Skip to content

Commit

Permalink
Merge pull request #302 from bcgov/feature/springboot2github-actions
Browse files Browse the repository at this point in the history
Feature/springboot2github actions
  • Loading branch information
arcshiftsolutions authored Oct 23, 2023
2 parents 320f062 + 145430e commit e279f2a
Show file tree
Hide file tree
Showing 15 changed files with 560 additions and 579 deletions.
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: API CI

on:
workflow_dispatch:
workflow_dispatch:
push:
branches:
- master
Expand All @@ -18,51 +18,51 @@ on:
jobs:
quality_profile:

runs-on: ubuntu-latest
runs-on: ubuntu-20.04

defaults:
run:
working-directory: api

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-java@v1
- uses: actions/setup-java@v3
with:
java-version: 11
- uses: actions/cache@v1
java-version: 17
distribution: oracle
- uses: actions/cache@v3
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Run unit tests
run: mvn -f pom.xml clean test
run: mvn -f pom.xml clean package
- name: Cache SonarCloud packages
uses: actions/cache@v1
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
#- name: Run Sonar Analysis
# run: mvn -f pom.xml sonar:sonar
# -Dsonar.login=${{ secrets.SONAR_TOKEN }}
# -Dsonar.host.url=https://sonarcloud.io
#-Dsonar.organization=bcgov-sonarcloud
#-Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
- name: Run Sonar Analysis
run: mvn -f pom.xml sonar:sonar
-Dsonar.login=${{ secrets.SONAR_TOKEN }}
-Dsonar.host.url=https://sonarcloud.io
-Dsonar.organization=bcgov-sonarcloud
-Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.10.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'template'
template: '@/contrib/sarif.tpl'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'LOW'
severity: 'CRITICAL'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
sarif_file: 'trivy-results.sarif'
170 changes: 170 additions & 0 deletions .github/workflows/deploy-to.openshift-dev.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,170 @@
name: Build & Deploy to DEV

env:
# 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
# To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
OPENSHIFT_NAMESPACE_DEV: ${{ secrets.PEN_NAMESPACE_NO_ENV }}-dev

DB_JDBC_CONNECT_STRING: ${{ secrets.DB_JDBC_CONNECT_STRING }}
DB_PWD: ${{ secrets.DB_PWD }}
DB_USER: ${{ secrets.DB_USER }}
SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}

# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
IMAGE_REGISTRY_USER: ${{ github.actor }}
IMAGE_REGISTRY_PASSWORD: ${{ github.token }}

# 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below.
IMAGE_TAGS: ""

SPRING_BOOT_IMAGE_NAME: pen-reg-batch-api-master
DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote
ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca

APP_NAME: "pen-reg-batch-api"
REPO_NAME: "educ-pen-reg-batch-api"
BRANCH: "master"
APP_NAME_FULL: "pen-reg-batch-api-master"
NAMESPACE: ${{ secrets.PEN_NAMESPACE_NO_ENV }}
COMMON_NAMESPACE: ${{ secrets.COMMON_NAMESPACE_NO_ENV }}
TAG: "latest"
MIN_REPLICAS_DEV: "1"
MAX_REPLICAS_DEV: "1"
MIN_CPU: "250m"
MAX_CPU: "500m"
MIN_MEM: "1Gi"
MAX_MEM: "2Gi"

on:
push:
branches:
- master
workflow_dispatch:

jobs:
build-and-deploy-dev:
name: Build and deploy to OpenShift DEV
# ubuntu-20.04 can also be used.
runs-on: ubuntu-20.04
environment: dev

outputs:
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}

steps:
- name: Check for required secrets
uses: actions/github-script@v6
with:
script: |
const secrets = {
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
};
const GHCR = "ghcr.io";
if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
core.info(`Image registry is ${GHCR} - no registry password required`);
}
else {
core.info("A registry password is required");
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
}
const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});
if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}
- name: Check out repository
uses: actions/checkout@v3

- name: Determine image tags
if: env.IMAGE_TAGS == ''
run: |
echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
registry: ${{ env.DOCKER_ARTIFACTORY_REPO }}
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

# https://github.com/redhat-actions/buildah-build#readme
- name: Build from Dockerfile
id: build-image
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.APP_NAME_FULL }}
tags: ${{ env.IMAGE_TAGS }}

# If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
# Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
# Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
dockerfiles: |
./Dockerfile
# https://github.com/redhat-actions/push-to-registry#readme
- name: Push to registry
id: push-image
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-image.outputs.image }}
tags: ${{ steps.build-image.outputs.tags }}
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ env.IMAGE_REGISTRY_USER }}
password: ${{ env.IMAGE_REGISTRY_PASSWORD }}

