llamara-backend/.github/workflows/build.yaml at main · llamara-ai/llamara-backend · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
name: CI Build

on:
  # Build container according to ref input:
  workflow_call:
    inputs:
      ref:
        description: "The branch, tag or SHA to checkout"
        required: true
        type: string
      container-image-push:
        description: "Whether to push the container image to the registry"
        required: false
        type: boolean
        default: false
      container-image-name:
        description: "Name for the container image to build"
        required: false
        type: string
      container-image-type:
        description: "Type of the container image to build, e.g. Backend or Distribution"
        required: false
        type: string
    secrets:
      github-token:
        description: "GitHub token with packages:write, id-token:write permissions"
        required: true
  # Dry run on dispatch:
  workflow_dispatch:
  # Dry run for main:
  push:
    branches: ["main"]
    paths-ignore: ["**/*.md"]
    # Build release container:
    tags:
      - "v*.*"
      - "v*.*.*"
  # Dry run for PRs:
  pull_request:
    branches: ["main"]
    paths-ignore: ["**/*.md"]

permissions:
  contents: write

jobs:
  maven:
    name: Maven Build
    runs-on: "ubuntu-24.04"
    # typical duration is ~2min, set a reasonable amount as limit (default is 6h)
    timeout-minutes: 8

    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          repository: llamara-ai/llamara-backend
          ref: ${{ inputs.ref }}

      - name: Download frontend build
        if: github.repository == 'llamara-ai/llamara-distro'
        uses: actions/download-artifact@v5
        with:
          name: vite-dist
          path: src/main/resources/META-INF/resources

      - name: Maven Build
        uses: ./.github/actions/maven-build
        with:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

      # Upload the full dependency graph to improve quality of Dependabot alerts except on PR
      - name: Update dependency graph
        if: github.repository == 'llamara-ai/llamara-backend' && github.event_name == 'push' && github.ref_name == 'main'
        uses: advanced-security/maven-dependency-submission-action@v5

      - name: Upload packaged application
        uses: actions/upload-artifact@v4
        with:
          name: quarkus-app
          path: |
            target/quarkus-app

      - name: Upload OpenAPI schema
        uses: actions/upload-artifact@v4
        with:
          name: openapi-schema
          path: |
            target/openapi

      - name: Upload test coverage report
        uses: actions/upload-artifact@v4
        with:
          name: jacoco-report
          path: |
            target/jacoco-report

      # pinning to SHA to mitigate possible supply chain attack
      - name: Trigger distro build
        if: github.repository == 'llamara-ai/llamara-backend' && github.event_name == 'push' && github.ref_name == 'main'
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
        with:
          token: ${{ secrets.DISTRO_DISPATCH_BUILD_TOKEN }}
          repository: llamara-ai/llamara-distro
          event-type: build

  docker:
    name: Docker Build & Publish
    needs: maven
    runs-on: "ubuntu-24.04"
    # typical duration is ~1min, set a reasonable amount as limit (default is 6h)
    timeout-minutes: 4

    env:
      # Use docker.io for Docker Hub if empty
      REGISTRY: ghcr.io
      # github.repository as <account>/<repo>
      IMAGE_NAME: ${{ inputs.container-image-name || github.repository }}

    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          repository: llamara-ai/llamara-backend
          ref: ${{ inputs.ref }}

      # Install the cosign tool
      # https://github.com/sigstore/cosign-installer
      # pinning to SHA to mitigate possible supply chain attack
      - name: Install cosign
        if: ${{ inputs.container-image-push }}
        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
        with:
          cosign-release: "v2.4.3"

      # Set up BuildKit Docker container builder to be able to build
      # multi-platform images and export cache
      # https://github.com/docker/setup-buildx-action
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Login against a Docker registry
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        if: ${{ inputs.container-image-push }}
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.github-token || secrets.GITHUB_TOKEN }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.title=LLAMARA ${{ inputs.container-image-type || 'Backend' }}
            org.opencontainers.image.vendor=LLAMARA AI project
            org.opencontainers.image.authors=Contributors to the LLAMARA AI project

      - name: Download packaged application
        uses: actions/download-artifact@v5
        with:
          name: quarkus-app
          path: target/quarkus-app

      # Build and push Docker image with Buildx
      # Push only on workflow_call or pushing a version tag
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64,linux/arm64
          file: src/main/docker/Dockerfile.jvm
          context: .
          push: ${{ inputs.container-image-push || 'false' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Sign the resulting Docker image digest.
      # This will only write to the public Rekor transparency log when the Docker
      # repository is public to avoid leaking data.  If you would like to publish
      # transparency data even for private images, pass --force to cosign below.
      # https://github.com/sigstore/cosign
      - name: Sign the published Docker image
        if: ${{ inputs.container-image-push }}
        env:
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}