forked from DependencyTrack/dependency-track
-
Notifications
You must be signed in to change notification settings - Fork 0
138 lines (121 loc) · 4.92 KB
/
_meta-build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
on:
workflow_call:
inputs:
app-version:
type: string
required: false
default: "snapshot"
description: "the version that should be set/used as tag for the container image"
publish-container:
type: boolean
required: false
default: false
description: "publish and scan the container image once its built"
secrets:
registry-0-usr:
required: true
registry-0-psw:
required: true
permissions: { }
jobs:
build-java:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
- name: Set up JDK
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # tag=v4.0.0
with:
distribution: 'temurin'
java-version: '17'
cache: 'maven'
- name: Setup CycloneDX CLI
run: |
mkdir -p "$HOME/.local/bin"
echo "$HOME/.local/bin" >> $GITHUB_PATH
wget -O "$HOME/.local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
echo "ef0d3b31d176e02bc594f83e19cfcea053c6bc5b197351f71696e189390f851d $HOME/.local/bin/cyclonedx" | sha256sum -c
chmod +x "$HOME/.local/bin/cyclonedx"
- name: Build with Maven
run: |-
mvn clean
mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
mvn clean -P clean-exclude-wars
mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -P bundle-ui -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
mvn clean -P clean-exclude-wars
mvn cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
- name: Upload Artifacts
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v4.3.1
with:
name: assembled-wars
path: |-
target/*.jar
target/bom.json
build-container:
runs-on: ubuntu-latest
permissions:
security-events: write # Required to upload trivy's SARIF output
needs:
- build-java
strategy:
matrix:
distribution:
- apiserver
- bundled
fail-fast: false
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
- name: Download Artifacts
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # tag=v4.1.2
with:
name: assembled-wars
path: target
- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v3.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # tag=v3.0.0
id: buildx
with:
install: true
- name: Login to Docker.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # tag=v3.0.0
if: ${{ inputs.publish-container }}
with:
registry: docker.io
username: ${{ secrets.registry-0-usr }}
password: ${{ secrets.registry-0-psw }}
- name: Set Container Tags
id: tags
run: |-
TAGS="docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}"
if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
TAGS="${TAGS},docker.io/dependencytrack/${{ matrix.distribution }}:latest"
fi
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
- name: Build multi-arch Container Image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # tag=v5.1.0
with:
tags: ${{ steps.tags.outputs.tags }}
build-args: |-
APP_VERSION=${{ inputs.app-version }}
COMMIT_SHA=${{ github.sha }}
WAR_FILENAME=dependency-track-${{ matrix.distribution }}.jar
platforms: linux/amd64,linux/arm64
push: ${{ inputs.publish-container }}
context: .
file: src/main/docker/Dockerfile
- name: Run Trivy Vulnerability Scanner
if: ${{ inputs.publish-container }}
uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # tag=0.17.0
with:
image-ref: docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}
format: 'sarif'
output: 'trivy-results.sarif'
ignore-unfixed: true
vuln-type: 'os'
- name: Upload Trivy Scan Results to GitHub Security Tab
if: ${{ inputs.publish-container }}
uses: github/codeql-action/upload-sarif@47b3d888fe66b639e431abf22ebca059152f1eea # tag=v3.24.5
with:
sarif_file: 'trivy-results.sarif'