release 3.9.12 #49
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Upload to Google Artifact registry | |
| on: | |
| workflow_dispatch: | |
| push: | |
| tags: | |
| - "*" | |
| env: | |
| PROJECT_ID: ahdis-ch | |
| GAR_LOCATION: europe-west6 | |
| REPOSITORY: ahdis | |
| IMAGE: matchbox | |
| jobs: | |
| setup-build-publish-deploy: | |
| name: Setup, Build, Publish, and Deploy | |
| runs-on: ubuntu-latest | |
| environment: production | |
| permissions: | |
| contents: read | |
| id-token: write | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Build Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: 21 | |
| distribution: adopt | |
| cache: maven | |
| - run: mvn --batch-mode --update-snapshots package -DskipTests -P release | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@master | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@master | |
| # Configure Workload Identity Federation and generate an access token. | |
| - id: "auth" | |
| name: "Authenticate to Google Cloud" | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| token_format: "access_token" | |
| workload_identity_provider: "projects/1022310475153/locations/global/workloadIdentityPools/github-wif-pool/providers/oidc-github-provider" | |
| service_account: "[email protected]" | |
| - name: Docker configuration | |
| run: |- | |
| echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev | |
| # Build the Docker image for arm and amd | |
| - name: Build | |
| run: |- | |
| docker buildx build \ | |
| --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_REF_NAME" \ | |
| --build-arg GITHUB_SHA="$GITHUB_SHA" \ | |
| --build-arg GITHUB_REF="$GITHUB_REF" \ | |
| --push \ | |
| --platform=linux/arm64,linux/amd64 \ | |
| -f matchbox-server/Dockerfile \ | |
| matchbox-server | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: '${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.IMAGE }}:${{ github.ref_name }}' | |
| format: 'sarif' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@main | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Send a stream message to Zulip | |
| uses: zulip/github-actions-zulip/send-message@v1 | |
| with: | |
| api-key: ${{ secrets.ZULIPAPIKEY }} | |
| email: "[email protected]" | |
| organization-url: "https://chat.fhir.org" | |
| to: "matchbox" | |
| type: "stream" | |
| topic: "new matchbox version published" | |
| content: | | |
| :rocket: ${{ env.REPOSITORY }}/${{ env.IMAGE }}:${{ github.ref_name }} published :rocket: | |
| see also https://github.com/ahdis/matchbox/releases/tag/${{ github.ref_name }} | |
| docker pull ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.IMAGE }}:${{ github.ref_name }} | |
| - name: Send a stream message to Zulip | |
| uses: zulip/github-actions-zulip/send-message@v1 | |
| if: failure() | |
| with: | |
| api-key: ${{ secrets.ZULIPAPIKEY }} | |
| email: "[email protected]" | |
| organization-url: "https://chat.fhir.org" | |
| to: "ahdis" | |
| type: "stream" | |
| topic: "failed publishing matchbox" | |
| content: | | |
| failure ${{ env.REPOSITORY }}/${{ env.IMAGE }}:${{ github.ref_name }} | |
| see https://github.com/ahdis/matchbox/actions/runs/${{ github.run_id }} |