Skip to content

chore(deps): update github-actions (major) #659

chore(deps): update github-actions (major)

chore(deps): update github-actions (major) #659

Workflow file for this run

name: ci
on:
push:
branches: [master]
release:
types: [created]
pull_request:
branches: [master]
permissions: read-all
env:
IMAGE_NAME: ghcr.io/${{ github.repository }}
jobs:
trivy:
name: trivy scan Code Base
runs-on: ubuntu-22.04
permissions:
security-events: write
steps:
- name: Checkout Code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
with:
fetch-depth: 0
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
with:
scan-type: "fs"
ignore-unfixed: true
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
with:
sarif_file: "trivy-results.sarif"
build:
name: build
runs-on: ubuntu-22.04
permissions:
packages: write
outputs:
image-tags: ${{ steps.container_meta.outputs.tags }}
image-digest: ${{ steps.build.outputs.digest }}
image-name: ${{ env.IMAGE_NAME }}
steps:
- name: Checkout code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
- name: Validate Gradle wrapper
uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6 # v1
- name: Set up QEMU
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2
- name: Container meta
id: container_meta
uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4
with:
images: |
${{ env.IMAGE_NAME }}
- name: Login to GitHub Container Registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
if: ${{ github.event_name != 'pull_request' }}
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get platforms to build
id: platforms
run: |
if [ "$IS_PULL_REQUEST" == "true" ]; then
echo "{platforms}={linux/amd64}" >> "$GITHUB_OUTPUT"
else
echo "{platforms}={linux/amd64}" >> "$GITHUB_OUTPUT"
fi
env:
IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }}
- name: Build and push
id: build
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4
with:
cache-from: type=gha
cache-to: type=gha,mode=max
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.container_meta.outputs.tags }}
labels: ${{ steps.container_meta.outputs.labels }}
load: ${{ github.event_name == 'pull_request' }}
platforms: ${{ steps.platforms.outputs.platforms }}
- name: Run E2E tests
env:
FHIR_GATEWAY_IMAGE_NAME: "${{ fromJson(steps.container_meta.outputs.json).tags[0] }}"
run: |
docker-compose -p e2e -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml --project-directory=tests/e2e build
docker-compose -p e2e -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml --project-directory=tests/e2e up -d
docker-compose -p e2e -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml --project-directory=tests/e2e run tester
- name: Print E2E logs
env:
FHIR_GATEWAY_IMAGE_NAME: "${{ fromJson(steps.container_meta.outputs.json).tags[0] }}"
if: ${{ always() }}
run: |
docker-compose -p e2e -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml logs
docker-compose -p e2e -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml down --volumes --remove-orphans
sign-images:
name: sign images
runs-on: ubuntu-22.04
if: ${{ github.event_name != 'pull_request' }}
needs:
- build
permissions:
id-token: write
packages: write
steps:
- name: Login to GitHub Container Registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install Cosign
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Sign image
env:
IMAGES: ${{ needs.build.outputs.image-tags }}
DIGEST: ${{ needs.build.outputs.image-digest }}
COSIGN_EXPERIMENTAL: "true"
run: |
while read -r image; do
echo "Signing '$image' using keyless approach"
cosign sign "$image@$DIGEST"
done <<< "$IMAGES"
container-provenance:
if: ${{ startsWith(github.ref, 'refs/tags/') }}
needs:
- build
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.build.outputs.image-name }}
digest: ${{ needs.build.outputs.image-digest }}
registry-username: ${{ github.actor }}
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
compile-generator: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
release:
needs:
- build
name: release
runs-on: ubuntu-22.04
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: write
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
with:
fetch-depth: 0
- name: Semantic Release
uses: cycjimmy/semantic-release-action@3b88c82b34098e8b51e401c1082c9170b0a3ec3c # tag=v3
with:
extra_plugins: |
[email protected]
env:
GITHUB_TOKEN: ${{ secrets.MIRACUM_BOT_SEMANTIC_RELEASE_TOKEN }}