feat: Fiscal code is now protected with encryption (by means of Azure Key Vaule) instead of PDV. #36
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Post-merge workflow | |
on: | |
pull_request: | |
types: | |
- closed | |
branches: | |
- main | |
jobs: | |
post_merge: | |
if: github.event.pull_request.merged == true | |
runs-on: ubuntu-latest | |
environment: dev-cd | |
permissions: | |
id-token: write | |
packages: write | |
contents: write | |
steps: | |
# | |
# Checkout the source code. | |
# | |
- name: Checkout the source code | |
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | |
with: | |
token: ${{ secrets.GIT_PAT }} | |
fetch-depth: 0 | |
# | |
# Calculate of the new version (dry-run). | |
# | |
- name: Calculate of the new version (dry-run) | |
uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d | |
id: semantic | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
semantic_version: 19 | |
branch: main | |
extra_plugins: | | |
@semantic-release/release-notes-generator@10.0.3 | |
@semantic-release/git@10.0.1 | |
dry_run: true | |
# | |
# Cache JDK. | |
# | |
- name: Cache JDK | |
if: steps.semantic.outputs.new_release_published == 'true' | |
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 | |
id: cache-jdk | |
with: | |
key: OpenJDK21U-jdk_x64_linux_hotspot_21.0.2_13.tar.gz | |
path: | | |
${{ runner.temp }}/jdk_setup.tar.gz | |
${{ runner.temp }}/jdk_setup.sha256 | |
# | |
# Download JDK and verify its hash. | |
# | |
- name: Download JDK and verify its hash | |
if: steps.semantic.outputs.new_release_published == 'true' && steps.cache-jdk.outputs.cache-hit != 'true' | |
run: | | |
echo "454bebb2c9fe48d981341461ffb6bf1017c7b7c6e15c6b0c29b959194ba3aaa5 ${{ runner.temp }}/jdk_setup.tar.gz" >> ${{ runner.temp }}/jdk_setup.sha256 | |
curl -L "https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.2%2B13/OpenJDK21U-jdk_x64_linux_hotspot_21.0.2_13.tar.gz" -o "${{ runner.temp }}/jdk_setup.tar.gz" | |
sha256sum --check --status "${{ runner.temp }}/jdk_setup.sha256" | |
# | |
# Setup JDK. | |
# | |
- name: Setup JDK | |
if: steps.semantic.outputs.new_release_published == 'true' | |
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 | |
with: | |
distribution: "jdkfile" | |
jdkFile: "${{ runner.temp }}/jdk_setup.tar.gz" | |
java-version: "21" | |
cache: maven | |
# | |
# Cache Maven. | |
# | |
- name: Cache Maven | |
if: steps.semantic.outputs.new_release_published == 'true' | |
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 | |
id: cache-maven | |
with: | |
key: apache-maven-3.9.6-bin.tar.gz | |
path: | | |
${{ runner.temp }}/maven_setup.tar.gz | |
${{ runner.temp }}/maven_setup.sha256 | |
# | |
# Download Maven and verify its hash. | |
# | |
- name: Download Maven and verify its hash | |
if: steps.semantic.outputs.new_release_published == 'true' && steps.cache-maven.outputs.cache-hit != 'true' | |
run: | | |
echo "6eedd2cae3626d6ad3a5c9ee324bd265853d64297f07f033430755bd0e0c3a4b ${{ runner.temp }}/maven_setup.tar.gz" >> ${{ runner.temp }}/maven_setup.sha256 | |
curl -L "https://archive.apache.org/dist/maven/maven-3/3.9.6/binaries/apache-maven-3.9.6-bin.tar.gz" -o "${{ runner.temp }}/maven_setup.tar.gz" | |
sha256sum --check --status "${{ runner.temp }}/maven_setup.sha256" | |
# | |
# Setup Maven. | |
# | |
- name: Setup Maven | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: | | |
mkdir ${{ runner.temp }}/maven | |
tar -xvf ${{ runner.temp }}/maven_setup.tar.gz -C ${{ runner.temp }}/maven --strip-components=1 | |
echo "<settings><servers><server><id>github</id><username>${{ secrets.GIT_USER }}</username><password>${{ secrets.GIT_PAT }}</password></server></servers></settings>" >> ${{ runner.temp }}/settings.xml | |
# | |
# RELEASE CANDIDATE - Update of pom.xml with the new version. | |
# | |
- name: RELEASE CANDIDATE - Update of pom.xml with the new version | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: ${{ runner.temp }}/maven/bin/mvn versions:set -DnewVersion=${{ steps.semantic.outputs.new_release_version }}-RC -s ${{ runner.temp }}/settings.xml --no-transfer-progress | |
# | |
# RELEASE CANDIDATE - Execute unit-test + Calculate test coverage + SCA with Sonar. | |
# | |
- name: RELEASE CANDIDATE - Execute unit-test + Calculate test coverage + SCA with Sonar | |
if: steps.semantic.outputs.new_release_published == 'true' | |
env: | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
run: ${{ runner.temp }}/maven/bin/mvn verify -Pvalidate -s ${{ runner.temp }}/settings.xml --no-transfer-progress | |
# | |
# RELEASE CANDIDATE - Build native executable. | |
# | |
- name: RELEASE CANDIDATE - Build native executable | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: ${{ runner.temp }}/maven/bin/mvn clean package -Pnative -Dmaven.test.skip=true -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel-builder-image@sha256:ce70e1a8016471ff0fc9c8f048cd9e37afddacd3de37ed0bca74201d102e45f5 -s ${{ runner.temp }}/settings.xml --no-transfer-progress | |
