-
-
Notifications
You must be signed in to change notification settings - Fork 55
342 lines (291 loc) · 16.2 KB
/
Copy pathrelease.yml
File metadata and controls
342 lines (291 loc) · 16.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
name: Verify and Release
on:
workflow_dispatch:
inputs:
release:
description: 'Version to release'
required: true
permissions: read-all
env:
javaVersion: java26
jobs:
release:
name: Release
runs-on: ubuntu-26.04
timeout-minutes: 60
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: write # Needed for checkout, git-auto-commit-action, and creating releases
packages: write # Needed for publishing packages
id-token: write # Required for SLSA provenance and SBOM attestation
actions: read # Basic read access to actions
security-events: write # Needed for SBOM attestation
statuses: write # Required for commit statuses updated by actions
issues: write # Updated to write for release-drafter
pull-requests: write # Updated to write for release-drafter
pages: read
deployments: write
attestations: write # Required to create and persist attestations
strategy:
fail-fast: false
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: block
allowed-endpoints: >
api.adoptopenjdk.net:443
api.adoptium.net:443
api.github.com:443
archive.apache.org:443
azure.archive.ubuntu.com:80
azure.archive.ubuntu.com:443
security.ubuntu.com:80
security.ubuntu.com:443
github.com:443
maven.java.net:443
maven.vaadin.com:443
objects.githubusercontent.com:443
oss.sonatype.org:443
raw.githubusercontent.com:443
repo.maven.apache.org:443
maven.mirrors.opennms.org:443
repo1.maven.org:443
repository.mulesoft.org:443
tools.google.com:80
tools.vaadin.com:443
uploads.github.com:443
spdx.org:443
sonarcloud.io:443
repository.jboss.org:443
repository.sonatype.org:443
files.pythonhosted.org:443
pypi.org:443
www.bridgecrew.cloud:443
docs.github.com:443
dlcdn.apache.org:443
archive.apache.org:443
esm.ubuntu.com:443
fulcio.sigstore.dev:443
packages.microsoft.com:443
rekor.sigstore.dev:443
release-drafter.github.io:443
release-assets.githubusercontent.com:443
motd.ubuntu.com:443
dl.google.com:443
- name: Checkout repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 2
- name: Set up JDK 26
uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0
with:
distribution: 'temurin'
java-version: '26'
java-package: 'jdk' # Explicitly specify JDK package
check-latest: true # Always get latest patch version
# Disable built-in cache - we use optimized manual caching below
cache: ''
server-id: 'github' # Optional: For GitHub Packages authentication
architecture: 'x64' # Explicitly specify architecture
# Optimized Maven caching with multiple fallback levels for better resilience
- name: Cache Maven dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: |
~/.m2/repository
~/.m2/wrapper
~/.sonar/cache
# Include Maven version in key for isolation
key: ${{ runner.os }}-maven-3.9.16-${{ hashFiles('**/pom.xml', '.mvn/**') }}
restore-keys: |
${{ runner.os }}-maven-3.9.16-${{ hashFiles('**/pom.xml') }}
${{ runner.os }}-maven-3.9.16-
${{ runner.os }}-maven-
- name: APT update
run: sudo apt-get update
- name: Install buildtools
run: sudo apt-get install -y graphviz build-essential fakeroot devscripts debhelper dh-make wget
- name: Install PostgreSQL
run: sudo apt-get install -y postgresql-18 postgresql-contrib-18 postgresql-18-pgaudit postgresql-18-pgvector
- name: Create PostgreSQL 18 cluster
run: |
# Drop pre-installed PostgreSQL clusters that block port 5432
sudo pg_dropcluster --stop 14 main || true
sudo pg_dropcluster --stop 16 main || true
# Create and start PostgreSQL 18 cluster (idempotent)
if sudo pg_lsclusters 18 main >/dev/null 2>&1; then
sudo pg_ctlcluster 18 main start
else
sudo pg_createcluster 18 main --start
fi
- name: Configure PostgreSQL
run: |
# Enable prepared transactions and required extensions
sudo sed -i "s/#max_prepared_transactions = 0/max_prepared_transactions = 100/" /etc/postgresql/18/main/postgresql.conf
sudo sed -i "s/#shared_preload_libraries = ''/shared_preload_libraries = 'pg_stat_statements, pgaudit, pgcrypto'/" /etc/postgresql/18/main/postgresql.conf
echo "pgaudit.log = ddl" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "pg_stat_statements.track = all" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "pg_stat_statements.max = 10000" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
