diff --git a/.github/workflows/build-push-docker-image.yml b/.github/workflows/build-push-docker-image.yml
deleted file mode 100644
index 0b56428aa..000000000
--- a/.github/workflows/build-push-docker-image.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: build-push-docker-image
-
-#on: workflow_dispatch
-on:
- push:
- branches: feature/docker_configs
- workflow_dispatch:
-
-jobs:
- build-push-docker-image:
- runs-on: ubuntu-latest
- permissions:
- packages: write
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Get the latest release
- id: release
- uses: robinraju/release-downloader@v1.7
- with:
- latest: true
- fileName: "*.tar.bz2"
-
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
-
- - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
- with:
- registry: ghcr.io
- username: ${{ github.repository_owner }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Build and push the Production image
- uses: docker/build-push-action@v4
- with:
- context: .
- file: docker/Dockerfile.prod
- platforms: linux/amd64,linux/arm64
- push: true
- tags: |
- ghcr.io/openconext/stepup-middleware/stepup-middleware:prod
- ghcr.io/openconext/stepup-middleware/stepup-middleware:${{ github.sha }}
- ghcr.io/openconext/stepup-middleware/stepup-middleware:${{ steps.release.outputs.tag_name }}
diff --git a/.github/workflows/daily-security-check.yml b/.github/workflows/daily-security-check.yml
index 51d7d58ba..57031b017 100644
--- a/.github/workflows/daily-security-check.yml
+++ b/.github/workflows/daily-security-check.yml
@@ -6,97 +6,6 @@ on:
 workflow_dispatch:
 
 jobs:
- security:
- runs-on: ubuntu-latest
- timeout-minutes: 10
- steps:
- - name: Checkout repo
- uses: actions/checkout@v2
-
- # PHP checks
- - name: Check for php composer project
- id: check_composer
- uses: andstor/file-existence-action@v2
- with:
- files: "composer.lock"
- - name: Run php local security checker
- if: steps.check_composer.outputs.files_exists == 'true'
- uses: symfonycorp/security-checker-action@v4
-
- # node-yarn checks
- - name: Check for node-yarn project
- id: check_node_yarn
- uses: andstor/file-existence-action@v2
- with:
- files: "yarn.lock"
- - name: Setup node
- if: steps.check_node_yarn.outputs.files_exists == 'true'
- uses: actions/setup-node@v3
- with:
- node-version: 14
- - name: Yarn Audit
- if: steps.check_node_yarn.outputs.files_exists == 'true'
- run: yarn audit --level high --groups dependencies optionalDependencies
-
- # node-npm checks
- - name: Check for node-npm project
- id: check_node_npm
- uses: andstor/file-existence-action@v2
- with:
- files: "package.lock"
- - name: Setup node
- if: steps.check_node_npm.outputs.files_exists == 'true'
- uses: actions/setup-node@v3
- with:
- node-version: 14
- - name: npm audit
- if: steps.check_node_npm.outputs.files_exists == 'true'
- run: npm audit --audit-level=high
-
- # python checks
- - name: Check for python project
- id: check_python
- uses: andstor/file-existence-action@v2
- with:
- files: "requirements.txt"
- - name: Safety checks Python dependencies
- if: steps.check_python.outputs.files_exists == 'true'
- uses: pyupio/safety@2.3.5
-
- # java checks
- - name: Check for java maven project
- id: check_maven
- uses: andstor/file-existence-action@v2
- with:
- files: "pom.xml"
- - name: Setup java if needed
- if: steps.check_maven.outputs.files_exists == 'true'
- uses: actions/setup-java@v3
- with:
- java-version: 11
- distribution: 'temurin'
- cache: 'maven'
- - name: Set up maven cache if needed
- if: steps.check_maven.outputs.files_exists == 'true'
- uses: actions/cache@v1
- with:
- path: ~/.m2/repository
- key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
- restore-keys: |
- ${{ runner.os }}-maven-
- - name: Check java
- if: steps.check_maven.outputs.files_exists == 'true'
- run: mvn org.owasp:dependency-check-maven:check
-
- # Send results
- - name: Send to Slack if something failed
- if: failure()
- uses: rtCamp/action-slack-notify@v2
- env:
- SLACK_CHANNEL: surfconext-nightly-check
- SLACK_COLOR: ${{ job.status }}
- SLACK_ICON: https://static.surfconext.nl/logos/idp/surfnet.png
- SLACK_MESSAGE: 'Dependency check failed :crying_cat_face:'
- SLACK_TITLE: ${{ github.repository }} wants attention
- SLACK_USERNAME: NightlySecurityCheck
- SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
\ No newline at end of file
+ call-workflow-passing-data:
+ name: Daily security check (Reusable Workflow)
+ uses: openconext/openconext-githubactions/.github/workflows/daily-security-check.yml@main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 000000000..3339be756
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,12 @@
+name: release
+
+on:
+ push:
+ tags:
+ - "*.*.*"
+
+jobs:
+ build-release-and-push-container:
+ uses: openconext/openconext-githubactions/.github/workflows/symfony-release.yml@main
+ with:
+ component_name: "Stepup-Middleware"
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
deleted file mode 100644
index c10aedc0d..000000000
--- a/.github/workflows/tag-release.yml
+++ /dev/null
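Review bot: The new `uses:` line pins the shared workflow to the mutable `main` branch of openconext/openconext-githubactions, so whatever lands on that branch next runs in this repository with its `GITHUB_TOKEN` and without any review here; the same applies to the `symfony-release.yml@main` reference in the new release.yml. Pin both to a release tag or, better, a full commit SHA, e.g. `uses: openconext/openconext-githubactions/.github/workflows/daily-security-check.yml@<full-commit-sha-placeholder>`, and let a dependency updater move the pin. The removed job also forwarded `secrets.SLACK_WEBHOOK` to its Slack step, while the new caller passes no `secrets:` block; if the reusable workflow still posts to Slack it will need `secrets: inherit` or an explicit `secrets:` mapping, which cannot be confirmed from this diff. The job id `call-workflow-passing-data` reads like a copied example; something like `daily-security-check` would match the file and the `name:` below it.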
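Review bot: The caller job `build-release-and-push-container` sets no `permissions:`, so the reusable workflow runs with whatever default `GITHUB_TOKEN` scope the repository settings grant, which may be read-only. The deleted tag-release.yml created the release with `secrets.GITHUB_TOKEN` and the deleted build-push-docker-image.yml declared `packages: write` for the ghcr.io push; if the shared `symfony-release.yml` does the same work, as the job name suggests, those scopes have to be granted here explicitly, e.g. after the `uses:` line: `permissions:` / `contents: write` / `packages: write`. Nothing is passed under `secrets:` either; should the shared workflow need anything beyond `GITHUB_TOKEN`, `secrets: inherit` or an explicit mapping is required, which this diff does not let me verify.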
@@ -1,78 +0,0 @@
-name: tag-release
-on:
- push:
- tags:
- - "*.*.*"
-jobs:
- build:
- runs-on: ubuntu-latest
- timeout-minutes: 10
- env:
- COMPONENT_NAME: Stepup-Middleware
- if: always()
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- with:
- repository: OpenConext/Stepup-Build
- ref: master
- - name: Output the semver tag to the tag variable
- id: vars
- run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
- - name: Run release script
- run: ./stepup-build.sh ${COMPONENT_NAME} --tag ${{ steps.vars.outputs.tag }}
- - name: Grab the archive filename
- id: archive
- run: |
- echo ::set-output name=archive::$(find . -maxdepth 1 -name "$COMPONENT_NAME*.tar.bz2" -printf '%f\n')
- echo ::set-output name=shasum::$(find . -maxdepth 1 -name "$COMPONENT_NAME*.sha" -printf '%f\n')
- - name: Build Changelog
- id: changelog
- uses: ardalanamini/auto-changelog@v3
- with:
- default-commit-type: New Features
- - name: Create Draft Release
- id: create_release
- uses: actions/create-release@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- tag_name: ${{ steps.vars.outputs.tag }}
- release_name: ${{ steps.vars.outputs.tag }}
- body: |
- ${{ steps.changelog.outputs.changelog }}
- draft: true
- prerelease: false
- - uses: actions/upload-release-asset@v1.0.1
- name: Upload the release artefact tarbal
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ steps.create_release.outputs.upload_url }}
- asset_path: ${{ steps.archive.outputs.archive }}
- asset_name: ${{ steps.archive.outputs.archive }}
- asset_content_type: application/gzip
- - uses: actions/upload-release-asset@v1.0.1
- name: Upload the release artefact verification shasum
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ steps.create_release.outputs.upload_url }}
- asset_path: ${{ steps.archive.outputs.shasum }}
- asset_name: ${{ steps.archive.outputs.shasum }}
- asset_content_type: text/plain
- - uses: eregon/publish-release@v1
- name: Publish the new release
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- release_id: ${{ steps.create_release.outputs.id }}
-
- after_build:
- needs: build
- runs-on: ubuntu-latest
- steps:
- - name: Trigger Docker container build
- uses: benc-uk/workflow-dispatch@v1
- with:
- workflow: build-push-docker-image.yml