diff --git a/.github/workflows/auto_update_base_image.yml b/.github/workflows/auto_update_base_image.yml index 3048faf15..e47d6d95b 100644 --- a/.github/workflows/auto_update_base_image.yml +++ b/.github/workflows/auto_update_base_image.yml @@ -11,6 +11,7 @@ env: jobs: build: runs-on: ubuntu-latest + if: github.repository == 'OpenBankProject/OBP-API' steps: - name: Checkout repository uses: actions/checkout@v4 @@ -32,4 +33,4 @@ jobs: workflow_id: 'build_container_develop_branch.yml', ref: 'refs/heads/develop' }); - if: steps.baseupdatecheck.outputs.needs-updating == 'true' + if: steps.baseupdatecheck.outputs.needs-updating == 'true' \ No newline at end of file diff --git a/.github/workflows/build_container_develop_branch.yml b/.github/workflows/build_container_develop_branch.yml index 4f82e563b..1fc605d17 100644 --- a/.github/workflows/build_container_develop_branch.yml +++ b/.github/workflows/build_container_develop_branch.yml @@ -13,7 +13,6 @@ env: DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }} DOCKER_HUB_REPOSITORY: obp-api - jobs: build: runs-on: ubuntu-latest @@ -36,8 +35,8 @@ jobs: - name: Set up JDK 11 uses: actions/setup-java@v4 with: - java-version: '11' - distribution: 'adopt' + java-version: "11" + distribution: "adopt" cache: maven - name: Build with Maven run: | @@ -126,6 +125,7 @@ jobs: path: push/ - name: Build the Docker image + if: github.repository == 'OpenBankProject/OBP-API' run: | echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io docker build . --file .github/Dockerfile_PreBuild --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:latest --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:develop @@ -133,12 +133,14 @@ jobs: docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags echo docker done - - uses: sigstore/cosign-installer@main + - uses: sigstore/cosign-installer@4d14d7f17e7112af04ea6108fbb4bfc714c00390 - name: Write signing key to disk (only needed for `cosign sign --key`) + if: github.repository == 'OpenBankProject/OBP-API' run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign container image + if: github.repository == 'OpenBankProject/OBP-API' run: | cosign sign -y --key cosign.key \ docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:develop @@ -151,7 +153,4 @@ jobs: cosign sign -y --key cosign.key \ docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:latest-OC env: - COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}" - - - + COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}" \ No newline at end of file diff --git a/.github/workflows/build_container_non_develop_branch.yml b/.github/workflows/build_container_non_develop_branch.yml index 946d81de4..61e8bfcd2 100644 --- a/.github/workflows/build_container_non_develop_branch.yml +++ b/.github/workflows/build_container_non_develop_branch.yml @@ -3,8 +3,8 @@ name: Build and publish container non develop on: push: branches: - - '*' - - '!develop' + - "*" + - "!develop" env: DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }} @@ -35,11 +35,12 @@ jobs: - name: Set up JDK 11 uses: actions/setup-java@v4 with: - java-version: '11' - distribution: 'adopt' + java-version: "11" + distribution: "adopt" cache: maven - name: Build with Maven run: | + set -o pipefail cp obp-api/src/main/resources/props/sample.props.template obp-api/src/main/resources/props/production.default.props echo connector=star > obp-api/src/main/resources/props/test.default.props echo starConnector_supported_types=mapped,internal >> obp-api/src/main/resources/props/test.default.props @@ -75,7 +76,44 @@ jobs: echo ResetPasswordUrlEnabled=true >> obp-api/src/main/resources/props/test.default.props echo consents.allowed=true >> obp-api/src/main/resources/props/test.default.props - MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod + MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod 2>&1 | tee maven-build.log + + - name: Report failing tests (if any) + if: always() + run: | + echo "Checking build log for failing tests via grep..." + if [ ! -f maven-build.log ]; then + echo "No maven-build.log found; skipping failure scan." + exit 0 + fi + if grep -n "\*\*\* FAILED \*\*\*" maven-build.log; then + echo "Failing tests detected above." + exit 1 + else + echo "No failing tests detected in maven-build.log." + fi + + - name: Upload Maven build log + if: always() + uses: actions/upload-artifact@v4 + with: + name: maven-build-log + if-no-files-found: ignore + path: | + maven-build.log + + - name: Upload test reports + if: always() + uses: actions/upload-artifact@v4 + with: + name: test-reports + if-no-files-found: ignore + path: | + obp-api/target/surefire-reports/** + obp-commons/target/surefire-reports/** + **/target/scalatest-reports/** + **/target/site/surefire-report.html + **/target/site/surefire-report/* - name: Save .war artifact run: | @@ -87,6 +125,7 @@ jobs: path: push/ - name: Build the Docker image + if: github.repository == 'OpenBankProject/OBP-API' run: | echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io docker build . --file .github/Dockerfile_PreBuild --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/} @@ -94,12 +133,14 @@ jobs: docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags echo docker done - - uses: sigstore/cosign-installer@main + - uses: sigstore/cosign-installer@4d14d7f17e7112af04ea6108fbb4bfc714c00390 - name: Write signing key to disk (only needed for `cosign sign --key`) + if: github.repository == 'OpenBankProject/OBP-API' run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign container image + if: github.repository == 'OpenBankProject/OBP-API' run: | cosign sign -y --key cosign.key \ docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/} @@ -108,7 +149,4 @@ jobs: cosign sign -y --key cosign.key \ docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA env: - COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}" - - - + COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}" \ No newline at end of file diff --git a/.github/workflows/build_pull_request.yml b/.github/workflows/build_pull_request.yml index 859d309ec..425177f0c 100644 --- a/.github/workflows/build_pull_request.yml +++ b/.github/workflows/build_pull_request.yml @@ -3,15 +3,15 @@ name: Build on Pull Request on: pull_request: branches: - - '**' + - "**" env: ## Sets environment variable DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }} - jobs: build: runs-on: ubuntu-latest + if: github.repository == 'OpenBankProject/OBP-API' services: # Label used to access the service container redis: @@ -31,11 +31,12 @@ jobs: - name: Set up JDK 11 uses: actions/setup-java@v4 with: - java-version: '11' - distribution: 'adopt' + java-version: "11" + distribution: "adopt" cache: maven - name: Build with Maven run: | + set -o pipefail cp obp-api/src/main/resources/props/sample.props.template obp-api/src/main/resources/props/production.default.props echo connector=star > obp-api/src/main/resources/props/test.default.props echo starConnector_supported_types=mapped,internal >> obp-api/src/main/resources/props/test.default.props @@ -65,14 +66,50 @@ jobs: echo COUNTERPARTY_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props echo SEPA_CREDIT_TRANSFERS_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props - echo allow_oauth2_login=true >> obp-api/src/main/resources/props/test.default.props echo oauth2.jwk_set.url=https://www.googleapis.com/oauth2/v3/certs >> obp-api/src/main/resources/props/test.default.props echo ResetPasswordUrlEnabled=true >> obp-api/src/main/resources/props/test.default.props echo consents.allowed=true >> obp-api/src/main/resources/props/test.default.props - MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod + MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod 2>&1 | tee maven-build.log + + - name: Report failing tests (if any) + if: always() + run: | + echo "Checking build log for failing tests via grep..." + if [ ! -f maven-build.log ]; then + echo "No maven-build.log found; skipping failure scan." + exit 0 + fi + if grep -n "\*\*\* FAILED \*\*\*" maven-build.log; then + echo "Failing tests detected above." + exit 1 + else + echo "No failing tests detected in maven-build.log." + fi + + - name: Upload Maven build log + if: always() + uses: actions/upload-artifact@v4 + with: + name: maven-build-log + if-no-files-found: ignore + path: | + maven-build.log + + - name: Upload test reports + if: always() + uses: actions/upload-artifact@v4 + with: + name: test-reports + if-no-files-found: ignore + path: | + obp-api/target/surefire-reports/** + obp-commons/target/surefire-reports/** + **/target/scalatest-reports/** + **/target/site/surefire-report.html + **/target/site/surefire-report/* - name: Save .war artifact run: | @@ -81,7 +118,4 @@ jobs: - uses: actions/upload-artifact@v4 with: name: ${{ github.sha }} - path: pull/ - - - + path: pull/ \ No newline at end of file diff --git a/.github/workflows/run_trivy.yml b/.github/workflows/run_trivy.yml index 4636bd311..e06a801f9 100644 --- a/.github/workflows/run_trivy.yml +++ b/.github/workflows/run_trivy.yml @@ -12,11 +12,10 @@ env: DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }} DOCKER_HUB_REPOSITORY: obp-api - jobs: build: runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} + if: github.repository == 'OpenBankProject/OBP-API' && github.event.workflow_run.conclusion == 'success' steps: - uses: actions/checkout@v4 @@ -38,17 +37,17 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - security-checks: 'vuln' - severity: 'CRITICAL,HIGH' - timeout: '30m' + image-ref: "docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}" + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results.sarif" + security-checks: "vuln" + severity: "CRITICAL,HIGH" + timeout: "30m" cache-dir: .trivy - name: Fix .trivy permissions run: sudo chown -R $(stat . -c %u:%g) .trivy - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file + sarif_file: "trivy-results.sarif" \ No newline at end of file