Main to Develop #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pipeline | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - develop | |
| pull_request: | |
| branches: | |
| - main | |
| - develop | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| snyk: | |
| name: Snyk Security Analysis | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Snyk CLI to check for security issues | |
| uses: snyk/actions/[email protected] | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| - uses: actions/[email protected] | |
| with: | |
| node-version: '22' | |
| # Use || true to not fail the pipeline | |
| - name: Snyk Code test | |
| run: snyk code test --sarif > snyk-code.sarif | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| - name: Snyk Open Source monitor | |
| run: snyk monitor --all-projects | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| # Use || true to not fail the pipeline. | |
| #- name: Build a Docker image | |
| # run: docker build -t your/image-to-test . | |
| #- name: Snyk Container monitor | |
| # run: snyk container monitor your/image-to-test --file=Dockerfile | |
| - name: Upload result to GitHub Code Scanning | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: snyk-code.sarif | |
| build: | |
| name: Build and SonarQube analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
| - name: Set up JDK 23 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: 23 | |
| distribution: 'zulu' | |
| - name: Cache SonarQube packages | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.sonar/cache | |
| key: ${{ runner.os }}-sonar | |
| restore-keys: ${{ runner.os }}-sonar | |
| - name: Cache Maven packages | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.m2 | |
| key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: ${{ runner.os }}-m2 | |
| - name: Build and analyze | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }} -Dsonar.host.url=${{ vars.SONAR_HOST_URL }} -Dsonar.login=${{ secrets.SONAR_TOKEN }} | |
| deploy: | |
| name: Deploy to Environment | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: ${{ contains(github.ref, 'main') && 'production' || contains(github.ref, 'develop') && 'staging' || 'other' }} | |
| defaults: | |
| run: | |
| shell: bash | |
| needs: | |
| - snyk | |
| - build | |
| if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' | |
| steps: | |
| - name: Deploy | |
| run: | | |
| echo "Deploy to Environment: ${{ vars.ENV_NAME }}" | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
| - name: Set up JDK 23 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: 23 | |
| distribution: 'zulu' |