Refactor
andifalk committed Oct 8, 2023
1 parent ee6f1c1 commit 4def432
Showing 5 changed files with 85 additions and 22 deletions.
49 changes: 40 additions & 9 deletions .github/workflows/build.yml
@@ -1,24 +1,55 @@
name: Build with provenance
name: Build package and images

on:
- push
push:
branches:
- '*'

permissions: read-all

jobs:
build:
build-image:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up JDK 11 for x64
- name: Set up JDK 17 for x64
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'liberica'
architecture: x64
- name: Maven build
run: ./mvnw --batch-mode --update-snapshots verify
run: ./mvnw --batch-mode --update-snapshots verify
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/maven-3-jdk-17@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
push: true
tags: andifalk/supply-chain-security:latest
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/andifalk/supply-chain-security:latest'
severity: 'CRITICAL,HIGH'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
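Review bot: Both upload steps (`Upload result to GitHub Code Scanning` and `Upload Trivy scan results to GitHub Security tab`) call `github/codeql-action/upload-sarif@v2`, which requires `security-events: write`, but the job's permissions block grants only `id-token: write`, `contents: read` and `actions: read` under a top-level `permissions: read-all`, so the SARIF uploads will be rejected; which side of the diff that job-level block sits on is not certain from this rendering, but neither side grants it. Add `security-events: write` to the job's `permissions:`. Separately, `snyk/actions/maven-3-jdk-17@master` and `aquasecurity/trivy-action@master` track a mutable branch rather than a release tag or commit SHA, so the action code that runs against this repository's token can change without any edit here — worth pinning in a workflow whose stated purpose is supply-chain security. Note also that the image is pushed to Docker Hub as `:latest` on every branch push (`branches: - '*'`) before Trivy scans it, so a CRITICAL finding is only reported after the tag is already public.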
13 changes: 0 additions & 13 deletions .github/workflows/provenance.yml

This file was deleted.

21 changes: 21 additions & 0 deletions .github/workflows/publish.yml
@@ -0,0 +1,21 @@
name: Publish package and image to GitHub Packages

on:
release:
types: [created]
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'liberica'
- name: Publish package
run: mvn --batch-mode deploy
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
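Review bot: `run: mvn --batch-mode deploy` uses whatever Maven the runner preinstalls, while build.yml invokes the wrapper `./mvnw`, so the release artifact may be built with a different Maven version than the one CI verified; `run: ./mvnw --batch-mode deploy` keeps the two consistent. Authentication for the deploy relies on `actions/setup-java` writing a `github` server entry into settings.xml from the `GITHUB_TOKEN` this step exports (that is setup-java's documented default, but it is invisible here), so a one-line comment such as `# setup-java provisions server id 'github' in settings.xml; it must match <distributionManagement><id> in pom.xml` would save the next maintainer a 401 hunt. The two unnamed steps would read better with a `name:` like the rest of the repository's workflows.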
15 changes: 15 additions & 0 deletions Dockerfile
@@ -0,0 +1,15 @@
FROM eclipse-temurin:17-jre as builder
WORKDIR application
ARG JAR_FILE=target/*.jar
COPY ${JAR_FILE} application.jar
RUN java -Djarmode=layertools -jar application.jar extract

FROM eclipse-temurin:17-jre
RUN addgroup --system javauser && adduser --gid 101 --home /home/javauser javauser
USER javauser
WORKDIR application
COPY --from=builder application/dependencies/ ./
COPY --from=builder application/spring-boot-loader/ ./
COPY --from=builder application/snapshot-dependencies/ ./
COPY --from=builder application/application/ ./
ENTRYPOINT ["java", "org.springframework.boot.loader.JarLauncher"]
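Review bot: `adduser --gid 101 --home /home/javauser javauser` hard-codes the gid that `addgroup --system javauser` on the previous command is assumed to have just allocated; if the base image already uses gid 101 the user silently lands in a different group than intended. `--ingroup javauser` binds the user to the group by name: `RUN addgroup --system javauser && adduser --system --ingroup javauser --home /home/javauser javauser`. On an Ubuntu-based image `adduser` without `--system` or `--disabled-password` may also attempt an interactive password prompt that a non-interactive build cannot answer — confirm against the image's adduser before merging. Both `FROM eclipse-temurin:17-jre` lines pull by mutable tag; pinning a digest (`eclipse-temurin:17-jre@sha256:<digest-placeholder>`) would make the image build reproducible, which fits this repository's focus.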
9 changes: 9 additions & 0 deletions pom.xml
Expand Up @@ -16,6 +16,15 @@
<properties>
<java.version>17</java.version>
</properties>

<distributionManagement>
<repository>
<id>github</id>
<name>GitHub Packages</name>
<url>https://maven.pkg.github.com/andifalk/supply-chain-security</url>
</repository>
</distributionManagement>

<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
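Review bot: The `<id>github</id>` in the new `<distributionManagement>` block is load-bearing: it must match the `<server>` id that the `actions/setup-java` step in publish.yml writes into settings.xml (its default is `github`), otherwise `mvn deploy` reaches maven.pkg.github.com unauthenticated. A comment above the block, e.g. `<!-- id must match the server-id configured by actions/setup-java in .github/workflows/publish.yml -->`, documents that coupling where the next reader will look. The URL hard-codes the owner and repository name, which is the form GitHub Packages requires, but it will need updating on a fork or rename.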
