upload, download y docker login #65
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Workflow | |
| on: | |
| push: | |
| branches: | |
| - feature-clase1 | |
| jobs: | |
| SAST: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v3 | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v2 | |
| with: | |
| java-version: '17' | |
| distribution: 'adopt' | |
| - name: Set Environment Variables | |
| run: echo "BRANCH_NAME=${{ github.ref_name }}" >> $GITHUB_ENV | |
| - name: Validate and Configure build.gradle | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| run: | | |
| if [ -f "build.gradle" ]; then | |
| echo "Encontró el archivo" | |
| echo "Verificando configuracion del plugin sonar" | |
| if ! grep -q 'id "org.sonarqube" version "3.3"' build.gradle; then | |
| echo "No se encuentra Plugin configurado" | |
| sed -i '/id '\''java'\''/a \ \ \ \ id '\''org.sonarqube'\'' version '\''3.3'\''' build.gradle | |
| echo "Plugin de Sonarcloud acaba de ser añadido a build.gradle" | |
| cat build.gradle | |
| else | |
| echo "Plugin de sonarcloud ya está configurado en build.gradle" | |
| fi | |
| else | |
| echo "no se encontró archivo build.gradle" | |
| exit 1 | |
| fi | |
| - name: Validando existencia de proyecto en SonarCloud | |
| id: validateProjectOnSonar | |
| run: | | |
| #pwd | |
| #ls -R | |
| set +e | |
| echo "Siguiente" | |
| #curl -f -X POST -u '${{ secrets.SONAR_TOKEN }}:' 'https://sonarcloud.io/api/projects/create' -d 'name=${{ github.event.repository.name }}' -d 'project=${{ github.event.repository.name }}' -d 'organization=devsecopsusach' -d 'visibility=public' | |
| #if [ $? -ne 0 ]; then | |
| # echo "Proyecto ya existe en Sonarcloud" | |
| # echo "project_created=false" >> $GITHUB_ENV | |
| #else | |
| # echo "Proyecto ${{ github.event.repository.name }} creado exitosamente en Sonarcloud" | |
| # | |
| # echo "Se establece rama main como rama por defecto" | |
| # curl -X POST -u '${{ secrets.SONAR_TOKEN }}:' 'https://sonarcloud.io/api/project_branches/rename' -d 'name=main' -d 'project=${{ github.event.repository.name }}' | |
| # echo "project_created=true" >> $GITHUB_ENV | |
| #fi | |
| #set -e | |
| # name: Validate or Create SonarCloud Project | |
| # id: validate-project | |
| # env: | |
| # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| # REPO_NAME: ${{ github.event.repository.name }} | |
| # run: | | |
| # echo "Verificando si el proyecto $REPO_NAME existe en SonarCloud..." | |
| # response=$(curl -s -o /dev/null -w "%{http_code}" -u "$SONAR_TOKEN:" \ | |
| # "https://sonarcloud.io/api/projects/search?projects=$REPO_NAME") | |
| # if [ "$response" -ne 200 ]; then | |
| # echo "El proyecto no existe. Creándolo en SonarCloud..." | |
| # create_response=$(curl -s -w "%{http_code}" -o /dev/null -X POST -u "$SONAR_TOKEN:" \ | |
| # "https://sonarcloud.io/api/projects/create" \ | |
| # -d "name=$REPO_NAME" \ | |
| # -d "project=$REPO_NAME" \ | |
| # -d "organization=devsecopsusach" \ | |
| # -d "visibility=public") | |
| # if [ "$create_response" -ne 201 ]; then | |
| # echo "¨Proyecto creado exitosamente (HTTP $create_response)." | |
| # fi | |
| # echo "Estableciendo la rama main como predeterminada..." | |
| # curl -s -f -X POST -u "$SONAR_TOKEN:" \ | |
| # "https://sonarcloud.io/api/project_branches/rename" \ | |
| # -d "name=main" \ | |
| # -d "project=$REPO_NAME" | |
| # echo "project_created=true" >> $GITHUB_ENV | |
| # else | |
| # echo "El proyecto ya existe en SonarCloud." | |
| # echo "project_created=false" >> $GITHUB_ENV | |
| # fi | |
| - name: Enable execution gradlew | |
| run: | | |
| chmod 777 gradlew | |
