angular-17-spring-boot-mysql-example/.github/workflows/build-and-push.yml at 069f6754b7156617a77f124bedc7760282213494 · bezkoder/angular-17-spring-boot-mysql-example · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: Docker Build and Push

on:
  push:
    branches: [ "main", "master" ]
  workflow_dispatch:

env:
  GHCR_REGISTRY: ghcr.io
  HARBOR_REGISTRY: demo.goharbor.io
  HARBOR_PROJECT: angular-17-spring-boot-mysql-example
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        include:
          - service: backend
            context: ./spring-boot-server
            dockerfile: ./spring-boot-server/Dockerfile
          - service: frontend
            context: ./angular-17-client
            dockerfile: ./angular-17-client/Dockerfile

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx with Container Driver
        uses: docker/setup-buildx-action@v3
        with:
          driver: docker-container

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.GHCR_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to Harbor Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.HARBOR_REGISTRY }}
          username: ${{ secrets.HARBOR_USERNAME }}
          password: ${{ secrets.HARBOR_PASSWORD }}

      - name: Define image metadata for GHCR
        id: meta-ghcr
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}/${{ matrix.service }}
          tags: |
            type=sha,format=long,prefix=
            type=raw,value=latest,enable={{is_default_branch}}
            type=ref,event=tag

      - name: Define image metadata for Harbor
        id: meta-harbor
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_PROJECT }}/${{ matrix.service }}
          tags: |
            type=sha,format=long,prefix=
            type=raw,value=latest,enable={{is_default_branch}}
            type=ref,event=tag

      - name: Lint Dockerfile
        uses: hadolint/[email protected]
        with:
          dockerfile: ${{ matrix.dockerfile }}

      - name: Build and push to GHCR
        uses: docker/build-push-action@v5
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
          push: true
          tags: ${{ steps.meta-ghcr.outputs.tags }}
          labels: ${{ steps.meta-ghcr.outputs.labels }}
          cache-from: type=gha,scope=${{ matrix.service }}
          cache-to: type=gha,mode=max,scope=${{ matrix.service }}

      - name: Build and push to Harbor
        id: harbor-build
        uses: docker/build-push-action@v5
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
          push: true
          tags: ${{ steps.meta-harbor.outputs.tags }}
          labels: ${{ steps.meta-harbor.outputs.labels }}
          cache-from: type=gha,scope=${{ matrix.service }}

      - name: Extract Harbor image details
        id: harbor-image
        run: |
          FIRST_TAG=$(echo "${{ steps.meta-harbor.outputs.tags }}" | head -n 1)
          REPO_TAG=$(echo "$FIRST_TAG" | cut -d'/' -f3-)
          REPO=$(echo "$REPO_TAG" | cut -d':' -f1)
          TAG=$(echo "$REPO_TAG" | cut -d':' -f2)

          echo "project=${{ env.HARBOR_PROJECT }}" >> $GITHUB_OUTPUT
          echo "repo=$REPO" >> $GITHUB_OUTPUT
          echo "tag=$TAG" >> $GITHUB_OUTPUT
          echo "full_image=$FIRST_TAG" >> $GITHUB_OUTPUT

      - name: Wait for Harbor deployment
        uses: kyberorg/[email protected]
        with:
          hostname: ${{ env.HARBOR_REGISTRY }}
          schema: 'https'
          robot: ${{ secrets.HARBOR_USERNAME }}
          token: ${{ secrets.HARBOR_PASSWORD }}
          imageProject: ${{ steps.harbor-image.outputs.project }}
          imageRepo: ${{ steps.harbor-image.outputs.repo }}
          imageTag: ${{ steps.harbor-image.outputs.tag }}
          imageSha: ${{ steps.harbor-build.outputs.digest }}
          interval: 5
          timeout: 300

      - name: Extract first GHCR tag for security scan
        id: first_tag
        run: |
          FIRST_TAG=$(echo "${{ steps.meta-ghcr.outputs.tags }}" | head -n 1)
          echo "tag=$FIRST_TAG" >> $GITHUB_OUTPUT

      - name: Run Trivy vulnerability scanner (fail only on CRITICAL)
        uses: aquasecurity/trivy-action@master
        continue-on-error: true
        with:
          image-ref: ${{ steps.first_tag.outputs.tag }}
          format: table
          exit-code: 1
          vuln-type: 'os,library'
          severity: 'CRITICAL'