# | |
# RELEASE CANDIDATE - Build Docker image. | |
# | |
- name: RELEASE CANDIDATE - Build Docker image | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:${{ steps.semantic.outputs.new_release_version }}-RC . | |
# | |
# RELEASE CANDIDATE - Push Docker image. | |
# | |
- name: RELEASE CANDIDATE - Push Docker image | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: | | |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
docker push -a ghcr.io/${{ github.repository }} | |
# | |
# Login to Azure. | |
# | |
- name: Login to Azure | |
if: steps.semantic.outputs.new_release_published == 'true' | |
uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
# | |
# RELEASE CANDIDATE - Update Container App + OpenAPI descriptor on APIM | |
# | |
- name: RELEASE CANDIDATE - Update Container App + OpenAPI descriptor on APIM | |
if: steps.semantic.outputs.new_release_published == 'true' | |
uses: azure/CLI@fa0f960f00db49b95fdb54328a767aee31e80105 | |
with: | |
inlineScript: | | |
az config set extension.use_dynamic_install=yes_without_prompt | |
az containerapp update -n ${{ secrets.AZURE_CONTAINER_APP_NAME }} -g ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} -i ghcr.io/${{ github.repository }}:${{ steps.semantic.outputs.new_release_version }}-RC | |
API_DATA=$(az apim api show --resource-group ${{ secrets.AZURE_APIM_RESOURCE_GROUP }} --service-name ${{ secrets.AZURE_APIM_NAME }} --api-id ${{ secrets.AZURE_APIM_API_ID }} --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} --query "{path:path, serviceUrl:serviceUrl}") | |
API_PATH=$(echo $API_DATA | jq -r '.path') | |
API_SERVICE_URL=$(echo $API_DATA | jq -r '.serviceUrl') | |
az apim api import \ | |
--resource-group ${{ secrets.AZURE_APIM_RESOURCE_GROUP }} \ | |
--service-name ${{ secrets.AZURE_APIM_NAME }} \ | |
--api-id ${{ secrets.AZURE_APIM_API_ID }} \ | |
--specification-format OpenApi \ | |
--specification-path src/main/resources/META-INF/openapi.yaml \ | |
--path $API_PATH \ | |
--service-url $API_SERVICE_URL \ | |
--subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
# | |
# Install Node. | |
# | |
- name: Install Node | |
if: steps.semantic.outputs.new_release_published == 'true' | |
uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c | |
with: | |
node-version: "18.16.0" | |
# | |
# Install Newman. | |
# | |
- name: Install Newman | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: npm install -g newman | |
# | |
# Run Postman collection. | |
# | |
- name: Run Postman collection | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: newman run src/test/postman/mil-auth.postman_collection.json -e src/test/postman/dev.postman_environment.json | |
# | |
# STABLE - Update of pom.xml with the new version. | |
# | |
- name: STABLE - Update of pom.xml with the new version | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: | | |
${{ runner.temp }}/maven/bin/mvn versions:set -DnewVersion=${{ steps.semantic.outputs.new_release_version }} -s ${{ runner.temp }}/settings.xml --no-transfer-progress | |
git config user.name "GitHub Workflow" | |
git config user.email "<>" | |
git add pom.xml | |
git commit -m "pom.xml updated with new version ${{ steps.semantic.outputs.new_release_version }}" | |
git push origin main | |
# | |
# Calculation of the new version (again) with tagging + releasing + etc. | |
# | |
- name: Calculation of the new version (w/o dry_run) and put tag | |
if: steps.semantic.outputs.new_release_published == 'true' | |
uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
semantic_version: 19 | |
branch: main | |
extra_plugins: | | |
@semantic-release/release-notes-generator@10.0.3 | |
@semantic-release/git@10.0.1 | |
dry_run: false | |
# | |
# STABLE - Build native executable. | |
# | |
- name: STABLE - Build native executable | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: ${{ runner.temp }}/maven/bin/mvn clean package -Pnative -Dmaven.test.skip=true -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel-builder-image@sha256:ce70e1a8016471ff0fc9c8f048cd9e37afddacd3de37ed0bca74201d102e45f5 -s ${{ runner.temp }}/settings.xml --no-transfer-progress | |
# | |
# STABLE - Build Docker image. | |
# | |
- name: STABLE - Build Docker image | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:latest -t ghcr.io/${{ github.repository }}:${{ steps.semantic.outputs.new_release_version }} . | |
# | |
# STABLE - Push Docker image. | |
# | |
- name: STABLE - Push Docker image | |
if: steps.semantic.outputs.new_release_published == 'true' | |
run: | | |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
docker push -a ghcr.io/${{ github.repository }} | |
# | |
# STABLE - Update Container App. | |
# | |
- name: STABLE - Update Container App | |
if: steps.semantic.outputs.new_release_published == 'true' | |
uses: azure/CLI@fa0f960f00db49b95fdb54328a767aee31e80105 | |
with: | |
inlineScript: | | |
az config set extension.use_dynamic_install=yes_without_prompt | |
az containerapp update -n ${{ secrets.AZURE_CONTAINER_APP_NAME }} -g ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} -i ghcr.io/${{ github.repository }}:${{ steps.semantic.outputs.new_release_version }} |