Merge pull request #194 from sir-gon/feature/ga-docker

sir-gon · web-flow · commit f132a2e73d20 · 2024-07-10T23:52:58.000-04:00
Feature/ga docker
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -21,6 +21,7 @@ A clear and concise description of what the bug is.
 
 **To Reproduce**
 Steps to reproduce the behavior:
+
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
@@ -33,8 +34,10 @@ A clear and concise description of what you expected to happen.
 If applicable, add screenshots to help explain your problem.
 
 **Desktop (please complete the following information):**
- - OS: [e.g. MacOS, Windows, Linux <distribution>]
- - Version [e.g. 10]
+
+- OS: [e.g. MacOS, Windows, Linux \<distribution\>]
+- Version [e.g. 10]
 
 **Additional context**
-Add any other context about the problem here. Consider environment variables, IDE (+ version), framework version, runtime version, command and parameters of execution.
+Add any other context about the problem here. Consider environment variables,
+IDE (+ version), framework version, runtime version, command and parameters of execution.
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -8,30 +8,127 @@ on: # yamllint disable-line rule:truthy
   pull_request:
     branches: ["main"]
 
-permissions: read-all
+env:
+  IMAGE_NAME: algorithm-exercises-java
+  ARTIFACT_NAME: algorithm-exercises-java_${{ github.sha }}
 
 jobs:
 
   build:
-    name: Build & Test in Docker
+    name: "Build Docker images"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: "LINT: Build and push"
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: lint
+          outputs: |
+            type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_lint.tar
+          tags: |
+            ${{ env.IMAGE_NAME }}:lint
+      - name: "LINT: Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_lint
+          path: /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
+
+      - name: "TEST: Build and push"
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: testing
+          outputs: |
+            type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_test.tar
+          tags: |
+            ${{ env.IMAGE_NAME }}:test
+      - name: "TEST: Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_test
+          path: /tmp/${{ env.ARTIFACT_NAME }}_test.tar
 
+      - name: "PRODUCTION: Build and push"
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: production
+          outputs: |
+            type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_prod.tar
+          tags: |
+            ${{ env.IMAGE_NAME }}:latest
+            ${{ env.IMAGE_NAME }}:${{ github.sha }}
+      - name: "PRODUCTION: Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_prod
+          path: /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
+
+  lint:
+    name: "Run in docker: LINT"
     runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_lint
+          path: /tmp/
+
+      - name: Load image
+        run: |
+          docker load --input /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
+          docker image ls -a
 
+      - name: Run lint
+        run: |
+          docker run --rm ${{ env.IMAGE_NAME }}:lint make lint
+
+  test:
+    name: "Run in docker: TEST"
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_test
+          path: /tmp/
+
+      - name: Load image
+        run: |
+          docker load --input /tmp/${{ env.ARTIFACT_NAME }}_test.tar
+          docker image ls -a
+
+      - name: Run test
+        run: |
+          docker run --rm ${{ env.IMAGE_NAME }}:test make test
+
+  security:
+    name: "Snyk Container"
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-      - name: Build the Docker image
-        run: make compose/rebuild
-      - name: Lint in Docker image
-        run: make compose/lint
-      - name: Test in Docker image
-        run: make compose/test
-      - name: Run in Docker image
-        run: make compose/run
-      - name: Tag Docker image
-        run: >
-          docker tag
-          algorithm-exercises-java:latest
-          algorithm-exercises-java:${{ github.sha }}
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_prod
+          path: /tmp/
+
+      - name: Load image
+        run: |
+          docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
+          docker image ls -a
 
       - name: Run Snyk to check Docker image for vulnerabilities
         # Snyk can be used to break the build when it detects vulnerabilities.
@@ -46,11 +143,47 @@ jobs:
           # yamllint enable rule:line-length
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          image: algorithm-exercises-java:latest
+          image: ${{ env.IMAGE_NAME }}:${{ github.sha }}
           args: --file=Dockerfile
-      # yamllint disable rule:comments-indentation
-      # - name: Upload result to GitHub Code Scanning
-      #   uses: github/codeql-action/upload-sarif@v2
-      #   with:
-      #     sarif_file: snyk.sarif
-      # yamllint enable rule:comments-indentation
+      # yamllint disable rule:line-length
+      # https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400
+      - name: Replace security-severity undefined for license-related findings
+        run: |
+          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
+          sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
+      # yamllint enable rule:line-length
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'snyk.sarif'
+  scan:
+    name: "Trivy"
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_prod
+          path: /tmp/
+
+      - name: Load image
+        run: |
+          docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
+          docker image ls -a
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/java-gradle-coverage.yml b/.github/workflows/java-gradle-coverage.yml
@@ -28,7 +28,7 @@ jobs:
       - name: Set up JDK
         uses: actions/setup-java@v4
         with:
-          java-version: 21
+          java-version: 22
           # Alternative distribution options are available
           distribution: temurin
       - name: Validate Gradle wrapper
diff --git a/.github/workflows/java-gradle.yml b/.github/workflows/java-gradle.yml
@@ -24,7 +24,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        java: ['20', '21']
+        java: ['20', '21', '22']
     runs-on: ${{ matrix.os }}
 
     steps:
diff --git a/.github/workflows/snyk-code.yml b/.github/workflows/snyk-code.yml
@@ -0,0 +1,27 @@
+---
+
+name: Snyk Code (Java gradle-jdk17)
+
+on: push # yamllint disable-line rule:truthy
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: code test
+          args: --sarif-file-output=snyk-code.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'snyk-code.sarif'
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
@@ -22,7 +22,7 @@ jobs:
       - name: Set up JDK
         uses: actions/setup-java@v4
         with: # Alternative distribution options are available
-          java-version: 21
+          java-version: 22
           distribution: temurin
       - name: Cache SonarCloud packages
         uses: actions/cache@v4
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
diff --git a/Dockerfile b/Dockerfile
