build: add github action workflows: build, dependency check, release, pr

tomjo · Oct 20, 2023 · d0c761b · d0c761b
1 parent c87668c
commit d0c761b
Show file tree

Hide file tree

Showing 6 changed files with 387 additions and 18 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,19 +1,33 @@
-name: debezium-offsetfile-conv-build
+name: Build
 on:
   workflow_dispatch:
-  push:
-    branches: [ "master" ]
-  pull_request:
-    branches: [ "master" ]
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        type: string
+      upload:
+        required: false
+        type: boolean
+        default: false
+      sign:
+        required: false
+        type: boolean
+        default: false
+
+defaults:
+  run:
+    shell: bash
 
 permissions:
-  contents: read
-  packages: write
+  contents: write
   pull-requests: write
+  packages: write
+  id-token: write
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -22,7 +36,7 @@ jobs:
       - name: Set up JDK
         uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
-          java-version: '17'
+          java-version: '17.0.7'
           distribution: 'liberica'
           architecture: 'x64'
       - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 #v1.1.0
@@ -31,20 +45,33 @@ jobs:
         with:
           generate-job-summary: true
           dependency-graph: generate-and-submit
+
       - name: Build
+        env:
+          ORG_GRADLE_PROJECT_projectVersion: ${{ inputs.version }}
+          QUARKUS_PACKAGE_TYPE: uber-jar
         run: ./gradlew build
-      - name: OWASP dependency check
-        run: ./gradlew dependencyCheckAggregate
+      - name: Integration tests
+        env:
+          ORG_GRADLE_PROJECT_projectVersion: ${{ inputs.version }}
+          QUARKUS_PACKAGE_TYPE: uber-jar
+        run: ./gradlew quarkusIntTest
+      - name: Sign
+        if: ${{ inputs.sign }}
+        env:
+          ORG_GRADLE_PROJECT_projectVersion: ${{ inputs.version }}
+          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_SECRET }}
+          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }}
+        run: ./gradlew sign
       - name: Upload build reports
         if: always()
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: build-reports
           path: build/reports/
-  dependency-review:
-    needs: build
-    runs-on: ubuntu-latest
-    steps:
-      - name: Perform dependency review
-        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
-
+      - name: Upload jar
+        if: ${{ inputs.upload }}
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: debezium-offsetfile-conv-${{ inputs.version }}.jar
+          path: build/quarkus-build/gen/debezium-offsetfile-conv-${{ inputs.version }}-runner.jar
diff --git a/.github/workflows/determine_version.yaml b/.github/workflows/determine_version.yaml
@@ -0,0 +1,39 @@
+name: Determine version
+on:
+  workflow_dispatch:
+  workflow_call:
+    outputs:
+      version:
+        description: "Determined version"
+        value: ${{ jobs.determine_version.outputs.version }}
+jobs:
+  determine_version:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          fetch-depth: '0'
+      - name: Set up Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
+        with:
+          go-version: 1.21.3
+      - name: Install SVU
+        run: go install github.com/caarlos0/svu@00b733b056534c0fbdb316bbd37c023e7bb80905 #v1.11.0
+      - name: Get branch name (merge)
+        if: github.event_name != 'pull_request'
+        run: echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | tr / -)" >> $GITHUB_ENV
+      - name: Get branch name (pull request)
+        if: github.event_name == 'pull_request'
+        run: echo "BRANCH_NAME=$(echo ${GITHUB_HEAD_REF} | tr / -)" >> $GITHUB_ENV
+      - name: Determine version (branch)
+        if: env.BRANCH_NAME != 'master'
+        run: 'echo "PROJECT_VERSION=$(svu --pre-release ${{ env.BRANCH_NAME }}-alpha.$(git rev-list origin/master.. --count))" >> "$GITHUB_ENV"'
+      - name: Determine version
+        if: env.BRANCH_NAME == 'master'
+        run: 'echo "PROJECT_VERSION=$(svu)" >> "$GITHUB_ENV"'
+      - run: 'echo "Determined version: $PROJECT_VERSION"'
+      - run: 'echo "PROJECT_VERSION=$PROJECT_VERSION" >> "$GITHUB_OUTPUT"'
+        id: set-version
+    outputs:
+      version: ${{ steps.set-version.outputs.PROJECT_VERSION}}
diff --git a/.github/workflows/native_build.yaml b/.github/workflows/native_build.yaml
@@ -0,0 +1,181 @@
+name: Native Build
+
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        type: string
+      upload:
+        required: false
+        type: boolean
+        default: false
+      sign:
+        required: false
+        type: boolean
+        default: false
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: write
+  id-token: write
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-native-linux-x64:
+    name: build-native-linux-x64
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          fetch-depth: '0'
+      - name: Set up JDK
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
+        with:
+          java-version: '17.0.7'
+          distribution: 'liberica'
+          architecture: 'x64'
+      - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 #v1.1.0
+      - name: Set up Gradle
