e5f25f1c2c
CD - Develop / build-and-deploy (push) Failing after 11m31s
- Spring Boot service on port 8095, database hiveiq_aria - Flyway schema: threat_ioc, threat_event, precursor_sequence_alert, device_security_posture - FBI FLASH-20260219-001 IOC seed data (executables, MD5s, directories, registry keys, services) - ThreatEventClassifier — maps 20+ signal keys to severity + attack phase + IOC match - ThreatEventIngestionService — persists events, publishes HIGH/CRITICAL to Kafka - Kafka producer: topic hiveops.aria.threats (AriaThreatEvent payload) - ThreatIocController — CRUD IOC management (MSP_ADMIN/BCOS_ADMIN) - ThreatEventIngestionController — agent-facing ingest endpoint with service secret auth - CI/CD: cd-develop.yml + cd-main.yml
148 lines
5.5 KiB
YAML
148 lines
5.5 KiB
YAML
name: CD - Develop
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- develop
|
|
|
|
jobs:
|
|
build-and-deploy:
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
GIT_SSL_NO_VERIFY: 'true'
|
|
MAVEN_OPTS: "-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true"
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Clean runner disk
|
|
run: docker system prune -f 2>/dev/null || true
|
|
|
|
- name: Install Java 21 and Maven
|
|
run: |
|
|
apt-get update -qq
|
|
apt-get install -y -qq wget apt-transport-https gnupg
|
|
wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor -o /usr/share/keyrings/adoptium.gpg
|
|
echo "deb [signed-by=/usr/share/keyrings/adoptium.gpg] https://packages.adoptium.net/artifactory/deb $(. /etc/os-release && echo $VERSION_CODENAME) main" | tee /etc/apt/sources.list.d/adoptium.list
|
|
apt-get update -qq
|
|
apt-get install -y -qq temurin-21-jdk maven
|
|
java -version
|
|
mvn -version
|
|
|
|
- name: Configure Maven settings
|
|
run: |
|
|
mkdir -p ~/.m2
|
|
cat > ~/.m2/settings.xml << EOF
|
|
<settings>
|
|
<servers>
|
|
<server>
|
|
<id>gitea</id>
|
|
<username>hiveiq</username>
|
|
<password>${{ secrets.MAVEN_TOKEN }}</password>
|
|
</server>
|
|
</servers>
|
|
<mirrors>
|
|
<mirror>
|
|
<id>maven-default-http-blocker</id>
|
|
<mirrorOf>dummy</mirrorOf>
|
|
<name>Disabled</name>
|
|
<url>http://0.0.0.0/</url>
|
|
<blocked>true</blocked>
|
|
</mirror>
|
|
</mirrors>
|
|
<profiles>
|
|
<profile>
|
|
<id>gitea-registry</id>
|
|
<repositories>
|
|
<repository>
|
|
<id>gitea</id>
|
|
<url>https://hiveiq-gitea.directlx.dev/api/packages/hiveops/maven</url>
|
|
<releases><enabled>true</enabled></releases>
|
|
<snapshots><enabled>false</enabled></snapshots>
|
|
</repository>
|
|
</repositories>
|
|
</profile>
|
|
</profiles>
|
|
<activeProfiles>
|
|
<activeProfile>gitea-registry</activeProfile>
|
|
</activeProfiles>
|
|
</settings>
|
|
EOF
|
|
|
|
- name: Build JAR
|
|
run: mvn clean package -DskipTests -B
|
|
|
|
- name: Install Trivy
|
|
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
|
|
|
- name: Trivy vulnerability scan
|
|
run: |
|
|
trivy fs \
|
|
--exit-code 1 \
|
|
--severity HIGH,CRITICAL \
|
|
--ignore-unfixed \
|
|
--scanners vuln \
|
|
--format table \
|
|
target/
|
|
|
|
- name: OWASP Dependency Check
|
|
run: |
|
|
if [ ! -d /opt/owasp-data ]; then
|
|
echo "::warning::OWASP local NVD data not found on this runner — skipping scan"
|
|
exit 0
|
|
fi
|
|
cp -r /opt/owasp-data /tmp/owasp-data
|
|
mvn org.owasp:dependency-check-maven:check \
|
|
-DfailBuildOnCVSS=7 \
|
|
-DautoUpdate=false \
|
|
-DdataDirectory=/tmp/owasp-data \
|
|
-DsuppressionFile=deployment/owasp-suppressions.xml \
|
|
-Dformats=HTML,JSON \
|
|
-B
|
|
|
|
- name: Build and push Docker image
|
|
run: |
|
|
if ! command -v docker &> /dev/null; then
|
|
apt-get update -qq && apt-get install -y -qq docker.io
|
|
fi
|
|
DOCKER_BUILDKIT=0 docker system prune -f 2>/dev/null || true
|
|
export DOCKER_BUILDKIT=0
|
|
echo "${{ secrets.DEV_REGISTRY_PASSWORD }}" | \
|
|
docker login ${{ secrets.DEV_REGISTRY_URL }} \
|
|
-u ${{ secrets.DEV_REGISTRY_USERNAME }} --password-stdin
|
|
docker build -t ${{ secrets.DEV_REGISTRY_URL }}/hiveiq-aria:dev .
|
|
docker push ${{ secrets.DEV_REGISTRY_URL }}/hiveiq-aria:dev
|
|
|
|
- name: Deploy to bcos.dev
|
|
continue-on-error: true
|
|
env:
|
|
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
|
|
run: |
|
|
apt-get install -y -qq openssh-client
|
|
mkdir -p ~/.ssh
|
|
echo "$DEPLOY_SSH_KEY" > ~/.ssh/deploy_key
|
|
chmod 600 ~/.ssh/deploy_key
|
|
ssh-keyscan -H ${{ secrets.DEV_HOST }} >> ~/.ssh/known_hosts 2>&1
|
|
ssh -i ~/.ssh/deploy_key ${{ secrets.DEPLOY_USER }}@${{ secrets.DEV_HOST }} \
|
|
"cd ~/hiveiq/hiveops-openmetal/hiveops/instances/dev && \
|
|
REGISTRY_URL=${{ secrets.DEV_REGISTRY_URL }} ARIA_VERSION=dev \
|
|
docker compose pull hiveiq-aria && \
|
|
REGISTRY_URL=${{ secrets.DEV_REGISTRY_URL }} ARIA_VERSION=dev \
|
|
docker compose up -d hiveiq-aria"
|
|
|
|
- name: Notify Slack
|
|
if: always()
|
|
run: |
|
|
STATUS="${{ job.status }}"
|
|
[ "$STATUS" = "success" ] && COLOR="good" || COLOR="danger"
|
|
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
|
|
RUN_URL="https://hiveiq-gitea.directlx.dev/hiveiq-src/hiveops-aria/actions/runs/${{ github.run_id }}"
|
|
curl -s -X POST "${{ secrets.SLACK_WEBHOOK_URL }}" \
|
|
-H "Content-Type: application/json" \
|
|
-d "{\"attachments\":[{\"color\":\"$COLOR\",\"text\":\"*<$RUN_URL|hiveops-aria CD Develop — $STATUS>*\n${{ github.ref_name }} · $SHORT_SHA · ${{ github.actor }}\",\"mrkdwn_in\":[\"text\"],\"footer\":\"Gitea Actions\"}]}"
|
|
|
|
- name: Cleanup
|
|
if: always()
|
|
run: rm -f ~/.ssh/deploy_key
|