# Performance optimization settings per README-SCHEMA-MAINTENANCE.md
# Memory settings (adjusted for GitHub Actions ~7GB RAM, lower than production recommendations)
echo "shared_buffers = '1GB'" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "effective_cache_size = '4GB'" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "work_mem = '32MB'" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "maintenance_work_mem = '256MB'" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
# Checkpoint settings for write performance
echo "checkpoint_completion_target = 0.9" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "wal_buffers = '16MB'" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "max_wal_size = '2GB'" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "min_wal_size = '512MB'" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
# Query planning optimizations (SSD storage on GitHub Actions)
echo "random_page_cost = 1.1" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "effective_io_concurrency = 200" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
# Connection settings (reduced for CI environment)
echo "max_connections = 100" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
# Add IPv6 loopback access
echo "host all all ::1/128 md5" | sudo tee -a /etc/postgresql/18/main/pg_hba.conf
- name: Generate SSL certificates for PostgreSQL
run: |
# Generate secure random passphrase
openssl rand -base64 48 > passphrase.txt
# Create passphrase-protected private key
openssl genrsa -des3 -passout file:passphrase.txt -out server.pass.key 2048
# Remove passphrase protection from private key
openssl rsa -passin file:passphrase.txt -in server.pass.key -out server.key
rm server.pass.key
# Create Certificate Signing Request
openssl req -new -key server.key -out server.csr \
-subj "/C=UK/ST=PostgreSQL/L=Docker/O=Hack23/OU=demo/CN=127.0.0.1"
# Self-sign the certificate (valid for 10 years)
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
# Clean up temporary files
rm passphrase.txt server.csr
- name: Deploy SSL certificate and key for PostgreSQL
run: |
# Copy certificate and key to PostgreSQL data directory
sudo cp server.crt /var/lib/postgresql/18/main/server.crt
sudo cp server.key /var/lib/postgresql/18/main/server.key
# Secure the certificate and key
sudo chmod 600 /var/lib/postgresql/18/main/server.key
sudo chmod 644 /var/lib/postgresql/18/main/server.crt
sudo chown postgres:postgres /var/lib/postgresql/18/main/server.key
sudo chown postgres:postgres /var/lib/postgresql/18/main/server.crt
# Enable SSL in PostgreSQL
echo "ssl = on" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "ssl_cert_file = '/var/lib/postgresql/18/main/server.crt'" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
echo "ssl_key_file = '/var/lib/postgresql/18/main/server.key'" | sudo tee -a /etc/postgresql/18/main/postgresql.conf
# Provide SSL certificate to the runner user
mkdir -p $HOME/.postgresql
cp server.crt $HOME/.postgresql/root.crt
chmod 600 $HOME/.postgresql/root.crt
# Clean up
rm server.key server.crt
# Restart PostgreSQL to apply all changes
sudo systemctl restart postgresql
- name: Create CIA database and user
run: |
sudo -u postgres psql -c "CREATE USER eris WITH PASSWORD 'discord';"
sudo -u postgres psql -c "CREATE DATABASE cia_dev;"
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE cia_dev TO eris;"
sudo -u postgres psql -d cia_dev -c "CREATE EXTENSION IF NOT EXISTS pg_stat_statements;"
sudo -u postgres psql -d cia_dev -c "CREATE EXTENSION IF NOT EXISTS pgaudit;"
sudo -u postgres psql -d cia_dev -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;"
sudo -u postgres psql -d cia_dev -c "GRANT ALL ON SCHEMA public TO eris;"
- name: Load database schema
run: |
# Load the full schema into the database
sudo -u postgres psql -d cia_dev -f service.data.impl/src/main/resources/full_schema.sql || echo "Schema load completed with warnings (expected for first-time setup)"
- name: Remove localtime
run: sudo rm /etc/localtime
- name: Set Swedish localtime
run: sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
- name: Update tzdata
run: sudo dpkg-reconfigure -f noninteractive tzdata
- name: Set up Maven
uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
with:
maven-version: 3.9.16
- name: Set Version for release
run: mvn -B --file parent-pom/pom.xml versions:set -DnewVersion="${{ github.event.inputs.release }}" -Pall-modules versions:commit -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 -Dmaven.wagon.http.pool=true
- uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
with:
commit_message: Automated Release ${{ github.event.inputs.release }}
branch: release-${{ github.event.inputs.release }}
tagging_message: '${{ github.event.inputs.release }}'
create_branch: true
- name: Build with Maven
run: mvn -B --file pom.xml clean install -Prelease-site,all-modules -DforkMode=once '-Dtest=!**ITest*,!**DocumentationTest*' -Dmaven.test.skip=true -DfailIfNoTests=false -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 -Dmaven.wagon.http.pool=true
# Rename SPDX files to align with artifact naming convention
- name: Rename SPDX files to match artifact names
run: |
cp -v cia-dist-deb/target/site/com.hack23.cia_cia-dist-deb-${{ github.event.inputs.release }}.spdx.json cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.spdx.json
cp -v citizen-intelligence-agency/target/site/com.hack23.cia_citizen-intelligence-agency-${{ github.event.inputs.release }}.spdx.json citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.spdx.json
# Generate artifact attestation for DEB package
- name: Generate artifact attestation for deb package
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
id: attest_deb
with:
subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb'
- name: Copy artifact attestation for deb package
run: cp ${{ steps.attest_deb.outputs.bundle-path }} cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl
# Generate SBOM attestation for DEB package (actions/attest with sbom-path replaces deprecated actions/attest-sbom)
- name: Generate SBOM attestation for deb package
id: attestsbom_deb
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
with:
subject-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb'
sbom-path: 'cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.spdx.json'
- name: Copy SBOM attestation for deb package
run: cp ${{ steps.attestsbom_deb.outputs.bundle-path }} cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.spdx.json.intoto.jsonl
# Generate artifact attestation for WAR
- name: Generate artifact attestation for WAR
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
id: attest_war
with:
subject-path: 'citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war'
- name: Copy artifact attestation for WAR
run: cp ${{ steps.attest_war.outputs.bundle-path }} citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.intoto.jsonl
# Generate SBOM attestation for WAR (actions/attest with sbom-path replaces deprecated actions/attest-sbom)
- name: Generate SBOM attestation for WAR
id: attestsbom_war
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
with:
subject-path: 'citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war'
sbom-path: 'citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.spdx.json'
- name: Copy SBOM attestation for WAR
run: cp ${{ steps.attestsbom_war.outputs.bundle-path }} citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.spdx.json.intoto.jsonl
- name: Draft Release Notes
id: release-notes
uses: release-drafter/release-drafter@ed4bc48ec97379be2258e7b7ac2624a3e26ab809 # v7.4.0
with:
config-name: release-drafter.yml
version: ${{ github.event.inputs.release }}
tag: ${{ github.event.inputs.release }}
name: Release ${{ github.event.inputs.release }}
publish: false
prerelease: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create a GitHub release
uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
with:
tag: '${{ github.event.inputs.release }}'
generateReleaseNotes: false
immutableCreate: true
name: Release ${{ github.event.inputs.release }}
body: ${{ steps.release-notes.outputs.body }}
artifacts: |
cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb
cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.intoto.jsonl
cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.spdx.json
cia-dist-deb/target/cia-dist-deb-${{ github.event.inputs.release }}.all.deb.spdx.json.intoto.jsonl
citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war
citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.intoto.jsonl
citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.spdx.json
citizen-intelligence-agency/target/citizen-intelligence-agency-${{ github.event.inputs.release }}.war.spdx.json.intoto.jsonl
cia-dist-cloudformation/src/main/resources/cia-dist-cloudformation.json
- name: Submit Dependency Release
uses: advanced-security/maven-dependency-submission-action@b275d12641ac2d2108b2cbb7598b154ad2f2cee8 # v5.0.0