.github/workflows/ci.yml

name: Docker

on:
  push:
    branches:
    - '**'
    tags:
    - v[0-9]+.[0-9]+.[0-9]+**
  pull_request:
    branches:
    - master

jobs:

  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Docker Meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha
          labels: |
            maintainer=medizininformatik-initiative
            org.opencontainers.image.authors=medizininformatik-initiative
            org.opencontainers.image.source=https://github.com/medizininformatik-initiative/feasibility-backend
            org.opencontainers.image.vendor=medizininformatik-initiative
            org.opencontainers.image.title=dataportal backend
            org.opencontainers.image.description=The backend for the dataportal, including feasibility query execution as well as data selection and extraction.

      - name: Set up JDK 22
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: 22

      - name: Cache Local Maven Repo
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: tests-maven-${{ hashFiles('pom.xml') }}

      - uses: s4u/maven-settings-action@v3.0.0
        with:
          servers: |
            [{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          queries: security-and-quality

      - name: Run Tests
        run: mvn -Pdownload-ontology -B verify

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v4
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
          fail_ci_if_error: true

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

      - name: Upload Dataportal Backend Jar
        uses: actions/upload-artifact@v4
        with:
          name: backend-jar
          path: target/dataportalBackend.jar

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and Export to Docker
        uses: docker/build-push-action@v6
        with:
          context: .
          tags: backend:latest
          outputs: type=docker,dest=/tmp/dataportalBackend.tar

      - name: Upload Dataportal Backend Image
        uses: actions/upload-artifact@v4
        with:
          name: backend-image
          path: /tmp/dataportalBackend.tar

  security-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Set up JDK 21
      uses: actions/setup-java@v4
      with:
        distribution: 'zulu'
        java-version: 21

    - name: Cache Local Maven Repo
      uses: actions/cache@v4
      with:
        path: ~/.m2/repository
        key: security-scan-maven-${{ hashFiles('pom.xml') }}

    - uses: s4u/maven-settings-action@v3.0.0
      with:
        servers: |
          [{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]

    - name: Maven Package
      run: mvn -Pdownload-ontology -B -DskipTests package

    - name: Build and push Docker image
      uses: docker/build-push-action@v6
      with:
        context: .
        tags: security-scan-build:latest
        push: false

    - name: Run Trivy Vulnerability Scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: security-scan-build:latest
        format: sarif
        output: trivy-results.sarif
        severity: 'CRITICAL,HIGH'
        timeout: '15m0s'
      env:
        TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
        TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1

    - name: Upload Trivy Scan Results to GitHub Security Tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: trivy-results.sarif

  integration-test:
    needs: tests
    runs-on: ubuntu-latest
    env:
      ONTOLOGY_GIT_TAG: v3.0.0-test.11
      ELASTIC_HOST: http://localhost:9200
      ELASTIC_FILEPATH: https://github.com/medizininformatik-initiative/fhir-ontology-generator/raw/TAGPLACEHOLDER/example/fdpg-ontology/
      ELASTIC_FILENAME: elastic.zip
      OVERRIDE_EXISTING: true

    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4

      - name: Download Dataportal Backend Image
        uses: actions/download-artifact@v4
        with:
          name: backend-image
          path: /tmp

      - name: Install jq
        uses: dcarbone/install-jq-action@v2.1.0

      - name: Load Dataportal Backend Image
        run: docker load --input /tmp/dataportalBackend.tar

      - name: Download ontology files from github
        run: .github/scripts/download-and-unpack-ontology.sh

      - name: Run Dataportal Backend with Database, Elasticsearch, Keycloak and Blaze
        run: docker compose -f .github/integration-test/docker-compose.yml up -d

      - name: Wait for Dataportal Backend
        run: .github/scripts/wait-for-url.sh  http://localhost:8091/actuator/health

      - name: Check if Dataportal Backend is correctly running with the user with id 10001
        run: .github/scripts/check-if-running-as-user-10001.sh

      - name: Wait for Blaze
        run: .github/scripts/wait-for-url.sh  http://localhost:8082/health

      - name: Load Data
        run: .github/scripts/load-test-data.sh

      - name: Wait for Keycloak
        run: .github/scripts/wait-for-url.sh  http://localhost:8083/auth/

      - name: Create Test User in Keycloak
        run: .github/scripts/create-keycloak-user.sh

      - name: Wait for Elastic
        run: .github/scripts/wait-for-url.sh  http://localhost:9200/_cluster/health

      - name: Create indices and upload data to elastic
        run: .github/scripts/init-elasticsearch.sh

      - name: Wait for Flare
        run: .github/scripts/wait-for-url.sh  http://localhost:8092/cache/stats

      - name: Post Test Query
        run: .github/scripts/post-test-query.sh

      - name: Post Elasticsearch Test Queries
        run: .github/scripts/post-elastic-test-queries.sh

      - name: Dump docker logs on failure
        if: failure()
        uses: jwalton/gh-docker-logs@v2

  release:
    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
    needs:
      - tests
      - integration-test
      - security-scan
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Set up JDK 22
      uses: actions/setup-java@v4
      with:
        distribution: 'temurin'
        java-version: 22

    - name: Cache Local Maven Repo
      uses: actions/cache@v4
      with:
        path: ~/.m2/repository
        key: release-maven-${{ hashFiles('pom.xml') }}

    - uses: s4u/maven-settings-action@v3.0.0
      with:
        servers: |
          [{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]

    - name: Prepare Version
      id: prep
      run: |
        echo ::set-output name=repository::$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')
        echo ::set-output name=version::${GITHUB_REF#refs/tags/v}

    - name: Maven Package
      run: mvn -Pdownload-ontology -B -DskipTests package

    - name: Login to GitHub Docker Registry
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - name: Build and push Docker image
      uses: docker/build-push-action@v6
      with:
        context: .
        platforms: linux/amd64,linux/arm64
        tags: |
          ghcr.io/${{ steps.prep.outputs.repository }}:latest
          ghcr.io/${{ steps.prep.outputs.repository }}:${{ steps.prep.outputs.version }}
        push: true