diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5c9bc6f..8e79a0b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,24 +1,55 @@
-name: Build with provenance
+name: Build package and images
+
on:
- - push
+ push:
+ branches:
+ - '*'
permissions: read-all
jobs:
- build:
+ build-image:
runs-on: ubuntu-latest
- permissions:
- id-token: write
- contents: read
- actions: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- - name: Set up JDK 11 for x64
+ - name: Set up JDK 17 for x64
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'liberica'
architecture: x64
- name: Maven build
- run: ./mvnw --batch-mode --update-snapshots verify
\ No newline at end of file
+ run: ./mvnw --batch-mode --update-snapshots verify
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/maven-3-jdk-17@master
+ continue-on-error: true # To make sure that SARIF upload gets called
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --sarif-file-output=snyk.sarif
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ push: true
+ tags: andifalk/supply-chain-security:latest
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'docker.io/andifalk/supply-chain-security:latest'
+ severity: 'CRITICAL,HIGH'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
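Review bot: Both `upload-sarif` steps need `security-events: write`, but the new `build-image` job only inherits the top-level `permissions: read-all` (the old job-level `permissions:` block was dropped), so the Snyk and Trivy SARIF uploads will be rejected; add under `build-image:` a `permissions:` block with `contents: read` and `security-events: write`. The job is also triggered by `push` on `branches: - '*'` and the `Build and push` step pushes `andifalk/supply-chain-security:latest` before `Run Trivy vulnerability scanner` examines it, so a push on any branch can overwrite the public `latest` tag with an image that has not yet been scanned; consider building with `push: false` and `load: true`, scanning the local image, and pushing in a separate step gated on the default branch (or on a Trivy exit code, since `continue-on-error` is not set on that step). `snyk/actions/maven-3-jdk-17@master` and `aquasecurity/trivy-action@master` are mutable branch refs, which in a workflow that holds `DOCKERHUB_TOKEN` and `SNYK_TOKEN` means any change to those branches runs with those secrets; pin them to a full commit SHA with a `# vX.Y.Z` comment, and ideally do the same for the tag-pinned actions.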
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
deleted file mode 100644
index 7d42639..0000000
--- a/.github/workflows/provenance.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: Generate provenance
-on:
- - workflow_dispatch
-
-permissions: read-all
-
-jobs:
- build:
- permissions:
- id-token: write
- contents: read
- actions: read
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@v1.9.0
\ No newline at end of file
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..e195d90
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,21 @@
+name: Publish package and image to GitHub Packages
+
+on:
+ release:
+ types: [created]
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-java@v3
+ with:
+ java-version: '17'
+ distribution: 'liberica'
+ - name: Publish package
+ run: mvn --batch-mode deploy
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
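Review bot: The `Publish package` step runs `mvn --batch-mode deploy` while `build.yml` uses `./mvnw`, so the release build may use whatever Maven version the runner image ships instead of the version the wrapper pins; change it to `run: ./mvnw --batch-mode deploy` for a reproducible, consistent build. The workflow name promises "package and image" but the job only deploys the Maven artifact, and unlike `build.yml` it runs no dependency or image scan before publishing; either drop "and image" from `name:` or add the image build and scan steps here. The deploy presumably relies on `actions/setup-java`'s default `server-id` (`github`) matching the `github` repository id added to `pom.xml` and on `GITHUB_TOKEN` being read from the generated settings.xml — worth a one-line comment above `env:` stating that dependency, e.g. `# setup-java writes a settings.xml whose 'github' server uses GITHUB_ACTOR/GITHUB_TOKEN`.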
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d1a0a71
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,15 @@
+FROM eclipse-temurin:17-jre as builder
+WORKDIR application
+ARG JAR_FILE=target/*.jar
+COPY ${JAR_FILE} application.jar
+RUN java -Djarmode=layertools -jar application.jar extract
+
+FROM eclipse-temurin:17-jre
+RUN addgroup --system javauser && adduser --gid 101 --home /home/javauser javauser
+USER javauser
+WORKDIR application
+COPY --from=builder application/dependencies/ ./
+COPY --from=builder application/spring-boot-loader/ ./
+COPY --from=builder application/snapshot-dependencies/ ./
+COPY --from=builder application/application/ ./
+ENTRYPOINT ["java", "org.springframework.boot.loader.JarLauncher"]
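Review bot: `adduser --gid 101 --home /home/javauser javauser` hard-codes the GID it assumes `addgroup --system javauser` allocated on the line before, and creates a regular (non-system) account, which on Debian/Ubuntu-based images like `eclipse-temurin:17-jre` can prompt for a password and GECOS fields during a non-interactive build; use the freshly created group by name and mark the account as a system user: `RUN addgroup --system javauser && adduser --system --ingroup javauser --home /home/javauser --disabled-password javauser`. `FROM eclipse-temurin:17-jre` is referenced by a mutable tag in both stages; pinning it by digest (`eclipse-temurin:17-jre@sha256:<digest-placeholder>`) makes the image rebuild reproducible and lets the Trivy scan in `build.yml` refer to a known base. `WORKDIR application` is a relative path that resolves to `/application`; writing it as `WORKDIR /application` in both stages makes the `COPY --from=builder application/...` paths easier to read.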
diff --git a/pom.xml b/pom.xml
index b63a396..8182581 100644
--- a/pom.xml
+++ b/pom.xml
@@ -16,6 +16,15 @@
17
+
+
+
+ github
+ GitHub Packages
+ https://maven.pkg.github.com/andifalk/supply-chain-security
+
+
+
org.springframework.boot