Files
hiveops-aria/.gitea/workflows/cd-develop.yml
T
johannes 59a7e1187e
CD - Develop / build-and-deploy (push) Failing after 2m49s
chore: remove Slack notification from CI workflows
2026-06-23 06:35:58 -04:00

136 lines
4.8 KiB
YAML

name: CD - Develop
on:
push:
branches:
- develop
jobs:
build-and-deploy:
runs-on: ubuntu-latest
env:
GIT_SSL_NO_VERIFY: 'true'
MAVEN_OPTS: "-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true"
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Clean runner disk
run: docker system prune -f 2>/dev/null || true
- name: Install Java 21 and Maven
run: |
apt-get update -qq
apt-get install -y -qq wget apt-transport-https gnupg
wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor -o /usr/share/keyrings/adoptium.gpg
echo "deb [signed-by=/usr/share/keyrings/adoptium.gpg] https://packages.adoptium.net/artifactory/deb $(. /etc/os-release && echo $VERSION_CODENAME) main" | tee /etc/apt/sources.list.d/adoptium.list
apt-get update -qq
apt-get install -y -qq temurin-21-jdk maven
java -version
mvn -version
- name: Configure Maven settings
run: |
mkdir -p ~/.m2
cat > ~/.m2/settings.xml << EOF
<settings>
<servers>
<server>
<id>gitea</id>
<username>hiveiq</username>
<password>${{ secrets.MAVEN_TOKEN }}</password>
</server>
</servers>
<mirrors>
<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>dummy</mirrorOf>
<name>Disabled</name>
<url>http://0.0.0.0/</url>
<blocked>true</blocked>
</mirror>
</mirrors>
<profiles>
<profile>
<id>gitea-registry</id>
<repositories>
<repository>
<id>gitea</id>
<url>https://hiveiq-gitea.directlx.dev/api/packages/hiveops/maven</url>
<releases><enabled>true</enabled></releases>
<snapshots><enabled>false</enabled></snapshots>
</repository>
</repositories>
</profile>
</profiles>
<activeProfiles>
<activeProfile>gitea-registry</activeProfile>
</activeProfiles>
</settings>
EOF
- name: Build JAR
run: mvn clean package -DskipTests -B
- name: Install Trivy
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- name: Trivy vulnerability scan
run: |
trivy fs \
--exit-code 1 \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--scanners vuln \
--format table \
target/
- name: OWASP Dependency Check
run: |
if [ ! -d /opt/owasp-data ]; then
echo "::warning::OWASP local NVD data not found on this runner — skipping scan"
exit 0
fi
cp -r /opt/owasp-data /tmp/owasp-data
mvn org.owasp:dependency-check-maven:check \
-DfailBuildOnCVSS=7 \
-DautoUpdate=false \
-DdataDirectory=/tmp/owasp-data \
-DsuppressionFile=deployment/owasp-suppressions.xml \
-Dformats=HTML,JSON \
-B
- name: Build and push Docker image
run: |
if ! command -v docker &> /dev/null; then
apt-get update -qq && apt-get install -y -qq docker.io
fi
DOCKER_BUILDKIT=0 docker system prune -f 2>/dev/null || true
export DOCKER_BUILDKIT=0
echo "${{ secrets.DEV_REGISTRY_PASSWORD }}" | \
docker login ${{ secrets.DEV_REGISTRY_URL }} \
-u ${{ secrets.DEV_REGISTRY_USERNAME }} --password-stdin
docker build -t ${{ secrets.DEV_REGISTRY_URL }}/hiveiq-aria:dev .
docker push ${{ secrets.DEV_REGISTRY_URL }}/hiveiq-aria:dev
- name: Deploy to bcos.dev
continue-on-error: true
env:
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
apt-get install -y -qq openssh-client
mkdir -p ~/.ssh
echo "$DEPLOY_SSH_KEY" > ~/.ssh/deploy_key
chmod 600 ~/.ssh/deploy_key
ssh-keyscan -H ${{ secrets.DEV_HOST }} >> ~/.ssh/known_hosts 2>&1
ssh -i ~/.ssh/deploy_key ${{ secrets.DEPLOY_USER }}@${{ secrets.DEV_HOST }} \
"cd ~/hiveiq/hiveops-openmetal/hiveops/instances/dev && \
REGISTRY_URL=${{ secrets.DEV_REGISTRY_URL }} ARIA_VERSION=dev \
docker compose pull hiveiq-aria && \
REGISTRY_URL=${{ secrets.DEV_REGISTRY_URL }} ARIA_VERSION=dev \
docker compose up -d hiveiq-aria"
- name: Cleanup
if: always()
run: rm -f ~/.ssh/deploy_key