NAMESPACE: tractusx | |
| IMAGE_NAME: irs-api | |
| TARGET_PLATFORMS: "linux/amd64" # add 'linux/arm64' once the upgrade to JDK 21 is done | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image-tag: ${{ steps.version.outputs.image_tag }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Needed to create multi-platform image | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| # Needed to create multi-platform image | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| # Create SemVer or ref tags dependent of trigger event | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }} | |
| # Automatically prepare image tags; See action docs for more examples. | |
| # semver patter will generate tags like these for example :1 :1.2 :1.2.3 | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=sha,prefix=,format=long | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| - name: DockerHub login | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| # Use existing DockerHub credentials present as secrets | |
| username: ${{ secrets.DOCKER_HUB_USER }} | |
| password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| # Needed to create multi-platform image | |
| platforms: ${{ env.TARGET_PLATFORMS }} | |
| # Build image for verification purposes on every trigger event. Only push if event is not a PR | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| # https://github.com/peter-evans/dockerhub-description | |
| - name: Update Docker Hub description | |
| if: github.event_name != 'pull_request' | |
| uses: peter-evans/dockerhub-description@v4 | |
| with: | |
| username: ${{ secrets.DOCKER_HUB_USER }} | |
| password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
| repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }} | |
| readme-filepath: ./DOCKER_NOTICE.md | |
| trigger-trivy-image-scan: | |
| if: github.event_name != 'pull_request' | |
| needs: | |
| - build_images | |
| uses: ./.github/workflows/trivy-docker-hub-scan.yml |