a7cff6898d
CD - Develop / build-and-scan (push) Failing after 10m10s
cd-develop built and pushed the image, then said nothing. With no Slack step and no Gitea webhook, the only way to know a build ran was to poll the Actions API (whose run status is unreliable) or list registry tags. 21 of 24 repos were silent this way; only devices, guide and incident notified. Ports the notify step from hiveops-devices verbatim, adapted for a build-only pipeline: the card says built & pushed (not deployed) and names the tag to deploy. if: always() so failures are announced too, and continue-on-error so a Slack hiccup can never fail a build. Short SHA is derived inside the step from github.sha, as most repos have no Short SHA step. No new secret: SLACK_WEBHOOK_URL is already an org secret. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
140 lines
5.7 KiB
YAML
140 lines
5.7 KiB
YAML
name: CD - Develop
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- develop
|
|
|
|
jobs:
|
|
build-and-scan:
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
GIT_SSL_NO_VERIFY: 'true'
|
|
MAVEN_OPTS: "-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true"
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Clean runner disk
|
|
run: docker system prune -f 2>/dev/null || true
|
|
|
|
- name: Verify toolchain
|
|
run: java -version && mvn -version && trivy --version
|
|
|
|
- name: Configure Maven settings
|
|
run: |
|
|
mkdir -p ~/.m2
|
|
cat > ~/.m2/settings.xml << EOF
|
|
<settings>
|
|
<servers>
|
|
<server>
|
|
<id>gitea</id>
|
|
<username>hiveiq</username>
|
|
<password>${{ secrets.MAVEN_TOKEN }}</password>
|
|
</server>
|
|
</servers>
|
|
<mirrors>
|
|
<mirror>
|
|
<id>maven-default-http-blocker</id>
|
|
<mirrorOf>dummy</mirrorOf>
|
|
<name>Disabled</name>
|
|
<url>http://0.0.0.0/</url>
|
|
<blocked>true</blocked>
|
|
</mirror>
|
|
</mirrors>
|
|
<profiles>
|
|
<profile>
|
|
<id>gitea-registry</id>
|
|
<repositories>
|
|
<repository>
|
|
<id>gitea</id>
|
|
<url>https://hiveiq-gitea.directlx.dev/api/packages/hiveops/maven</url>
|
|
<releases><enabled>true</enabled></releases>
|
|
<snapshots><enabled>false</enabled></snapshots>
|
|
</repository>
|
|
</repositories>
|
|
</profile>
|
|
</profiles>
|
|
<activeProfiles>
|
|
<activeProfile>gitea-registry</activeProfile>
|
|
</activeProfiles>
|
|
</settings>
|
|
EOF
|
|
|
|
- name: Build JAR
|
|
run: mvn clean package -DskipTests -B
|
|
|
|
- name: Trivy vulnerability scan
|
|
run: |
|
|
trivy fs \
|
|
--exit-code 1 \
|
|
--severity HIGH,CRITICAL \
|
|
--ignore-unfixed \
|
|
--skip-db-update \
|
|
--scanners vuln \
|
|
--format table \
|
|
target/
|
|
|
|
- name: OWASP Dependency Check
|
|
run: |
|
|
if [ ! -d /opt/owasp-data ]; then
|
|
echo "::warning::OWASP local NVD data not found on this runner — skipping scan"
|
|
exit 0
|
|
fi
|
|
cp -r /opt/owasp-data /tmp/owasp-data
|
|
mvn org.owasp:dependency-check-maven:check \
|
|
-DfailBuildOnCVSS=7 \
|
|
-DautoUpdate=false \
|
|
-DdataDirectory=/tmp/owasp-data \
|
|
-DsuppressionFile=deployment/owasp-suppressions.xml \
|
|
-Dformats=HTML,JSON \
|
|
-B
|
|
|
|
- name: Build and push Docker image
|
|
run: |
|
|
if ! command -v docker &> /dev/null; then
|
|
apt-get update -qq && apt-get install -y -qq docker.io
|
|
fi
|
|
DOCKER_BUILDKIT=0 docker system prune -f 2>/dev/null || true
|
|
export DOCKER_BUILDKIT=0
|
|
echo "${{ secrets.DEV_REGISTRY_PASSWORD }}" | \
|
|
docker login ${{ secrets.DEV_REGISTRY_URL }} \
|
|
-u ${{ secrets.DEV_REGISTRY_USERNAME }} --password-stdin
|
|
docker build -t ${{ secrets.DEV_REGISTRY_URL }}/hiveiq-aria:dev .
|
|
docker push ${{ secrets.DEV_REGISTRY_URL }}/hiveiq-aria:dev
|
|
|
|
# Posts a ✅/🔴 card to #hiveops-dev-deploy on every run, so a build is never silent.
|
|
# if: always() → failures are announced too. continue-on-error → a notify hiccup must
|
|
# NEVER fail the build. SLACK_WEBHOOK_URL is an org secret; unset → the step no-ops.
|
|
- name: Notify Slack (#hiveops-dev-deploy)
|
|
if: always()
|
|
continue-on-error: true
|
|
env:
|
|
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
|
|
JOB_STATUS: ${{ job.status }}
|
|
ACTOR: ${{ github.actor }}
|
|
REF_NAME: ${{ github.ref_name }}
|
|
SHA: ${{ github.sha }}
|
|
RUN_NUMBER: ${{ github.run_number }}
|
|
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
|
|
COMMIT_MSG: ${{ github.event.head_commit.message }}
|
|
run: |
|
|
[ -z "$SLACK_WEBHOOK_URL" ] && { echo "no SLACK_WEBHOOK_URL secret — skipping"; exit 0; }
|
|
SHORT="${SHA:0:8}"
|
|
FIRST="${COMMIT_MSG%%$'\n'*}"
|
|
SUBJECT="$(printf '%s' "$FIRST" | tr -d '"\\' | cut -c1-100)"
|
|
if [ "$JOB_STATUS" = "success" ]; then
|
|
COLOR="#2eb67d"
|
|
TITLE=":white_check_mark: aria — cd-develop OK · image built & pushed"
|
|
NEXT="*Not deployed* — this pipeline only builds. Deploy \`:dev\` to bcos.dev (.251) when ready."
|
|
else
|
|
COLOR="#e01e5a"
|
|
TITLE=":red_circle: aria — cd-develop FAILED ($JOB_STATUS)"
|
|
NEXT="The image may not have been pushed — check the run before deploying anything."
|
|
fi
|
|
PAYLOAD=$(printf '{"attachments":[{"color":"%s","blocks":[{"type":"section","text":{"type":"mrkdwn","text":"*%s*"}},{"type":"section","fields":[{"type":"mrkdwn","text":"*Commit*\\n`%s` %s"},{"type":"mrkdwn","text":"*Tags*\\n`:dev`"},{"type":"mrkdwn","text":"*By*\\n%s"},{"type":"mrkdwn","text":"*Run*\\n#%s"}]},{"type":"section","text":{"type":"mrkdwn","text":"*Next*\\n%s"}},{"type":"actions","elements":[{"type":"button","text":{"type":"plain_text","text":"View run"},"url":"%s"}]}]}]}' \
|
|
"$COLOR" "$TITLE" "$SHORT" "$SUBJECT" "$ACTOR" "$RUN_NUMBER" "$NEXT" "$RUN_URL")
|
|
code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 15 -X POST -H 'Content-type: application/json' --data "$PAYLOAD" "$SLACK_WEBHOOK_URL" || echo "curl-error")
|
|
echo "slack notify HTTP: $code (200 = card posted)"
|