mirror of
https://github.com/spring-projects/spring-petclinic.git
synced 2026-02-02 20:51:10 +00:00
82 lines
No EOL
3.1 KiB
YAML
82 lines
No EOL
3.1 KiB
YAML
name: Build and Scan with JFrog
|
|
|
|
on:
|
|
push:
|
|
branches: [ "main", "develop" ]
|
|
pull_request:
|
|
branches: [ "main" ]
|
|
|
|
jobs:
|
|
build-and-scan:
|
|
runs-on: ubuntu-latest
|
|
|
|
# Environment variables are applied to all steps in this job.
|
|
# This ensures every JFrog CLI command is associated with the same build record.
|
|
env:
|
|
JFROG_CLI_BUILD_NAME: jesseh-spring-petclinic
|
|
JFROG_CLI_BUILD_NUMBER: ${{ github.run_id }}
|
|
|
|
steps:
|
|
- name: Checkout Code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up JDK 17
|
|
uses: actions/setup-java@v4
|
|
with:
|
|
distribution: 'temurin'
|
|
java-version: '17'
|
|
|
|
# This action installs the JFrog CLI and configures the connection to your Artifactory server.
|
|
# It uses your provided secrets to create a server configuration named 'my-jfrog-server'.
|
|
- name: Setup JFrog CLI
|
|
uses: jfrog/setup-jfrog-cli@v4
|
|
with:
|
|
server-id: my-jfrog-server
|
|
url: ${{ secrets.JF_RT_URL }}
|
|
user: ${{ secrets.ARTIFACTORY_USERNAME }}
|
|
password: ${{ secrets.ARTIFACTORY_IDENTITY_TOKEN }}
|
|
|
|
- name: Configure Maven Repositories
|
|
run: |
|
|
jf mvnc \
|
|
--server-id-resolve=my-jfrog-server \
|
|
--repo-resolve-releases=jesseh-maven-dev-virtual
|
|
|
|
# This is a "shift-left" security scan. It runs SAST and SCA on your source code
|
|
# before the build to provide fast feedback on vulnerabilities.
|
|
- name: Run JFrog SAST & SCA Audit
|
|
run: |
|
|
jf audit --fail=false --watches=jesseh-security
|
|
|
|
# The 'jf' prefix wraps the Maven command, allowing the JFrog CLI to
|
|
# resolve dependencies from Artifactory and collect build-info.
|
|
- name: Build Application with Maven
|
|
run: |
|
|
jf mvn clean install -DskipTests=true
|
|
|
|
# The standard Docker login action is used for authentication.
|
|
- name: Login to JFrog Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ secrets.JF_RT_URL | sed 's|https://||' }}
|
|
username: ${{ secrets.ARTIFACTORY_USERNAME }}
|
|
password: ${{ secrets.ARTIFACTORY_IDENTITY_TOKEN }}
|
|
|
|
# The 'jf docker push' command pushes the image and adds the Docker layers to the build-info.
|
|
- name: Build and Push Docker Image
|
|
run: |
|
|
export DOCKER_IMAGE_NAME=$(echo "${{ secrets.JF_RT_URL }}" | sed 's|https://||')/jesseh-docker-dev-local/spring-petclinic:${{ github.run_id }}
|
|
docker build -t $DOCKER_IMAGE_NAME .
|
|
jf docker push $DOCKER_IMAGE_NAME
|
|
|
|
# This command publishes all the collected information (Maven dependencies, environment variables, git context, Docker layers)
|
|
# to Artifactory as a single, immutable build record.
|
|
- name: Publish Build Info
|
|
run: |
|
|
jf rt build-publish
|
|
|
|
# This is the final and most comprehensive security scan. It scans the entire build record
|
|
# published in the previous step, giving you a complete security report for your release candidate.
|
|
- name: Scan Build with Xray
|
|
run: |
|
|
jf bs --fail=false --vuln |