-
Notifications
You must be signed in to change notification settings - Fork 1
176 lines (152 loc) · 5.13 KB
/
build-and-test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
name: Build and Test
on:
push:
branches:
- main
paths-ignore:
- '*.md'
- '.github/**'
pull_request:
branches: [ '**' ]
# There is an issue with GitHub required checks and paths-ignore. We don't really need to
# run the tests if there are only irrelevant changes (see paths-ignore above). However,
# we require tests to pass by making a "required check" rule on the branch. If the action
# is not triggered, the required check never passes and you are stuck. Therefore, we have
# to run tests even when we only change a markdown file. So don't do what I did and put a
# paths-ignore right here!
workflow_dispatch: {}
jobs:
bump-check:
runs-on: ubuntu-latest
outputs:
is-bump: ${{ steps.skiptest.outputs.is-bump }}
steps:
- uses: actions/checkout@v2
- name: Skip version bump merges
id: skiptest
uses: ./.github/actions/bump-skip
with:
event-name: ${{ github.event_name }}
build:
needs: [ bump-check ]
runs-on: ubuntu-latest
if: needs.bump-check.outputs.is-bump == 'no'
steps:
- uses: actions/checkout@v2
- name: Set up JDK
uses: actions/setup-java@v2
with:
java-version: '17'
distribution: 'temurin'
- name: Setup Gradle
uses: gradle/gradle-build-action@v2
- name: Build the test harness and, by dependency, the library
run: ./gradlew --build-cache build -x test
- name: Upload spotbugs results
uses: github/codeql-action/upload-sarif@main
with:
sarif_file: library/build/reports/spotbugs/main.sarif
tests-and-sonarqube:
needs: [ bump-check, build ]
runs-on: ubuntu-latest
if: needs.bump-check.outputs.is-bump == 'no'
permissions:
contents: 'read'
id-token: 'write'
services:
postgres:
image: postgres:13.1
env:
POSTGRES_PASSWORD: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
steps:
- uses: actions/checkout@v2
# Needed by sonar to get the git history for the branch the PR will be merged into.
with:
fetch-depth: 0
- name: Set up JDK
uses: actions/setup-java@v2
with:
java-version: '17'
distribution: 'temurin'
- name: Initialize the database
env:
PGPASSWORD: postgres
run: |
psql -h localhost -U postgres -f ./scripts/postgres-init.sql
- name: Setup Gradle
uses: gradle/gradle-build-action@v2
# use a federated credential to connect w/azure
- name: Azure CLI login
uses: azure/login@v1
with:
client-id: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_CLIENT_ID }}
tenant-id: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_TENANT_ID }}
subscription-id: f557c728-871d-408c-a28b-eb6b2141a087
# Run tests
- name: Test Library and Library with coverage
run: ./gradlew --build-cache library:test --scan
- name: Test Harness Tests with coverage
run: ./gradlew --build-cache testharness:test --scan
- name: Integration Test with coverage
run: ./gradlew --build-cache library:integration --scan
- name: Upload Test Harness Test Reports
uses: actions/upload-artifact@v1
if: always()
with:
name: Test Harness Reports
path: testharness/build/reports/tests
- name: Upload Library Test Reports
uses: actions/upload-artifact@v1
if: always()
with:
name: Test Reports
path: library/build/reports/tests
# The SonarQube scan is done here, so it can upload the coverage report generated by the tests.
- name: SonarQube scan
run: ./gradlew --build-cache sonarqube
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Azure logout
uses: azure/CLI@v1
if: always()
with:
inlineScript: |
az logout
az cache purge
az account clear
jib:
#disable until we need it
if: false
needs: [ build ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
cache: 'gradle'
- name: Construct docker image name and tag
id: image-name
run: |
GITHUB_REPO=$(basename ${{ github.repository }})
GIT_SHORT_HASH=$(git rev-parse --short HEAD)
echo "name=${GITHUB_REPO}:${GIT_SHORT_HASH}" >> $GITHUB_OUTPUT
- name: Build image locally with jib
run: |
./gradlew --build-cache :service:jibDockerBuild \
--image=${{ steps.image-name.outputs.name }} \
-Djib.console=plain
- name: Run Trivy vulnerability scanner
uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: ${{ steps.image-name.outputs.name }}