77 changes: 36 additions & 41 deletions .github/workflows/ci-cd-java.yml
@@ -1,8 +1,6 @@
name: ci-cd-java.yml

permissions:
contents: read
packages: read
permissions: {}

on:
workflow_call:
Expand Down Expand Up @@ -32,15 +30,19 @@ env:
IMAGE_NAME_MIXED_CASE: "${{ github.repository }}"

jobs:
build-check-test-push:
name: Build, check, test, push
ci:
name: Build, check, test
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
clean: 'true'
fetch-depth: 2
persist-credentials: false

# Required since custom scripts from /scripts are being used
- name: Resolve shared workflow ref
Expand All @@ -66,6 +68,7 @@ jobs:
repository: HSLdevcom/transitdata-shared-workflows
ref: ${{ steps.resolve_shared_workflow_ref.outputs.shared_workflow_ref }}
path: .shared-workflows
persist-credentials: false

- name: Setup JDK
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
Expand Down Expand Up @@ -161,45 +164,44 @@ jobs:
name: 'app.jar'
path: '/app/app.jar'

release:
name: Build & push Docker image
needs: ci
if: >-
github.ref == 'refs/heads/main' ||
github.ref == 'refs/heads/develop' ||
github.ref == 'refs/heads/aks-dev' ||
startsWith(github.ref, 'refs/tags/') ||
inputs.performRelease == true
runs-on: ubuntu-latest
environment: docker-hub-release
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
clean: 'true'
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
persist-credentials: false

- name: Set Docker Image Name
env:
IMAGE_NAME_INPUT: ${{ inputs.imageName }}
run: |
OWNER="${GITHUB_REPOSITORY%%/*}"

if [[ -n "${{ inputs.imageName }}" ]]; then
IMAGE_NAME="${OWNER,,}/${{ inputs.imageName }}"
if [[ -n "${IMAGE_NAME_INPUT}" ]]; then
IMAGE_NAME="${OWNER,,}/${IMAGE_NAME_INPUT}"
else
IMAGE_NAME="${GITHUB_REPOSITORY,,}"
fi

echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"

- name: Build Docker Image
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: ${{ inputs.workingDirectory }}
push: 'false'
tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}'
secrets: |
github_token=${{ secrets.GITHUB_TOKEN }}
build-args:
GITHUB_ACTOR=${{ github.actor }}

- name: Check if perform release
id: perform_release
run: |
PERFORM_RELEASE=false
if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then
PERFORM_RELEASE=true
elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
PERFORM_RELEASE=true
elif [[ "${{ inputs.performRelease }}" == "true" ]]; then
PERFORM_RELEASE=true
fi
echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV
echo "Perform release: ${PERFORM_RELEASE}"
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Extract Docker metadata
if: ${{ env.PERFORM_RELEASE == 'true' }}
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
Expand All @@ -212,26 +214,19 @@ jobs:
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.vendor=hsldevcom

- name: Setup Docker Buildx
if: ${{ env.PERFORM_RELEASE == 'true' }}
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Login to Docker Hub
if: ${{ env.PERFORM_RELEASE == 'true' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }}
password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }}

- name: Build & Push Docker image
if: ${{ env.PERFORM_RELEASE == 'true' }}
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: ${{ inputs.workingDirectory }}
push: ${{ env.PERFORM_RELEASE }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
secrets: |
github_token=${{ secrets.GITHUB_TOKEN }}
build-args: |
GITHUB_ACTOR=${{ github.actor }}
github_actor=${{ github.actor }}
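Review bot: The `release` job passes `github_token=${{ secrets.GITHUB_TOKEN }}` into the Docker build, but its `permissions` block grants only `contents: read`, whereas the `ci` job keeps `packages: read`. If the callers' Dockerfiles use that token to resolve dependencies from GitHub Packages, the image build in `release` will likely fail authentication now that the workflow-level default is `permissions: {}`. Either add `packages: read` to the `release` job or, if the token is not needed there, drop the `github_token` secret from the build step so it is not exposed to the build. The Dockerfiles live in the calling repositories, so this cannot be confirmed from the diff.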
67 changes: 33 additions & 34 deletions .github/workflows/ci-cd-kotlin.yml
@@ -1,8 +1,6 @@
name: ci-cd-kotlin.yml

permissions:
contents: read
packages: read
permissions: {}

on:
workflow_call:
Expand Down Expand Up @@ -34,15 +32,19 @@ env:
IMAGE_NAME_MIXED_CASE: "${{ github.repository }}"

jobs:
build-check-test-push:
name: Build, check, test, push
ci:
name: Build, check, test
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
clean: 'true'
fetch-depth: 2
persist-credentials: false

# Required since custom scripts from /scripts are being used
- name: Resolve shared workflow ref
Expand All @@ -67,6 +69,7 @@ jobs:
repository: HSLdevcom/transitdata-shared-workflows
ref: ${{ env.SHARED_WORKFLOW_REF }}
path: .shared-workflows
persist-credentials: false

- name: Setup JDK
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
Expand All @@ -90,24 +93,24 @@ jobs:
if: ${{ inputs.runTestsInsideDocker }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_ACTOR_ARG: ${{ github.actor }}
GITHUB_ACTOR: ${{ github.actor }}
DOCKER_BUILDKIT: "1"
run: |
cat > /tmp/Dockerfile.test << DOCKERFILE
# syntax=docker/dockerfile:1
# check=error=true
FROM ${TEST_BASE_IMAGE}
WORKDIR /usr/app
ARG GITHUB_ACTOR=github-actions
COPY . .
RUN --mount=type=secret,id=github_token \
--mount=type=secret,id=github_actor \
export GITHUB_TOKEN="\$(cat /run/secrets/github_token)" && \
export GITHUB_ACTOR="\$GITHUB_ACTOR" && \
export GITHUB_ACTOR="\$(cat /run/secrets/github_actor)" && \
./gradlew test --stacktrace --no-daemon
DOCKERFILE
docker build \
--secret id=github_token,env=GITHUB_TOKEN \
--build-arg "GITHUB_ACTOR=${GITHUB_ACTOR_ARG}" \
--secret id=github_actor,env=GITHUB_ACTOR \
-f /tmp/Dockerfile.test \
.

Expand Down Expand Up @@ -153,36 +156,34 @@ jobs:
GITHUB_ACTOR: ${{ github.actor }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Lowercase Docker Image Name
run: |
echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}"
- name: Build Docker Image
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
release:
name: Build & push Docker image
needs: ci
if: >-
github.ref == 'refs/heads/main' ||
github.ref == 'refs/heads/develop' ||
github.ref == 'refs/heads/aks-dev' ||
startsWith(github.ref, 'refs/tags/') ||
inputs.performRelease == true
runs-on: ubuntu-latest
environment: docker-hub-release
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
context: .
push: 'false'
tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}'
clean: 'true'
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
persist-credentials: false

- name: Check if perform release
id: perform_release
- name: Lowercase Docker Image Name
run: |
PERFORM_RELEASE=false
if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then
PERFORM_RELEASE=true
elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
PERFORM_RELEASE=true
elif [[ "${{ inputs.performRelease }}" == "true" ]]; then
PERFORM_RELEASE=true
fi
echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV
echo "Perform release: ${PERFORM_RELEASE}"
echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}"

- name: Setup Docker Buildx
if: env.PERFORM_RELEASE == 'true'
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Extract Docker metadata
if: env.PERFORM_RELEASE == 'true'
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
Expand All @@ -196,17 +197,15 @@ jobs:
org.opencontainers.image.vendor=hsldevcom

- name: Login to Docker Hub
if: env.PERFORM_RELEASE == 'true'
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }}
password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }}

- name: Build & Push Docker image
if: env.PERFORM_RELEASE == 'true'
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
push: ${{ env.PERFORM_RELEASE }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
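Review bot: `environment: docker-hub-release` on the `release` job only gates the push if that environment exists with protection rules in every calling repository. A reusable workflow's jobs run in the caller's context, and GitHub creates a missing environment on first use with no required reviewers or branch restrictions. I would add a comment above the key, e.g. `# Callers must pre-create the docker-hub-release environment with required reviewers and deployment branch rules`, and state the same requirement in the README. The same applies to the `release` job in ci-cd-java.yml. Whether the Docker Hub credentials are environment-scoped or passed in by the caller is not visible in this section.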