java.yaml
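---
# Build the Java/GraalVM image, check it with Dockle, scan it with Trivy and,
# only for pushes of `main`, publish it to Docker Hub.
#
# Step order matters for credential exposure: the Docker Hub login happens
# AFTER the build/verify/scan steps, immediately before the push, and only in
# the runs that actually push. Pull requests (fork PRs get no secrets anyway)
# and feature branches therefore never hold the registry token while running
# third-party tooling downloaded earlier in the job.
name: java

on:
  push:
    branches:
      - main
      - develop
      - feature/**
  pull_request:
    branches:
      - main
      - develop
      - feature/**

# Least privilege for GITHUB_TOKEN: nothing in this job writes to the repo.
permissions:
  contents: read

env:
  # Pinned Dockle release. Resolving "latest" at run time (as this workflow
  # used to) hits the unauthenticated GitHub API rate limit, and without
  # pipefail a failed lookup produced an empty version that was still passed
  # to curl/dpkg. It also let any new or compromised upstream release enter
  # the pipeline unreviewed. Bump this deliberately.
  DOCKLE_VERSION: "0.4.14"

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every action is pinned to a major tag only. For
      # supply-chain hardening pin each to a full commit SHA (tag in a
      # trailing comment) and let Dependabot/Renovate bump them.
      - uses: actions/checkout@v3
        with:
          # The job never pushes to git, so do not leave the token in
          # .git/config where later steps and downloaded tools could read it.
          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      # Creates a buildx builder and selects it, so the build step does not
      # need its own `docker buildx create --use`.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Setup Task
        uses: arduino/setup-task@v2
        with:
          version: 3.x
          # The token only avoids GitHub API rate limiting while fetching the
          # Task release; the job-scoped GITHUB_TOKEN is enough for that, so a
          # long-lived personal token does not need to be exposed here.
          repo-token: ${{ github.token }}

      - name: Setup Dockle
        run: |
          set -euo pipefail
          # `-f` makes curl fail on HTTP errors instead of handing an HTML
          # error page to dpkg.
          curl -fsSL -o dockle.deb \
            "https://github.com/goodwithtech/dockle/releases/download/v${DOCKLE_VERSION}/dockle_${DOCKLE_VERSION}_Linux-64bit.deb"
          # NOTE(review): the .deb is still not checksum/signature-verified;
          # compare it against the checksum file published with the release
          # before trusting it in a pipeline that pushes production images.
          sudo dpkg -i dockle.deb
          rm dockle.deb
          dockle --version

      - name: Setup Trivy
        run: |
          set -euo pipefail
          sudo apt-get install -y wget apt-transport-https gnupg
          # Import the repo signing key into a dedicated keyring and bind the
          # source to it with `signed-by`, so no other apt key can vouch for
          # packages from this repository.
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
            | gpg --dearmor \
            | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \
            | sudo tee /etc/apt/sources.list.d/trivy.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y trivy
          trivy --version

      - name: Build Java Image
        run: |
          set -euo pipefail
          # NOTE(review): a multi-platform buildx build with no --load/--push/
          # --output keeps its result only in the builder cache; the
          # `java:21-graalvm` tag is not loaded into the local daemon. Confirm
          # that `task java:verify` / `task java:scan` do not expect that tag
          # locally (otherwise build the runner's own platform with --load for
          # the verify/scan steps).
          docker buildx build \
            --platform linux/amd64,linux/arm64 \
            --tag java:21-graalvm \
            --file java/Dockerfile \
            .

      - name: Verify the built image follows the best practises
        run: task java:verify

      - name: Scan the built image for vulnerabilities
        run: task java:scan

      # Publishing is limited to pushes of `main`, after a clean verify+scan.
      # Previously every push/PR on main, develop and feature/** pushed, so a
      # feature branch could overwrite the published `java:21-graalvm` tag,
      # and the registry token was present in every run from the first step.
      - name: Login to Docker Hub
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}

      - name: Push the built image to docker hub
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: task java:push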