chore: Add SECURITY.md (#5768) #359
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build CI | |
| on: | |
| push: | |
| branches: [ 'main', 'build/**', 'release/v*' ] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| server: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup JDK 11 | |
| id: setup-java-11 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '11' | |
| - name: Setup JDK 17 | |
| id: setup-java-17 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '17' | |
| - name: Set JAVA_HOME | |
| run: echo "JAVA_HOME=${{ steps.setup-java-11.outputs.path }}" >> $GITHUB_ENV | |
| - name: Setup gradle properties | |
| run: | | |
| .github/scripts/gradle-properties.sh >> gradle.properties | |
| cat gradle.properties | |
| - name: Get Semver | |
| id: semver | |
| if: ${{ startsWith(github.ref, 'refs/heads/release/v') }} | |
| run: | | |
| semver=$(echo ${{ github.ref }} | tail -c +21) | |
| echo "semver=$semver" >> $GITHUB_OUTPUT | |
| - name: Docker meta server | |
| id: docker_meta_server | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ghcr.io/${{ github.repository_owner }}/server-netty | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=edge,branch=main | |
| type=raw,priority=950,enable=${{ startsWith(github.ref, 'refs/heads/release/v') }},value=${{ steps.semver.outputs.semver }} | |
| type=raw,enable=${{ startsWith(github.ref, 'refs/heads/release/v0.19.') }},value=latest | |
| type=ref,event=branch | |
| - name: Docker meta server slim | |
| id: docker_meta_server_slim | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ghcr.io/${{ github.repository_owner }}/server-slim-netty | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=edge,branch=main | |
| type=raw,priority=950,enable=${{ startsWith(github.ref, 'refs/heads/release/v') }},value=${{ steps.semver.outputs.semver }} | |
| type=raw,enable=${{ startsWith(github.ref, 'refs/heads/release/v0.19.') }},value=latest | |
| type=ref,event=branch | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| install: true | |
| driver: docker | |
| - name: Login to ghcr.io | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create Dockerfile and context | |
| uses: burrunan/gradle-cache-action@v1 | |
| with: | |
| job-id: build-server | |
| arguments: --scan outputVersion docker-server-slim:prepareDocker docker-server:prepareDockerAll | |
| gradle-version: wrapper | |
| - name: Get Deephaven Version | |
| id: deephaven_version | |
| run: | | |
| echo "deephaven_version=$(cat build/version)" >> $GITHUB_OUTPUT | |
| # TODO: switch to new GitHub cache backend when available | |
| # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#github-cache | |
| # https://github.com/docker/buildx/pull/535 | |
| - name: Docker build server | |
| uses: docker/build-push-action@v6 | |
| with: | |
| build-args: | | |
| BASE=deephaven/server-base:local-build | |
| SERVER=server-netty | |
| DEEPHAVEN_VERSION=${{ steps.deephaven_version.outputs.deephaven_version }} | |
| tags: ${{ steps.docker_meta_server.outputs.tags }} | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: ./docker/server/build/context/ | |
| push: false | |
| # Note: server-slim does not need BASE/SERVER build-args like the other server images | |
| - name: Docker build server slim | |
| uses: docker/build-push-action@v6 | |
| with: | |
| build-args: | | |
| DEEPHAVEN_VERSION=${{ steps.deephaven_version.outputs.deephaven_version }} | |
| tags: ${{ steps.docker_meta_server_slim.outputs.tags }} | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: ./docker/server-slim/build/context/ | |
| push: false | |
| web-plugin-packager: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Get Semver | |
| id: semver | |
| if: ${{ startsWith(github.ref, 'refs/heads/release/v') }} | |
| run: | | |
| semver=$(echo ${{ github.ref }} | tail -c +21) | |
| echo "semver=$semver" >> $GITHUB_OUTPUT | |
| - name: Docker meta | |
| id: docker_meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/web-plugin-packager | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=edge,branch=main | |
| type=raw,priority=950,enable=${{ startsWith(github.ref, 'refs/heads/release/v') }},value=${{ steps.semver.outputs.semver }} | |
| type=raw,enable=${{ startsWith(github.ref, 'refs/heads/release/v0.19.') }},value=latest | |
| type=ref,event=branch | |
| - name: Setup JDK 11 | |
| id: setup-java-11 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '11' | |
| - name: Set JAVA_HOME | |
| run: echo "JAVA_HOME=${{ steps.setup-java-11.outputs.path }}" >> $GITHUB_ENV | |
| - name: Setup gradle properties | |
| run: | | |
| .github/scripts/gradle-properties.sh >> gradle.properties | |
| cat gradle.properties | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| install: true | |
| driver: docker | |
| - name: Login to ghcr.io | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create Dockerfile and context | |
| uses: burrunan/gradle-cache-action@v1 | |
| with: | |
| job-id: build-web | |
| arguments: --scan outputVersion docker-web-plugin-packager:prepareDocker | |
| gradle-version: wrapper | |
| - name: Get Deephaven Version | |
| id: deephaven_version | |
| run: | | |
| echo "deephaven_version=$(cat build/version)" >> $GITHUB_OUTPUT | |
| - name: Docker build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| build-args: | | |
| DEEPHAVEN_VERSION=${{ steps.deephaven_version.outputs.deephaven_version }} | |
| tags: ${{ steps.docker_meta.outputs.tags }} | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: ./docker/web-plugin-packager/build/context/ | |
| push: false | |
| ### Notes about `driver: docker` | |
| ### | |
| ### By default, the driver used is `docker-container`. This does not allow the Dockerfile to | |
| ### reference images that were built in earlier steps. Since our server and web Dockerfiles | |
| ### reference earlier images (built during the gradle step), we need to change the driver to | |
| ### `docker`. | |
| ### | |
| ### See https://github.com/docker/buildx/blob/master/docs/reference/buildx_create.md#driver |