| - name: Perform Initial Analysis (if Project Created) | |
| if: env.project_created == 'true' | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| REPO_NAME: ${{ github.event.repository.name }} | |
| run: | | |
| echo "Realizando análisis inicial en la rama main..." | |
| ./gradlew sonarqube \ | |
| -Dsonar.projectKey=$REPO_NAME \ | |
| -Dsonar.organization=devsecopsusach \ | |
| -Dsonar.host.url=https://sonarcloud.io \ | |
| -Dsonar.token=$SONAR_TOKEN \ | |
| -Dsonar.branch.name=main | |
| - name: Perform Branch Analysis | |
| if: env.project_created == 'false' | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| REPO_NAME: ${{ github.event.repository.name }} | |
| BRANCH_NAME: ${{ github.ref_name }} | |
| run: | | |
| echo "Realizando análisis en la rama actual: $BRANCH_NAME..." | |
| ./gradlew sonarqube \ | |
| -Dsonar.projectKey=$REPO_NAME \ | |
| -Dsonar.organization=devsecopsusach \ | |
| -Dsonar.host.url=https://sonarcloud.io \ | |
| -Dsonar.token=$SONAR_TOKEN \ | |
| -Dsonar.branch.name=${{ github.ref_name }} | |
| - name: Validate Quality Gate | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| REPO_NAME: ${{ github.event.repository.name }} | |
| run: | | |
| echo "Validando el estado del Quality Gate..." | |
| analysisId=$(curl -s -u "$SONAR_TOKEN:" \ | |
| "https://sonarcloud.io/api/ce/component?component=$REPO_NAME" | jq -r '.current.analysisId') | |
| qualityGateStatus=$(curl -s -u "$SONAR_TOKEN:" \ | |
| "https://sonarcloud.io/api/qualitygates/project_status?analysisId=$analysisId" | jq -r '.projectStatus.status') | |
| if [ "$qualityGateStatus" != "OK" ]; then | |
| echo "El proyecto no cumple con el Quality Gate: $qualityGateStatus." | |
| echo "Verificando vulnerabilidades críticas..." | |
| vulnerabilities=$(curl -s -u "$SONAR_TOKEN:" \ | |
| "https://sonarcloud.io/api/issues/search?componentKeys=$REPO_NAME&types=VULNERABILITY&severities=CRITICAL,BLOCKER" | jq -r '.total') | |
| if [ "$vulnerabilities" -gt 0 ]; then | |
| echo "Se encontraron $vulnerabilities vulnerabilidades críticas. El proyecto no cumple con los estándares de seguridad." | |
| #exit 1 | |
| fi | |
| else | |
| echo "El proyecto cumple con el Quality Gate y no tiene vulnerabilidades críticas. Continuando sin problemas." | |
| fi | |
| SCA: | |
| needs: SAST | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Build | |
| run: | | |
| if [ -f "build.gradle" ]; then | |
| echo "Proyecto utiliza archivo build.gradle" | |
| echo "Se habilita permiso de ejecución de archivo gradlew" | |
| chmod 777 gradlew | |
| ./gradlew build | |
| ls -R | |
| else | |
| echo "Otro tipo de proyecto" | |
| fi | |
| - name: Dependency Check | |
| uses: dependency-check/[email protected] | |
| env: | |
| JAVA_HOME: /opt/jdk | |
| id: Depcheck | |
| with: | |
| project: '${{ github.event.repository.name }}' | |
| path: '.' | |
| format: 'HTML' | |
| args: > | |
| --out ./reports | |
| --failOnCVSS 7 | |
| --enableRetired | |
| - name: Upload Test Result | |
| uses: actions/upload-artifact@master | |
| with: | |
| name: Depcheck Report | |
| path: ./reports | |
| - name: Upload JAR | |
| uses: actions/upload-artifact@master | |
| with: | |
| name: JAR | |
| path: ${{github.workspace}}/build/libs/spring-petclinic-2.6.0.jar | |
| DockerBuild: | |
| needs: SCA | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Docker Login | |
| uses: docker/[email protected] | |
| with: | |
| username: ${{ secrets.DOCKER_USER }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Download JAR | |
| uses: actions/download-artifact@master | |
| with: | |
| name: JAR | |
| path: ${{github.workspace}} |