+        uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a # v2.9.0
+        with:
+          generate-job-summary: true
+          dependency-graph: generate-and-submit
+      - name: Install cosign
+        if: ${{ inputs.sign }}
+        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+        with:
+          cosign-release: 'v2.1.1'
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      - name: Build native (linux x64)
+        env:
+          ORG_GRADLE_PROJECT_projectVersion: ${{ inputs.version }}
+          QUARKUS_PACKAGE_TYPE: native
+          QUARKUS_NATIVE_CONTAINERBUILD: true
+        run: ./gradlew -x test build
+      - name: Upload binary
+        if: ${{ inputs.upload }}
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: debezium-offsetfile-conv-linux-amd64-${{ inputs.version }}
+          path: build/debezium-offsetfile-conv-${{ inputs.version }}-runner
+      - name: Registry login
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract docker metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Build and push
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ inputs.upload }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - name: Sign image
+        if: ${{ inputs.sign }}
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+  build-native-windows-x64:
+    name: build-native-windows-x64
+    runs-on: windows-2022
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          fetch-depth: '0'
+      - name: Set up JDK
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
+        with:
+          java-version: '17.0.7'
+          distribution: 'liberica'
+          architecture: 'x64'
+      - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 #v1.1.0
+      - name: Set up Gradle
+        uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a # v2.9.0
+        with:
+          generate-job-summary: true
+          dependency-graph: generate-and-submit
+      - name: Set up GraalVM (Java ${{ matrix.java-version }})
+        uses: graalvm/setup-graalvm@6c7d417a1ef253f4d667a69e6a5716927746e251 # v1.1.4.2
+        with:
+          distribution: 'graalvm'
+          java-version: '17.0.7'
+          components: 'native-image'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          native-image-job-reports: 'true'
+      - name: Build native (windows x64)
+        env:
+          ORG_GRADLE_PROJECT_projectVersion: ${{ inputs.version }}
+          QUARKUS_PACKAGE_TYPE: native
+        run: ./gradlew -x test build
+      - name: Upload binary
+        if: ${{ inputs.upload }}
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: debezium-offsetfile-conv-windows-amd64-${{ inputs.version }}.exe
+          path: build/debezium-offsetfile-conv-${{ inputs.version }}-runner.exe
+
+  build-native-macos:
+    name: build-native-macos
+    runs-on: macos-12
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          fetch-depth: '0'
+      - name: Set up JDK
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
+        with:
+          java-version: '17.0.7'
+          distribution: 'liberica'
+          architecture: 'x64'
+      - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 #v1.1.0
+      - name: Set up Gradle
+        uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a # v2.9.0
+        with:
+          generate-job-summary: true
+          dependency-graph: generate-and-submit
+      - name: Set up GraalVM (Java ${{ matrix.java-version }})
+        uses: graalvm/setup-graalvm@6c7d417a1ef253f4d667a69e6a5716927746e251 # v1.1.4.2
+        with:
+          distribution: 'graalvm'
+          java-version: '17.0.7'
+          components: 'native-image'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          native-image-job-reports: 'true'
+      - name: Build native (macOS)
+        env:
+          ORG_GRADLE_PROJECT_projectVersion: ${{ inputs.version }}
+          QUARKUS_PACKAGE_TYPE: native
+        run: ./gradlew -x test build
+      - name: Upload binary
+        if: ${{ inputs.upload }}
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: debezium-offsetfile-conv-darwin-amd64-${{ inputs.version }}
+          path: build/debezium-offsetfile-conv-${{ inputs.version }}-runner
diff --git a/.github/workflows/owasp.yaml b/.github/workflows/owasp.yaml
@@ -0,0 +1,49 @@
+name: OWASP
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          fetch-depth: '0'
+      - name: Set up JDK
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
+        with:
+          java-version: '17.0.7'
+          distribution: 'liberica'
+          architecture: 'x64'
+      - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 #v1.1.0
+      - name: Set up Gradle
+        uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a # v2.9.0
+        with:
+          generate-job-summary: true
+          dependency-graph: generate-and-submit
+
+      - name: OWASP dependency check
+        env:
+          ORG_GRADLE_PROJECT_projectVersion: ${{ inputs.version }}
+        run: ./gradlew dependencyCheckAggregate
+      - name: Upload build reports
+        if: always()
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: build-reports
+          path: build/reports/
+      - name: Perform dependency review
+        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0