.github/workflows/commit-stage.yml

name: Commit Stage
on: push

jobs:
  build:
    name: Build and Test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        project: [
          mall-catalog,
          mall-config,
          mall-dispatcher,
          mall-edge,
          mall-order
        ]
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
          cache: gradle
      - name: Code vulnerability scanning
        uses: anchore/scan-action@v3
        id: scan
        with:
          path: "${{ github.worspace }}"
          fail-build: false
          severity-cutoff: high
          acs-report-enable: true
      - name: Upload vulnerability report
        uses: github/codeql-action/upload-sarif@v3
        if: success() || failure()
        with:
          sarif_file: "${{ steps.scan.outputs.sarif }}"
      - name: Build, unit tests and integration tests
        run: |
          chmod +x gradlew
          ./gradlew :${{ matrix.project }}:build
      - name: Setup tools
        uses: alexellis/setup-arkade@v3
      - name: Install tools
        uses: alexellis/arkade-get@master
        with:
          kustomize: latest
          kubeconform: latest
      - name: Validate Kubernetes manifests
        run: |
          kustomize build ${{ matrix.project }}/k8s | kubeconform --strict -
  package:
    name: Package and Publish
    if: ${{ github.ref == 'refs/heads/main' }}
    needs: [ build ]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        project: [
          mall-catalog,
          mall-config,
          mall-dispatcher,
          mall-edge,
          mall-order
        ]
    steps:
      - name: checkout source code
        uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
          cache: gradle
      - name: Build container image
        run: |
          chmod +x gradlew
          ./gradlew :${{ matrix.project }}:bootBuildImage \
          --imageName ghcr.io/arch/${{ matrix.project }}:${{github.sha}}
      - name: OCI image vulnerability scanning
        uses: anchore/scan-action@v3
        id: scan
        with:
          image: ghcr.io/arch/${{ matrix.project }}:${{github.sha}}
          fail-build: false
          severity-cutoff: high
          acs-report-enable: true
      - name: Upload vulnerability report
        uses: github/codeql-action/upload-sarif@v3
        if: success() || failure()
        with:
          sarif_file: "${{ steps.scan.outputs.sarif }}"
      - name: Log into container registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish container image
        run: docker push ghcr.io/arch/${{ matrix.project }}:${{ github.sha }}
      - name: Publish container image (latest)
        run: |
          docker tag ghcr.io/arch/${{ matrix.project }}:${{ github.sha }} \
            ghcr.io/arch/${{ matrix.project }}:latest
          docker push ghcr.io/arch/${{ matrix.project }}:latest