feat: mTLS security scope restriction #1376
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Main build pipeline, operates on `dev` branch which is our integration branch | |
name: CI Dev branch | |
on: | |
push: | |
branches: [ "dev" ] # trap each push to dev branch | |
paths: # but react only to changes in code or pipeline definition | |
- evita*/**/*.java | |
- evita*/**/pom.xml | |
- evita_external_api/evita_external_api_lab/src/main/resources/META-INF/lab/gui/dist/** | |
- jacoco/**/pom.xml | |
- docker/** | |
- .github/** | |
pull_request_target: | |
branches: [ "dev" ] # also trap pull requests to dev branch | |
paths: # but react only to changes in code or pipeline definition | |
- evita*/**/*.java | |
- evita*/**/pom.xml | |
- .github/**.* | |
permissions: | |
id-token: write | |
contents: write | |
actions: read | |
checks: write | |
pull-requests: read | |
security-events: write | |
statuses: write | |
concurrency: | |
group: ${{ github.head_ref || github.ref_name }} # for the same branch (dev or PR) | |
cancel-in-progress: true # run only one workflow at a time (cancel the previous) | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 # checkout sources | |
- name: Setup Java JDK | |
uses: actions/setup-java@v3 # setup JDK 17 for building | |
with: | |
distribution: 'temurin' | |
java-version: '17' | |
cache: 'maven' | |
server-id: ossrh | |
server-username: MAVEN_USERNAME | |
server-password: MAVEN_CENTRAL_TOKEN | |
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} | |
gpg-passphrase: MAVEN_GPG_PASSPHRASE | |
- name: Build with Maven # run Maven with tests | |
run: | | |
mvn -T 1C -B package -P unitAndFunctional jacoco:report-aggregate -V --fail-at-end -Dmaven.test.skip=false --file pom.xml | |
jacoco/jacoco-summary.sh jacoco/target/site/jacoco-aggregate/jacoco.csv | |
- name: Upload test results # upload XML with unit test results to artifact `test-results` for `test-report.yml` | |
uses: actions/upload-artifact@v4 | |
if: success() || failure() | |
with: | |
name: test-results | |
path: 'evita*/**/target/surefire-reports/TEST-*.xml' | |
- name: Upload evitaDB server artifact # upload `evita-server.jar` for `docker-canary.yml` to deploy to DockerHub | |
uses: actions/upload-artifact@v4 | |
if: success() | |
with: | |
name: evita-server.jar | |
path: 'evita_server/target/evita-server.jar' | |
- name: Upload coverage to Codecov # upload code coverage from Jacoco to codecov | |
uses: codecov/codecov-action@v3 | |
# Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive | |
- name: Update dependency graph | |
uses: advanced-security/maven-dependency-submission-action@v3 | |
- name: Deploy with Maven # deploy SNAPSHOTS to Maven repository | |
run: | | |
mvn -T 1C -B deploy -DdeployAtEnd=true -Dmaven.test.skip=true --file pom.xml | |
continue-on-error: true | |
env: | |
MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }} | |
MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }} | |
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} |