Merge pull request #397 from medizininformatik-initiative/release/v6.… #1412
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Docker | |
on: | |
push: | |
branches: | |
- '**' | |
tags: | |
- v[0-9]+.[0-9]+.[0-9]+** | |
pull_request: | |
branches: | |
- master | |
jobs: | |
tests: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Docker Meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern={{major}} | |
type=sha | |
labels: | | |
maintainer=medizininformatik-initiative | |
org.opencontainers.image.authors=medizininformatik-initiative | |
org.opencontainers.image.source=https://github.com/medizininformatik-initiative/feasibility-backend | |
org.opencontainers.image.vendor=medizininformatik-initiative | |
org.opencontainers.image.title=dataportal backend | |
org.opencontainers.image.description=The backend for the dataportal, including feasibility query execution as well as data selection and extraction. | |
- name: Set up JDK 22 | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: 22 | |
- name: Cache Local Maven Repo | |
uses: actions/cache@v4 | |
with: | |
path: ~/.m2/repository | |
key: tests-maven-${{ hashFiles('pom.xml') }} | |
- uses: s4u/[email protected] | |
with: | |
servers: | | |
[{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}] | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: java | |
queries: security-and-quality | |
- name: Run Tests | |
run: mvn -Pdownload-ontology -B verify | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
with: | |
fail_ci_if_error: true | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
- name: Upload Dataportal Backend Jar | |
uses: actions/upload-artifact@v4 | |
with: | |
name: backend-jar | |
path: target/dataportalBackend.jar | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build and Export to Docker | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
tags: backend:latest | |
outputs: type=docker,dest=/tmp/dataportalBackend.tar | |
- name: Upload Dataportal Backend Image | |
uses: actions/upload-artifact@v4 | |
with: | |
name: backend-image | |
path: /tmp/dataportalBackend.tar | |
security-scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up JDK 21 | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'zulu' | |
java-version: 21 | |
- name: Cache Local Maven Repo | |
uses: actions/cache@v4 | |
with: | |
path: ~/.m2/repository | |
key: security-scan-maven-${{ hashFiles('pom.xml') }} | |
- uses: s4u/[email protected] | |
with: | |
servers: | | |
[{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}] | |
- name: Maven Package | |
run: mvn -Pdownload-ontology -B -DskipTests package | |
- name: Build and push Docker image | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
tags: security-scan-build:latest | |
push: false | |
- name: Run Trivy Vulnerability Scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: security-scan-build:latest | |
format: sarif | |
output: trivy-results.sarif | |
severity: 'CRITICAL,HIGH' | |
timeout: '15m0s' | |
env: | |
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 | |
- name: Upload Trivy Scan Results to GitHub Security Tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: trivy-results.sarif | |
integration-test: | |
needs: tests | |
runs-on: ubuntu-latest | |
env: | |
ONTOLOGY_GIT_TAG: v3.0.0-test.11 | |
ELASTIC_HOST: http://localhost:9200 | |
ELASTIC_FILEPATH: https://github.com/medizininformatik-initiative/fhir-ontology-generator/raw/TAGPLACEHOLDER/example/fdpg-ontology/ | |
ELASTIC_FILENAME: elastic.zip | |
OVERRIDE_EXISTING: true | |
steps: | |
- name: Check out Git repository | |
uses: actions/checkout@v4 | |
- name: Download Dataportal Backend Image | |
uses: actions/download-artifact@v4 | |
with: | |
name: backend-image | |
path: /tmp | |
- name: Install jq | |
uses: dcarbone/[email protected] | |
- name: Load Dataportal Backend Image | |
run: docker load --input /tmp/dataportalBackend.tar | |
- name: Download ontology files from github | |
run: .github/scripts/download-and-unpack-ontology.sh | |
- name: Run Dataportal Backend with Database, Elasticsearch, Keycloak and Blaze | |
run: docker compose -f .github/integration-test/docker-compose.yml up -d | |
- name: Wait for Dataportal Backend | |
run: .github/scripts/wait-for-url.sh http://localhost:8091/actuator/health | |
- name: Check if Dataportal Backend is correctly running with the user with id 10001 | |
run: .github/scripts/check-if-running-as-user-10001.sh | |
- name: Wait for Blaze | |
run: .github/scripts/wait-for-url.sh http://localhost:8082/health | |
- name: Load Data | |
run: .github/scripts/load-test-data.sh | |
- name: Wait for Keycloak | |
run: .github/scripts/wait-for-url.sh http://localhost:8083/auth/ | |
- name: Create Test User in Keycloak | |
run: .github/scripts/create-keycloak-user.sh | |
- name: Wait for Elastic | |
run: .github/scripts/wait-for-url.sh http://localhost:9200/_cluster/health | |
- name: Create indices and upload data to elastic | |
run: .github/scripts/init-elasticsearch.sh | |
- name: Wait for Flare | |
run: .github/scripts/wait-for-url.sh http://localhost:8092/cache/stats | |
- name: Post Test Query | |
run: .github/scripts/post-test-query.sh | |
- name: Post Elasticsearch Test Queries | |
run: .github/scripts/post-elastic-test-queries.sh | |
- name: Dump docker logs on failure | |
if: failure() | |
uses: jwalton/gh-docker-logs@v2 | |
release: | |
if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
needs: | |
- tests | |
- integration-test | |
- security-scan | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up JDK 22 | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: 22 | |
- name: Cache Local Maven Repo | |
uses: actions/cache@v4 | |
with: | |
path: ~/.m2/repository | |
key: release-maven-${{ hashFiles('pom.xml') }} | |
- uses: s4u/[email protected] | |
with: | |
servers: | | |
[{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}] | |
- name: Prepare Version | |
id: prep | |
run: | | |
echo ::set-output name=repository::$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]') | |
echo ::set-output name=version::${GITHUB_REF#refs/tags/v} | |
- name: Maven Package | |
run: mvn -Pdownload-ontology -B -DskipTests package | |
- name: Login to GitHub Docker Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build and push Docker image | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
platforms: linux/amd64,linux/arm64 | |
tags: | | |
ghcr.io/${{ steps.prep.outputs.repository }}:latest | |
ghcr.io/${{ steps.prep.outputs.repository }}:${{ steps.prep.outputs.version }} | |
push: true |