Build OCI image to use CLI in containers (#208) #524
# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - 'release/**'
      - develop
      - 'feature/**'
  # Plain `pull_request` (not `pull_request_target`): under GitHub's model a
  # fork PR then runs with a read-only GITHUB_TOKEN and without repository
  # secrets, so ACCESS_TOKEN is not exposed to untrusted branch content.
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
    branches:
      - 'release/**'
      - develop
      - 'feature/**'
  merge_group:
  schedule:
    # Nightly build at 4:00 AM UTC (after liboscal-java)
    - cron: '0 4 * * *'
  workflow_dispatch:
    inputs:
      linkcheck_fail_on_error:
        description: 'a boolean flag that determines if bad links found by the link checker fail fast and stop a complete build'
        required: false
        default: true
        type: boolean
      linkcheck_create_issue:
        description: 'create new GitHub issue if broken links found'
        required: false
        default: false
        type: boolean
name: Build and Test

# At most one in-flight run per workflow and ref; a newer run of the same
# group cancels the older one (for PRs the ref is refs/pull/<n>/merge).
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
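env:
  # workflow_dispatch inputs are delivered as strings ('true'/'false'); both
  # are non-empty, so `||` only supplies the default for the other triggers
  # (push, schedule, ...) where the input is absent.
  INPUT_FAIL_ON_ERROR: ${{ github.event.inputs.linkcheck_fail_on_error || 'true' }}
  INPUT_ISSUE_ON_ERROR: ${{ github.event.inputs.linkcheck_create_issue || 'false' }}
  MAVEN_VERSION: '3.9.8'
  JAVA_DISTRO: 'temurin'
  JAVA_VERSION_FILE: .java-version
  # Post Maven artifacts to the artifact repo only for pushes to 'develop' or
  # 'release/*' in the upstream org. On pull_request events github.ref is
  # refs/pull/<n>/merge, so PRs (same-repo or fork) never publish and never
  # need ACCESS_TOKEN.
  COMMIT_MAVEN_ARTIFACTS: ${{ (github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release/')) && github.repository_owner == 'metaschema-framework' }}
  # Upload CodeQL results for 'develop' / 'release/*' and for pull requests
  # targeting them. github.base_ref carries the bare branch name (e.g.
  # `develop`), not a `refs/heads/...` ref, so it is compared without the
  # prefix; with the prefix the pull_request arm could never match and PR
  # results were silently never uploaded.
  UPLOAD_CODEQL: ${{ ((github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release/')) || (github.event_name == 'pull_request' && (github.base_ref == 'develop' || startsWith(github.base_ref, 'release/')))) && 'always' || 'never' }}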
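jobs:
  build-code:
    name: Code
    runs-on: ubuntu-24.04
    # Least privilege: `security-events: write` is what CodeQL needs to upload
    # SARIF and `actions: read` lets it read run metadata. Nothing in this job
    # pushes to this repository, so `contents` stays read-only.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          submodules: recursive
          filter: tree:0
          # No step pushes from this checkout, so do not leave GITHUB_TOKEN in
          # .git/config where the Maven build (plugins, tests) could read it.
          # Submodules are fetched by the action itself before it scrubs the
          # credential.
          persist-credentials: false
      - name: Checkout maven2 branch
        if: env.COMMIT_MAVEN_ARTIFACTS == 'true'
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          path: maven2
          ref: main
          repository: metaschema-framework/maven2
          # ACCESS_TOKEN must be able to push to metaschema-framework/maven2.
          # This step only runs for develop/release pushes in the org repo
          # (COMMIT_MAVEN_ARTIFACTS), never for pull requests.
          token: ${{ secrets.ACCESS_TOKEN }}
          fetch-depth: 2
          # Kept on purpose: "Deploy Artifacts" below pushes with this token.
          persist-credentials: true
      # -------------------------
      # Java Environment Setup
      # -------------------------
      - name: Set up Maven
        uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1
        with:
          maven-version: ${{ env.MAVEN_VERSION }}
      - name: Set up JDK
        uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e
        with:
          java-version-file: ${{ env.JAVA_VERSION_FILE }}
          distribution: ${{ env.JAVA_DISTRO }}
          cache: 'maven'
      - name: Initialize CodeQL
        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7
        with:
          languages: java
      # -------------------------
      # Maven Build
      # -------------------------
      # `deploy` always targets the local file:// repository under maven2/;
      # only the "Deploy Artifacts" step decides whether that directory is
      # committed and pushed.
      - name: Build and Test Code
        run: |
          mvn -B -e -Prelease -Psnapshots -DaltDeploymentRepository=repo-snapshot::file://${GITHUB_WORKSPACE}/maven2/ -DaltSnapshotDeploymentRepository=repo-snapshot::file://${GITHUB_WORKSPACE}/maven2/ -DrepositoryId=repo-snapshot deploy
      - name: Deploy Artifacts
        if: env.COMMIT_MAVEN_ARTIFACTS == 'true'
        run: |
          set -euo pipefail
          MVN_COORDS=$(echo '${project.groupId}:${project.artifactId}:${project.version}' | mvn -N -q -DforceStdout help:evaluate)
          cd maven2
          echo "Configuring git identity"
          git config user.name "GitHub Action"
          git config user.email "action@github.com"
          echo "Comitting artifacts"
          git add -A
          # NOTE(review): `git commit` exits non-zero when nothing was staged;
          # that is left as a hard failure since a deploy that produced no
          # files is worth noticing.
          git commit -m "[CI SKIP] Deploying artifacts for $MVN_COORDS."
          echo "Syncing with latest"
          # Rebase onto whatever landed on main since checkout. During a rebase
          # the sides are swapped: "theirs" is the commit being replayed, i.e.
          # our artifact commit, so `-X theirs` keeps the new artifacts on a
          # conflict. The previous `git pull -r -s ours` used the `ours`
          # *strategy*, which makes every replayed commit's tree equal to
          # upstream and therefore dropped the artifact commit whenever main
          # had moved (git-rebase documents this as "empties all patches").
          git pull --rebase -X theirs origin main
          echo "Pushing changes"
          # After a successful rebase this is a fast-forward; a plain push is
          # sufficient and cannot rewrite remote history.
          git push origin main
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7
        with:
          # 'always' / 'never', computed in UPLOAD_CODEQL.
          upload: ${{ env.UPLOAD_CODEQL }}
      - name: Upload build zip archive
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: build_zip
          path: ./target/*oscal-cli.zip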
  build-container:
    name: Container
    # Skip container build for fork PRs (no write access to org container registry)
    # NOTE(review): every other trigger (feature/** pushes, same-repo PRs,
    # merge_group, schedule) runs this with `push: true` and the write scopes
    # below; how the reusable workflow tags non-release images is not visible
    # from here — confirm in .github/workflows/container.yml.
    if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
    # Scopes handed to the reusable workflow: `packages: write` to push the
    # image, `id-token: write` and `attestations: write` presumably for
    # signing / build provenance — the called workflow decides what is used.
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write
    # Consumes the output of the Code job (build_zip artifact, presumably).
    needs: build-code
    uses: ./.github/workflows/container.yml
    with:
      push: true
| build-website: | |
| name: Website | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| actions: read | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 | |
| with: | |
| submodules: recursive | |
| filter: tree:0 | |
| # ------------------------- | |
| # Java Environment Setup | |
| # ------------------------- | |
| - name: Set up Maven | |
| uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 | |
| with: | |
| maven-version: ${{ env.MAVEN_VERSION }} | |
| - name: Set up JDK | |
| uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e | |
| with: | |
| java-version-file: ${{ env.JAVA_VERSION_FILE }} | |
| distribution: ${{ env.JAVA_DISTRO }} | |
| cache: 'maven' | |
| # ------------------------- | |
| # Maven Build | |
| # ------------------------- | |
| - name: Build and Test Website | |
| run: | | |
| mvn -B -e -PCI -Prelease install site site:stage -Dmaven.test.skip=true | |
| - name: Zip Artifacts for Upload | |
| run: | | |
| zip ${{ runner.temp }}/website.zip -r target/staging | |
| - name: Upload generated site | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f | |
| with: | |
| name: website | |
| path: | | |
| ${{ runner.temp }}/website.zip | |
| retention-days: 5 | |
| - id: linkchecker | |
| name: Link Checker | |
| uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 | |
| with: | |
| args: --verbose --no-progress --accept 200,206,429 './target/staging/**/*.html' --remap "https://github.com/metaschema-framework/oscal-cli/tree/develop/ file://${GITHUB_WORKSPACE}/" --remap "https://oscal-cli.metaschema.dev/ file://${GITHUB_WORKSPACE}/target/staging/" | |
| format: markdown | |
| output: html-link-report.md | |
| debug: true | |
| fail: true | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| continue-on-error: true | |
| - name: Upload link check report | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f | |
| with: | |
| name: html-link-report | |
| path: html-link-report.md | |
| retention-days: 5 | |
| - name: Create issue if bad links detected | |
| if: ${{ !cancelled() && env.lychee_exit_code != 0 && env.INPUT_ISSUE_ON_ERROR == 'true' }} | |
| uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 | |
| with: | |
| title: Scheduled Check of Website Content Found Bad Hyperlinks | |
| content-filepath: ./lychee/out.md | |
| labels: | | |
| bug | |
| documentation | |
| - name: Fail on link check error | |
| if: ${{ !cancelled() && env.lychee_exit_code != 0 && env.INPUT_FAIL_ON_ERROR == 'true' }} | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd | |
| with: | |
| script: | | |
| core.setFailed('Link checker detected broken or invalid links, read attached report.') |