# The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }}

- name: Install oc
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: 4

# https://github.com/redhat-actions/oc-login#readme
- uses: actions/checkout@v3

- name: Deploy API
run: |
set -eu
# Login to OpenShift and select project
oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
oc project ${{ env.OPENSHIFT_NAMESPACE_DEV }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \
|| true && echo "No rollout in progress"
oc tag ${{ steps.push-image.outputs.registry-path }} ${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ env.TAG }}
# Process and apply deployment template
oc process -f tools/openshift/api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_DEV }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_DEV }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_DEV }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \
| oc apply -f -
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/master/tools/config/update-configmap.sh | bash /dev/stdin dev ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.DB_JDBC_CONNECT_STRING }} ${{ env.DB_PWD }} ${{ env.DB_USER }} ${{ env.SPLUNK_TOKEN }}
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \
|| true && echo "Rollout in progress"
oc logs -f dc/${{ env.SPRING_BOOT_IMAGE_NAME }}
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }}
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_DEV }}.apps.silver.devops.gov.bc.ca/v3/api-docs'
131 changes: 131 additions & 0 deletions .github/workflows/deploy-to.openshift-prod.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@
name: Deploy to PROD

env:
# 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
# To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
# Added this comment
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
OPENSHIFT_NAMESPACE: ${{ secrets.PEN_NAMESPACE_NO_ENV }}-prod

DB_JDBC_CONNECT_STRING: ${{ secrets.DB_JDBC_CONNECT_STRING }}
DB_PWD: ${{ secrets.DB_PWD }}
DB_USER: ${{ secrets.DB_USER }}
SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}

# 🖊️ EDIT to change the image registry settings.
# Registries such as GHCR, Quay.io, and Docker Hub are supported.
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
IMAGE_REGISTRY_USER: ${{ github.actor }}
IMAGE_REGISTRY_PASSWORD: ${{ github.token }}

SPRING_BOOT_IMAGE_NAME: pen-reg-batch-api-master

APP_NAME: "pen-reg-batch-api"
REPO_NAME: "educ-pen-reg-batch-api"
BRANCH: "master"
NAMESPACE: ${{ secrets.PEN_NAMESPACE_NO_ENV }}
COMMON_NAMESPACE: ${{ secrets.COMMON_NAMESPACE_NO_ENV }}
TAG: "latest"
TARGET_ENV: "prod"
MIN_REPLICAS: "3"
MAX_REPLICAS: "3"
MIN_CPU: "250m"
MAX_CPU: "500m"
MIN_MEM: "1Gi"
MAX_MEM: "2Gi"

on:
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows
workflow_dispatch:

jobs:
openshift-ci-cd:
name: Deploy to OpenShift PROD
# ubuntu-20.04 can also be used.
runs-on: ubuntu-20.04
environment: production

outputs:
ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}

steps:
- name: Check for required secrets
uses: actions/github-script@v6
with:
script: |
const secrets = {
OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
};
const GHCR = "ghcr.io";
if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
core.info(`Image registry is ${GHCR} - no registry password required`);
}
else {
core.info("A registry password is required");
secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
}

const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
if (value.length === 0) {
core.error(`Secret "${name}" is not set`);
return true;
}
core.info(`✔️ Secret "${name}" is set`);
return false;
});

if (missingSecrets.length > 0) {
core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
"You can add it using:\n" +
"GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
"GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
"Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
}
else {
core.info(`✅ All the required secrets are set`);
}

- name: Check out repository
uses: actions/checkout@v3

- name: Get latest tag
uses: actions-ecosystem/action-get-latest-tag@v1
id: get-latest-tag

- name: Install oc
uses: redhat-actions/openshift-tools-installer@v1
with:
oc: 4

# https://github.com/redhat-actions/oc-login#readme
- uses: actions/checkout@v3

- name: Deploy API
run: |
set -eux
# Login to OpenShift and select project
oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
oc project ${{ env.OPENSHIFT_NAMESPACE }}
# Cancel any rollouts in progress
oc rollout cancel dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \
|| true && echo "No rollout in progress"
oc tag ${{ env.NAMESPACE }}-test/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ steps.get-latest-tag.outputs.tag }} ${{ env.NAMESPACE }}-prod/${{ env.REPO_NAME }}-${{ env.BRANCH }}:${{ steps.get-latest-tag.outputs.tag }}
# Process and apply deployment template
oc process -f tools/openshift/api.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ steps.get-latest-tag.outputs.tag }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} \
| oc apply -f -
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ steps.get-latest-tag.outputs.tag }}/tools/config/update-configmap.sh | bash /dev/stdin ${{ env.TARGET_ENV }} ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.DB_JDBC_CONNECT_STRING }} ${{ env.DB_PWD }} ${{ env.DB_USER }} ${{ env.SPLUNK_TOKEN }}
# Start rollout (if necessary) and follow it
oc rollout latest dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \
|| true && echo "Rollout in progress"
oc logs -f dc/${{ env.SPRING_BOOT_IMAGE_NAME }}
# Get status, returns 0 if rollout is successful
oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }}
Loading

0 comments on commit e279f2a

Please sign in to comment.