Skip to content

#405 - Fix code scanning alert - org.hl7.fhir.convertors: org.hl7.fhi… #1437

#405 - Fix code scanning alert - org.hl7.fhir.convertors: org.hl7.fhi…

#405 - Fix code scanning alert - org.hl7.fhir.convertors: org.hl7.fhi… #1437

Workflow file for this run

name: Docker
on:
push:
branches:
- '**'
tags:
- v[0-9]+.[0-9]+.[0-9]+**
pull_request:
branches:
- master
jobs:
tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Docker Meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
labels: |
maintainer=medizininformatik-initiative
org.opencontainers.image.authors=medizininformatik-initiative
org.opencontainers.image.source=https://github.com/medizininformatik-initiative/feasibility-backend
org.opencontainers.image.vendor=medizininformatik-initiative
org.opencontainers.image.title=dataportal backend
org.opencontainers.image.description=The backend for the dataportal, including feasibility query execution as well as data selection and extraction.
- name: Set up JDK 22
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 22
- name: Cache Local Maven Repo
uses: actions/cache@v4
with:
path: ~/.m2/repository
key: tests-maven-${{ hashFiles('pom.xml') }}
- uses: s4u/[email protected]
with:
servers: |
[{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: java
queries: security-and-quality
- name: Run Tests
run: mvn -Pdownload-ontology -B verify
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
fail_ci_if_error: true
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
- name: Upload Dataportal Backend Jar
uses: actions/upload-artifact@v4
with:
name: backend-jar
path: target/dataportalBackend.jar
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and Export to Docker
uses: docker/build-push-action@v6
with:
context: .
tags: backend:latest
outputs: type=docker,dest=/tmp/dataportalBackend.tar
- name: Upload Dataportal Backend Image
uses: actions/upload-artifact@v4
with:
name: backend-image
path: /tmp/dataportalBackend.tar
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK 21
uses: actions/setup-java@v4
with:
distribution: 'zulu'
java-version: 21
- name: Cache Local Maven Repo
uses: actions/cache@v4
with:
path: ~/.m2/repository
key: security-scan-maven-${{ hashFiles('pom.xml') }}
- uses: s4u/[email protected]
with:
servers: |
[{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]
- name: Maven Package
run: mvn -Pdownload-ontology -B -DskipTests package
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
context: .
tags: security-scan-build:latest
push: false
- name: Run Trivy Vulnerability Scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: security-scan-build:latest
format: sarif
output: trivy-results.sarif
severity: 'CRITICAL,HIGH'
timeout: '15m0s'
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
- name: Upload Trivy Scan Results to GitHub Security Tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
integration-test:
needs: tests
runs-on: ubuntu-latest
env:
ONTOLOGY_GIT_TAG: v3.0.0-test.11
ELASTIC_HOST: http://localhost:9200
ELASTIC_FILEPATH: https://github.com/medizininformatik-initiative/fhir-ontology-generator/raw/TAGPLACEHOLDER/example/fdpg-ontology/
ELASTIC_FILENAME: elastic.zip
OVERRIDE_EXISTING: true
steps:
- name: Check out Git repository
uses: actions/checkout@v4
- name: Download Dataportal Backend Image
uses: actions/download-artifact@v4
with:
name: backend-image
path: /tmp
- name: Install jq
uses: dcarbone/[email protected]
- name: Load Dataportal Backend Image
run: docker load --input /tmp/dataportalBackend.tar
- name: Download ontology files from github
run: .github/scripts/download-and-unpack-ontology.sh
- name: Run Dataportal Backend with Database, Elasticsearch, Keycloak and Blaze
run: docker compose -f .github/integration-test/docker-compose.yml up -d
- name: Wait for Dataportal Backend
run: .github/scripts/wait-for-url.sh http://localhost:8091/actuator/health
- name: Check if Dataportal Backend is correctly running with the user with id 10001
run: .github/scripts/check-if-running-as-user-10001.sh
- name: Wait for Blaze
run: .github/scripts/wait-for-url.sh http://localhost:8082/health
- name: Load Data
run: .github/scripts/load-test-data.sh
- name: Wait for Keycloak
run: .github/scripts/wait-for-url.sh http://localhost:8083/auth/
- name: Create Test User in Keycloak
run: .github/scripts/create-keycloak-user.sh
- name: Wait for Elastic
run: .github/scripts/wait-for-url.sh http://localhost:9200/_cluster/health
- name: Create indices and upload data to elastic
run: .github/scripts/init-elasticsearch.sh
- name: Wait for Flare
run: .github/scripts/wait-for-url.sh http://localhost:8092/cache/stats
- name: Post Test Query
run: .github/scripts/post-test-query.sh
- name: Post Elasticsearch Test Queries
run: .github/scripts/post-elastic-test-queries.sh
- name: Dump docker logs on failure
if: failure()
uses: jwalton/gh-docker-logs@v2
release:
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
needs:
- tests
- integration-test
- security-scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK 22
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 22
- name: Cache Local Maven Repo
uses: actions/cache@v4
with:
path: ~/.m2/repository
key: release-maven-${{ hashFiles('pom.xml') }}
- uses: s4u/[email protected]
with:
servers: |
[{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]
- name: Prepare Version
id: prep
run: |
echo ::set-output name=repository::$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')
echo ::set-output name=version::${GITHUB_REF#refs/tags/v}
- name: Maven Package
run: mvn -Pdownload-ontology -B -DskipTests package
- name: Login to GitHub Docker Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64
tags: |
ghcr.io/${{ steps.prep.outputs.repository }}:latest
ghcr.io/${{ steps.prep.outputs.repository }}:${{ steps.prep.outputs.version }}
push: true