---
# Workflow: build spring-petclinic with Maven, publish a multi-arch Docker image
# to JFrog Artifactory, attach signed evidence, then promote and distribute a
# Release Bundle v2 (RBv2) through DEV -> QA -> PROD.
name: "JF-CLI: JAVA"

on: push  # yamllint disable-line rule:truthy

# Workflow-wide token scopes. Of the jobs visible in this file only
# `id-token: write` (OIDC login to Artifactory) and `contents: read`
# (checkout) are exercised; the other scopes are kept as the author
# configured them.
permissions:
  actions: read  # for detecting the GitHub Actions environment
  id-token: write  # for creating OIDC tokens for signing
  packages: write  # for uploading attestations
  contents: read
  security-events: write  # required for uploading code scanning results
  attestations: write

env:
  JF_RT_URL: "https://${{vars.JF_NAME}}.jfrog.io"
  BUILD_NAME: "spring-petclinic"  # e.g. spring-petclinic-3.5.0-SNAPSHOT.jar
  JOB_SUMMARY: false
  # DEBUG, INFO, WARN, ERROR. DEBUG is verbose; the CLI handles tokens and
  # signing material, so keep an eye on what ends up in the job log.
  JFROG_CLI_LOG_LEVEL: DEBUG
  JAVA_DISTRIBUTION: "temurin"
  JAVA_VERSION: "25"
  # Evidence predicate file written by the "Evidence: *" steps.
  # ref https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-setup
  EVIDENCE_SPEC_JSON: "evd-spec-info.json"
  # File spec consumed by `jf rbc` when the release bundle is created.
  RBv2_SPEC_JSON: "rbv2-spec-info.json"
  # RBV2_SIGNING_KEY: "${{secrets.RBV2_SIGNING_KEY}}"  # ref https://jfrog.com/help/r/jfrog-artifactory-documentation/create-signing-keys-for-release-bundles-v2
  DEFAULT_WORKSPACE: "${{github.workspace}}"  # /home/runner/work/spring-petclinic/spring-petclinic
  PROJECT_KEY_APP_TRUST: "krishna-apptrust"
jobs:
  # Build + package job: everything up to the creation of the RBv2 in state NEW.
  dockerPackage:
    name: "Docker"
    env:
      BUILD_ID: "psj-dkr-${{github.run_number}}"
      RT_REPO_MVN_VIRTUAL: "springpetclinic-mvn-virtual"
      # RT_REPO_MVN_DEFAULT_LOCAL: "springpetclinic-mvn-snapshot-local"  # springpetclinic-mvn-dev-local, springpetclinic-mvn-qa-local, springpetclinic-mvn-prod-local
      RT_REPO_DOCKER_VIRTUAL: "springpetclinic-docker-virtual"
      RT_REPO_DOCKER_DEFAULT_LOCAL: "springpetclinic-docker-snapshot-local"  # springpetclinic-docker-dev-local, springpetclinic-docker-qa-local, springpetclinic-docker-prod-local
      RT_REPO_DEV_LOCAL: "springpetclinic-docker-dev-local"
      RT_REPO_QA_LOCAL: "springpetclinic-docker-qa-local"
      RT_REPO_PROD_LOCAL: "springpetclinic-docker-prod-local"
      DOCKER_BUILDX_PLATFORMS: "linux/amd64,linux/arm64"
      # Written by `docker build --metadata-file`; later reused as the `jf rt bdc` image file.
      DOCKER_METADATA_JSON: "build-metadata.json"
    defaults:
      run:
        working-directory: "${{env.DEFAULT_WORKSPACE}}"
    runs-on: ubuntu-latest
    timeout-minutes: 30  # ref https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes
    steps:
# Use the specific setup-cli branch. Ref https://github.com/marketplace/actions/setup-jfrog-cli
|
|
- name: "Setup JFrog CLI"
|
|
uses: jfrog/setup-jfrog-cli@v4
|
|
id: setup-cli
|
|
env:
|
|
JF_URL: ${{env.JF_RT_URL}}
|
|
JFROG_CLI_LOG_LEVEL: ${{env.JFROG_CLI_LOG_LEVEL}}
|
|
JFROG_CLI_RELEASES_REPO: '${{env.JF_RT_URL}}/artifactory/${{env.RT_REPO_MVN_VIRTUAL}}'
|
|
JFROG_CLI_EXTRACTORS_REMOTE: '${{env.JF_RT_URL}}/artifactory/${{env.RT_REPO_MVN_VIRTUAL}}'
|
|
JF_GIT_TOKEN: ${{secrets.GITHUB_TOKEN}}
|
|
with:
|
|
version: latest #2.71.0
|
|
oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
|
|
disable-job-summary: ${{env.JOB_SUMMARY}}
|
|
|
|
- name: "Clone VCS"
|
|
uses: actions/checkout@v4 # ref: https://github.com/actions/checkout
|
|
|
|
- name: "setUp JDK provider = ${{env.JAVA_DISTRIBUTION}} with ver = ${{env.JAVA_VERSION}}"
|
|
uses: actions/setup-java@v4 # ref https://github.com/actions/setup-java
|
|
with:
|
|
distribution: ${{env.JAVA_DISTRIBUTION}} # temurin
|
|
java-version: ${{env.JAVA_VERSION}} # 25
|
|
cache: 'maven'
|
|
cache-dependency-path: 'pom.xml'
|
|
|
|
- name: "Software version"
|
|
run: |
|
|
# JFrog CLI version
|
|
jf --version
|
|
# Ping the server
|
|
jf rt ping
|
|
# Java
|
|
java -version
|
|
# MVN
|
|
mvn -version
|
|
# Docker
|
|
docker -v
|
|
# Python
|
|
python3 -V
|
|
pip3 -V
|
|
# jf config
|
|
jf config show
|
|
|
|
- name: "Config jf with mvn repos"
|
|
run: |
|
|
jf mvnc --global --repo-resolve-releases ${{env.RT_REPO_MVN_VIRTUAL}} --repo-resolve-snapshots ${{env.RT_REPO_MVN_VIRTUAL}}
|
|
|
|
- name: "Create ENV variables"
|
|
run: |
|
|
echo "ARTIFACT_NAME=$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)" >> $GITHUB_ENV
|
|
echo "ARTIFACT_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_ENV
|
|
echo "TODAYS_DATE=$(date +'%Y-%m-%d')" >> $GITHUB_ENV
|
|
echo "RT_REPO_DOCKER_IMG=${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.BUILD_NAME}}" >> $GITHUB_ENV
|
|
echo "JF_REGISTRY=${{env.JF_RT_URL}}/${{env.RT_REPO_DOCKER_VIRTUAL}}" >> $GITHUB_ENV
|
|
echo "RT_REPO_DOCKER_URL=${{vars.JF_NAME}}.jfrog.io/${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.BUILD_NAME}}:${{env.BUILD_ID}}" >> $GITHUB_ENV
|
|
|
|
|
|
- name: "Docker authentication" # ref https://github.com/marketplace/actions/docker-login
|
|
id: config-docker
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{env.JF_REGISTRY}}
|
|
username: ${{steps.setup-cli.outputs.oidc-user}}
|
|
password: ${{steps.setup-cli.outputs.oidc-token}}
|
|
|
|
- name: "Docker buildx instance"
|
|
uses: docker/setup-buildx-action@v3 # ref: https://github.com/marketplace/actions/docker-setup-buildx h
|
|
with:
|
|
use: true
|
|
platforms: ${{env.DOCKER_BUILDX_PLATFORMS}} # linux/amd64,linux/arm64 # ref: https://docs.docker.com/reference/cli/docker/buildx/create/#platform
|
|
install: true
|
|
|
|
- name: "list folder"
|
|
run: |
|
|
pwd
|
|
tree .
|
|
|
|
- name: "Docker: Summary "
|
|
run: |
|
|
echo "# :frog: :ship: Docker: Summary :pushpin:" >> $GITHUB_STEP_SUMMARY
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
echo " - Installed JFrog CLI [$(jf --version)](https://jfrog.com/getcli/) and Java [${{env.JAVA_DISTRIBUTION}}](https://github.com/actions/setup-java) v${{env.JAVA_VERSION}} " >> $GITHUB_STEP_SUMMARY
|
|
echo " - $(jf --version) " >> $GITHUB_STEP_SUMMARY
|
|
echo " - $(mvn -v) " >> $GITHUB_STEP_SUMMARY
|
|
echo " - $(docker -v) " >> $GITHUB_STEP_SUMMARY
|
|
echo " - Docker buildx configured with platforms: [${{env.DOCKER_BUILDX_PLATFORMS}}](https://docs.docker.com/reference/cli/docker/buildx/create/#platform) " >> $GITHUB_STEP_SUMMARY
|
|
echo " - Configured the JFrog Cli and Docker login with SaaS Artifactory OIDC integration " >> $GITHUB_STEP_SUMMARY
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
echo " - Variables info" >> $GITHUB_STEP_SUMMARY
|
|
echo " - ID: ${{env.BUILD_ID}} " >> $GITHUB_STEP_SUMMARY
|
|
echo " - Build Name: ${{env.BUILD_NAME}} " >> $GITHUB_STEP_SUMMARY
|
|
echo " - Maven Repo URL: ${{env.RT_REPO_MVN_VIRTUAL}}" >> $GITHUB_STEP_SUMMARY
|
|
echo " - Docker Repo URL: ${{env.RT_REPO_DOCKER_VIRTUAL}}" >> $GITHUB_STEP_SUMMARY
|
|
echo " - Docker Image: ${{env.RT_REPO_DOCKER_IMG}}" >> $GITHUB_STEP_SUMMARY
|
|
echo " - Docker URL: ${{env.RT_REPO_DOCKER_URL}}" >> $GITHUB_STEP_SUMMARY
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
|
|
# Package
|
|
- name: "Curation: audit" # https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-security/cli-for-jfrog-curation
|
|
timeout-minutes: 15 # ref https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
|
|
continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
|
|
run: |
|
|
rm -rf build.gradle
|
|
jf ca --format=table --threads=100
|
|
|
|
- name: "Xray & JAS: Audit" # https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-security
|
|
# scan for Xray: Source code dependencies and JAS: Secrets Detection, IaC, Vulnerabilities Contextual Analysis 'SAST'
|
|
timeout-minutes: 15 # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
|
|
# continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
|
|
run: |
|
|
jf audit --mvn --sast=true --sca=true --secrets=true --licenses=true --validate-secrets=true --vuln=true --format=table --extended-table=true --threads=100 --fail=false
|
|
|
|
- name: "Package: Create MVN Build"
|
|
# jf mvn clean install -DskipTests=true -Denforcer.skip=true --build-name=${{env.BUILD_NAME}} --build-number=${{env.BUILD_ID}}
|
|
run: | # -Djar.finalName=${{env.JAR_FINAL_NAME}}
|
|
mvn clean install -DskipTests=true -Denforcer.skip=true
|
|
|
|
- name: "Package: Xray - mvn Artifact scan"
|
|
timeout-minutes: 15 # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
|
|
continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
|
|
run: |
|
|
jf scan . --format=table --extended-table=true --threads=100 --fail=false
|
|
|
|
- name: "Package: Docker build and push"
|
|
env:
|
|
JAR_FILE: "./target/${{env.ARTIFACT_NAME}}-${{env.ARTIFACT_VERSION}}.jar"
|
|
TAG10: "${{vars.JF_NAME}}.jfrog.io/${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.ARTIFACT_NAME}}:${{env.ARTIFACT_VERSION}}"
|
|
TAG11: "${{vars.JF_NAME}}.jfrog.io/${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.ARTIFACT_NAME}}:${{env.TODAYS_DATE}}"
|
|
TAG12: "${{vars.JF_NAME}}.jfrog.io/${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.ARTIFACT_NAME}}:${{env.BUILD_ID}}"
|
|
TAG13: "${{vars.JF_NAME}}.jfrog.io/${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.ARTIFACT_NAME}}:latest"
|
|
run: |
|
|
docker image build -f ./jfrog/Dockerfile --build-arg JAR_FILE=${{env.JAR_FILE}} --platform "${{env.DOCKER_BUILDX_PLATFORMS}}" --metadata-file "${{env.DOCKER_METADATA_JSON}}" --push . -t ${{env.TAG10}} -t ${{env.TAG11}} -t ${{env.TAG12}} -t ${{env.TAG13}}
|
|
|
|
|
|
- name: "Optional: Docker pull image"
|
|
run: |
|
|
docker pull ${{env.RT_REPO_DOCKER_URL}}
|
|
|
|
- name: "Package: Docker image list"
|
|
run: |
|
|
docker image ls
|
|
|
|
# Evidence - Package references
|
|
# Docs# https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-management
|
|
# CLI# https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/evidence-service
|
|
- name: "Evidence: Package"
|
|
# continue-on-error: true
|
|
run: |
|
|
echo '{ "actor": "${{github.actor}}", "pipeline": "github actions","build_name": "${{env.BUILD_NAME}}", "build_id": "${{env.BUILD_ID}}", "evd":"Evidence-Package", "package":"${{env.RT_REPO_DOCKER_URL}}" }' > ./${{env.EVIDENCE_SPEC_JSON}}
|
|
cat ./${{env.EVIDENCE_SPEC_JSON}}
|
|
jf evd create --package-name ${{env.BUILD_NAME}} --package-version ${{env.BUILD_ID}} --package-repo-name ${{env.RT_REPO_DOCKER_VIRTUAL}} --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/signature/v1
|
|
#echo " - Evidence for PACKAGE attached. Info available SaaS >> tab: Application >> left menu: Artifactory >> Packages >> ${{env.BUILD_NAME}} " >> $GITHUB_STEP_SUMMARY
|
|
|
|
- name: "Package: Xray - docker Artifact scan"
|
|
timeout-minutes: 15 # ref https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
|
|
continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
|
|
run: |
|
|
jf docker scan ${{env.RT_REPO_DOCKER_URL}} --build-name ${{env.BUILD_NAME}} --build-number ${{env.BUILD_ID}} --format=table --extended-table=true --threads=100 --fail=false --detailed-summary=true --vuln=true --licenses=true
|
|
|
|
- name: "Optional: Set env vars for BuildInfo" # These properties were captured in Builds >> spring-petclinic >> version >> Environment tab
|
|
run: |
|
|
export job="github-action" org="ps" team="architecture" product="jfrog-saas"
|
|
|
|
# Build Info
|
|
# US
|
|
# Executive Order:
|
|
# https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
|
|
# https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity
|
|
# US Dept of Commerce: https://www.ntia.gov/page/software-bill-materials
|
|
# US Cyber Defence Agency: https://www.cisa.gov/sbom
|
|
# NIST: https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1
|
|
# NITA: https://www.ntia.gov/page/software-bill-materials
|
|
# Centers for Medicare & Medicaid Services: https://security.cms.gov/learn/software-bill-materials-sbom
|
|
# India
|
|
# CERT-IN: https://www.cert-in.org.in/sbom/
|
|
- name: "BuildInfo: Collect env"
|
|
run: jf rt bce ${{env.BUILD_NAME}} ${{env.BUILD_ID}}
|
|
|
|
- name: "BuildInfo: Adds dependencies"
|
|
continue-on-error: true
|
|
run: jf rt bad ${{env.BUILD_NAME}} ${{env.BUILD_ID}}
|
|
|
|
- name: "BuildInfo: Add VCS info"
|
|
run: jf rt bag ${{env.BUILD_NAME}} ${{env.BUILD_ID}}
|
|
|
|
- name: "BuildInfo: Docker build create"
|
|
run: |
|
|
imageDigest=$(cat "${{env.DOCKER_METADATA_JSON}}" | jq '.["containerimage.digest"]')
|
|
echo "DOCKER_IMAGE_DIGEST: ${imageDigest}"
|
|
|
|
echo "DOCKER_IMAGE_DIGEST=${imageDigest}" >> $GITHUB_ENV. # set env var for next steps
|
|
|
|
echo "${{env.RT_REPO_DOCKER_URL}}@${imageDigest}" > ${{env.DOCKER_METADATA_JSON}}
|
|
|
|
jf rt bdc ${{env.RT_REPO_DOCKER_VIRTUAL}} --image-file ${{env.DOCKER_METADATA_JSON}} --build-name=${{env.BUILD_NAME}} --build-number=${{env.BUILD_ID}}
|
|
|
|
- name: "BuildInfo: Build Publish"
|
|
run: jf rt bp ${{env.BUILD_NAME}} ${{env.BUILD_ID}} --detailed-summary=true
|
|
|
|
# Evidence - Build references
|
|
# Docs# https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-management
|
|
# CLI# https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/evidence-service
|
|
- name: "Evidence: Build Publish"
|
|
# continue-on-error: true
|
|
run: |
|
|
echo '{ "actor": "${{github.actor}}", "pipeline": "github actions","build_name": "${{env.BUILD_NAME}}", "build_id": "${{env.BUILD_ID}}", "evd": "Evidence-BuildPublish"}' > ./${{env.EVIDENCE_SPEC_JSON}}
|
|
cat ./${{env.EVIDENCE_SPEC_JSON}}
|
|
jf evd create --build-name ${{env.BUILD_NAME}} --build-number ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/signature/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}
|
|
#echo " - Evidence for BUILD Publish attached. " >> $GITHUB_STEP_SUMMARY
|
|
|
|
# curl -L 'https://psazuse.jfrog.io/xray/api/v1/binMgr/builds' -H 'Content-Type: application/json' -H 'Authorization: ••••••' -d '{ "names": ["spring-petclinic"] }'
|
|
- name: "Optional: Add Builds to Indexing Configuration"
|
|
run: |
|
|
jf xr curl "/api/v1/binMgr/builds" -H 'Content-Type: application/json' -d '{"names": ["${{env.BUILD_NAME}}"] }'
|
|
# Set properties
|
|
- name: "Optional: Set prop for Artifact" # These properties were captured Artifacts >> repo path 'spring-petclinic.---.jar' >> Properties
|
|
run: |
|
|
ts="cmd.$(date '+%Y-%m-%d-%H-%M')"
|
|
jf rt sp "job=github-action;env=demo;org=ps;team=arch;pack_cat=webapp;build=maven;product=artifactory;features=package,buildinfo;ts=ts-${BUILD_ID}" --build="${{env.BUILD_NAME}}/${{env.BUILD_ID}}"
|
|
|
|
- name: "Optional: Query build info"
|
|
env:
|
|
BUILD_INFO_JSON: "BuildInfo-${{env.BUILD_ID}}.json"
|
|
run: |
|
|
jf rt curl "/api/build/${{env.BUILD_NAME}}/${{env.BUILD_ID}}" -o $BUILD_INFO_JSON
|
|
cat $BUILD_INFO_JSON
|
|
|
|
- name: "Sleep for few seconds"
|
|
env:
|
|
SLEEP_TIME: 30
|
|
run: |
|
|
echo "Sleeping for ${{env.SLEEP_TIME}} seconds..."
|
|
sleep ${{env.SLEEP_TIME}} # Sleeping for 20 seconds before executing the build publish seems to have resolved the build-scan issue. This delay might be helping with synchronization or resource availability, ensuring a smooth build process.
|
|
echo "Awake now!"
|
|
|
|
- name: "Optional: Query - Build Scan status"
|
|
run: |
|
|
jf xr curl "/api/v1/build/status" -H 'Content-Type: application/json' -d '{"name": "${{env.BUILD_NAME}}", "number": "${{env.BUILD_ID}}" }'
|
|
|
|
# ref https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-security/enrich-your-sbom
|
|
# MVN plugin '<artifactId>cyclonedx-maven-plugin</artifactId>' is used to generate SBOM information in the CycloneDX format# target/classes/META-INF/sbom/application.cdx.json
|
|
# ref https://spring.io/blog/2024/05/24/sbom-support-in-spring-boot-3-3
|
|
- name: "Optional: Xray sbom-enrich"
|
|
run: |
|
|
jf se "target/classes/META-INF/sbom/application.cdx.json" --threads=100
|
|
|
|
- name: "BuildInfo: Xray - Build scan"
|
|
timeout-minutes: 15 # ref https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
|
|
continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
|
|
run: |
|
|
jf bs ${{env.BUILD_NAME}} ${{env.BUILD_ID}} --fail=false --format=table --extended-table=true --rescan=false --vuln=true
|
|
|
|
- name: "Optional: Build Scan V2" # https://jfrog.com/help/r/xray-rest-apis/scan-build-v2
|
|
# jf xr curl /api/v2/ci/build -H 'Content-Type: application/json' -d '{"build_name": "spring-petclinic", "build_number": "ga-gdl-xray-50","rescan":true }'
|
|
run: |
|
|
jf xr curl /api/v2/ci/build -H 'Content-Type: application/json' -d '{"build_name": "${{env.BUILD_NAME}}", "build_number": "${{env.BUILD_ID}}","rescan":false }'
|
|
|
|
# Release Bundle v2
|
|
- name: "RLM: RBv2 spec - create"
|
|
run: |
|
|
echo "{ \"files\": [ {\"build\": \"${{env.BUILD_NAME}}/${{env.BUILD_ID}}\", \"includeDeps\":\"true\"} ] }" > ${{env.RBv2_SPEC_JSON}}
|
|
|
|
- name: "RLM: RBv2 Create NEW"
|
|
run: |
|
|
cat ${{env.RBv2_SPEC_JSON}}
|
|
jf rbc ${{env.BUILD_NAME}} ${{env.BUILD_ID}} --sync=true --signing-key=${{secrets.RBV2_SIGNING_KEY}} --spec=${{env.RBv2_SPEC_JSON}}
|
|
|
|
- name: "RLM: Xray Indexing"
|
|
run: |
|
|
jf xr curl "/api/v1/binMgr/release_bundle_v2" -H 'Content-Type: application/json' -d "{\"names\": [\"${{env.BUILD_NAME}}\"] }"
|
|
|
|
# Evidence - RBv2 new references
|
|
# Docs# https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-management
|
|
# CLI# https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/evidence-service
|
|
- name: "Evidence: RBv2 state NEW"
|
|
# continue-on-error: true
|
|
env:
|
|
# https://psazuse.jfrog.io/ui/artifactory/lifecycle/?bundleName=spring-petclinic&bundleToFlash=spring-petclinic&repositoryKey=release-bundles-v2&activeKanbanTab=promotion
|
|
NAME_LINK: "${{env.JF_RT_URL}}/ui/artifactory/lifecycle/?bundleName=${{env.BUILD_NAME}}&bundleToFlash=${{env.BUILD_NAME}}&repositoryKey=release-bundles-v2&activeKanbanTab=promotion"
|
|
VER_LINK: "${{env.JF_RT_URL}}/ui/artifactory/lifecycle/?bundleName='${{env.BUILD_NAME}}'&bundleToFlash='${{env.BUILD_NAME}}'&releaseBundleVersion='${{env.BUILD_ID}}'&repositoryKey=release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion"
|
|
run: |
|
|
echo '{ "actor": "${{github.actor}}", "pipeline": "github actions", "build_name": "${{env.BUILD_NAME}}", "build_id": "${{env.BUILD_ID}}", "evd": "Evidence-RBv2", "rbv2_stage": "NEW" }' > ./${{env.EVIDENCE_SPEC_JSON}}
|
|
cat ./${{env.EVIDENCE_SPEC_JSON}}
|
|
jf evd create --release-bundle ${{env.BUILD_NAME}} --release-bundle-version ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/promotion/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}
|
|
#echo " - Evidence for RBv2 attached at [${{env.BUILD_NAME}}](${{env.VER_LINK}}) " >> $GITHUB_STEP_SUMMARY
|
|
|
|
dockerRBv2PromoteDev:
|
|
name: "Docker: RBv2 Promote DEV"
|
|
needs: dockerPackage
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
RBv2_ENV_VAL: "DEV"
|
|
BUILD_ID: "psj-dkr-${{github.run_number}}"
|
|
RT_REPO_DEV_LOCAL: "springpetclinic-docker-dev-local"
|
|
TYPE_PROMOTE: "COPY"
|
|
defaults:
|
|
run:
|
|
working-directory: "${{env.DEFAULT_WORKSPACE}}"
|
|
steps:
|
|
- name: "Setup JFrog CLI"
|
|
uses: jfrog/setup-jfrog-cli@v4
|
|
id: setup-cli
|
|
env:
|
|
JF_URL: ${{env.JF_RT_URL}}
|
|
JFROG_CLI_LOG_LEVEL: ${{env.JFROG_CLI_LOG_LEVEL}}
|
|
with:
|
|
version: latest #2.71.0
|
|
oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
|
|
disable-job-summary: ${{env.JOB_SUMMARY}}
|
|
|
|
- name: "RLM: RBv2 promote ${{env.RBv2_ENV_VAL}}"
|
|
run: |
|
|
jf rbp ${{env.BUILD_NAME}} ${{env.BUILD_ID}} ${{env.RBv2_ENV_VAL}} --include-repos=${{env.RT_REPO_DEV_LOCAL}} --sync=true --signing-key=${{secrets.RBV2_SIGNING_KEY}}
|
|
|
|
- name: "Evidence: RBv2 state ${{env.RBv2_ENV_VAL}}"
|
|
continue-on-error: true
|
|
run: |
|
|
echo '{ "actor": "${{github.actor}}", "pipeline": "github actions", "build_name": "${{env.BUILD_NAME}}", "build_id": "${{env.BUILD_ID}}", "evd": "Evidence-RBv2", "rbv2_stage": "${{env.RBv2_ENV_VAL}}", "unittests": "100/100" }' > ./${{env.EVIDENCE_SPEC_JSON}}
|
|
cat ./${{env.EVIDENCE_SPEC_JSON}}
|
|
jf evd create --release-bundle ${{env.BUILD_NAME}} --release-bundle-version ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/promotion/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}
|
|
|
|
dockerRBv2PromoteQA:
|
|
name: "Docker: RBv2 Promote QA"
|
|
needs: dockerRBv2PromoteDev
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
RBv2_ENV_VAL: "QA"
|
|
BUILD_ID: "psj-dkr-${{github.run_number}}"
|
|
RT_REPO_QA_LOCAL: "springpetclinic-docker-qa-local"
|
|
defaults:
|
|
run:
|
|
working-directory: "${{env.DEFAULT_WORKSPACE}}"
|
|
steps:
|
|
- name: "Setup JFrog CLI"
|
|
uses: jfrog/setup-jfrog-cli@v4
|
|
id: setup-cli
|
|
env:
|
|
JF_URL: ${{env.JF_RT_URL}}
|
|
JFROG_CLI_LOG_LEVEL: ${{env.JFROG_CLI_LOG_LEVEL}}
|
|
with:
|
|
version: latest #2.71.0
|
|
oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
|
|
disable-job-summary: ${{env.JOB_SUMMARY}}
|
|
|
|
- name: "RLM: RBv2 promote ${{env.RBv2_ENV_VAL}}"
|
|
run: |
|
|
jf rbp ${{env.BUILD_NAME}} ${{env.BUILD_ID}} ${{env.RBv2_ENV_VAL}} --include-repos=${{env.RT_REPO_QA_LOCAL}} --sync=true --signing-key=${{secrets.RBV2_SIGNING_KEY}}
|
|
|
|
- name: "Evidence: RBv2 state ${{env.RBv2_ENV_VAL}}"
|
|
continue-on-error: true
|
|
run: |
|
|
echo '{ "actor": "${{github.actor}}", "pipeline": "github actions", "build_name": "${{env.BUILD_NAME}}", "build_id": "${{env.BUILD_ID}}", "evd": "Evidence-RBv2", "rbv2_stage": "${{env.RBv2_ENV_VAL}}", "QA-validation": "99/100" }' > ./${{env.EVIDENCE_SPEC_JSON}}
|
|
cat ./${{env.EVIDENCE_SPEC_JSON}}
|
|
jf evd create --release-bundle ${{env.BUILD_NAME}} --release-bundle-version ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/promotion/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}
|
|
|
|
dockerRBv2PromoteProd:
|
|
name: "Docker: RBv2 Promote Prod"
|
|
needs: dockerRBv2PromoteQA
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
RBv2_ENV_VAL: "PROD"
|
|
BUILD_ID: "psj-dkr-${{github.run_number}}"
|
|
RT_REPO_PROD_LOCAL: "springpetclinic-docker-prod-local"
|
|
defaults:
|
|
run:
|
|
working-directory: "${{env.DEFAULT_WORKSPACE}}"
|
|
steps:
|
|
- name: "Setup JFrog CLI"
|
|
uses: jfrog/setup-jfrog-cli@v4
|
|
id: setup-cli
|
|
env:
|
|
JF_URL: ${{env.JF_RT_URL}}
|
|
JFROG_CLI_LOG_LEVEL: ${{env.JFROG_CLI_LOG_LEVEL}}
|
|
with:
|
|
version: latest #2.71.0
|
|
oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
|
|
disable-job-summary: ${{env.JOB_SUMMARY}}
|
|
|
|
- name: "RLM: RBv2 promote ${{env.RBv2_ENV_VAL}}"
|
|
run: |
|
|
jf rbp ${{env.BUILD_NAME}} ${{env.BUILD_ID}} ${{env.RBv2_ENV_VAL}} --include-repos=${{env.RT_REPO_PROD_LOCAL}} --sync=true --signing-key=${{secrets.RBV2_SIGNING_KEY}}
|
|
|
|
- name: "Evidence: RBv2 state ${{env.RBv2_ENV_VAL}}"
|
|
continue-on-error: true
|
|
run: |
|
|
echo '{ "actor": "${{github.actor}}", "pipeline": "github actions", "build_name": "${{env.BUILD_NAME}}", "build_id": "${{env.BUILD_ID}}", "evd": "Evidence-RBv2", "rbv2_stage": "${{env.RBv2_ENV_VAL}}", "prod-validation": "100/100"}' > ./${{env.EVIDENCE_SPEC_JSON}}
|
|
cat ./${{env.EVIDENCE_SPEC_JSON}}
|
|
jf evd create --release-bundle ${{env.BUILD_NAME}} --release-bundle-version ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/promotion/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}
|
|
|
|
- name: "Optional: rbv2-summary"
|
|
# continue-on-error: true
|
|
env:
|
|
NAME_LINK: "${{env.JF_RT_URL}}/ui/artifactory/lifecycle/?bundleName=${{env.BUILD_NAME}}&bundleToFlash=${{env.BUILD_NAME}}&repositoryKey=release-bundles-v2&activeKanbanTab=promotion"
|
|
VER_LINK: "${{env.JF_RT_URL}}/ui/artifactory/lifecycle/?bundleName='${{env.BUILD_NAME}}'&bundleToFlash='${{env.BUILD_NAME}}'&releaseBundleVersion='${{env.BUILD_ID}}'&repositoryKey=release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion"
|
|
CURL_URL: "${{env.JF_RT_URL}}/lifecycle/api/v2/promotion/records/${{env.BUILD_NAME}}/${{env.BUILD_ID}}?async=false"
|
|
run: |
|
|
echo "# 📦 Release Lifecycle Management (RLM): RBv2 Summary :rocket: " >> $GITHUB_STEP_SUMMARY
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
echo "The Build Artifacts has elevated to the subsequent stages" >> $GITHUB_STEP_SUMMARY
|
|
RB2_STATUS_RESP=$(curl -v -G ${{env.CURL_URL}} -H 'Content-Type: application/json' -H "Authorization: Bearer ${{steps.setup-cli.outputs.oidc-token}}")
|
|
echo $RB2_STATUS_RESP > RBv2_STATUS-${{env.BUILD_ID}}.json
|
|
cat RBv2_STATUS-${{env.BUILD_ID}}.json
|
|
items=$(echo "$RB2_STATUS_RESP" | jq -c -r '.promotions[]')
|
|
for item in ${items[@]}; do
|
|
envVal=$(echo $item | jq -r '.environment')
|
|
crtVal=$(echo $item | jq -r '.created')
|
|
echo " - ${envVal} on ${crtVal} " >> $GITHUB_STEP_SUMMARY
|
|
done
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
echo " - Release bundle [${{env.BUILD_NAME}}](${{env.NAME_LINK}}):[${{env.BUILD_ID}}](${{env.VER_LINK}}) " >> $GITHUB_STEP_SUMMARY
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
|
|
# Query build
|
|
- name: "Optional: Query build info"
|
|
env:
|
|
BUILD_INFO_JSON: "BuildInfo-${{env.BUILD_ID}}.json"
|
|
run: |
|
|
jf rt curl "/api/build/${{env.BUILD_NAME}}/${{env.BUILD_ID}}" -o $BUILD_INFO_JSON
|
|
cat $BUILD_INFO_JSON
|
|
|
|
dockerSaasDistribute:
|
|
name: "Docker: Distribute to SaaS JPDs & Edges"
|
|
needs: dockerRBv2PromoteProd
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
BUILD_ID: "psj-dkr-${{github.run_number}}"
|
|
defaults:
|
|
run:
|
|
working-directory: "${{env.DEFAULT_WORKSPACE}}"
|
|
steps:
|
|
- name: "Setup JFrog CLI"
|
|
uses: jfrog/setup-jfrog-cli@v4
|
|
id: setup-cli
|
|
env:
|
|
JF_URL: ${{env.JF_RT_URL}}
|
|
JFROG_CLI_LOG_LEVEL: "ERROR"
|
|
with:
|
|
version: latest #2.71.0
|
|
oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
|
|
disable-job-summary: ${{env.JOB_SUMMARY}}
|
|
|
|
# ref: https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/release-lifecycle-management#distribute-a-release-bundle-v2
|
|
- name: "RBv2 Distribute to SaaS Artifactory and edges"
|
|
continue-on-error: true
|
|
run: |
|
|
jf rbd ${{env.BUILD_NAME}} ${{env.BUILD_ID}} --sync=true --create-repo=true
|
|
|
|
# refer: https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/release-lifecycle-management#download-release-bundle-v2-content
|
|
- name: "Download RBv2 from SaaS Artifactory"
|
|
run: |
|
|
jf rt dl --bundle ${{env.BUILD_NAME}}/${{env.BUILD_ID}} --detailed-summary=true --threads=100
|
|
|
|
- name: "Query Distribution status" # https://psazuse.jfrog.io/lifecycle/api/v2/distribution/trackers/spring-petclinic/ga-49
|
|
run: |
|
|
jf rt curl "/lifecycle/api/v2/distribution/trackers/${{env.BUILD_NAME}}/${{env.BUILD_ID}}"
|
|
|
|
- name: "Info list"
|
|
run: |
|
|
pwd
|
|
ls -lR .
|
|
- name: "Optional Saas Artifactory summary"
|
|
continue-on-error: true
|
|
env:
|
|
CURL_URL: "${{env.JF_RT_URL}}/lifecycle/api/v2/distribution/trackers/${{env.BUILD_NAME}}/${{env.BUILD_ID}}"
|
|
run: |
|
|
echo "# :frog: Download package from SaaS 📦 " >> $GITHUB_STEP_SUMMARY
|
|
echo " - Download RBv2 from Artifactory [${{env.JF_RT_URL}}](${{env.JF_RT_URL}}) to " >> $GITHUB_STEP_SUMMARY
|
|
RB2_DISTRIBUTE_RESP=$(curl -v -G ${{env.CURL_URL}} -H 'Content-Type: application/json' -H "Authorization: Bearer ${{steps.setup-cli.outputs.oidc-token}}")
|
|
echo $RB2_DISTRIBUTE_RESP > RB2_DISTRIBUTE-${{env.BUILD_ID}}.json
|
|
cat RB2_DISTRIBUTE-${{env.BUILD_ID}}.json
|
|
items=$(echo "$RB2_DISTRIBUTE_RESP" | jq -c -r '.[] .targets[]')
|
|
for item in ${items[@]}; do
|
|
echo $item
|
|
echo " - [${item}.jfrog.io](https://${item}.jfrog.io) " >> $GITHUB_STEP_SUMMARY
|
|
done
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
|
|
dockerSleepAfterDistribution:
|
|
name: "Docker: SYNC Sleep few seconds"
|
|
needs: dockerSaasDistribute
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
SLEEP_TIME: 60
|
|
steps:
|
|
- name: "Sleep for ${{env.SLEEP_TIME}} seconds"
|
|
run: |
|
|
echo "Sleeping for ${{env.SLEEP_TIME}} seconds..."
|
|
sleep ${{env.SLEEP_TIME}}
|
|
echo "Awake now!"
|
|
|
|
dockerDownloadRBv2FromSaasPsAzUse:
|
|
name: "Docker: Download RBv2 from SaaS ${{vars.JF_NAME}} Artifactory"
|
|
needs: dockerSaasDistribute
|
|
runs-on: ubuntu-latest
|
|
continue-on-error: true
|
|
env:
|
|
BUILD_ID: "psj-dkr-${{github.run_number}}"
|
|
defaults:
|
|
run:
|
|
working-directory: "${{env.DEFAULT_WORKSPACE}}"
|
|
steps:
|
|
- name: "Setup JFrog CLI"
|
|
uses: jfrog/setup-jfrog-cli@v4
|
|
id: setup-cli
|
|
env:
|
|
JF_URL: ${{env.JF_RT_URL}}
|
|
JFROG_CLI_LOG_LEVEL: "ERROR"
|
|
with:
|
|
version: latest
|
|
oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
|
|
disable-job-summary: ${{env.JOB_SUMMARY}}
|
|
|
|
- name: "Artifactory config show"
|
|
run: |
|
|
jf config show
|
|
|
|
- name: "Download RBv2 from ${{vars.JF_NAME}} SaaS"
|
|
run: |
|
|
jf rt dl --bundle ${{env.BUILD_NAME}}/${{env.BUILD_ID}} --detailed-summary=true --threads=100
|
|
|
|
- name: "Info list"
|
|
run: |
|
|
pwd
|
|
ls -lR .
|
|
|
|
- name: "Optional: Saas ${{vars.JF_RT_URL}} Artifactory summary"
|
|
run: |
|
|
echo "# :frog: Download package from SaaS ${{vars.JF_URL}} 📦 " >> $GITHUB_STEP_SUMMARY
|
|
echo " - Download RBv2 from SaaS Artifactory [${{env.JF_URL}}](${{env.JF_URL}}) " >> $GITHUB_STEP_SUMMARY
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
|
|
dockerDownloadRBv2FromSaasSolEng:
|
|
name: "Docker: Download RBv2 from SaaS ${{vars.JF_NAME_2}} Artifactory"
|
|
needs: dockerSleepAfterDistribution
|
|
runs-on: ubuntu-latest
|
|
continue-on-error: true
|
|
env:
|
|
JF_URL: "https://${{vars.JF_NAME_2}}.jfrog.io"
|
|
BUILD_ID: "psj-dkr-${{github.run_number}}"
|
|
defaults:
|
|
run:
|
|
working-directory: "${{env.DEFAULT_WORKSPACE}}"
|
|
steps:
|
|
- name: "Setup JFrog CLI"
|
|
uses: jfrog/setup-jfrog-cli@v4
|
|
id: setup-cli
|
|
env:
|
|
JF_URL: "${{env.JF_URL}}"
|
|
JFROG_CLI_LOG_LEVEL: "ERROR"
|
|
with:
|
|
version: latest
|
|
oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
|
|
disable-job-summary: ${{env.JOB_SUMMARY}}
|
|
|
|
- name: "Artifactory config show"
|
|
run: |
|
|
jf config show
|
|
|
|
- name: "Download RBv2 from ${{vars.JF_NAME_2}} SaaS"
|
|
run: |
|
|
jf rt dl --bundle ${{env.BUILD_NAME}}/${{env.BUILD_ID}} --detailed-summary=true --threads=100
|
|
|
|
- name: "Info list"
|
|
run: |
|
|
pwd
|
|
ls -lR .
|
|
|
|
- name: "Optional: Saas ${{vars.JF_NAME_2}} Artifactory summary"
|
|
run: |
|
|
echo "# :frog: Download package from SaaS ${{vars.JF_URL}} 📦 " >> $GITHUB_STEP_SUMMARY
|
|
echo " - Download RBv2 from SaaS Artifactory [${{vars.JF_NAME_2}}](${{env.JF_URL}}) " >> $GITHUB_STEP_SUMMARY
|
|
echo " " >> $GITHUB_STEP_SUMMARY
|
|
|
|
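dockerDownloadRBv2FromSaasEdge:
  name: "Docker: Download RBv2 from SaaS ${{vars.JF_EDGE_NAME}} Edge"
  # Verifies the Docker RBv2 is downloadable from the Edge node after
  # distribution. continue-on-error: a failed download does not fail the run.
  needs: dockerSleepAfterDistribution
  runs-on: ubuntu-latest
  continue-on-error: true
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  env:
    JF_EDGE_URL: "https://${{vars.JF_EDGE_NAME}}.jfrog.io"
    BUILD_ID: "psj-dkr-${{github.run_number}}" # must match the producing Docker job's BUILD_ID scheme
  steps:
    - name: "Setup JFrog CLI"
      # Floating references (`@v4`, `version: latest`); pin where reproducibility matters.
      uses: jfrog/setup-jfrog-cli@v4
      id: setup-cli
      env:
        JF_URL: ${{env.JF_EDGE_URL}}
        JFROG_CLI_LOG_LEVEL: "ERROR"
      with:
        version: latest
        oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
        disable-job-summary: ${{env.JOB_SUMMARY}}

    - name: "Edge config show"
      run: |
        jf config show

    # refer: https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/release-lifecycle-management#download-release-bundle-v2-content
    - name: "Download RBv2 from SaaS Edge"
      run: |
        jf rt dl --bundle ${{env.BUILD_NAME}}/${{env.BUILD_ID}} --detailed-summary=true --threads=100

    - name: "Info list"
      run: |
        pwd
        ls -lR .

    - name: "Optional: Saas ${{vars.JF_EDGE_NAME}} Edge summary"
      # JF_EDGE_URL is a job env value, not a repository variable.
      run: |
        echo "# :frog: Download package from SaaS ${{env.JF_EDGE_URL}} 📦 " >> $GITHUB_STEP_SUMMARY
        echo " - Download RBv2 from Edge [${{vars.JF_EDGE_NAME}}](${{env.JF_EDGE_URL}}) " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY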
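mvnPackage:
  name: "MVN Package"
  # Builds the Maven artifact, publishes build-info, attaches evidence and
  # creates the Release Bundle v2 in state NEW. The promote jobs key off
  # BUILD_NAME/BUILD_ID, so BUILD_ID must keep the "psj-mvn-<run_number>" scheme.
  env:
    BUILD_ID: "psj-mvn-${{github.run_number}}"
    RT_REPO_MVN_VIRTUAL: "springpetclinic-mvn-virtual"
    RT_REPO_MVN_DEFAULT_LOCAL: "springpetclinic-mvn-snapshot-local" # springpetclinic-mvn-dev-local, springpetclinic-mvn-qa-local, springpetclinic-mvn-prod-local
    # Stage repos; not referenced by any step in this job (the promote jobs
    # declare their own), kept for documentation.
    RT_REPO_DEV_LOCAL: "springpetclinic-mvn-dev-local"
    RT_REPO_QA_LOCAL: "springpetclinic-mvn-qa-local"
    RT_REPO_PROD_LOCAL: "springpetclinic-mvn-prod-local"

  runs-on: ubuntu-latest
  timeout-minutes: 30 # ref https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  steps:
    - name: "Setup JFrog CLI"
      # Floating references (`@v4`, `version: latest`); pin a commit SHA and a
      # CLI version where reproducible builds are required.
      uses: jfrog/setup-jfrog-cli@v4
      id: setup-cli
      env:
        JF_URL: ${{env.JF_RT_URL}}
        JFROG_CLI_LOG_LEVEL: ${{env.JFROG_CLI_LOG_LEVEL}}
        JFROG_CLI_RELEASES_REPO: '${{env.JF_RT_URL}}/artifactory/${{env.RT_REPO_MVN_VIRTUAL}}'
        JFROG_CLI_EXTRACTORS_REMOTE: '${{env.JF_RT_URL}}/artifactory/${{env.RT_REPO_MVN_VIRTUAL}}'
        JF_GIT_TOKEN: ${{secrets.GITHUB_TOKEN}}
      with:
        version: latest #2.71.0
        oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
        disable-job-summary: ${{env.JOB_SUMMARY}}

    - name: "Clone VCS"
      uses: actions/checkout@v4 # ref: https://github.com/actions/checkout

    - name: "setUp JDK provider = ${{env.JAVA_DISTRIBUTION}} with ver = ${{env.JAVA_VERSION}}"
      uses: actions/setup-java@v4 # ref https://github.com/actions/setup-java
      with:
        distribution: ${{env.JAVA_DISTRIBUTION}} # temurin
        java-version: ${{env.JAVA_VERSION}} # 25
        cache: 'maven'
        cache-dependency-path: 'pom.xml'

    - name: "Software version"
      run: |
        # JFrog CLI version
        jf --version
        # Ping the server
        jf rt ping
        # Java
        java -version
        # MVN
        mvn -version
        # Docker
        docker -v
        # Python
        python3 -V
        pip3 -V
        # jf config
        jf config show

    - name: "Config jf with mvn repos"
      # Resolve and deploy through the single virtual repo (--global: applies to
      # every Maven project on this runner, not just this checkout).
      run: |
        jf mvnc --global --repo-resolve-releases ${{env.RT_REPO_MVN_VIRTUAL}} --repo-resolve-snapshots ${{env.RT_REPO_MVN_VIRTUAL}} --repo-deploy-releases ${{env.RT_REPO_MVN_VIRTUAL}} --repo-deploy-snapshots ${{env.RT_REPO_MVN_VIRTUAL}}

    - name: "list folder"
      # build.gradle is removed so this job is a pure Maven build; presumably so
      # tooling does not detect a Gradle project alongside pom.xml — confirm.
      run: |
        rm -rf build.gradle
        pwd
        tree .

    - name: "MVN: Summary"
      # JAVA_DISTRIBUTION is the workflow env that holds the JDK vendor
      # (there is no JAVA_PROVIDER env, which rendered as an empty link text).
      run: |
        echo "# :frog: MVN: Summary :pushpin:" >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY
        echo " - Installed JFrog CLI [$(jf --version)](https://jfrog.com/getcli/) and Java [${{env.JAVA_DISTRIBUTION}}](https://github.com/actions/setup-java) v${{env.JAVA_VERSION}} " >> $GITHUB_STEP_SUMMARY
        echo " - $(jf --version) " >> $GITHUB_STEP_SUMMARY
        echo " - $(mvn -v) " >> $GITHUB_STEP_SUMMARY
        echo " - Configured the JFrog Cli and Docker login with SaaS Artifactory OIDC integration " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY
        echo " - Variables info" >> $GITHUB_STEP_SUMMARY
        echo " - ID: ${{env.BUILD_ID}} " >> $GITHUB_STEP_SUMMARY
        echo " - Build Name: ${{env.BUILD_NAME}} " >> $GITHUB_STEP_SUMMARY
        echo " - Maven Repo URL: ${{env.RT_REPO_MVN_VIRTUAL}}" >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY
        # echo " - Evidence Info: " >> $GITHUB_STEP_SUMMARY

    # Scans below are informational: continue-on-error and/or --fail=false mean
    # findings never fail this job, and therefore never block promotion.
    - name: "Curation: audit"
      timeout-minutes: 15
      continue-on-error: true
      run: |
        jf ca --format=table --threads=100

    - name: "Xray & JAS: Audit"
      timeout-minutes: 15
      # continue-on-error: true
      run: |
        jf audit --mvn --sast=true --sca=true --secrets=true --licenses=true --validate-secrets=true --vuln=true --format=table --extended-table=true --threads=100 --fail=false

    - name: "Package: Create MVN Build"
      # Tests and the enforcer plugin are skipped here; nothing else in this job
      # runs the test suite.
      run: | # -Djar.finalName=${{env.JAR_FINAL_NAME}}
        export MAVEN_OPTS="--add-opens jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED"

        jf mvn clean install -DskipTests=true -Denforcer.skip=true -f pom.xml --build-name ${{env.BUILD_NAME}} --build-number ${{env.BUILD_ID}}

    - name: "Package: Xray - mvn Artifact scan"
      timeout-minutes: 15 # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
      continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
      run: |
        jf scan . --format=table --extended-table=true --threads=100 --fail=false

    # Build Info
    - name: "BuildInfo: Collect env"
      run: jf rt bce ${{env.BUILD_NAME}} ${{env.BUILD_ID}}

    - name: "BuildInfo: Add Dependencies"
      continue-on-error: true
      run: jf rt bad ${{env.BUILD_NAME}} ${{env.BUILD_ID}}

    - name: "BuildInfo: Add VCS info"
      run: jf rt bag ${{env.BUILD_NAME}} ${{env.BUILD_ID}}

    - name: "BuildInfo: Build Publish"
      run: jf rt bp ${{env.BUILD_NAME}} ${{env.BUILD_ID}} --detailed-summary=true

    - name: "Create artifact digest"
      id: create_artifact_digest
      # Emits "sha256:<hex>" of the built jar as the step output artifact_digest.
      # NOTE(review): if the glob matches more than one jar the output holds
      # several lines; no step in this job reads this output.
      run: |
        ARTIFACT_DIGEST=$(sha256sum target/spring-petclinic-*.jar | awk '{print "sha256:"$1}')
        echo "artifact_digest=$ARTIFACT_DIGEST" >> $GITHUB_OUTPUT

    # Evidence steps: the signing key is handed to the CLI as a command-line
    # argument. GitHub masks the secret in logs, but the value is still visible
    # to other processes on the runner; prefer passing a key file/env if the
    # CLI version in use supports it.
    - name: "Evidence: Build Info"
      # Not continue-on-error: a failed signature fails the job.
      env:
        EVD_JSON: "target/build-info.json"
      run: |
        cat ./${{env.EVD_JSON}}
        jf evd create --build-name ${{env.BUILD_NAME}} --build-number ${{env.BUILD_ID}} --predicate ./${{env.EVD_JSON}} --predicate-type https://jfrog.com/evidence/signature/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}

    - name: "Evidence: cdx"
      continue-on-error: true
      env:
        EVD_JSON: "target/classes/META-INF/sbom/application.cdx.json" # https://jfrog.com/evidence/signature/v1
      run: |
        cat ./${{env.EVD_JSON}}
        jf evd create --build-name ${{env.BUILD_NAME}} --build-number ${{env.BUILD_ID}} --predicate ./${{env.EVD_JSON}} --predicate-type https://cyclonedx.org/bom/v1.4 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}

    # - name: "Evidence: Build Publish"
    #   # continue-on-error: true
    #   run: |
    #     echo '{ "actor": "${{github.actor}}", "pipeline": "github actions","build_name": "${{env.BUILD_NAME}}", "build_id": "${{env.BUILD_ID}}", "evd": "Evidence-BuildPublish"}' > ./${{env.EVIDENCE_SPEC_JSON}}
    #     cat ./${{env.EVIDENCE_SPEC_JSON}}
    #     jf evd create --build-name ${{env.BUILD_NAME}} --build-number ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/signature/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}
    #     # echo " - Evidence for BUILD Publish attached. " >> $GITHUB_STEP_SUMMARY

    - name: "Optional: Add Builds to Indexing Configuration"
      run: |
        jf xr curl "/api/v1/binMgr/builds" -H 'Content-Type: application/json' -d '{"names": ["${{env.BUILD_NAME}}"] }'

    - name: "Optional: Query build info"
      env:
        BUILD_INFO_JSON: "BuildInfo-${{env.BUILD_ID}}.json"
      run: |
        jf rt curl "/api/build/${{env.BUILD_NAME}}/${{env.BUILD_ID}}" -o ${{env.BUILD_INFO_JSON}}
        cat ${{env.BUILD_INFO_JSON}}

    - name: "Sleep for few seconds"
      env:
        SLEEP_TIME: 30
      run: |
        echo "Sleeping for ${{env.SLEEP_TIME}} seconds..."
        sleep ${{env.SLEEP_TIME}} # A delay (SLEEP_TIME, currently 30s) between build publish and build scan seems to have resolved the build-scan issue; likely gives Xray time to index the new build.
        echo "Awake now!"

    - name: "Optional: Query - Build Scan status"
      run: |
        jf xr curl "/api/v1/build/status" -H 'Content-Type: application/json' -d '{"name": "${{env.BUILD_NAME}}", "number": "${{env.BUILD_ID}}" }'

    - name: "Optional: Xray sbom-enrich"
      run: |
        jf se "target/classes/META-INF/sbom/application.cdx.json" --threads=100

    - name: "BuildInfo: Xray - Build scan"
      timeout-minutes: 15
      continue-on-error: true
      run: |
        jf bs ${{env.BUILD_NAME}} ${{env.BUILD_ID}} --fail=false --format=table --extended-table=true --rescan=false --vuln=true

    - name: "Optional: Build Scan V2" # https://jfrog.com/help/r/xray-rest-apis/scan-build-v2
      run: |
        jf xr curl /api/v2/ci/build -H 'Content-Type: application/json' -d '{"build_name": "${{env.BUILD_NAME}}", "build_number": "${{env.BUILD_ID}}","rescan":false }'

    # Release Bundle v2
    - name: "RLM: RBv2 spec - create"
      # Spec selects the published build-info (without its dependencies) as the
      # bundle content.
      run: |
        echo "{ \"files\": [ {\"build\": \"${{env.BUILD_NAME}}/${{env.BUILD_ID}}\", \"includeDeps\":\"false\"} ] }" > ${{env.RBv2_SPEC_JSON}}

    - name: "RLM: RBv2 Create NEW"
      # --signing-key is the name of the RBv2 signing key registered in the
      # platform (kept as a secret), not key material.
      run: |
        cat ${{env.RBv2_SPEC_JSON}}

        jf rbc ${{env.BUILD_NAME}} ${{env.BUILD_ID}} --sync=true --signing-key=${{secrets.RBV2_SIGNING_KEY}} --spec=${{env.RBv2_SPEC_JSON}}

    - name: "RLM: Xray Indexing"
      run: |
        jf xr curl "/api/v1/binMgr/release_bundle_v2" -H 'Content-Type: application/json' -d "{\"names\": [\"${{env.BUILD_NAME}}\"] }"

    - name: "Evidence: RBv2 state NEW"
      # continue-on-error: a failed signature does not stop the promote jobs.
      continue-on-error: true
      env:
        VER_LINK: "${{env.JF_RT_URL}}/ui/artifactory/lifecycle/?bundleName='${{env.BUILD_NAME}}'&bundleToFlash='${{env.BUILD_NAME}}'&releaseBundleVersion='${{env.BUILD_ID}}'&repositoryKey=release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion" # not referenced by this step
      run: |
        # Build the predicate with jq so every value is JSON-escaped, and take
        # the actor from the runner environment instead of splicing a ${{ }}
        # expression into the script text.
        jq -n -c \
          --arg actor "$GITHUB_ACTOR" \
          --arg build_name "${{env.BUILD_NAME}}" \
          --arg build_id "${{env.BUILD_ID}}" \
          '{actor: $actor, pipeline: "github actions", build_name: $build_name, build_id: $build_id, evd: "Evidence-RBv2", rbv2_stage: "NEW"}' \
          > ${{env.EVIDENCE_SPEC_JSON}}
        cat ${{env.EVIDENCE_SPEC_JSON}}

        jf evd create --release-bundle ${{env.BUILD_NAME}} --release-bundle-version ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/promotion/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}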
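mvnRBv2PromoteDev:
  name: "MVN: RBv2 Promote DEV"
  # First promotion stage (NEW -> DEV). Gated only on mvnPackage succeeding;
  # the scans there run with --fail=false / continue-on-error, so no scan
  # result blocks this promotion.
  needs: mvnPackage
  runs-on: ubuntu-latest
  env:
    RBv2_ENV_VAL: "DEV"
    BUILD_ID: "psj-mvn-${{github.run_number}}" # must match mvnPackage's BUILD_ID scheme
    RT_REPO_MVN_VIRTUAL: "springpetclinic-mvn-virtual" # not referenced by any step in this job
    RT_REPO_DEV_LOCAL: "springpetclinic-mvn-dev-local"
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  steps:
    - name: "Setup JFrog CLI"
      # Floating references (`@v4`, `version: latest`); pin where reproducibility matters.
      uses: jfrog/setup-jfrog-cli@v4
      id: setup-cli
      env:
        JF_URL: ${{env.JF_RT_URL}}
        JFROG_CLI_LOG_LEVEL: ${{env.JFROG_CLI_LOG_LEVEL}}
      with:
        version: latest #2.71.0
        oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
        disable-job-summary: ${{env.JOB_SUMMARY}}

    - name: "RLM: RBv2 promote ${{env.RBv2_ENV_VAL}}"
      # --signing-key is the platform key name (kept as a secret), not key material.
      run: |
        jf rbp ${{env.BUILD_NAME}} ${{env.BUILD_ID}} ${{env.RBv2_ENV_VAL}} --include-repos=${{env.RT_REPO_DEV_LOCAL}} --sync=true --signing-key=${{secrets.RBV2_SIGNING_KEY}}

    - name: "Evidence: RBv2 state ${{env.RBv2_ENV_VAL}}"
      # continue-on-error: a failed signature does not stop the QA promotion;
      # the bundle advances without this attestation.
      continue-on-error: true
      run: |
        # Build the predicate with jq so every value is JSON-escaped, and take
        # the actor from the runner environment instead of splicing a ${{ }}
        # expression into the script text.
        jq -n -c \
          --arg actor "$GITHUB_ACTOR" \
          --arg build_name "${{env.BUILD_NAME}}" \
          --arg build_id "${{env.BUILD_ID}}" \
          --arg stage "${{env.RBv2_ENV_VAL}}" \
          '{actor: $actor, pipeline: "github actions", build_name: $build_name, build_id: $build_id, evd: "Evidence-RBv2", rbv2_stage: $stage, unittests: "100/100"}' \
          > ./${{env.EVIDENCE_SPEC_JSON}}
        cat ./${{env.EVIDENCE_SPEC_JSON}}
        jf evd create --release-bundle ${{env.BUILD_NAME}} --release-bundle-version ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/promotion/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}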
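mvnRBv2PromoteQA:
  name: "MVN: RBv2 Promote QA"
  # Second promotion stage (DEV -> QA). Gated only on the DEV job succeeding.
  needs: mvnRBv2PromoteDev
  runs-on: ubuntu-latest
  env:
    RBv2_ENV_VAL: "QA"
    BUILD_ID: "psj-mvn-${{github.run_number}}" # must match mvnPackage's BUILD_ID scheme
    RT_REPO_QA_LOCAL: "springpetclinic-mvn-qa-local"
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  steps:
    - name: "Setup JFrog CLI"
      # Floating references (`@v4`, `version: latest`); pin where reproducibility matters.
      uses: jfrog/setup-jfrog-cli@v4
      id: setup-cli
      env:
        JF_URL: ${{env.JF_RT_URL}}
        JFROG_CLI_LOG_LEVEL: ${{env.JFROG_CLI_LOG_LEVEL}}
      with:
        version: latest #2.71.0
        oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
        disable-job-summary: ${{env.JOB_SUMMARY}}

    - name: "RLM: RBv2 promote ${{env.RBv2_ENV_VAL}}"
      # --signing-key is the platform key name (kept as a secret), not key material.
      run: |
        jf rbp ${{env.BUILD_NAME}} ${{env.BUILD_ID}} ${{env.RBv2_ENV_VAL}} --include-repos=${{env.RT_REPO_QA_LOCAL}} --sync=true --signing-key=${{secrets.RBV2_SIGNING_KEY}}

    - name: "Evidence: RBv2 state ${{env.RBv2_ENV_VAL}}"
      # continue-on-error: a failed signature does not stop the PROD promotion.
      # The "QA-validation" value is a fixed placeholder, not a measured result.
      continue-on-error: true
      run: |
        # Build the predicate with jq so every value is JSON-escaped, and take
        # the actor from the runner environment instead of splicing a ${{ }}
        # expression into the script text.
        jq -n -c \
          --arg actor "$GITHUB_ACTOR" \
          --arg build_name "${{env.BUILD_NAME}}" \
          --arg build_id "${{env.BUILD_ID}}" \
          --arg stage "${{env.RBv2_ENV_VAL}}" \
          '{actor: $actor, pipeline: "github actions", build_name: $build_name, build_id: $build_id, evd: "Evidence-RBv2", rbv2_stage: $stage, "QA-validation": "99/100"}' \
          > ./${{env.EVIDENCE_SPEC_JSON}}
        cat ./${{env.EVIDENCE_SPEC_JSON}}
        jf evd create --release-bundle ${{env.BUILD_NAME}} --release-bundle-version ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/promotion/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}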
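mvnRBv2PromoteProd:
  name: "MVN: RBv2 Promote Prod"
  # Final promotion stage (QA -> PROD), followed by a promotion-history summary.
  needs: mvnRBv2PromoteQA
  runs-on: ubuntu-latest
  env:
    RBv2_ENV_VAL: "PROD"
    BUILD_ID: "psj-mvn-${{github.run_number}}" # must match mvnPackage's BUILD_ID scheme
    RT_REPO_PROD_LOCAL: "springpetclinic-mvn-prod-local"
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  steps:
    - name: "Setup JFrog CLI"
      # Floating references (`@v4`, `version: latest`); pin where reproducibility matters.
      uses: jfrog/setup-jfrog-cli@v4
      id: setup-cli
      env:
        JF_URL: ${{env.JF_RT_URL}}
        JFROG_CLI_LOG_LEVEL: ${{env.JFROG_CLI_LOG_LEVEL}}
      with:
        version: latest #2.71.0
        oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
        disable-job-summary: ${{env.JOB_SUMMARY}}

    - name: "RLM: RBv2 promote ${{env.RBv2_ENV_VAL}}"
      # --signing-key is the platform key name (kept as a secret), not key material.
      run: |
        jf rbp ${{env.BUILD_NAME}} ${{env.BUILD_ID}} ${{env.RBv2_ENV_VAL}} --include-repos=${{env.RT_REPO_PROD_LOCAL}} --sync=true --signing-key=${{secrets.RBV2_SIGNING_KEY}}

    - name: "Evidence: RBv2 state ${{env.RBv2_ENV_VAL}}"
      # continue-on-error: a failed signature does not fail the job.
      # The "prod-validation" value is a fixed placeholder, not a measured result.
      continue-on-error: true
      run: |
        # Build the predicate with jq so every value is JSON-escaped, and take
        # the actor from the runner environment instead of splicing a ${{ }}
        # expression into the script text.
        jq -n -c \
          --arg actor "$GITHUB_ACTOR" \
          --arg build_name "${{env.BUILD_NAME}}" \
          --arg build_id "${{env.BUILD_ID}}" \
          --arg stage "${{env.RBv2_ENV_VAL}}" \
          '{actor: $actor, pipeline: "github actions", build_name: $build_name, build_id: $build_id, evd: "Evidence-RBv2", rbv2_stage: $stage, "prod-validation": "100/100"}' \
          > ./${{env.EVIDENCE_SPEC_JSON}}
        cat ./${{env.EVIDENCE_SPEC_JSON}}
        jf evd create --release-bundle ${{env.BUILD_NAME}} --release-bundle-version ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/promotion/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}

    - name: "Optional: rbv2-summary"
      continue-on-error: true
      env:
        NAME_LINK: "${{env.JF_RT_URL}}/ui/artifactory/lifecycle/?bundleName=${{env.BUILD_NAME}}&bundleToFlash=${{env.BUILD_NAME}}&repositoryKey=release-bundles-v2&activeKanbanTab=promotion"
        VER_LINK: "${{env.JF_RT_URL}}/ui/artifactory/lifecycle/?bundleName='${{env.BUILD_NAME}}'&bundleToFlash='${{env.BUILD_NAME}}'&releaseBundleVersion='${{env.BUILD_ID}}'&repositoryKey=release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion"
        CURL_URL: "${{env.JF_RT_URL}}/lifecycle/api/v2/promotion/records/${{env.BUILD_NAME}}/${{env.BUILD_ID}}?async=false"
        # OIDC access token from the setup step, handed to the script through
        # the environment rather than pasted into the command line.
        JF_OIDC_TOKEN: ${{steps.setup-cli.outputs.oidc-token}}
      run: |
        echo "# 📦 Release Lifecycle Management (RLM): RBv2 Summary :rocket: " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY
        echo "The Build Artifacts has elevated to the subsequent stages" >> $GITHUB_STEP_SUMMARY
        # -sS instead of -v: verbose mode echoes the request headers, including
        # the Authorization bearer token, into the job log. -f makes an HTTP
        # error fail the step (caught by continue-on-error) instead of feeding
        # an error page to jq.
        RB2_STATUS_RESP=$(curl -sSf "${{env.CURL_URL}}" -H 'Content-Type: application/json' -H "Authorization: Bearer $JF_OIDC_TOKEN")
        echo "$RB2_STATUS_RESP" > RBv2_STATUS-${{env.BUILD_ID}}.json
        cat RBv2_STATUS-${{env.BUILD_ID}}.json
        # One summary bullet per promotion record; formatting inside jq avoids
        # word-splitting the JSON objects in a shell for-loop.
        echo "$RB2_STATUS_RESP" | jq -r '.promotions[] | " - \(.environment) on \(.created) "' >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY
        echo " - Release bundle [${{env.BUILD_NAME}}](${{env.NAME_LINK}}):[${{env.BUILD_ID}}](${{env.VER_LINK}}) " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY

    # Query build
    - name: "Optional: Query build info"
      env:
        BUILD_INFO_JSON: "BuildInfo-${{env.BUILD_ID}}.json"
      run: |
        jf rt curl "/api/build/${{env.BUILD_NAME}}/${{env.BUILD_ID}}" -o "$BUILD_INFO_JSON"
        cat "$BUILD_INFO_JSON"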
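mvnSaasDistribute:
  name: "MVN: Distribute to SaaS JPDs & Edges"
  # Distributes the PROD-promoted RBv2 to the configured JPDs/Edges, then
  # re-downloads it from the origin and reports the distribution targets.
  needs: mvnRBv2PromoteProd
  runs-on: ubuntu-latest
  env:
    BUILD_ID: "psj-mvn-${{github.run_number}}" # must match mvnPackage's BUILD_ID scheme
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  steps:
    - name: "Setup JFrog CLI"
      # Floating references (`@v4`, `version: latest`); pin where reproducibility matters.
      uses: jfrog/setup-jfrog-cli@v4
      id: setup-cli
      env:
        JF_URL: ${{env.JF_RT_URL}}
        JFROG_CLI_LOG_LEVEL: "ERROR"
      with:
        version: latest #2.71.0
        oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
        disable-job-summary: ${{env.JOB_SUMMARY}}

    # ref: https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/release-lifecycle-management#distribute-a-release-bundle-v2
    - name: "RBv2 Distribute to SaaS Artifactory and edges"
      # continue-on-error: a failed distribution still lets the download and
      # summary steps run, and the downstream download jobs start regardless.
      continue-on-error: true
      run: |
        jf rbd ${{env.BUILD_NAME}} ${{env.BUILD_ID}} --sync=true --create-repo=true

    # refer: https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/release-lifecycle-management#download-release-bundle-v2-content
    - name: "Download RBv2 from SaaS Artifactory"
      run: |
        jf rt dl --bundle ${{env.BUILD_NAME}}/${{env.BUILD_ID}} --detailed-summary=true --threads=100

    - name: "Query Distribution status" # https://psazuse.jfrog.io/lifecycle/api/v2/distribution/trackers/spring-petclinic/ga-49
      # NOTE(review): `jf rt curl` prefixes the Artifactory base URL, so this
      # path is likely requested under /artifactory/ — confirm it resolves; the
      # summary step below calls the same lifecycle endpoint with curl directly.
      run: |
        jf rt curl "/lifecycle/api/v2/distribution/trackers/${{env.BUILD_NAME}}/${{env.BUILD_ID}}"

    - name: "Info list"
      run: |
        pwd
        ls -lR .

    - name: "Optional Saas Artifactory summary"
      continue-on-error: true
      env:
        CURL_URL: "${{env.JF_RT_URL}}/lifecycle/api/v2/distribution/trackers/${{env.BUILD_NAME}}/${{env.BUILD_ID}}"
        # OIDC access token from the setup step, handed to the script through
        # the environment rather than pasted into the command line.
        JF_OIDC_TOKEN: ${{steps.setup-cli.outputs.oidc-token}}
      run: |
        echo "# :frog: Download package from SaaS 📦 " >> $GITHUB_STEP_SUMMARY
        echo " - Download RBv2 from Artifactory [${{env.JF_RT_URL}}](${{env.JF_RT_URL}}) to " >> $GITHUB_STEP_SUMMARY
        # -sS instead of -v: verbose mode echoes the request headers, including
        # the Authorization bearer token, into the job log. -f makes an HTTP
        # error fail the step (caught by continue-on-error) instead of feeding
        # an error page to jq.
        RB2_DISTRIBUTE_RESP=$(curl -sSf "${{env.CURL_URL}}" -H 'Content-Type: application/json' -H "Authorization: Bearer $JF_OIDC_TOKEN")
        echo "$RB2_DISTRIBUTE_RESP" > RB2_DISTRIBUTE-${{env.BUILD_ID}}.json
        cat RB2_DISTRIBUTE-${{env.BUILD_ID}}.json
        # One summary bullet per distribution target; formatting inside jq
        # avoids word-splitting the values in a shell for-loop.
        echo "$RB2_DISTRIBUTE_RESP" | jq -r '.[] .targets[] | " - [\(.).jfrog.io](https://\(.).jfrog.io) "' >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY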
mvnSleepAfterDistribution:
  name: "MVN: SYNC Sleep few seconds"
  # Fixed delay between distribution and the download-verification jobs that
  # depend on this job, to give the targets time to sync.
  needs: mvnSaasDistribute
  runs-on: ubuntu-latest
  env:
    SLEEP_TIME: 60
  steps:
    - name: "Sleep for ${{env.SLEEP_TIME}} seconds"
      # SLEEP_TIME is read from the process environment rather than expanded
      # into the script text.
      run: |-
        echo "Sleeping for $SLEEP_TIME seconds..."
        sleep "$SLEEP_TIME"
        echo "Awake now!"
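mvnDownloadRBv2FromSaasPsAzUse:
  name: "MVN: Download RBv2 from SaaS ${{vars.JF_NAME}} Artifactory"
  # Verifies the RBv2 is downloadable from the origin JPD (JF_NAME). Unlike the
  # sibling download jobs this one needs only mvnSaasDistribute, not the sleep
  # job — presumably because the origin needs no sync; confirm this is intended.
  needs: mvnSaasDistribute
  runs-on: ubuntu-latest
  continue-on-error: true
  env:
    BUILD_ID: "psj-mvn-${{github.run_number}}" # must match mvnPackage's BUILD_ID scheme
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  steps:
    - name: "Setup JFrog CLI"
      # Floating references (`@v4`, `version: latest`); pin where reproducibility matters.
      uses: jfrog/setup-jfrog-cli@v4
      id: setup-cli
      env:
        JF_URL: ${{env.JF_RT_URL}}
        JFROG_CLI_LOG_LEVEL: "ERROR"
      with:
        version: latest
        oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
        disable-job-summary: ${{env.JOB_SUMMARY}}

    - name: "Artifactory config show"
      run: |
        jf config show

    - name: "Download RBv2 from ${{vars.JF_NAME}} SaaS"
      run: |
        jf rt dl --bundle ${{env.BUILD_NAME}}/${{env.BUILD_ID}} --detailed-summary=true --threads=100

    - name: "Info list"
      run: |
        pwd
        ls -lR .

    - name: "Optional: Saas ${{vars.JF_NAME}} Artifactory summary"
      # JF_RT_URL is a workflow env (not a repository variable) and JF_URL is
      # only set on the setup-cli step, so both links use env.JF_RT_URL.
      run: |
        echo "# :frog: Download package from SaaS ${{env.JF_RT_URL}} 📦 " >> $GITHUB_STEP_SUMMARY
        echo " - Download RBv2 from SaaS Artifactory [${{env.JF_RT_URL}}](${{env.JF_RT_URL}}) " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY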
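mvnDownloadRBv2FromSaasSolEng:
  name: "MVN: Download RBv2 from SaaS ${{vars.JF_NAME_2}} Artifactory"
  # Verifies the distributed RBv2 is downloadable from the second SaaS JPD
  # after the post-distribution sleep. continue-on-error: a failed download
  # does not fail the workflow.
  needs: mvnSleepAfterDistribution
  runs-on: ubuntu-latest
  continue-on-error: true
  env:
    JF_URL: "https://${{vars.JF_NAME_2}}.jfrog.io"
    BUILD_ID: "psj-mvn-${{github.run_number}}" # must match mvnPackage's BUILD_ID scheme
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  steps:
    - name: "Setup JFrog CLI"
      # Floating references (`@v4`, `version: latest`); pin where reproducibility matters.
      uses: jfrog/setup-jfrog-cli@v4
      id: setup-cli
      env:
        JF_URL: "${{env.JF_URL}}"
        JFROG_CLI_LOG_LEVEL: "ERROR"
      with:
        version: latest
        oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
        disable-job-summary: ${{env.JOB_SUMMARY}}

    - name: "Artifactory config show"
      run: |
        jf config show

    - name: "Download RBv2 from ${{vars.JF_NAME_2}} SaaS"
      run: |
        jf rt dl --bundle ${{env.BUILD_NAME}}/${{env.BUILD_ID}} --detailed-summary=true --threads=100

    - name: "Info list"
      run: |
        pwd
        ls -lR .

    - name: "Optional: Saas ${{vars.JF_NAME_2}} Artifactory summary"
      # The URL lives in the job env (JF_URL), not in a repository variable.
      run: |
        echo "# :frog: Download package from SaaS ${{env.JF_URL}} 📦 " >> $GITHUB_STEP_SUMMARY
        echo " - Download RBv2 from SaaS Artifactory [${{vars.JF_NAME_2}}](${{env.JF_URL}}) " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY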
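mvnDownloadRBv2FromSaasEdge:
  name: "MVN: Download RBv2 from SaaS ${{vars.JF_EDGE_NAME}} Edge"
  # Verifies the distributed RBv2 is downloadable from the Edge node after the
  # post-distribution sleep. continue-on-error: a failed download does not
  # fail the workflow.
  needs: mvnSleepAfterDistribution
  runs-on: ubuntu-latest
  continue-on-error: true
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  env:
    JF_EDGE_URL: "https://${{vars.JF_EDGE_NAME}}.jfrog.io"
    BUILD_ID: "psj-mvn-${{github.run_number}}" # must match mvnPackage's BUILD_ID scheme
  steps:
    - name: "Setup JFrog CLI"
      # Floating references (`@v4`, `version: latest`); pin where reproducibility matters.
      uses: jfrog/setup-jfrog-cli@v4
      id: setup-cli
      env:
        JF_URL: ${{env.JF_EDGE_URL}}
        JFROG_CLI_LOG_LEVEL: "ERROR"
      with:
        version: latest
        oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
        disable-job-summary: ${{env.JOB_SUMMARY}}

    - name: "Edge config show"
      run: |
        jf config show

    # refer: https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/release-lifecycle-management#download-release-bundle-v2-content
    - name: "Download RBv2 from SaaS Edge"
      run: |
        jf rt dl --bundle ${{env.BUILD_NAME}}/${{env.BUILD_ID}} --detailed-summary=true --threads=100

    - name: "Info list"
      run: |
        pwd
        ls -lR .

    - name: "Optional: Saas ${{vars.JF_EDGE_NAME}} Edge summary"
      # JF_EDGE_URL is a job env value, not a repository variable.
      run: |
        echo "# :frog: Download package from SaaS ${{env.JF_EDGE_URL}} 📦 " >> $GITHUB_STEP_SUMMARY
        echo " - Download RBv2 from Edge [${{vars.JF_EDGE_NAME}}](${{env.JF_EDGE_URL}}) " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY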
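# Gradle using Federated repositories
gradlePackage:
  name: "Gradle"
  # Builds and publishes the artifact with Gradle through the virtual repo,
  # publishes build-info, and attaches JFrog evidence plus a GitHub build
  # provenance attestation.
  env:
    RT_REPO_GRADLE_VIRTUAL: 'springpetclinic-gradle-virtual'
    RT_REPO_GRADLE_DEFAULT_LOCAL: 'springpetclinic-gradle-snapshot-fed-local' # springpetclinic-gradle-dev-fed-local
    BUILD_ID: "psj-gdl-${{github.run_number}}"
  runs-on: ubuntu-latest
  timeout-minutes: 20 # ref https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  steps:
    - name: "Setup JFrog CLI"
      # Floating references (`@v4`, `version: latest`); pin a commit SHA and a
      # CLI version where reproducible builds are required.
      uses: jfrog/setup-jfrog-cli@v4
      id: setup-cli
      env:
        JF_URL: ${{env.JF_RT_URL}}
        JFROG_CLI_LOG_LEVEL: ${{env.JFROG_CLI_LOG_LEVEL}}
        JFROG_CLI_RELEASES_REPO: '${{env.JF_RT_URL}}/artifactory/${{env.RT_REPO_GRADLE_VIRTUAL}}'
        JFROG_CLI_EXTRACTORS_REMOTE: '${{env.JF_RT_URL}}/artifactory/${{env.RT_REPO_GRADLE_VIRTUAL}}'
        JF_GIT_TOKEN: ${{secrets.GITHUB_TOKEN}}
      with:
        version: latest
        oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
        disable-job-summary: ${{env.JOB_SUMMARY}}

    - name: "Clone VCS"
      uses: actions/checkout@v4 # ref: https://github.com/actions/checkout

    - name: "setUp JDK provider = ${{env.JAVA_DISTRIBUTION}} with ver = ${{env.JAVA_VERSION}}"
      uses: actions/setup-java@v4 # ref https://github.com/actions/setup-java
      with:
        distribution: ${{env.JAVA_DISTRIBUTION}} # temurin
        java-version: ${{env.JAVA_VERSION}} # 25

    - name: "Setup Gradle" # ref https://docs.github.com/en/enterprise-cloud@latest/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-gradle
      uses: gradle/actions/setup-gradle@v4 # v4.0.0
      with:
        # "release-candidate" resolves to whatever RC is current at run time, so
        # the Gradle version can change between runs; pin a version for
        # reproducible builds.
        gradle-version: release-candidate

    - name: "Software version"
      run: |
        # JFrog CLI version
        jf --version
        # Ping the server
        jf rt ping
        # Java
        java -version
        # Gradle
        gradle -v
        # jf config
        jf config show

    - name: "Config jf with gradle repos"
      # jf gradlec --repo-deploy springpetclinic-gradle-virtual --repo-resolve springpetclinic-gradle-virtual --repo-deploy springpetclinic-gradle-virtual
      run: |
        jf gradlec --repo-deploy ${{env.RT_REPO_GRADLE_VIRTUAL}} --repo-resolve ${{env.RT_REPO_GRADLE_VIRTUAL}}

    - name: "list folder"
      run: |
        pwd
        tree .

    - name: "Gradle: summary"
      # The CLI version is taken from `jf --version`; the shell variable
      # `jfcliv` used before was never set and rendered as empty link text.
      run: |
        echo "# :frog: Gradle: Summary :pushpin:" >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY
        echo " - Installed JFrog CLI [$(jf --version)](https://jfrog.com/getcli/) and Java [${{env.JAVA_DISTRIBUTION}}](https://github.com/actions/setup-java) v${{env.JAVA_VERSION}} " >> $GITHUB_STEP_SUMMARY
        echo " - $(jf --version) " >> $GITHUB_STEP_SUMMARY
        # echo " - $(gradle -v) " >> $GITHUB_STEP_SUMMARY
        echo " - Configured the JFrog Cli with SaaS Artifactory OIDC integration " >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY
        echo " - Variables info" >> $GITHUB_STEP_SUMMARY
        echo " - ID: ${{env.BUILD_ID}} " >> $GITHUB_STEP_SUMMARY
        echo " - Build Name: ${{env.BUILD_NAME}} " >> $GITHUB_STEP_SUMMARY
        echo " - Gradle Repo URL: ${{env.RT_REPO_GRADLE_VIRTUAL}}" >> $GITHUB_STEP_SUMMARY
        echo " " >> $GITHUB_STEP_SUMMARY

    # Package https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/package-managers-integration#running-gradle-builds
    - name: "Package: Create Build"
      # Tests are excluded (-x test); nothing else in this job runs them.
      run: |
        jf gradle clean artifactoryPublish -x test --build-name=${{env.BUILD_NAME}} --build-number=${{env.BUILD_ID}}

    - name: "list folder"
      run: |
        pwd
        tree build/

    # Evidence steps: the signing key is handed to the CLI as a command-line
    # argument. GitHub masks the secret in logs, but the value is still visible
    # to other processes on the runner; prefer a key file/env if the CLI
    # version in use supports it.
    - name: "Evidence: Artifact"
      env:
        # NOTE(review): the artifact version (3.5.0) is hard-coded here; this
        # path silently stops matching when the project version is bumped.
        REPO_JAR: "${{env.RT_REPO_GRADLE_DEFAULT_LOCAL}}/org/springframework/samples/${{env.BUILD_NAME}}/3.5.0/${{env.BUILD_NAME}}-3.5.0-plain.jar" # /krishnam-gdl-dev-fed/org/springframework/samples/spring-petclinic/3.5.0/
        # REPO_JAR: "${{env.RT_REPO_GRADLE_VIRTUAL}}/org/springframework/samples/${{env.BUILD_NAME}}/3.5.0/${{env.BUILD_NAME}}-3.5.0-plain.jar" # krishnam-gradle-virtual/org/springframework/samples/spring-petclinic/3.5.0/spring-petclinic-3.5.0-plain.jar
      run: |
        # Build the predicate with jq so every value is JSON-escaped, and take
        # the actor from the runner environment instead of splicing a ${{ }}
        # expression into the script text.
        jq -n -c \
          --arg actor "$GITHUB_ACTOR" \
          --arg build_name "${{env.BUILD_NAME}}" \
          --arg build_id "${{env.BUILD_ID}}" \
          --arg artifact "${{env.REPO_JAR}}" \
          '{actor: $actor, pipeline: "github actions", build_name: $build_name, build_id: $build_id, evd: "Evidence-Artifact", artifact: $artifact}' \
          > ./${{env.EVIDENCE_SPEC_JSON}}
        cat ./${{env.EVIDENCE_SPEC_JSON}}
        jf evd create --subject-repo-path ${{env.REPO_JAR}} --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/signature/v1

    # Build Info
    # Background reading on SBOM / build provenance expectations:
    # US
    #   Executive Order:
    #   https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
    #   https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity
    #   US Dept of Commerce: https://www.ntia.gov/page/software-bill-materials
    #   US Cyber Defence Agency: https://www.cisa.gov/sbom
    #   NIST: https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1
    #   NITA: https://www.ntia.gov/page/software-bill-materials
    #   Centers for Medicare & Medicaid Services: https://security.cms.gov/learn/software-bill-materials-sbom
    # India
    #   CERT-IN: https://www.cert-in.org.in/sbom/
    - name: "BuildInfo: Collect env"
      run: jf rt bce ${{env.BUILD_NAME}} ${{env.BUILD_ID}}

    - name: "BuildInfo: Add VCS info"
      run: jf rt bag ${{env.BUILD_NAME}} ${{env.BUILD_ID}}

    - name: "BuildInfo: Build Publish"
      run: jf rt bp ${{env.BUILD_NAME}} ${{env.BUILD_ID}} --detailed-summary=true

    - name: "Evidence: GitHub Build Attestation"
      # Needs id-token: write and attestations: write (granted at workflow level).
      continue-on-error: true
      uses: actions/attest-build-provenance@v3 # https://github.com/marketplace/actions/attest-build-provenance
      with:
        # NOTE(review): subject-name is documented for use with subject-digest;
        # confirm the action accepts it alongside subject-path.
        subject-name: "${{env.JF_RT_URL}}/${{env.RT_REPO_GRADLE_VIRTUAL}}/${{env.BUILD_NAME}}"
        # Block scalar: one path/glob per line. The surrounding double quotes
        # were literal characters inside the value before, so the patterns
        # could not match any file.
        subject-path: |
          ${{ github.workspace }}/build/libs/spring-petclinic-*.jar
          ${{ github.workspace }}/build/build-info.json
          ${{ github.workspace }}/build/reports/application.cdx.json
        show-summary: true
        github-token: ${{secrets.GITHUB_TOKEN}}

    # - name: "Evidence: Build Info"
    #   continue-on-error: true
    #   env:
    #     EVD_JSON: "build/build-info.json"
    #   run: |
    #     cat ./${{env.EVD_JSON}}
    #     jf evd create --build-name ${{env.BUILD_NAME}} --build-number ${{env.BUILD_ID}} --predicate ./${{env.EVD_JSON}} --predicate-type https://jfrog.com/evidence/signature/v1 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}

    - name: "Evidence: cdx"
      # continue-on-error: a failed signature does not fail the job.
      continue-on-error: true
      env:
        EVD_JSON: "build/reports/application.cdx.json" # https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-payload
      run: |
        cat ./${{env.EVD_JSON}}
        jf evd create --build-name ${{env.BUILD_NAME}} --build-number ${{env.BUILD_ID}} --predicate ./${{env.EVD_JSON}} --predicate-type https://cyclonedx.org/bom/v1.4 --key "${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}" --key-alias ${{secrets.EVIDENCE_KEY_ALIAS}}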
appTrustdockerPackage:
  name: "AppTrustDocker"
  # Job-scoped settings. BUILD_ID doubles as build number, Docker tag,
  # evidence version and release-bundle version, so one run_number ties
  # every artifact of a run together.
  env:
    BUILD_ID: "psj-at-dkr-${{github.run_number}}"
    RT_REPO_MVN_VIRTUAL: 'krishna-apptrust-java-virtual'
    # RT_REPO_MVN_DEFAULT_LOCAL: "springpetclinic-mvn-snapshot-local" # springpetclinic-mvn-dev-local, springpetclinic-mvn-qa-local, springpetclinic-mvn-prod-local
    RT_REPO_DOCKER_VIRTUAL: 'krishna-apptrust-docker-virtual'
    RT_REPO_DOCKER_DEFAULT_LOCAL: 'krishna-apptrust-docker-init-local' # krishna-apptrust-docker-dev-local, krishna-apptrust-docker-prod-local, krishna-apptrust-docker-qa-local
    RT_REPO_DEV_LOCAL: 'krishna-apptrust-docker-dev-local'
    RT_REPO_QA_LOCAL: 'krishna-apptrust-docker-qa-local'
    RT_REPO_PROD_LOCAL: 'krishna-apptrust-docker-prod-local'
    # Target platforms for the buildx multi-arch image.
    DOCKER_BUILDX_PLATFORMS: "linux/amd64,linux/arm64"
    # Written by `docker build --metadata-file`; read back for the image digest.
    DOCKER_METADATA_JSON: "build-metadata.json"
  defaults:
    run:
      working-directory: "${{env.DEFAULT_WORKSPACE}}"
  runs-on: ubuntu-latest
  # Whole-job cap; individual scan steps carry their own 15-minute limits.
  timeout-minutes: 30 # ref https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes
  steps:
# Use the specific setup-cli branch. Ref https://github.com/marketplace/actions/setup-jfrog-cli
- name: "Setup JFrog CLI"
  id: setup-cli
  uses: jfrog/setup-jfrog-cli@v4
  env:
    JF_URL: ${{env.JF_RT_URL}}
    JFROG_CLI_LOG_LEVEL: ${{env.JFROG_CLI_LOG_LEVEL}}
    # NOTE(review): both the CLI-download repo and the build-info extractors
    # repo point at the Maven virtual repo; that only resolves if the virtual
    # includes a remote for releases.jfrog.io — confirm.
    JFROG_CLI_RELEASES_REPO: "${{env.JF_RT_URL}}/artifactory/${{env.RT_REPO_MVN_VIRTUAL}}"
    JFROG_CLI_EXTRACTORS_REMOTE: "${{env.JF_RT_URL}}/artifactory/${{env.RT_REPO_MVN_VIRTUAL}}"
    JF_GIT_TOKEN: ${{secrets.GITHUB_TOKEN}}
  with:
    # 'latest' floats: the CLI binary is not pinned, so a run cannot be
    # reproduced from the workflow alone (a fixed version, 2.71.0, was used before).
    version: latest
    # Short-lived OIDC token exchange instead of a stored Artifactory credential;
    # the resulting user/token are reused below for the Docker registry login.
    oidc-provider-name: ${{vars.JF_OIDC_PROVIDER_NAME}}
    disable-job-summary: ${{env.JOB_SUMMARY}}
- name: "Clone VCS"
  uses: actions/checkout@v4 # ref: https://github.com/actions/checkout

- name: "setUp JDK provider = ${{env.JAVA_DISTRIBUTION}} with ver = ${{env.JAVA_VERSION}}"
  uses: actions/setup-java@v4 # ref https://github.com/actions/setup-java
  with:
    distribution: ${{env.JAVA_DISTRIBUTION}} # temurin
    java-version: ${{env.JAVA_VERSION}} # 25
    # Reuse the local Maven repository between runs, keyed on pom.xml.
    cache: "maven"
    cache-dependency-path: "pom.xml"
- name: "Software version"
  # Diagnostics only: print tool versions and confirm Artifactory answers.
  # NOTE(review): `jf config show` prints the configured server details;
  # confirm it emits no credential material into the job log.
  run: |
    jf --version    # JFrog CLI version
    jf rt ping      # Ping the server
    java -version   # Java
    mvn -version    # MVN
    docker -v       # Docker
    python3 -V      # Python
    pip3 -V
    jf config show  # jf config
- name: "Config jf with mvn repos"
  # Point `jf mvn` at the Artifactory virtual repo for release and snapshot
  # resolution. Plain `mvn` invocations below do not read this config and
  # use the runner's default Maven settings.
  run: >-
    jf mvnc --global
    --repo-resolve-releases ${{env.RT_REPO_MVN_VIRTUAL}}
    --repo-resolve-snapshots ${{env.RT_REPO_MVN_VIRTUAL}}

- name: "Create ENV variables"
  # Derive the artifact coordinates from the pom plus the registry/image
  # references used by the Docker steps, and export them through GITHUB_ENV
  # so every later step sees them.
  run: |
    {
      echo "ARTIFACT_NAME=$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)"
      echo "ARTIFACT_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)"
      echo "TODAYS_DATE=$(date +'%Y-%m-%d')"
      echo "RT_REPO_DOCKER_IMG=${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.BUILD_NAME}}"
      echo "JF_REGISTRY=${{env.JF_RT_URL}}/${{env.RT_REPO_DOCKER_VIRTUAL}}"
      echo "RT_REPO_DOCKER_URL=${{vars.JF_NAME}}.jfrog.io/${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.BUILD_NAME}}:${{env.BUILD_ID}}"
    } >> "$GITHUB_ENV"
- name: "Docker authentication" # ref https://github.com/marketplace/actions/docker-login
  id: config-docker
  uses: docker/login-action@v3
  with:
    registry: ${{env.JF_REGISTRY}}
    # Registry credentials are the short-lived OIDC user/token minted by the
    # setup-cli step; no static registry password is kept as a secret.
    username: ${{steps.setup-cli.outputs.oidc-user}}
    password: ${{steps.setup-cli.outputs.oidc-token}}

- name: "Docker buildx instance"
  uses: docker/setup-buildx-action@v3 # ref: https://github.com/marketplace/actions/docker-setup-buildx
  with:
    use: true
    # Make `docker build` an alias of `docker buildx build`, which the
    # multi-platform --push build below depends on.
    install: true
    platforms: ${{env.DOCKER_BUILDX_PLATFORMS}} # linux/amd64,linux/arm64 # ref: https://docs.docker.com/reference/cli/docker/buildx/create/#platform
- name: "list folder"
  # Diagnostic listing of the workspace.
  run: |
    pwd
    tree .

- name: "Docker: Summary "
  # Job-summary markdown: tool versions and the variables this job runs with.
  run: |
    {
      echo "# :frog: :ship: Docker: Summary :pushpin:"
      echo " "
      echo " "
      echo " - Installed JFrog CLI [$(jf --version)](https://jfrog.com/getcli/) and Java [${{env.JAVA_DISTRIBUTION}}](https://github.com/actions/setup-java) v${{env.JAVA_VERSION}} "
      echo " - $(jf --version) "
      echo " - $(mvn -v) "
      echo " - $(docker -v) "
      echo " - Docker buildx configured with platforms: [${{env.DOCKER_BUILDX_PLATFORMS}}](https://docs.docker.com/reference/cli/docker/buildx/create/#platform) "
      echo " - Configured the JFrog Cli and Docker login with SaaS Artifactory OIDC integration "
      echo " "
      echo " - Variables info"
      echo "    - App Trust project key: ${{env.PROJECT_KEY_APP_TRUST}} "
      echo "    - ID: ${{env.BUILD_ID}} "
      echo "    - Build Name: ${{env.BUILD_NAME}} "
      echo "    - Maven Repo URL: ${{env.RT_REPO_MVN_VIRTUAL}}"
      echo "    - Docker Repo URL: ${{env.RT_REPO_DOCKER_VIRTUAL}}"
      echo "    - Docker Image: ${{env.RT_REPO_DOCKER_IMG}}"
      echo "    - Docker URL: ${{env.RT_REPO_DOCKER_URL}}"
      echo " "
    } >> "$GITHUB_STEP_SUMMARY"
# Package
- name: "Curation: audit" # https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-security/cli-for-jfrog-curation
  timeout-minutes: 15 # ref https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
  continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
  # Curation checks the dependency graph against the curation policy.
  # build.gradle is removed first, presumably so the audit resolves only the
  # Maven project — verify.
  run: |
    rm -rf build.gradle
    jf ca --format=table --threads=100

- name: "Xray & JAS: Audit" # https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-security
  # scan for Xray: Source code dependencies and JAS: Secrets Detection, IaC, Vulnerabilities Contextual Analysis 'SAST'
  timeout-minutes: 15 # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
  # continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
  # --fail=false: the audit reports but does not gate — findings never fail
  # this job. Tighten to --fail=true (or a policy watch) to enforce.
  run: >-
    jf audit --mvn
    --sast=true --sca=true --secrets=true --licenses=true --validate-secrets=true --vuln=true
    --format=table --extended-table=true --threads=100
    --fail=false --project=${{env.PROJECT_KEY_APP_TRUST}}

- name: "Package: Create MVN Build"
  # jf mvn clean install -DskipTests=true -Denforcer.skip=true --build-name=${{env.BUILD_NAME}} --build-number=${{env.BUILD_ID}}
  # -Djar.finalName=${{env.JAR_FINAL_NAME}}
  # Tests and the Maven enforcer plugin are both skipped, so any enforcer
  # rules the pom declares (dependency convergence, banned dependencies, ...)
  # are not applied to this build.
  run: |
    mvn clean install -DskipTests=true -Denforcer.skip=true

- name: "Package: Xray - mvn Artifact scan"
  timeout-minutes: 15 # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
  continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
  # Binary scan of the workspace (sources + target/). Non-gating (--fail=false).
  run: >-
    jf scan .
    --format=table --extended-table=true --threads=100
    --fail=false --project=${{env.PROJECT_KEY_APP_TRUST}}
- name: "Package: Docker build and push"
  env:
    JAR_FILE: "./target/${{env.ARTIFACT_NAME}}-${{env.ARTIFACT_VERSION}}.jar"
    # Four tags for the same image: version, date, build id, latest.
    TAG10: "${{vars.JF_NAME}}.jfrog.io/${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.ARTIFACT_NAME}}:${{env.ARTIFACT_VERSION}}"
    TAG11: "${{vars.JF_NAME}}.jfrog.io/${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.ARTIFACT_NAME}}:${{env.TODAYS_DATE}}"
    TAG12: "${{vars.JF_NAME}}.jfrog.io/${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.ARTIFACT_NAME}}:${{env.BUILD_ID}}"
    TAG13: "${{vars.JF_NAME}}.jfrog.io/${{env.RT_REPO_DOCKER_VIRTUAL}}/${{env.ARTIFACT_NAME}}:latest"
  # Multi-platform images cannot be loaded into the local daemon, so the
  # build pushes straight to the registry; --metadata-file captures the
  # resulting manifest digest for the build-info step later on.
  run: >-
    docker image build -f ./jfrog/AppTrustDockerfile
    --build-arg JAR_FILE=${{env.JAR_FILE}}
    --platform "${{env.DOCKER_BUILDX_PLATFORMS}}"
    --metadata-file "${{env.DOCKER_METADATA_JSON}}"
    -t ${{env.TAG10}} -t ${{env.TAG11}} -t ${{env.TAG12}} -t ${{env.TAG13}}
    --push .

- name: "Optional: Docker pull image"
  # Pull by the build-id tag. NOTE(review): RT_REPO_DOCKER_URL is built from
  # BUILD_NAME while TAG12 is built from ARTIFACT_NAME; they refer to the
  # same image only while those two values coincide.
  run: |
    docker pull ${{env.RT_REPO_DOCKER_URL}}

- name: "Package: Docker image list"
  run: |
    docker image ls
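# Evidence - Package references
# Docs# https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-management
# CLI# https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/evidence-service
- name: "Evidence: Package"
  # Attach a signed predicate (who/what built it) to the Docker package
  # version in Artifactory. continue-on-error is off, so a signing failure
  # fails the job.
  # continue-on-error: true
  env:
    # The signing key and alias reach the shell through the environment, not
    # through ${{ }} expansion: an expanded secret is embedded in the
    # generated step script on disk and shows up in the process arguments of
    # `jf` (which DEBUG-level CLI logging may echo). GitHub's log masking
    # covers neither place.
    EVD_SIGNING_KEY: ${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}
    EVD_KEY_ALIAS: ${{secrets.EVIDENCE_KEY_ALIAS}}
  run: |
    echo '{ "actor": "${{github.actor}}", "pipeline": "github actions","build_name": "${{env.BUILD_NAME}}", "build_id": "${{env.BUILD_ID}}", "evd":"Evidence-Package", "package":"${{env.RT_REPO_DOCKER_URL}}" }' > ./${{env.EVIDENCE_SPEC_JSON}}
    cat ./${{env.EVIDENCE_SPEC_JSON}}
    # --key also accepts a path to a private key file. Keep the key in a
    # 0600 file under RUNNER_TEMP (outside the workspace, so it is not swept
    # up by workspace scans or build contexts) for the lifetime of this step.
    umask 077
    key_file="$RUNNER_TEMP/evd-signing-key.pem"
    trap 'rm -f "$key_file"' EXIT
    printf '%s\n' "$EVD_SIGNING_KEY" > "$key_file"
    # NOTE(review): the package repo passed is the virtual repo; evidence is
    # normally attached against the repository that stores the image —
    # confirm the CLI resolves this as intended.
    jf evd create --package-name ${{env.BUILD_NAME}} --package-version ${{env.BUILD_ID}} --package-repo-name ${{env.RT_REPO_DOCKER_VIRTUAL}} --key "$key_file" --key-alias "$EVD_KEY_ALIAS" --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/signature/v1
    #echo " - Evidence for PACKAGE attached. Info available SaaS >> tab: Application >> left menu: Artifactory >> Packages >> ${{env.BUILD_NAME}} " >> $GITHUB_STEP_SUMMARY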
- name: "Package: Xray - docker Artifact scan"
  timeout-minutes: 15 # ref https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
  continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
  # Scan the image pulled above and associate the result with the build.
  # --fail=false: findings are reported, not enforced.
  run: >-
    jf docker scan ${{env.RT_REPO_DOCKER_URL}}
    --build-name ${{env.BUILD_NAME}} --build-number ${{env.BUILD_ID}}
    --format=table --extended-table=true --detailed-summary=true
    --vuln=true --licenses=true --threads=100 --fail=false
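- name: "Optional: Set env vars for BuildInfo" # These properties were captured in Builds >> spring-petclinic >> version >> Environment tab
  # Every `run` step is a fresh shell, so a plain `export` here is gone
  # before the later `jf rt bce` step runs and never reaches the build-info.
  # Writing to GITHUB_ENV makes the variables part of the environment of all
  # subsequent steps, which is what the env collector snapshots.
  run: |
    {
      echo "job=github-action"
      echo "org=ps"
      echo "team=architecture"
      echo "product=jfrog-saas"
    } >> "$GITHUB_ENV"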
# Build Info
# Regulatory references for SBOM / build provenance
# US – Executive Order 14028:
#   https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
#   https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity
# US Dept of Commerce: https://www.ntia.gov/page/software-bill-materials
# US Cyber Defence Agency: https://www.cisa.gov/sbom
# NIST: https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1
# NTIA: https://www.ntia.gov/page/software-bill-materials
# Centers for Medicare & Medicaid Services: https://security.cms.gov/learn/software-bill-materials-sbom
# India – CERT-IN: https://www.cert-in.org.in/sbom/

- name: "BuildInfo: Collect env"
  # Snapshot the runner's environment into the build-info (jf rt bce);
  # variables exported through GITHUB_ENV by earlier steps are included.
  run: >-
    jf rt bce ${{env.BUILD_NAME}} ${{env.BUILD_ID}}
    --project=${{env.PROJECT_KEY_APP_TRUST}}

- name: "BuildInfo: Adds dependencies"
  # NOTE(review): `jf rt bad` is called without a file pattern or --spec;
  # if the CLI requires one, this step fails on every run and
  # continue-on-error hides it — check the step log.
  continue-on-error: true
  run: >-
    jf rt bad ${{env.BUILD_NAME}} ${{env.BUILD_ID}}
    --project=${{env.PROJECT_KEY_APP_TRUST}}

- name: "BuildInfo: Add VCS info"
  # Record the git commit/branch/remote of the checkout (jf rt bag).
  run: >-
    jf rt bag ${{env.BUILD_NAME}} ${{env.BUILD_ID}}
    --project=${{env.PROJECT_KEY_APP_TRUST}}
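- name: "BuildInfo: Docker build create"
  # Link the pushed image to the build-info by digest: `jf rt bdc` reads an
  # "<image>@sha256:..." line from --image-file.
  run: |
    # -r strips jq's JSON quoting; without it the digest is emitted as
    # "\"sha256:...\"" and the image reference below is malformed.
    imageDigest=$(jq -r '.["containerimage.digest"]' "${{env.DOCKER_METADATA_JSON}}")
    if [ -z "${imageDigest}" ] || [ "${imageDigest}" = "null" ]; then
      echo "No containerimage.digest found in ${{env.DOCKER_METADATA_JSON}}" >&2
      exit 1
    fi
    echo "DOCKER_IMAGE_DIGEST: ${imageDigest}"
    # Export for later steps. The redirect target must be exactly $GITHUB_ENV;
    # any extra trailing character writes to a different file and the
    # variable silently never appears.
    echo "DOCKER_IMAGE_DIGEST=${imageDigest}" >> "$GITHUB_ENV"
    # The buildx metadata file is reused as the bdc image-file; its JSON
    # content is overwritten from this point on.
    echo "${{env.RT_REPO_DOCKER_URL}}@${imageDigest}" > ${{env.DOCKER_METADATA_JSON}}
    jf rt bdc ${{env.RT_REPO_DOCKER_VIRTUAL}} --image-file ${{env.DOCKER_METADATA_JSON}} --build-name=${{env.BUILD_NAME}} --build-number=${{env.BUILD_ID}} --project=${{env.PROJECT_KEY_APP_TRUST}}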
- name: "BuildInfo: Build Publish"
  # Publish the build-info (env, VCS, Docker image) under the AppTrust project.
  run: >-
    jf rt bp ${{env.BUILD_NAME}} ${{env.BUILD_ID}}
    --detailed-summary=true --project=${{env.PROJECT_KEY_APP_TRUST}}
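# Evidence - Build references
# Docs# https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-management
# CLI# https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/evidence-service
- name: "Evidence: Build Publish"
  # Attach a signed predicate to the published build-info. continue-on-error
  # is off, so a signing failure fails the job.
  # continue-on-error: true
  env:
    # Secrets are handed to the shell via the environment rather than ${{ }}
    # expansion: an expanded secret is embedded in the generated step script
    # on disk and appears in `jf`'s process arguments, neither of which
    # GitHub's log masking covers.
    EVD_SIGNING_KEY: ${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}
    EVD_KEY_ALIAS: ${{secrets.EVIDENCE_KEY_ALIAS}}
  run: |
    echo '{ "actor": "${{github.actor}}", "pipeline": "github actions","build_name": "${{env.BUILD_NAME}}", "build_id": "${{env.BUILD_ID}}", "evd": "Evidence-BuildPublish"}' > ./${{env.EVIDENCE_SPEC_JSON}}
    cat ./${{env.EVIDENCE_SPEC_JSON}}
    # --key also accepts a path to a private key file; keep it in a 0600
    # temp file outside the workspace for the lifetime of this step.
    umask 077
    key_file="$RUNNER_TEMP/evd-signing-key.pem"
    trap 'rm -f "$key_file"' EXIT
    printf '%s\n' "$EVD_SIGNING_KEY" > "$key_file"
    jf evd create --build-name ${{env.BUILD_NAME}} --build-number ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/signature/v1 --key "$key_file" --key-alias "$EVD_KEY_ALIAS"
    #echo " - Evidence for BUILD Publish attached. " >> $GITHUB_STEP_SUMMARY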
# curl -L 'https://psazuse.jfrog.io/xray/api/v1/binMgr/builds' -H 'Content-Type: application/json' -H 'Authorization: ••••••' -d '{ "names": ["spring-petclinic"] }'
- name: "Optional: Add Builds to Indexing Configuration"
  # Register the build name with Xray's indexing config so build scans have data.
  run: >-
    jf xr curl "/api/v1/binMgr/builds"
    -H 'Content-Type: application/json'
    -d '{"names": ["${{env.BUILD_NAME}}"] }'
# Set properties
- name: "Optional: Set prop for Artifact" # These properties were captured Artifacts >> repo path 'spring-petclinic.---.jar' >> Properties
  # Tag every artifact of this build with informational properties.
  run: |
    # NOTE(review): `ts` is assigned but never referenced; the ts property
    # below carries the build id instead — confirm which was intended.
    ts="cmd.$(date '+%Y-%m-%d-%H-%M')"
    jf rt sp "job=github-action;env=demo;org=ps;team=arch;pack_cat=webapp;build=maven;product=artifactory;features=package,buildinfo;ts=ts-${BUILD_ID}" --build="${{env.BUILD_NAME}}/${{env.BUILD_ID}}"
- name: "Optional: Query build info"
  env:
    BUILD_INFO_JSON: "BuildInfo-${{env.BUILD_ID}}.json"
  # Fetch the published build-info back from Artifactory for inspection.
  run: |
    jf rt curl "/api/build/${{env.BUILD_NAME}}/${{env.BUILD_ID}}" -o "$BUILD_INFO_JSON"
    cat "$BUILD_INFO_JSON"
- name: "Sleep for few seconds"
  env:
    SLEEP_TIME: 30
  # Timing workaround: waiting SLEEP_TIME seconds after the build publish was
  # observed to resolve build-scan failures, presumably because Xray needs a
  # moment to pick the build up. Not a real synchronisation.
  run: |
    echo "Sleeping for ${{env.SLEEP_TIME}} seconds..."
    sleep ${{env.SLEEP_TIME}}
    echo "Awake now!"
- name: "Optional: Query - Build Scan status"
  # Ask Xray whether this build has been scanned yet.
  run: >-
    jf xr curl "/api/v1/build/status"
    -H 'Content-Type: application/json'
    -d '{"name": "${{env.BUILD_NAME}}", "number": "${{env.BUILD_ID}}" }'
# ref https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-security/enrich-your-sbom
# MVN plugin '<artifactId>cyclonedx-maven-plugin</artifactId>' is used to generate SBOM information in the CycloneDX format# target/classes/META-INF/sbom/application.cdx.json
# ref https://spring.io/blog/2024/05/24/sbom-support-in-spring-boot-3-3
- name: "Optional: Xray sbom-enrich"
  # Enrich the Maven-generated CycloneDX SBOM with Xray vulnerability data.
  run: |
    jf se "target/classes/META-INF/sbom/application.cdx.json" --threads=100
- name: "BuildInfo: Xray - Build scan"
  timeout-minutes: 15 # ref https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
  continue-on-error: true # ref: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
  # --fail=false: the scan reports but never gates; policy violations do not
  # fail the job.
  run: >-
    jf bs ${{env.BUILD_NAME}} ${{env.BUILD_ID}}
    --fail=false --format=table --extended-table=true --rescan=false --vuln=true
    --project=${{env.PROJECT_KEY_APP_TRUST}}

- name: "Optional: Build Scan V2" # https://jfrog.com/help/r/xray-rest-apis/scan-build-v2
  # jf xr curl /api/v2/ci/build -H 'Content-Type: application/json' -d '{"build_name": "spring-petclinic", "build_number": "ga-gdl-xray-50","rescan":true }'
  run: >-
    jf xr curl /api/v2/ci/build
    -H 'Content-Type: application/json'
    -d '{"build_name": "${{env.BUILD_NAME}}", "build_number": "${{env.BUILD_ID}}","rescan":false }'
# Release Bundle v2
- name: "RLM: RBv2 spec - create"
  # File spec selecting this build (and its dependencies) for the bundle.
  run: |
    echo '{ "files": [ {"build": "${{env.BUILD_NAME}}/${{env.BUILD_ID}}", "includeDeps":"true"} ] }' > ${{env.RBv2_SPEC_JSON}}

- name: "RLM: RBv2 Create NEW"
  # Create and sign the release bundle version; --sync waits for completion.
  # RBV2_SIGNING_KEY is the name of a key stored in Artifactory, not key material.
  run: |
    cat ${{env.RBv2_SPEC_JSON}}
    jf rbc ${{env.BUILD_NAME}} ${{env.BUILD_ID}} --sync=true --signing-key=${{secrets.RBV2_SIGNING_KEY}} --spec=${{env.RBv2_SPEC_JSON}} --project=${{env.PROJECT_KEY_APP_TRUST}}

- name: "RLM: Xray Indexing"
  # Register the bundle name with Xray's release-bundle indexing config.
  run: >-
    jf xr curl "/api/v1/binMgr/release_bundle_v2"
    -H 'Content-Type: application/json'
    -d "{\"names\": [\"${{env.BUILD_NAME}}\"] }"
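# Evidence - RBv2 new references
# Docs# https://jfrog.com/help/r/jfrog-artifactory-documentation/evidence-management
# CLI# https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/binaries-management-with-jfrog-artifactory/evidence-service
- name: "Evidence: RBv2 state NEW"
  # Attach a signed promotion-type predicate to the freshly created release
  # bundle version. continue-on-error is off, so a signing failure fails the job.
  # continue-on-error: true
  env:
    # https://psazuse.jfrog.io/ui/artifactory/lifecycle/?bundleName=spring-petclinic&bundleToFlash=spring-petclinic&repositoryKey=release-bundles-v2&activeKanbanTab=promotion
    # UI deep links; not referenced by the run script below as written.
    NAME_LINK: "${{env.JF_RT_URL}}/ui/artifactory/lifecycle/?bundleName=${{env.BUILD_NAME}}&bundleToFlash=${{env.BUILD_NAME}}&repositoryKey=release-bundles-v2&activeKanbanTab=promotion"
    # NOTE(review): the single quotes around the values become literal
    # characters in the query string — probably unintended.
    VER_LINK: "${{env.JF_RT_URL}}/ui/artifactory/lifecycle/?bundleName='${{env.BUILD_NAME}}'&bundleToFlash='${{env.BUILD_NAME}}'&releaseBundleVersion='${{env.BUILD_ID}}'&repositoryKey=release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion"
    # Secrets are handed to the shell via the environment rather than ${{ }}
    # expansion: an expanded secret is embedded in the generated step script
    # on disk and appears in `jf`'s process arguments, neither of which
    # GitHub's log masking covers.
    EVD_SIGNING_KEY: ${{secrets.KRISHNAM_JFROG_EVD_PRIVATEKEY}}
    EVD_KEY_ALIAS: ${{secrets.EVIDENCE_KEY_ALIAS}}
  run: |
    echo '{ "actor": "${{github.actor}}", "pipeline": "github actions", "build_name": "${{env.BUILD_NAME}}", "build_id": "${{env.BUILD_ID}}", "evd": "Evidence-RBv2", "rbv2_stage": "NEW" }' > ./${{env.EVIDENCE_SPEC_JSON}}
    cat ./${{env.EVIDENCE_SPEC_JSON}}
    # --key also accepts a path to a private key file; keep it in a 0600
    # temp file outside the workspace for the lifetime of this step.
    umask 077
    key_file="$RUNNER_TEMP/evd-signing-key.pem"
    trap 'rm -f "$key_file"' EXIT
    printf '%s\n' "$EVD_SIGNING_KEY" > "$key_file"
    jf evd create --release-bundle ${{env.BUILD_NAME}} --release-bundle-version ${{env.BUILD_ID}} --predicate ./${{env.EVIDENCE_SPEC_JSON}} --predicate-type https://jfrog.com/evidence/promotion/v1 --key "$key_file" --key-alias "$EVD_KEY_ALIAS" --project=${{env.PROJECT_KEY_APP_TRUST}}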