forked from halestudio/hale
-
Notifications
You must be signed in to change notification settings - Fork 0
162 lines (137 loc) · 5.47 KB
/
publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
name: Publish
on:
push:
branches:
- master
workflow_dispatch: {}
concurrency:
# only run one publishing at a time to avoid conflicts
group: publish-${{ github.ref }}
# env:
# instead of embedded Maven use local Maven CLI
# HALE_BUILD_MAVEN_EMBEDDED: 'false'
jobs:
build:
# Only on main repository (don't publish on forks)
if: github.repository_owner == 'halestudio'
runs-on: ubuntu-latest
steps:
- name: Setup Maven
uses: s4u/setup-maven-action@489441643219d2b93ee2a127b2402eb640a1b947 # v1.13.0
# uses: stempler/setup-maven-action@feat/cache-save-always
with:
java-version: 17
java-distribution: temurin
maven-version: 3.9.6
# Note: currently not working because of https://github.com/actions/cache/issues/1315
# Fix in https://github.com/actions/cache/pull/1325 not merged yet
# cache-save-always: true
- name: Install genisoimage # required for Mac build
run: sudo apt-get install -y genisoimage
- name: Login to Docker Hub
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_PASSWORD }}
- name: Clean
run: ./build.sh clean
working-directory: ./build
- name: Create hale-docker.conf file
run: |
mkdir -p ~/.hale
cat <<EOF > ~/.hale/hale-docker.conf
global {
dockerHost="unix:///var/run/docker.sock"
}
EOF
- name: Test
run: ./build.sh integrationStage
working-directory: ./build
- name: Product
run: |
./build.sh product --arch x86_64 --os linux HALE
./build.sh product --arch x86_64 --os windows HALE
./build.sh product --arch x86_64 --os macosx HALE
./build.sh product --arch x86_64 --os linux --publish Infocenter
working-directory: ./build
- name: Upload hale studio build (Linux)
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: hale studio (Linux)
path: build/target/hale-studio-*linux*.tar.gz
retention-days: 90
- name: Upload hale studio build (Windows)
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: hale studio (Windows)
path: build/target/hale-studio-*win32*.zip
retention-days: 90
- name: Upload hale studio build (macos)
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: hale studio (macos)
path: build/target/hale-studio-*macosx*.dmg
retention-days: 90
- name: Install AWS CLI
uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367 # v1.0.7
with:
version: 1
- name: Update site
env:
AWS_ACCESS_KEY_ID: ${{ secrets.BUILD_ARCHIVE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.BUILD_ARCHIVE_SECRET_KEY }}
run: ./upload-site.sh
working-directory: ./build
- name: Deploy Artifacts
env:
WETF_ARTIFACTORY_USER: ${{ secrets.WETF_ARTIFACTORY_USER }}
WETF_ARTIFACTORY_PASSWORD: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }}
JAVA_TOOL_OPTIONS: '-Dmaven.wagon.httpconnectionManager.ttlSeconds=120'
run: ./build.sh deployArtifacts
working-directory: ./build
- name: Publish Test Report
uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1
if: always() # always run even if the previous step fails
with:
# fail if there are no test results
require_tests: true
# Workaround for check that is additionally created being associated
# to the wrong workflow/run. Instead no additional check is created.
# See https://github.com/mikepenz/action-junit-report/issues/40
annotate_only: true
detailed_summary: true
report_paths: 'build/target/testReports/*.xml'
# https://github.com/marketplace/actions/slack-notify-build
- name: Notify failure to Slack
if: failure()
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_NOTIFICATIONS_BOT_TOKEN }}
uses: voxmedia/github-action-slack-notify-build@3665186a8c1a022b28a1dbe0954e73aa9081ea9e # v1.6.0
with:
channel: build-failures
status: FAILED
color: danger
trivy:
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Download hale studio build (Linux)
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: hale studio (Linux)
- name: Extract the archive file
run: |
mkdir -p hale-studio-linux-trivy
tar -xzf hale-studio-*linux*.tar.gz -C hale-studio-linux-trivy
- name: Run Trivy vulnerability scanner in rootfs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'rootfs'
scan-ref: 'hale-studio-linux-trivy'
format: 'sarif'
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
- name: Upload Trivy SARIF report
uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
with:
sarif_file: trivy-results.sarif