artin/OBP-API
1
0
Fork 0
mirror of https://github.com/OpenBankProject/OBP-API.git synced 2026-02-06 16:56:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

feature/Tweak GitHub workflows

Browse Source
This commit is contained in:
Marko Milić 2026-01-26 12:54:28 +01:00
parent 18daf8dfb2
commit 87b48fc71d
5 changed files with 110 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/auto_update_base_image.yml vendored
View File

@ -11,6 +11,7 @@ env:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'OpenBankProject/OBP-API'
steps:
- name: Checkout repository
uses: actions/checkout@v4
@ -32,4 +33,4 @@ jobs:
workflow_id: 'build_container_develop_branch.yml',
ref: 'refs/heads/develop'
});
if: steps.baseupdatecheck.outputs.needs-updating == 'true'
if: steps.baseupdatecheck.outputs.needs-updating == 'true'

15
.github/workflows/build_container_develop_branch.yml vendored
View File

@ -13,7 +13,6 @@ env:
DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }}
DOCKER_HUB_REPOSITORY: obp-api
jobs:
build:
runs-on: ubuntu-latest
@ -36,8 +35,8 @@ jobs:
- name: Set up JDK 11
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'adopt'
java-version: "11"
distribution: "adopt"
cache: maven
- name: Build with Maven
run: |
@ -126,6 +125,7 @@ jobs:
path: push/
- name: Build the Docker image
if: github.repository == 'OpenBankProject/OBP-API'
run: |
echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io
docker build . --file .github/Dockerfile_PreBuild --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:latest --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:develop
@ -133,12 +133,14 @@ jobs:
docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags
echo docker done
- uses: sigstore/cosign-installer@main
- uses: sigstore/cosign-installer@4d14d7f17e7112af04ea6108fbb4bfc714c00390
- name: Write signing key to disk (only needed for `cosign sign --key`)
if: github.repository == 'OpenBankProject/OBP-API'
run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
- name: Sign container image
if: github.repository == 'OpenBankProject/OBP-API'
run: |
cosign sign -y --key cosign.key \
docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:develop
@ -151,7 +153,4 @@ jobs:
cosign sign -y --key cosign.key \
docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:latest-OC
env:
COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}"
COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}"

58
.github/workflows/build_container_non_develop_branch.yml vendored
View File

@ -3,8 +3,8 @@ name: Build and publish container non develop
on:
push:
branches:
- '*'
- '!develop'
- "*"
- "!develop"
env:
DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }}
@ -35,11 +35,12 @@ jobs:
- name: Set up JDK 11
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'adopt'
java-version: "11"
distribution: "adopt"
cache: maven
- name: Build with Maven
run: |
set -o pipefail
cp obp-api/src/main/resources/props/sample.props.template obp-api/src/main/resources/props/production.default.props
echo connector=star > obp-api/src/main/resources/props/test.default.props
echo starConnector_supported_types=mapped,internal >> obp-api/src/main/resources/props/test.default.props
@ -75,7 +76,44 @@ jobs:
echo ResetPasswordUrlEnabled=true >> obp-api/src/main/resources/props/test.default.props
echo consents.allowed=true >> obp-api/src/main/resources/props/test.default.props
MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod
MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod 2>&1 | tee maven-build.log
- name: Report failing tests (if any)
if: always()
run: |
echo "Checking build log for failing tests via grep..."
if [ ! -f maven-build.log ]; then
echo "No maven-build.log found; skipping failure scan."
exit 0
fi
if grep -n "\*\*\* FAILED \*\*\*" maven-build.log; then
echo "Failing tests detected above."
exit 1
else
echo "No failing tests detected in maven-build.log."
fi
- name: Upload Maven build log
if: always()
uses: actions/upload-artifact@v4
with:
name: maven-build-log
if-no-files-found: ignore
path: |
maven-build.log
- name: Upload test reports
if: always()
uses: actions/upload-artifact@v4
with:
name: test-reports
if-no-files-found: ignore
path: |
obp-api/target/surefire-reports/**
obp-commons/target/surefire-reports/**
**/target/scalatest-reports/**
**/target/site/surefire-report.html
**/target/site/surefire-report/*
- name: Save .war artifact
run: |
@ -87,6 +125,7 @@ jobs:
path: push/
- name: Build the Docker image
if: github.repository == 'OpenBankProject/OBP-API'
run: |
echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io
docker build . --file .github/Dockerfile_PreBuild --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/}
@ -94,12 +133,14 @@ jobs:
docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags
echo docker done
- uses: sigstore/cosign-installer@main
- uses: sigstore/cosign-installer@4d14d7f17e7112af04ea6108fbb4bfc714c00390
- name: Write signing key to disk (only needed for `cosign sign --key`)
if: github.repository == 'OpenBankProject/OBP-API'
run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
- name: Sign container image
if: github.repository == 'OpenBankProject/OBP-API'
run: |
cosign sign -y --key cosign.key \
docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/}
@ -108,7 +149,4 @@ jobs:
cosign sign -y --key cosign.key \
docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA
env:
COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}"
COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}"

