Skip to content
Build and deploy main

Merge pull request #50 from nais/dependabot/gradle/all-deps-61ca3f4c88 #295

Sign in to view logs

Merge pull request #50 from nais/dependabot/gradle/all-deps-61ca3f4c88

Merge pull request #50 from nais/dependabot/gradle/all-deps-61ca3f4c88 #295

Workflow file for this run

.github/workflows/main.yaml at 62b1e82
name: Build and deploy main
on:
push:
branches:
- main
paths-ignore:
- "*.md"
env:
BASEIMAGE: "cgr.dev/chainguard/jdk"
jobs:
build:
name: Build all the things
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
security-events: write
outputs:
tag: "${{ steps.build-push-sign.outputs.tag }}"
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
- uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # ratchet:actions/setup-java@v3
with:
java-version: "21"
distribution: "temurin"
cache: "gradle"
- uses: gradle/wrapper-validation-action@8d49e559aae34d3e0eb16cde532684bc9702762b # ratchet:gradle/wrapper-validation-action@v1
- name: Setup Gradle
uses: gradle/gradle-build-action@915a66c096a03101667f9df2e56c9efef558b165 # ratchet:gradle/gradle-build-action@v2
with:
dependency-graph: generate-and-submit
- name: Build and test the app
run: ./gradlew test shadowJar
- name: Install cosign
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # ratchet:sigstore/cosign-installer@main
with:
cosign-release: 'v2.2.0'
- name: Verify distroless base image
run: cosign verify --certificate-identity "https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" $BASEIMAGE
- name: Create SBOM
run: ./gradlew cyclonedxBom
- name: "Build and push image"
uses: nais/platform-build-push-sign@main # ratchet:exclude
id: build-push-sign
with:
name: start.nais.io
google_service_account: gh-start-nais-io
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
sbom: build/reports/bom.json
multi-platform: true
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # ratchet:aquasecurity/trivy-action@master
with:
image-ref: "${{ steps.build-push-sign.outputs.tag }}"
format: "sarif"
output: "trivy-results.sarif"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # ratchet:github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
deploy_to_prod:
name: Deploy to prod-gcp
needs: build
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
- uses: nais/deploy/actions/deploy@913eb0f92e9d132dbe0cbba3390a340675849f30 # ratchet:nais/deploy/actions/deploy@v1
env:
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
CLUSTER: prod-gcp
RESOURCE: .nais/nais.yaml,.nais/alerts.yaml
VARS: .nais/prod.yaml
IMAGE: ${{ needs.build.outputs.tag }}