diff --git a/.github/workflows/ci-build-publish.yml b/.github/workflows/ci-build-publish.yml
new file mode 100644
index 0000000..db10cb6
--- /dev/null
+++ b/.github/workflows/ci-build-publish.yml
@@ -0,0 +1,166 @@ +name: CI Build and Publish + +on: + workflow_call: + secrets: + AZURE_DEVOPS_ARTIFACT_USERNAME: + required: true + AZURE_DEVOPS_ARTIFACT_TOKEN: + required: true + HMCTS_ADO_PAT: + required: true + inputs: + is_release: + required: false + type: boolean + default: false + is_publish: + required: true + type: boolean + trigger_docker: + required: true + type: boolean + trigger_deploy: + required: true + type: boolean + +jobs: + Artefact-Version: + runs-on: ubuntu-latest + outputs: + artefact_version: ${{ inputs.is_release && steps.artefact.outputs.release_version || steps.artefact.outputs.draft_version }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Generate Artefact Version + id: artefact + uses: hmcts/artefact-version-action@v1 + with: + release: ${{ inputs.is_release }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + Build: + needs: [Artefact-Version] + runs-on: ubuntu-latest + outputs: + repo_name: ${{ steps.repo_vars.outputs.repo_name }} + artefact_name: ${{ steps.repo_vars.outputs.artefact_name }} + steps: + - name: Checkout source code + uses: actions/checkout@v4 + + - name: Set up JDK + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '21' + + - name: Set up Gradle + uses: gradle/actions/setup-gradle@v4 + with: + gradle-version: current + + - name: Gradle Build and Publish + env: + ARTEFACT_VERSION: ${{ needs.Artefact-Version.outputs.artefact_version }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + AZURE_DEVOPS_ARTIFACT_USERNAME: ${{ secrets.AZURE_DEVOPS_ARTIFACT_USERNAME }} + AZURE_DEVOPS_ARTIFACT_TOKEN: ${{ secrets.AZURE_DEVOPS_ARTIFACT_TOKEN }} + run: | + echo "Building with ARTEFACT_VERSION=$ARTEFACT_VERSION" + + gradle build -DARTEFACT_VERSION=$ARTEFACT_VERSION + + if [ -z "AZURE_DEVOPS_ARTIFACT_USERNAME" ]; then + echo "::warning::AZURE_DEVOPS_ARTIFACT_USERNAME is null or not set" + fi + + if [ -z "$AZURE_DEVOPS_ARTIFACT_TOKEN" ]; then + echo 
"::warning::AZURE_DEVOPS_ARTIFACT_TOKEN is null or not set" + fi + + if [ "${{ inputs.is_publish }}" == "true" ]; then + echo "Publishing artefact for version: $ARTEFACT_VERSION" + + gradle publish \ + -DARTEFACT_VERSION=$ARTEFACT_VERSION \ + -DGITHUB_REPOSITORY=${{ github.repository }} \ + -DGITHUB_ACTOR=${{ github.actor }} \ + -DGITHUB_TOKEN=$GITHUB_TOKEN \ + -DAZURE_DEVOPS_ARTIFACT_USERNAME=$AZURE_DEVOPS_ARTIFACT_USERNAME \ + -DAZURE_DEVOPS_ARTIFACT_TOKEN=$AZURE_DEVOPS_ARTIFACT_TOKEN + fi + + - name: Extract repo name + id: repo_vars + run: | + repo_name=${GITHUB_REPOSITORY##*/} + echo "repo_name=${repo_name}" >> $GITHUB_OUTPUT + echo "artefact_name=${repo_name}-${{ needs.Artefact-Version.outputs.artefact_version }}" >> $GITHUB_OUTPUT + + - name: Upload JAR Artefact + uses: actions/upload-artifact@v4 + with: + name: app-jar + path: build/libs/${{ steps.repo_vars.outputs.artefact_name }}.jar + + Build-Docker: + needs: [ Build, Artefact-Version ] + if: ${{ inputs.trigger_docker }} + runs-on: ubuntu-latest + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Download JAR Artefact + uses: actions/download-artifact@v4 + with: + name: app-jar + path: build/libs + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Packages + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and Push Docker Image to GitHub + uses: docker/build-push-action@v6 + with: + context: . 
+ file: Dockerfile + push: true + tags: | + ghcr.io/${{ github.repository }}:${{ needs.Artefact-Version.outputs.artefact_version }} + build-args: | + BASE_IMAGE=openjdk:21-jdk-slim + JAR_FILENAME=${{ needs.Build.outputs.artefact_name }}.jar + + Deploy: + needs: [ Build, Artefact-Version ] + if: ${{ inputs.trigger_deploy }} + runs-on: ubuntu-latest + steps: + - name: Extract repo name + run: echo "REPO_NAME=${GITHUB_REPOSITORY##*/}" >> $GITHUB_ENV + + - name: Trigger ADO pipeline + uses: hmcts/trigger-ado-pipeline@v1 + with: + pipeline_id: 460 + ado_pat: ${{ secrets.HMCTS_ADO_PAT }} + template_parameters: > + { + "GROUP_ID": "uk.gov.hmcts.cp", + "ARTIFACT_ID": "${{ env.REPO_NAME }}", + "ARTIFACT_VERSION": "${{ needs.Artefact-Version.outputs.artefact_version }}", + "TARGET_REPOSITORY": "${{ github.repository }}" + } \ No newline at end of file diff --git a/.github/workflows/ci-draft.yml b/.github/workflows/ci-draft.yml index c9e77d3..e8d3dee 100644 --- a/.github/workflows/ci-draft.yml +++ b/.github/workflows/ci-draft.yml @@ -1,4 +1,4 @@ -name: CI Build and Publish Increments Draft +name: Build and Publish (Non-Release) on: pull_request: 
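Review bot: The username check in the "Gradle Build and Publish" step tests a literal string, `if [ -z "AZURE_DEVOPS_ARTIFACT_USERNAME" ]`, so it can never fire; it should read `if [ -z "$AZURE_DEVOPS_ARTIFACT_USERNAME" ]` like the token check that follows it. The same step also hands both secrets and `GITHUB_TOKEN` to Gradle as `-D` system properties, which puts them on the process command line, while the `build.gradle` hunk in this diff reads those values via `System.getenv`; unless some other part of the build reads the system properties, the `-D` flags carrying secrets are redundant and can go. Because `env:` is set on the whole step, the secrets are also present in the environment of `gradle build` (tests and plugins included) on every run, including callers that pass `is_publish: false`; splitting publish into its own step gated with `if: ${{ inputs.is_publish }}` confines them to the run that needs them. Values such as `${{ github.repository }}`, `${{ github.actor }}` and the artefact version are likewise better passed through `env:` than interpolated straight into `run:` text, so the shell only ever sees quoted variables.
```yaml
      - name: Gradle Build
        env:
          ARTEFACT_VERSION: ${{ needs.Artefact-Version.outputs.artefact_version }}
        run: |
          echo "Building with ARTEFACT_VERSION=$ARTEFACT_VERSION"
          gradle build -DARTEFACT_VERSION="$ARTEFACT_VERSION"

      - name: Gradle Publish
        if: ${{ inputs.is_publish }}
        env:
          ARTEFACT_VERSION: ${{ needs.Artefact-Version.outputs.artefact_version }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AZURE_DEVOPS_ARTIFACT_USERNAME: ${{ secrets.AZURE_DEVOPS_ARTIFACT_USERNAME }}
          AZURE_DEVOPS_ARTIFACT_TOKEN: ${{ secrets.AZURE_DEVOPS_ARTIFACT_TOKEN }}
        run: |
          for name in AZURE_DEVOPS_ARTIFACT_USERNAME AZURE_DEVOPS_ARTIFACT_TOKEN; do
            if [ -z "${!name}" ]; then
              echo "::warning::$name is null or not set"
            fi
          done
          echo "Publishing artefact for version: $ARTEFACT_VERSION"
          # build.gradle reads the tokens from the environment; the -D flags for them are
          # dropped on that basis -- confirm nothing reads the matching system properties.
          gradle publish \
            -DARTEFACT_VERSION="$ARTEFACT_VERSION" \
            -DGITHUB_REPOSITORY="$GITHUB_REPOSITORY" \
            -DGITHUB_ACTOR="$GITHUB_ACTOR"

      # … unchanged: Extract repo name, Upload JAR Artefact …
```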
@@ -11,166 +11,14 @@ on: - main jobs: - Artefact-Version: - runs-on: ubuntu-latest - outputs: - draft_version: ${{ steps.vars.outputs.draft_version }} - latest_tag: ${{ steps.vars.outputs.latest_tag }} - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 + ci-draft: + uses: ./.github/workflows/ci-build-publish.yml + secrets: + AZURE_DEVOPS_ARTIFACT_USERNAME: ${{ secrets.AZURE_DEVOPS_ARTIFACT_USERNAME }} + AZURE_DEVOPS_ARTIFACT_TOKEN: ${{ secrets.AZURE_DEVOPS_ARTIFACT_TOKEN }} + HMCTS_ADO_PAT: ${{ secrets.HMCTS_ADO_PAT }} + with: + is_publish: ${{ github.event_name == 'push' }} + trigger_docker: ${{ github.event_name == 'push' }} + trigger_deploy: ${{ github.event_name == 'push' }} - - name: Get short SHA for versioning - id: vars - run: | - if LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null); then - : - else - LATEST_TAG="v0.0.0" - fi - echo "🏷️ Latest Git tag resolved to: $LATEST_TAG" - LATEST_TAG="${LATEST_TAG#v}" - - echo "latest_tag=$LATEST_TAG" >> $GITHUB_OUTPUT - - SHORT_SHA=$(git rev-parse --short HEAD) - DRAFT_VERSION="${LATEST_TAG}-${SHORT_SHA}" - - echo "draft_version=$DRAFT_VERSION" - echo "draft_version=$DRAFT_VERSION" >> $GITHUB_OUTPUT - - Build: - needs: [Artefact-Version] - runs-on: ubuntu-latest - outputs: - repo_name: ${{ steps.repo_vars.outputs.repo_name }} - artefact_name: ${{ steps.repo_vars.outputs.artefact_name }} - - steps: - - name: Checkout source code - uses: actions/checkout@v4 - - - name: Set up JDK - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: '21' - - - name: Set up Gradle - uses: gradle/actions/setup-gradle@v4 - with: - gradle-version: current - - - name: Gradle Build and Publish on Push [Merge] - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - AZURE_DEVOPS_ARTIFACT_USERNAME: ${{ secrets.AZURE_DEVOPS_ARTIFACT_USERNAME }} - AZURE_DEVOPS_ARTIFACT_TOKEN: ${{ secrets.AZURE_DEVOPS_ARTIFACT_TOKEN }} - run: | - VERSION=${{ 
needs.Artefact-Version.outputs.draft_version }} - - gradle build -DAPI_SPEC_VERSION=$VERSION - - if [ "${{ github.event_name }}" == "push" ]; then - echo "Push event trigger - Publishing artefact" - gradle publish \ - -DAPI_SPEC_VERSION=$VERSION \ - -DGITHUB_REPOSITORY=${{ github.repository }} \ - -DGITHUB_ACTOR=${{ github.actor }} \ - -DGITHUB_TOKEN=$GITHUB_TOKEN \ - -DAZURE_DEVOPS_ARTIFACT_USERNAME=$AZURE_DEVOPS_ARTIFACT_USERNAME \ - -DAZURE_DEVOPS_ARTIFACT_TOKEN=$AZURE_DEVOPS_ARTIFACT_TOKEN - else - echo "Skipping publish because this is a pull_request" - fi - - - name: Extract repo name - if: github.event_name == 'push' - id: repo_vars - run: | - repo_name=${GITHUB_REPOSITORY##*/} - echo "repo_name=${repo_name}" >> $GITHUB_OUTPUT - echo "artefact_name=${repo_name}-${{ needs.Artefact-Version.outputs.draft_version }}" >> $GITHUB_OUTPUT - - - name: Upload JAR Artefact - uses: actions/upload-artifact@v4 - if: github.event_name == 'push' - with: - name: app-jar - path: build/libs/${{ steps.repo_vars.outputs.artefact_name }}.jar - - Build-Docker: - needs: [ Build, Artefact-Version ] - runs-on: ubuntu-latest - if: github.event_name == 'push' - - steps: - - name: Checkout Code - uses: actions/checkout@v4 - - - name: Download JAR Artefact - uses: actions/download-artifact@v4 - with: - name: app-jar - path: build/libs - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Packages - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and Push Docker Image to GitHub - uses: docker/build-push-action@v6 - with: - context: . 
- file: Dockerfile - push: true - tags: | - ghcr.io/${{ github.repository }}:${{ needs.Artefact-Version.outputs.draft_version }} - build-args: | - BASE_IMAGE=openjdk:21-jdk-slim - JAR_FILENAME=${{ needs.Build.outputs.artefact_name }}.jar - - Deploy: - needs: [ Build, Artefact-Version ] - runs-on: ubuntu-latest - if: github.event_name == 'push' - - steps: - - name: Trigger ADO pipeline - env: - ADO_ORG: 'hmcts-cpp' - ADO_PROJECT: 'cpp-apps' - PIPELINE_ID: 460 #cp-gh-artifact-to-acr - ADO_PAT: ${{ secrets.HMCTS_ADO_PAT }} - run: | - ARTEFACT_VERSION="${{ needs.Artefact-Version.outputs.draft_version }}" - REPO_NAME="${GITHUB_REPOSITORY##*/}" - TARGET_REPOSITORY="${GITHUB_REPOSITORY}" - - curl -X POST \ - -u ":${ADO_PAT}" \ - -H "Content-Type: application/json" \ - https://dev.azure.com/${ADO_ORG}/${ADO_PROJECT}/_apis/pipelines/${PIPELINE_ID}/runs?api-version=7.0 \ - -d "{ - \"resources\": { - \"repositories\": { - \"self\": { - \"refName\": \"refs/heads/main\" - } - } - }, - \"templateParameters\": { - \"GROUP_ID\": \"uk.gov.hmcts.cp\", - \"ARTIFACT_ID\": \"${REPO_NAME}\", - \"ARTIFACT_VERSION\": \"${ARTEFACT_VERSION}\", - \"TARGET_REPOSITORY\": \"${TARGET_REPOSITORY}\" - } - }" diff --git a/.github/workflows/ci-released.yml b/.github/workflows/ci-released.yml index a0d7291..aac7797 100644 --- a/.github/workflows/ci-released.yml +++ b/.github/workflows/ci-released.yml 
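Review bot: The three `with:` inputs encode the policy "a pull_request run only builds; a push (merge) run also publishes, builds the image and triggers the ADO deploy", but nothing in the file says so, and the `on:` trigger list that decides which events reach this job starts before the hunk. A comment above `with:` such as `# pull_request: build only; push: also publish, build image and trigger ADO deploy` would make the intent explicit. Note that the three secrets are still forwarded on pull_request runs even though none of them is used there; that exposure is governed by how the called workflow scopes its `env:`, so it is worth checking on that side.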
@@ -1,146 +1,19 @@ -name: CI Gradle +name: CI Build and Publish – Release on: release: types: [published] - # Allows you to run this workflow manually from the Actions tab workflow_dispatch: jobs: - Artefact-Version: - runs-on: ubuntu-latest - outputs: - RELEASED_VERSION: ${{ steps.vars.outputs.RELEASED_VERSION }} - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Get version from tag - id: vars - run: | - TAG_NAME="${GITHUB_REF#refs/tags/}" - VERSION="${TAG_NAME#v}" - echo "RELEASED_VERSION=$VERSION" >> $GITHUB_OUTPUT - - Build: - needs: [Artefact-Version] - runs-on: ubuntu-latest - outputs: - repo_name: ${{ steps.repo_vars.outputs.repo_name }} - artefact_name: ${{ steps.repo_vars.outputs.artefact_name }} - - steps: - - name: Checkout source code - uses: actions/checkout@v4 - - - name: Set up JDK - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: '21' - - - name: Set up Gradle - uses: gradle/actions/setup-gradle@v4 - with: - gradle-version: current - - - name: Gradle Build and Publish - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - AZURE_DEVOPS_ARTIFACT_USERNAME: ${{ secrets.AZURE_DEVOPS_ARTIFACT_USERNAME }} - AZURE_DEVOPS_ARTIFACT_TOKEN: ${{ secrets.AZURE_DEVOPS_ARTIFACT_TOKEN }} - run: | - VERSION=${{ needs.Artefact-Version.outputs.RELEASED_VERSION }} - - gradle publish \ - -DAPI_SPEC_VERSION=$VERSION \ - -DGITHUB_REPOSITORY=${{ github.repository }} \ - -DGITHUB_ACTOR=${{ github.actor }} \ - -DGITHUB_TOKEN=$GITHUB_TOKEN \ - -DAZURE_DEVOPS_ARTIFACT_USERNAME=$AZURE_DEVOPS_ARTIFACT_USERNAME \ - -DAZURE_DEVOPS_ARTIFACT_TOKEN=$AZURE_DEVOPS_ARTIFACT_TOKEN - - - name: Extract repo name - id: repo_vars - run: | - repo_name=${GITHUB_REPOSITORY##*/} - echo "repo_name=${repo_name}" >> $GITHUB_OUTPUT - echo "artefact_name=${repo_name}-${{ needs.Artefact-Version.outputs.RELEASED_VERSION }}" >> $GITHUB_OUTPUT - - - name: Upload JAR Artefact - uses: actions/upload-artifact@v4 - with: - name: app-jar - path: build/libs/${{ 
steps.repo_vars.outputs.artefact_name }}.jar - - Build-Docker: - needs: [ Build, Artefact-Version ] - runs-on: ubuntu-latest - - steps: - - name: Checkout Code - uses: actions/checkout@v4 - - - name: Download JAR Artefact - uses: actions/download-artifact@v4 - with: - name: app-jar - path: build/libs - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Packages - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and Push Docker Image to GitHub - uses: docker/build-push-action@v6 - with: - context: . - file: Dockerfile - push: true - tags: | - ghcr.io/${{ github.repository }}:${{ needs.Artefact-Version.outputs.RELEASED_VERSION }} - build-args: | - BASE_IMAGE=openjdk:21-jdk-slim - JAR_FILENAME=${{ needs.Build.outputs.artefact_name }}.jar - - Deploy: - needs: [ Build, Artefact-Version ] - runs-on: ubuntu-latest - - steps: - - name: Trigger ADO pipeline - env: - ADO_ORG: 'hmcts-cpp' - ADO_PROJECT: 'cpp-apps' - PIPELINE_ID: 460 #cp-gh-artifact-to-acr - ADO_PAT: ${{ secrets.HMCTS_ADO_PAT }} - run: | - ARTEFACT_VERSION="${{ needs.Artefact-Version.outputs.RELEASED_VERSION }}" - REPO_NAME="${GITHUB_REPOSITORY##*/}" - TARGET_REPOSITORY="${GITHUB_REPOSITORY}" - - curl -X POST \ - -u ":${ADO_PAT}" \ - -H "Content-Type: application/json" \ - https://dev.azure.com/${ADO_ORG}/${ADO_PROJECT}/_apis/pipelines/${PIPELINE_ID}/runs?api-version=7.0 \ - -d "{ - \"resources\": { - \"repositories\": { - \"self\": { - \"refName\": \"refs/heads/main\" - } - } - }, - \"templateParameters\": { - \"GROUP_ID\": \"uk.gov.hmcts.cp\", - \"ARTIFACT_ID\": \"${REPO_NAME}\", - \"ARTIFACT_VERSION\": \"${ARTEFACT_VERSION}\", - \"TARGET_REPOSITORY\": \"${TARGET_REPOSITORY}\" - } - }" + ci-release: + uses: ./.github/workflows/ci-build-publish.yml + secrets: + AZURE_DEVOPS_ARTIFACT_USERNAME: ${{ secrets.AZURE_DEVOPS_ARTIFACT_USERNAME }} + 
AZURE_DEVOPS_ARTIFACT_TOKEN: ${{ secrets.AZURE_DEVOPS_ARTIFACT_TOKEN }} + HMCTS_ADO_PAT: ${{ secrets.HMCTS_ADO_PAT }} + with: + is_release: true + is_publish: true + trigger_docker: true + trigger_deploy: true diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml index 6c0b61e..0e4bd91 100644 --- a/.github/workflows/code-analysis.yml +++ b/.github/workflows/code-analysis.yml @@ -57,3 +57,15 @@ jobs: echo "PMD violations found" exit 1 fi + + secret-scanning: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Secret Scanning + uses: trufflesecurity/trufflehog@main + with: + extra_args: --results=verified,unknown \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e06affb..e331522 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -5,10 +5,6 @@ on: branches: - master - main - push: - branches: - - master - - main schedule: - cron: '36 5 * * 4' @@ -40,7 +36,6 @@ jobs: languages: ${{ matrix.language }} queries: security-extended - - uses: actions/setup-java@v4 with: distribution: 'temurin' @@ -51,14 +46,9 @@ jobs: with: gradle-version: current - - name: Gradle Build and Publish - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Gradle Build run: | - gradle build cyclonedxBom -x test \ - -DGITHUB_REPOSITORY=${{ github.repository }} \ - -DGITHUB_ACTOR=${{ github.actor }} \ - -DGITHUB_TOKEN=$GITHUB_TOKEN + gradle build cyclonedxBom -x test # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun diff --git a/build.gradle b/build.gradle index 2191771..dd4d180 100644 --- a/build.gradle +++ b/build.gradle 
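Review bot: The `workflow_dispatch:` trigger is kept but the comment that explained it is removed, and a manual run now reaches `ci-release` with `is_release: true`, `is_publish: true` and `trigger_deploy: true`, so a dispatch from any branch goes through publish, image push and the ADO deploy with whatever `release_version` hmcts/artefact-version-action derives for a non-tag ref; I cannot see from the diff what that is. If manual runs are meant only for re-running a published release, say so above the trigger, e.g. `# manual runs must be dispatched from a release tag; the version is derived from the ref`; otherwise consider `if: github.event_name == 'release'` on the job.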
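Review bot: The new `secret-scanning` job resolves `trufflesecurity/trufflehog@main`, a moving branch, so every run executes whatever that branch currently holds, with the full repository history checked out; pin it to a release tag or, better, a full commit SHA with the version recorded in a trailing comment (placeholder: `uses: trufflesecurity/trufflehog@<commit-sha> # <release-tag>`). The job also declares no `permissions:`; `permissions: contents: read` on the job is all the scanner needs and keeps the default token from carrying more.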
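Review bot: Dropping the `push:` trigger in codeql.yml means commits that reach `main`/`master` other than through an analysed pull request are only scanned by the weekly `cron: '36 5 * * 4'`, leaving up to a week before code scanning sees them. If the aim is to save runner time, keeping `push:` for the default branches only and letting `pull_request` cover feature work is the usual compromise; otherwise a comment above `schedule:` recording why push scans were removed would stop the next reader re-adding them.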
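Review bot: The renamed "Gradle Build" step in codeql.yml no longer receives `GITHUB_TOKEN`, while the `build.gradle` hunk further down reads `GITHUB_TOKEN` via `System.getenv` and declares an `implementation "uk.gov.hmcts.cp:…"` dependency; if that artefact is served from an authenticated registry, dependency resolution in the CodeQL job will now fail. If every dependency resolves anonymously this is the right least-privilege change, and a comment on the step such as `# no registry credentials needed: all dependencies resolve from public repositories` records that assumption for whoever next adds a private dependency.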
@@ -10,7 +10,7 @@ plugins { } group = 'uk.gov.hmcts.cp' -version = System.getProperty('API_SPEC_VERSION') ?: '0.0.999' +version = System.getProperty('ARTEFACT_VERSION') ?: '0.0.999' def githubActor = project.findProperty("github.actor") ?: System.getenv("GITHUB_ACTOR") def githubToken = project.findProperty("github.token") ?: System.getenv("GITHUB_TOKEN") @@ -29,10 +29,9 @@ def azureADOArtifactToken = System.getenv("AZURE_DEVOPS_ARTIFACT_TOKEN") // println " - GITHUB_TOKEN=${githubToken != null ? ' ✔ FOUND' : '❌'}" // println " - GITHUB_REPOSITORY=${githubRepo != null ? ' ✔ FOUND' : '❌'}" -// println "Azure ADO publishing required environment variables:" -// println " - AZURE_DEVOPS_ARTIFACT_USERNAME=${azureADOArtifactActor != null ? ' ✔ FOUND' : '❌'}" -// println " - AZURE_DEVOPS_ARTIFACT_TOKEN=${azureADOArtifactToken != null ? ' ✔ FOUND' : '❌'}" - +//println "Azure ADO publishing required environment variables:" +//println " - AZURE_DEVOPS_ARTIFACT_USERNAME=${!azureADOArtifactActor || azureADOArtifactActor.isBlank() ? '❌NULL or EMPTY' : ' ✔ FOUND'}" +//println " - AZURE_DEVOPS_ARTIFACT_USERNAME=${!azureADOArtifactToken || azureADOArtifactToken.isBlank() ? '❌NULL or EMPTY' : ' ✔ FOUND'}" java { sourceCompatibility = JavaVersion.VERSION_21 @@ -239,7 +238,7 @@ ext { dependencies { implementation "uk.gov.hmcts.cp:api-cp-crime-schedulingandlisting-courtschedule:$apiCourtScheduleVersion" - implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.8' + implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.9' implementation 'io.swagger.core.v3:swagger-core:2.2.32' implementation 'org.springframework.boot:spring-boot-starter-web'
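Review bot: The second new commented-out println is labelled `AZURE_DEVOPS_ARTIFACT_USERNAME` but evaluates `azureADOArtifactToken`, so if the block is ever uncommented it reports the token's presence under the username label; it should read `//println " - AZURE_DEVOPS_ARTIFACT_TOKEN=${!azureADOArtifactToken || azureADOArtifactToken.isBlank() ? '❌NULL or EMPTY' : ' ✔ FOUND'}"`. The lines print presence only, never the value, which is the right shape for a credential check.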