From a19cc9c7a32744eb796fb2a8c625431f1ea5d6b6 Mon Sep 17 00:00:00 2001
From: Simon Anderson
Date: Thu, 13 Jun 2024 13:41:15 +1000
Subject: [PATCH] Updated build scripts
---
.github/workflows/docker-build.yml | 41 +++++++++++
.github/workflows/maven-build.yml | 91 ++++++++++++++++++++++---
.github/workflows/pull-request-scan.yml | 72 +++++++++++++++++++
.github/workflows/xray-scan.yml | 15 ++++
4 files changed, 210 insertions(+), 9 deletions(-)
create mode 100644 .github/workflows/docker-build.yml
create mode 100644 .github/workflows/pull-request-scan.yml
create mode 100644 .github/workflows/xray-scan.yml
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
new file mode 100644
index 000000000..5d7f0d478
--- /dev/null
+++ b/.github/workflows/docker-build.yml
@@ -0,0 +1,41 @@
+name: Build and Tag Docker Image
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ build-and-tag:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Setup JFrog CLI
+ uses: jfrog/setup-jfrog-cli@v3
+ env:
+ JF_URL: ${{ secrets.JF_URL }}
+ JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+
+ - name: Build Tag and push Docker Image
+ env:
+ IMAGE_NAME: simonanderson.jfrog.io/petclinic-docker/jfrog-docker-example-image:${{ github.run_number }}
+ run: |
+ jf docker build -t $IMAGE_NAME .
+ jf docker push $IMAGE_NAME
+
+ - name: Publish Build info With JFrog CLI
+ env:
+ # Generated and maintained by GitHub
+ JFROG_CLI_BUILD_NAME: jfrog-docker-build-example
+ # JFrog organization secret
+ JFROG_CLI_BUILD_NUMBER : ${{ github.run_number }}
+ run: |
+ # Export the build name and build nuber
+ # Collect environment variables for the build
+ jf rt build-collect-env
+ # Collect VCS details from git and add them to the build
+ jf rt build-add-git
+ # Publish build info
+ jf rt build-publish
\ No newline at end of file
diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml
index 4718a6ce5..3b6b891c6 100644
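Review bot: JFROG_CLI_BUILD_NAME and JFROG_CLI_BUILD_NUMBER are set only on the final "Publish Build info" step, so the `jf docker build` / `jf docker push` step before it runs with no build name or number and, as far as I can tell, the pushed image is never attached to the build info that `jf rt build-publish` then publishes; moving those two keys to a job-level `env:` under `build-and-tag:` (and dropping the stray space in `JFROG_CLI_BUILD_NUMBER :`) fixes that. The two comments above those keys, `# Generated and maintained by GitHub` and `# JFrog organization secret`, describe neither value — the name is a literal and the number is `${{ github.run_number }}` — so they should be replaced or removed, and `# Export the build name and build nuber` heads a step that exports nothing. The workflow declares no `permissions:`, so the job token keeps the repository default scope even though nothing here needs more than `permissions: contents: read`. `actions/checkout@v2` and `jfrog/setup-jfrog-cli@v3` also lag the `@v4` versions used in maven-build.yml in this same patch, and the `IMAGE_NAME` registry host `simonanderson.jfrog.io` is hard-coded rather than derived from the same place as `JF_URL`.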
--- a/.github/workflows/maven-build.yml
+++ b/.github/workflows/maven-build.yml
@@ -1,29 +1,102 @@ -# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven - -name: Java CI with Maven +name: Build Spring Petclinic with JFrog Artifactory on: push: branches: [ main ] pull_request: branches: [ main ] + workflow_dispatch: + jobs: build: - + name: 'Build Spring Petclinic' + env: + JFROG_CLI_BUILD_NAME: 'Petclinic from GitHub workflow' + JFROG_CLI_BUILD_NUMBER: ${{ github.run_number }} + JFROG_CLI_BUILD_PROJECT: ${{ vars.JF_PROJECT }} runs-on: ubuntu-latest strategy: matrix: java: [ '17' ] steps: - - uses: actions/checkout@v4 - - name: Set up JDK ${{matrix.java}} + - + name: Checkout + uses: actions/checkout@v4 + - + name: Set up JDK ${{matrix.java}} uses: actions/setup-java@v4 with: java-version: ${{matrix.java}} distribution: 'adopt' cache: maven - - name: Build with Maven Wrapper - run: ./mvnw -B package + - + name: Setup JFrog CLI + uses: jfrog/setup-jfrog-cli@v4 + env: + JF_URL: ${{ vars.JF_URL }} + JF_USER: ${{ secrets.JF_USER }} + JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + JF_PROJECT: ${{ vars.JF_PROJECT }} + - + name: Read POM + run: | + echo "petclinicArtifactName=$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)" >> $GITHUB_ENV + echo "petclinicVersion=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_ENV + - + name: Run Source Code Audit + run: | + jf audit --licenses --format=table --mvn=true + - + name: Build Maven package + run: | + jf mvn-config --repo-resolve-releases fg-maven --repo-resolve-snapshots fg-maven --repo-deploy-releases fg-maven-dev-local-releases --repo-deploy-snapshots fg-maven-dev-local-snapshots + jf mvn clean package -Dtest=!PostgresIntegrationTests* '-Dspring-javaformat.skip=true' --project ${{ env.JFROG_CLI_BUILD_PROJECT }} + - + name: Scan Maven package + run: | + jf 
scan --watches fredericg-watch --licenses --format=json ./target/${{ env.petclinicArtifactName }}-${{ env.petclinicVersion }}.jar + - + name: Deploy Maven package to Artifactory + if: github.ref == 'refs/heads/main' + run: | + jf mvn deploy -Dmaven.main.skip=true -Dmaven.install.skip=true -DskipTests --project ${{ env.JFROG_CLI_BUILD_PROJECT }} + - + name: Build Docker image + if: github.ref == 'refs/heads/main' + env: + JF_URL: ${{ vars.JF_URL }} + JF_USER: ${{ secrets.JF_USER }} + JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + JF_PROJECT: ${{ vars.JF_PROJECT }} + run: | + jf docker build -t soleng.jfrog.io/fg-docker/${{ env.petclinicArtifactName }}:${{ env.petclinicVersion }} --build-arg petclinicArtifact=./target/${{ env.petclinicArtifactName }}-${{ env.petclinicVersion }}.jar . + jf docker push soleng.jfrog.io/fg-docker/${{ env.petclinicArtifactName }}:${{ env.petclinicVersion }} --project ${{ env.JFROG_CLI_BUILD_PROJECT }} + - + name: Scan Docker image + if: github.ref == 'refs/heads/main' + run: | + jf docker scan soleng.jfrog.io/fg-docker/${{ env.petclinicArtifactName }}:${{ env.petclinicVersion }} --severity='HIGH,CRITICAL' + - + name: Publish build info + if: github.ref == 'refs/heads/main' + run: | + jf rt build-publish --project ${{ env.JFROG_CLI_BUILD_PROJECT }} "${{ env.JFROG_CLI_BUILD_NAME }}" "${{ env.JFROG_CLI_BUILD_NUMBER }}" + - + name: Create Release Bundle + if: github.ref == 'refs/heads/main' + run: | + echo "=== Generating Release Bundle ===" + echo ' + { + "builds": [ + { + "name": "${{ env.JFROG_CLI_BUILD_NAME }}", + "number": "${{ env.JFROG_CLI_BUILD_NUMBER }}", + "project": "${{ env.JFROG_CLI_BUILD_PROJECT }}" + } + ] + } + ' > builds.json + jf release-bundle-create --builds=./builds.json --project ${{ env.JFROG_CLI_BUILD_PROJECT }} --signing-key fredericg-gpg "${{ env.petclinicArtifactName }}" "${{ env.petclinicVersion }}" \ No newline at end of file 
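Review bot: The `run:` scripts of "Scan Maven package", "Build Docker image", "Scan Docker image" and "Create Release Bundle" splice `${{ env.petclinicArtifactName }}` and `${{ env.petclinicVersion }}` into shell text by expression substitution, and those values are read from the checked-out pom by `mvn help:evaluate`, so a pom whose artifactId or version carries shell metacharacters would be executed by the runner shell; since the "Read POM" step already writes them to `$GITHUB_ENV`, referencing them as `$petclinicArtifactName` / `$petclinicVersion` removes the substitution without changing what the commands do. The workflow also runs on `pull_request`, where fork-originated runs receive no secrets, so `jf audit` and `jf scan` will presumably fail for external contributors rather than produce findings — worth a comment or an `if:` on those steps. The "Build Docker image" step re-declares JF_URL/JF_USER/JF_PASSWORD/JF_PROJECT that were already handed to `jfrog/setup-jfrog-cli@v4`; if the CLI config that action writes is what `jf docker` reads, the second copy is redundant. `--watches fredericg-watch`, `--signing-key fredericg-gpg` and the `soleng.jfrog.io/fg-docker` registry path are literals while the project name comes from `vars.JF_PROJECT`; a short comment explaining why those are not repository variables too would help the next maintainer.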
diff --git a/.github/workflows/pull-request-scan.yml b/.github/workflows/pull-request-scan.yml
new file mode 100644
index 000000000..07d90277a
--- /dev/null
+++ b/.github/workflows/pull-request-scan.yml
@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Frogbot Scan Pull Request does the following:
+# Automatically scans new pull requests for security vulnerabilities.
+# Uses JFrog Xray to scan the project.
+# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
+
+# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+
+name: "Frogbot Scan Pull Request"
+on:
+ pull_request_target:
+ types: [ opened, synchronize ]
+permissions:
+ pull-requests: write
+ contents: read
+ security-events: write
+jobs:
+ scan-pull-request:
+ runs-on: ubuntu-latest
+ # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
+ # "frogbot" GitHub environment can approve the pull request to be scanned.
+ # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md
+ environment: frogbot
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ -
+ name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'adopt'
+ cache: maven
+
+ # IMPORTANT:
+ # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
+ # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+ - uses: jfrog/frogbot@v2 # v2.10.0
+ env:
+ # [Mandatory if the two conditions below are met]
+ # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
+ # 2.
The `installCommand` variable isn't set in your frogbot-config.yml file.
+ #
+ # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
+ # JF_INSTALL_DEPS_CMD: ""
+
+ # [Mandatory]
+ # JFrog platform URL
+ JF_URL: ${{ secrets.JF_URL }}
+ JF_USER: ${{ secrets.JF_USER }}
+ JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ JF_PROJECT: "fg"
+ JF_WATCH: "fredericg-watch"
+ JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
+ JFROG_CLI_LOG_LEVEL: “DEBUG”
+ # [Optional]
+ # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
+ # in Artifactory, which proxies https://releases.jfrog.io/artifactory
+ # The 'frogbot' executable and other tools it needs will be downloaded through this repository.
+ # JF_RELEASES_REPO: ""
+
+ # [Optional]
+ # Frogbot will download the project dependencies, if they're not cached locally. To download the
+ # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
+ # need to set this value, if it is set in the frogbot-config.yml file.
+ # JF_DEPS_REPO: ""
\ No newline at end of file
diff --git a/.github/workflows/xray-scan.yml b/.github/workflows/xray-scan.yml
new file mode 100644
index 000000000..ca98960d9
--- /dev/null
+++ b/.github/workflows/xray-scan.yml
@@ -0,0 +1,15 @@
+# https://github.com/marketplace/actions/xray-action
+
+- name: xray-action
+uses: mikepenz/xray-action@v3
+
+
+- name: "Import results to Xray"
+ uses: mikepenz/xray-action@{latest-release}
+ with:
+ username: ${{ secrets.XRAY_CLIENT_ID }}
+ password: ${{ secrets.XRAY_CLIENT_SECRET }}
+ testFormat: "junit"
+ testPaths: "**/test/*.xml"
+ testExecKey: "TEST-1"
+ projectKey: "TEST"
\ No newline at end of file
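Review bot: This job runs on `pull_request_target`, checks out `github.event.pull_request.head.sha`, and then hands JF_USER, JF_PASSWORD and a GITHUB_TOKEN with `pull-requests: write` to a Frogbot run that resolves the pull request's own Maven build, so contributor-controlled pom.xml content can run with those credentials; the only gate is `environment: frogbot`, and that gate exists only if the environment has required reviewers configured in the repository settings — GitHub creates a referenced environment with no protection rules. I would make that prerequisite explicit next to `environment: frogbot`: `# SECURITY: the approval described above only happens if the "frogbot" environment has required reviewers configured; without that rule every PR is scanned with these secrets immediately.` `JFROG_CLI_LOG_LEVEL: “DEBUG”` uses curly quotes, so YAML passes the literal characters `“DEBUG”` (quotes included) to the CLI; it should be `JFROG_CLI_LOG_LEVEL: "DEBUG"`. `JF_URL` comes from `secrets` here but from `vars` in maven-build.yml in the same patch, and `actions/checkout@v2` is two majors behind the `@v4` used there.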
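Review bot: xray-scan.yml is not a valid workflow file: it is a bare list of steps with no `name:`, `on:` or `jobs:` keys, so GitHub Actions will flag it as invalid rather than run it, and `uses: mikepenz/xray-action@{latest-release}` is the Marketplace README placeholder rather than a resolvable tag or commit. The first step's `uses: mikepenz/xray-action@v3` shows no indentation in the hunk while the second step's `uses:` does, so the first step appears to be a broken mapping as well, and `testExecKey: "TEST-1"` / `projectKey: "TEST"` read like sample values. Either drop the file until the integration is designed, or wrap the second step in a real job (an `on:` trigger, `jobs:`, `runs-on:`, and a test run that actually produces the JUnit files matched by `**/test/*.xml`) and pin the action to a tag or full commit SHA.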