feat: add first version of Play framework workflows
ING-4068
stempler committed Nov 22, 2023
1 parent 85ac57e commit ae3be41
Showing 4 changed files with 198 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/gradle-service.yml
Expand Up @@ -43,6 +43,7 @@ on:
DOCKER_HUB_EMAIL:
WETF_ARTIFACTORY_USER:
WETF_ARTIFACTORY_PASSWORD:
SLACK_NOTIFICATIONS_BOT_TOKEN:
ENV_VARS: # secret for passing on additional env variables based on https://github.com/orgs/community/discussions/26671#discussioncomment-6776498

jobs:
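--- a/.github/workflows/play-service-check.yml
+++ b/.github/workflows/play-service-check.yml
@@ -0,0 +1,33 @@
+on:
+workflow_call:
+inputs:
+commmand:
+description: Custom command to run
+default: ''
+required: false
+java-version:
+description: Java version to use for build
+required: true
+type: string
+image-tag:
+description: Image tag to scan after build
+required: true
+type: string
+secrets:
+DOCKER_HUB_USERNAME:
+DOCKER_HUB_PASSWORD:
+DOCKER_HUB_EMAIL:
+WETF_ARTIFACTORY_USER:
+WETF_ARTIFACTORY_PASSWORD:
+# SLACK_NOTIFICATIONS_BOT_TOKEN:
+
+jobs:
+check:
+uses: ./.github/workflows/play-service.yml
+with:
+command: ${{ inputs.command != '' && inputs.command || './sbt clean update test docker:publishLocal' }}
+java-version: ${{ inputs.java-version }}
+image-tag: ${{ inputs.image-tag }}
+notify-failure: false
+push-image: false
+secrets: inherit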
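Review bot: The input is declared as `commmand:` (three m's) but the job reads `inputs.command`, so a caller passing `command:` is rejected as an input the workflow does not define and the `with:` expression always falls through to the `./sbt clean update test docker:publishLocal` default; play-service-publish.yml carries the same typo. That input also lacks the `type:` key that `workflow_call` inputs require, while `java-version` and `image-tag` next to it declare one. I would change the declaration to `command:` and add `type: string` beneath its `required: false`.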
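--- a/.github/workflows/play-service-publish.yml
+++ b/.github/workflows/play-service-publish.yml
@@ -0,0 +1,33 @@
+on:
+workflow_call:
+inputs:
+commmand:
+description: Custom command to run
+default: ''
+required: false
+java-version:
+description: Java version to use for build
+required: true
+type: string
+image-tag:
+description: Image tag to scan after build
+required: true
+type: string
+secrets:
+DOCKER_HUB_USERNAME:
+DOCKER_HUB_PASSWORD:
+DOCKER_HUB_EMAIL:
+WETF_ARTIFACTORY_USER:
+WETF_ARTIFACTORY_PASSWORD:
+# SLACK_NOTIFICATIONS_BOT_TOKEN:
+
+jobs:
+check:
+uses: ./.github/workflows/play-service.yml
+with:
+command: ${{ inputs.command != '' && inputs.command || './sbt clean update test docker:publishLocal' }}
+java-version: ${{ inputs.java-version }}
+image-tag: ${{ inputs.image-tag }}
+notify-failure: true
+push-image: true
+secrets: inherit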
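Review bot: The job id `check` and the `image-tag` description `Image tag to scan after build` are copied from play-service-check.yml, but this workflow calls play-service.yml with `push-image: true`, so the tag is also the name the image is published under. Naming the job `publish` and wording the description as `Image tag to scan and push after build` would tell callers that this value reaches the registry. The commented-out `# SLACK_NOTIFICATIONS_BOT_TOKEN:` is harmless with `secrets: inherit`, but a one-line comment saying the token is passed through inheritance would explain why it is listed yet disabled.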
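--- a/.github/workflows/play-service.yml
+++ b/.github/workflows/play-service.yml
@@ -0,0 +1,131 @@
+on:
+workflow_call:
+inputs:
+command:
+description: Custom command to run
+required: true
+type: string
+java-version:
+description: Java version to use for build
+required: true
+type: string
+notify-failure:
+description: Notify on build failure to Slack
+default: true
+type: boolean
+junit-test-folder:
+description: Location where JUnit tests are stored, if any
+default: 'play/target/test-reports'
+type: string
+expect-tests:
+description: If JUnit test results are expected
+default: true
+type: boolean
+image-tag:
+description: Image tag to scan after build
+required: true
+type: string
+push-image:
+description: If the configure image should be pushed
+required: false
+default: false
+secrets:
+DOCKER_HUB_USERNAME:
+required: true
+DOCKER_HUB_PASSWORD:
+required: true
+DOCKER_HUB_EMAIL:
+WETF_ARTIFACTORY_USER:
+WETF_ARTIFACTORY_PASSWORD:
+SLACK_NOTIFICATIONS_BOT_TOKEN:
+
+jobs:
+run:
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v3
+
+- uses: actions/setup-java@v3
+with:
+distribution: temurin
+java-version: ${{ inputs.java-version }}
+cache: sbt
+
+- name: Set up artifactory credentials
+if: env.WETF_ARTIFACTORY_USER
+env:
+WETF_ARTIFACTORY_USER: ${{ secrets.WETF_ARTIFACTORY_USER }}
+WETF_ARTIFACTORY_PASSWORD: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }}
+run: |
+cat <<EOF > ~/.wetfArtifactory
+realm=Artifactory Realm
+host=artifactory.wetransform.to
+user=$WETF_ARTIFACTORY_USER
+password=$WETF_ARTIFACTORY_PASSWORD
+EOF
+- name: Login to DockerHub
+if: env.DOCKER_HUB_USERNAME
+uses: docker/login-action@v3
+with:
+username: ${{ secrets.DOCKER_HUB_USERNAME }}
+password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+env:
+DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
+
+- name: Run command
+run: ${{ inputs.command }}
+
+- name: Push image
+if: ${{ inputs.push-image }}
+run: docker push ${{ inputs.image-tag }}
+
+#
+# Security scans
+#
+
+- name: Make sure test-results folder exists
+run: mkdir -p ${{ inputs.junit-test-folder }}
+
+- name: Vulnerability scan
+uses: wetransform/gha-trivy@master
+with:
+image-ref: 'docker.io/${{ inputs.image-tag }}'
+junit-test-output: "${{ inputs.junit-test-folder }}/trivy.xml" # added to unit test report
+report-retention-days: 30
+report-tag: ${{ inputs.image-tag }}
+
+#
+# Report on unit tests and critical vulnerabilities
+#
+
+# https://github.com/marketplace/actions/junit-report-action
+- name: Publish Test Report
+uses: mikepenz/action-junit-report@v3
+if: always() # always run even if the previous step fails
+with:
+report_paths: "${{ inputs.junit-test-folder }}/*.xml"
+require_tests: ${{ inputs.expect-tests }}
+
+# Workaround for check that is additionally created being associated
+# to the wrong workflow/run. Instead not additional check is created.
+# See https://github.com/mikepenz/action-junit-report/issues/40
+annotate_only: true
+detailed_summary: true
+fail_on_failure: true # in case of critical security vulnerabilities, also required for Slack notification if only tests fail
+
+#
+# Report build failure to Slack
+#
+
+# https://github.com/marketplace/actions/slack-notify-build
+- name: Notify slack fail
+if: ${{ inputs.notify-failure && failure() }}
+env:
+SLACK_BOT_TOKEN: ${{ secrets.SLACK_NOTIFICATIONS_BOT_TOKEN }}
+uses: voxmedia/github-action-slack-notify-build@v1
+with:
+channel: build-failures
+status: FAILED
+color: danger
+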
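Review bot: The `Push image` step runs before the `Vulnerability scan` step, so when `push-image` is true the image is already in the registry by the time Trivy reports on it and a failing scan (or the `fail_on_failure: true` test report that follows) cannot keep a vulnerable image from being published; moving the three-line push step below the test report would turn the scan into a gate, and if the current order is deliberate a comment such as `# push first: the scan only reports, it does not block publishing` should say so. `wetransform/gha-trivy@master` is the only action here referenced by a branch rather than a tag; pinning it to a release tag or commit SHA keeps a change to that repository from silently altering what runs in a job that holds the Docker Hub and Artifactory credentials. The `push-image` input also lacks the `type:` key that `workflow_call` inputs require; `type: boolean` matches its `default: false` and its use in `if: ${{ inputs.push-image }}`. The credentials heredoc writes `~/.wetfArtifactory` with the runner's default umask; a `umask 077` line before the `cat` would limit the file to the runner user.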