Bump the java-production-dependencies group across 1 directory with 3… #2587
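# CI pipeline: runs frontend and backend tests with SonarCloud analysis, builds
# one native container image per architecture, joins them into an attested
# multi-arch manifest on GHCR, and hands the resulting versions to the Helm
# chart workflow.
name: CI Build

on:
  push:
  # pull_request_target runs in the context of the base repository: repository
  # secrets are available to the jobs. None of the checkout steps below sets
  # `ref:`, so they check out the base commit rather than the pull request's
  # head. Keep it that way, or move the secrets out of any job that is changed
  # to build PR-authored code.
  # NOTE(review): no job condition looks at the label name, so any label added
  # to a pull request starts a run.
  pull_request_target:
    types: [labeled]

env:
  # Quoted so the values stay strings regardless of the YAML parser.
  NODE_VERSION: '22'
  JAVA_VERSION: '25'

defaults:
  run:
    shell: bash

jobs:
  test:
    name: Run Tests
    runs-on: ubuntu-latest
    # gate for dependabot issue, see https://github.com/cryptomator/hub/pull/459
    if: ${{ !(startsWith(github.head_ref, 'dependabot/npm_and_yarn/') || startsWith(github.ref_name, 'dependabot/npm_and_yarn/')) }}
    # NOTE(review): unlike the image jobs below, this job declares no
    # `permissions:` block, so GITHUB_TOKEN carries the repository's default
    # scopes here. Consider an explicit read-only block once the scopes the
    # SonarCloud steps need are confirmed.
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: frontend/package.json
      # Runs before any dependency is installed.
      - name: Check lockfile integrity
        working-directory: frontend
        run: bash scripts/check-lockfile.sh
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'pnpm'
          cache-dependency-path: frontend/pnpm-lock.yaml
      # --frozen-lockfile makes the install fail instead of rewriting the lockfile.
      - name: pnpm install
        working-directory: frontend
        run: pnpm install --frozen-lockfile
      - name: Build and test frontend
        working-directory: frontend
        run: pnpm run test:coverage
      - name: Deploy frontend
        working-directory: frontend
        run: pnpm run dist
      - name: SonarCloud Scan Frontend
        uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995 # v8.1.0
        with:
          projectBaseDir: frontend
          args: >
            -Dsonar.organization=cryptomator
            -Dsonar.projectKey=cryptomator_hub_frontend
            -Dsonar.typescript.tsconfigPath=tsconfig.json
            -Dsonar.sources=src/
            -Dsonar.tests=test/
            -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin'
          java-version: ${{ env.JAVA_VERSION }}
          cache: 'maven'
      - name: Cache SonarCloud packages
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      # Both tokens are in the environment of the whole Maven build, so every
      # plugin and test executed by this step can read them.
      - name: Build and test backend
        working-directory: backend
        run: >
          ./mvnw -B clean verify
          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.projectKey=cryptomator_hub_backend
          -Dsonar.organization=cryptomator
          -Dsonar.host.url=https://sonarcloud.io
          --no-transfer-progress
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  build-native-image:
    name: Build and Push ${{ matrix.arch }} Image
    needs: test
    # Runs for tag refs, or when the pushed head commit message contains
    # '[build image]'.
    if: startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[build image]')
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            platform: linux/amd64
            arch: amd64
          - os: ubuntu-24.04-arm
            platform: linux/arm64
            arch: arm64
    runs-on: ${{ matrix.os }}
    outputs:
      digest_amd64: ${{ steps.digest.outputs.digest_amd64 }}
      digest_arm64: ${{ steps.digest.outputs.digest_arm64 }}
    permissions:
      contents: read # Required for checkout
      packages: write # Required for pushing the image to GHCR
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: frontend/package.json
      - name: Check lockfile integrity
        working-directory: frontend
        run: bash scripts/check-lockfile.sh
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'pnpm'
          cache-dependency-path: frontend/pnpm-lock.yaml
      - name: pnpm install
        working-directory: frontend
        run: pnpm install --frozen-lockfile
      - name: Deploy frontend
        working-directory: frontend
        run: pnpm run dist
      # The version is the last path segment of the ref. The expansion is quoted
      # so the ref name reaches Maven as one argument, without word splitting or
      # globbing. This step also runs for '[build image]' branch builds, where
      # the segment comes from the branch name.
      - name: Ensure to use tagged version
        working-directory: backend
        run: ./mvnw versions:set --file pom.xml -DnewVersion="${GITHUB_REF##*/}"
      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
        with:
          images: ghcr.io/cryptomator/hub
          tags: |
            type=sha,prefix=,format=short
          flavor: |
            suffix=-${{ matrix.arch }}
          labels: |
            org.opencontainers.image.title=Cryptomator Hub
            org.opencontainers.image.vendor=Skymatic GmbH
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
      - name: Login to GHCR
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and Push Container Image
        id: push
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: backend
          file: backend/src/main/docker/Dockerfile.native
          platforms: ${{ matrix.platform }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          push: true
      # Expression values are handed over through env rather than pasted into
      # the script text, so the shell treats them as data.
      - name: Export Digest
        id: digest
        env:
          ARCH: ${{ matrix.arch }}
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          echo "digest_${ARCH}=${DIGEST}" >> "$GITHUB_OUTPUT"

  multi-arch-image:
    name: Build and Push Multi-Arch Image
    needs: build-native-image
    runs-on: ubuntu-latest
    outputs:
      app_version: ${{ steps.version.outputs.app_version }}
      chart_version: ${{ steps.version.outputs.chart_version }}
    permissions:
      contents: read # Required for checkout
      id-token: write # Required for the attestations step
      attestations: write # Required for the attestations step
      artifact-metadata: write # Required for the attestations step
      packages: write # Required for pushing the image to GHCR
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
      - name: Determine versions
        id: version
        run: |
          set -euo pipefail
          short_sha="${GITHUB_SHA::7}"
          if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
            version="${GITHUB_REF_NAME#v}"
            # Tag names can contain shell metacharacters and these values flow into later `run:` interpolations,
            # so allow only OCI-tag-safe characters and fail fast otherwise.
            if [[ ! "$version" =~ ^[0-9A-Za-z._-]+$ ]]; then
              echo "::error::Refusing unsafe version '${version}' derived from tag '${GITHUB_REF_NAME}' (allowed: [0-9A-Za-z._-])" >&2
              exit 1
            fi
            app_version="$version"
            chart_version="$version"
          else
            app_version="$short_sha"
            chart_version="0.0.0-${short_sha}"
          fi
          echo "short_sha=${short_sha}" >> "$GITHUB_OUTPUT"
          echo "app_version=${app_version}" >> "$GITHUB_OUTPUT"
          echo "chart_version=${chart_version}" >> "$GITHUB_OUTPUT"
      - name: Login to GHCR
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # The version and digests arrive as environment variables, so the script
      # no longer relies solely on the character check in "Determine versions".
      - name: Create Multi-Arch Manifest for ghcr.io/cryptomator/hub:${{ steps.version.outputs.app_version }}
        env:
          APP_VERSION: ${{ steps.version.outputs.app_version }}
          SHORT_SHA: ${{ steps.version.outputs.short_sha }}
          DIGEST_AMD64: ${{ needs.build-native-image.outputs.digest_amd64 }}
          DIGEST_ARM64: ${{ needs.build-native-image.outputs.digest_arm64 }}
        run: >
          docker buildx imagetools create
          --tag "ghcr.io/cryptomator/hub:${APP_VERSION}"
          --tag "ghcr.io/cryptomator/hub:${SHORT_SHA}"
          "ghcr.io/cryptomator/hub@${DIGEST_AMD64}"
          "ghcr.io/cryptomator/hub@${DIGEST_ARM64}"
      - name: Retrieve Multi-Arch Digest
        id: inspect
        env:
          APP_VERSION: ${{ steps.version.outputs.app_version }}
        run: |
          DIGEST=$(docker buildx imagetools inspect "ghcr.io/cryptomator/hub:${APP_VERSION}" --format "{{json .Manifest}}" | jq -r .digest)
          # jq prints "null" when the field is missing; stop here rather than
          # hand a placeholder to the attestation step.
          if [[ ! "$DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "::error::Unexpected manifest digest '${DIGEST}' for ghcr.io/cryptomator/hub:${APP_VERSION}" >&2
            exit 1
          fi
          echo "digest_multiarch=${DIGEST}" >> "$GITHUB_OUTPUT"
      # The attestation is bound to the manifest digest read back from the
      # registry, not to a tag.
      - name: Generate artifact attestation
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-name: ghcr.io/cryptomator/hub
          subject-digest: ${{ steps.inspect.outputs.digest_multiarch }}
          push-to-registry: true

  publish-helm-chart:
    name: Publish Helm Chart
    needs: multi-arch-image
    uses: ./.github/workflows/helm-chart.yml
    with:
      appVersion: ${{ needs.multi-arch-image.outputs.app_version }}
      version: ${{ needs.multi-arch-image.outputs.chart_version }}
    permissions:
      contents: read
      id-token: write
      attestations: write
      artifact-metadata: write
      packages: write
    # NOTE(review): `inherit` makes every secret available to this workflow
    # visible to helm-chart.yml; consider passing only the secrets it names
    # (that file is not shown here, so confirm which ones it reads).
    secrets: inherit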