54
.github/workflows/build_pull_request.yml vendored
View File

@ -3,15 +3,15 @@ name: Build on Pull Request
on:
pull_request:
branches:
- '**'
- "**"
env:
## Sets environment variable
DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }}
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'OpenBankProject/OBP-API'
services:
# Label used to access the service container
redis:
@ -31,11 +31,12 @@ jobs:
- name: Set up JDK 11
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'adopt'
java-version: "11"
distribution: "adopt"
cache: maven
- name: Build with Maven
run: |
set -o pipefail
cp obp-api/src/main/resources/props/sample.props.template obp-api/src/main/resources/props/production.default.props
echo connector=star > obp-api/src/main/resources/props/test.default.props
echo starConnector_supported_types=mapped,internal >> obp-api/src/main/resources/props/test.default.props
@ -65,14 +66,50 @@ jobs:
echo COUNTERPARTY_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props
echo SEPA_CREDIT_TRANSFERS_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props
echo allow_oauth2_login=true >> obp-api/src/main/resources/props/test.default.props
echo oauth2.jwk_set.url=https://www.googleapis.com/oauth2/v3/certs >> obp-api/src/main/resources/props/test.default.props
echo ResetPasswordUrlEnabled=true >> obp-api/src/main/resources/props/test.default.props
echo consents.allowed=true >> obp-api/src/main/resources/props/test.default.props
MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod
MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod 2>&1 | tee maven-build.log
- name: Report failing tests (if any)
if: always()
run: |
echo "Checking build log for failing tests via grep..."
if [ ! -f maven-build.log ]; then
echo "No maven-build.log found; skipping failure scan."
exit 0
fi
if grep -n "\*\*\* FAILED \*\*\*" maven-build.log; then
echo "Failing tests detected above."
exit 1
else
echo "No failing tests detected in maven-build.log."
fi
- name: Upload Maven build log
if: always()
uses: actions/upload-artifact@v4
with:
name: maven-build-log
if-no-files-found: ignore
path: |
maven-build.log
- name: Upload test reports
if: always()
uses: actions/upload-artifact@v4
with:
name: test-reports
if-no-files-found: ignore
path: |
obp-api/target/surefire-reports/**
obp-commons/target/surefire-reports/**
**/target/scalatest-reports/**
**/target/site/surefire-report.html
**/target/site/surefire-report/*
- name: Save .war artifact
run: |
@ -81,7 +118,4 @@ jobs:
- uses: actions/upload-artifact@v4
with:
name: ${{ github.sha }}
path: pull/
path: pull/

19
.github/workflows/run_trivy.yml vendored
View File

@ -12,11 +12,10 @@ env:
DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }}
DOCKER_HUB_REPOSITORY: obp-api
jobs:
build:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
if: github.repository == 'OpenBankProject/OBP-API' && github.event.workflow_run.conclusion == 'success'
steps:
- uses: actions/checkout@v4
@ -38,17 +37,17 @@ jobs:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
security-checks: 'vuln'
severity: 'CRITICAL,HIGH'
timeout: '30m'
image-ref: "docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
security-checks: "vuln"
severity: "CRITICAL,HIGH"
timeout: "30m"
cache-dir: .trivy
- name: Fix .trivy permissions
run: sudo chown -R $(stat . -c %u:%g) .trivy
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
sarif_file: "trivy-results.sarif"