feature/Tweak GitHub workflows

constantine2nd · constantine2nd · commit 87b48fc71d93 · 2026-01-26T12:54:28.000+01:00
diff --git a/.github/workflows/auto_update_base_image.yml b/.github/workflows/auto_update_base_image.yml
@@ -11,6 +11,7 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
+    if: github.repository == 'OpenBankProject/OBP-API'
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -32,4 +33,4 @@ jobs:
               workflow_id: 'build_container_develop_branch.yml',
               ref: 'refs/heads/develop'
             });
-        if: steps.baseupdatecheck.outputs.needs-updating == 'true'
+        if: steps.baseupdatecheck.outputs.needs-updating == 'true'
diff --git a/.github/workflows/build_container_develop_branch.yml b/.github/workflows/build_container_develop_branch.yml
@@ -13,7 +13,6 @@ env:
   DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }}
   DOCKER_HUB_REPOSITORY: obp-api
 
-
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -36,8 +35,8 @@ jobs:
       - name: Set up JDK 11
         uses: actions/setup-java@v4
         with:
-          java-version: '11'
-          distribution: 'adopt'
+          java-version: "11"
+          distribution: "adopt"
           cache: maven
       - name: Build with Maven
         run: |
@@ -126,19 +125,22 @@ jobs:
           path: push/
 
       - name: Build the Docker image
+        if: github.repository == 'OpenBankProject/OBP-API'
         run: |
           echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io
           docker build . --file .github/Dockerfile_PreBuild --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:latest --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:develop
           docker build . --file .github/Dockerfile_PreBuild_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA-OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:latest-OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:develop-OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/}-OC
           docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags
           echo docker done
 
-      - uses: sigstore/cosign-installer@main
+      - uses: sigstore/cosign-installer@4d14d7f17e7112af04ea6108fbb4bfc714c00390
 
       - name: Write signing key to disk (only needed for `cosign sign --key`)
+        if: github.repository == 'OpenBankProject/OBP-API'
         run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
 
       - name: Sign container image
+        if: github.repository == 'OpenBankProject/OBP-API'
         run: |
           cosign sign -y --key cosign.key \
             docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:develop
@@ -151,7 +153,4 @@ jobs:
           cosign sign -y --key cosign.key \
                       docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:latest-OC
         env:
-          COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}"
-
-
-
+          COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}"
diff --git a/.github/workflows/build_container_non_develop_branch.yml b/.github/workflows/build_container_non_develop_branch.yml
@@ -3,8 +3,8 @@ name: Build and publish container non develop
 on:
   push:
     branches:
-      - '*'
-      - '!develop'
+      - "*"
+      - "!develop"
 
 env:
   DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }}
@@ -35,11 +35,12 @@ jobs:
       - name: Set up JDK 11
         uses: actions/setup-java@v4
         with:
-          java-version: '11'
-          distribution: 'adopt'
+          java-version: "11"
+          distribution: "adopt"
           cache: maven
       - name: Build with Maven
         run: |
+          set -o pipefail
           cp obp-api/src/main/resources/props/sample.props.template obp-api/src/main/resources/props/production.default.props
           echo connector=star > obp-api/src/main/resources/props/test.default.props
           echo starConnector_supported_types=mapped,internal >> obp-api/src/main/resources/props/test.default.props
@@ -75,7 +76,44 @@ jobs:
           echo ResetPasswordUrlEnabled=true >> obp-api/src/main/resources/props/test.default.props
 
           echo consents.allowed=true >> obp-api/src/main/resources/props/test.default.props
-          MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod
+          MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod 2>&1 | tee maven-build.log
+
+      - name: Report failing tests (if any)
+        if: always()
+        run: |
+          echo "Checking build log for failing tests via grep..."
+          if [ ! -f maven-build.log ]; then
+            echo "No maven-build.log found; skipping failure scan."
+            exit 0
+          fi
+          if grep -n "\*\*\* FAILED \*\*\*" maven-build.log; then
+            echo "Failing tests detected above."
+            exit 1
+          else
+            echo "No failing tests detected in maven-build.log."
+          fi
+
+      - name: Upload Maven build log
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: maven-build-log
+          if-no-files-found: ignore
+          path: |
+            maven-build.log
+
+      - name: Upload test reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-reports
+          if-no-files-found: ignore
+          path: |
+            obp-api/target/surefire-reports/**
+            obp-commons/target/surefire-reports/**
+            **/target/scalatest-reports/**
+            **/target/site/surefire-report.html
+            **/target/site/surefire-report/*
 
       - name: Save .war artifact
         run: |
@@ -87,19 +125,22 @@ jobs:
           path: push/
 
       - name: Build the Docker image
+        if: github.repository == 'OpenBankProject/OBP-API'
         run: |
           echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io
           docker build . --file .github/Dockerfile_PreBuild --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA  --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/}
           docker build . --file .github/Dockerfile_PreBuild_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA-OC  --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/}-OC
           docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags
           echo docker done
 
-      - uses: sigstore/cosign-installer@main
+      - uses: sigstore/cosign-installer@4d14d7f17e7112af04ea6108fbb4bfc714c00390
 
       - name: Write signing key to disk (only needed for `cosign sign --key`)
+        if: github.repository == 'OpenBankProject/OBP-API'
         run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
 
       - name: Sign container image
+        if: github.repository == 'OpenBankProject/OBP-API'
         run: |
           cosign sign -y --key cosign.key \
             docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${GITHUB_REF##*/}
@@ -108,7 +149,4 @@ jobs:
           cosign sign -y --key cosign.key \
                       docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA
         env:
-          COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}"
-
-
-
+          COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}"
diff --git a/.github/workflows/build_pull_request.yml b/.github/workflows/build_pull_request.yml
@@ -3,15 +3,15 @@ name: Build on Pull Request
 on:
   pull_request:
     branches:
-      - '**'
+      - "**"
 env:
   ## Sets environment variable
   DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }}
 
-
 jobs:
   build:
     runs-on: ubuntu-latest
+    if: github.repository == 'OpenBankProject/OBP-API'
     services:
       # Label used to access the service container
       redis:
@@ -31,11 +31,12 @@ jobs:
       - name: Set up JDK 11
         uses: actions/setup-java@v4
         with:
-          java-version: '11'
-          distribution: 'adopt'
+          java-version: "11"
+          distribution: "adopt"
           cache: maven
       - name: Build with Maven
         run: |
+          set -o pipefail
           cp obp-api/src/main/resources/props/sample.props.template obp-api/src/main/resources/props/production.default.props
           echo connector=star > obp-api/src/main/resources/props/test.default.props
           echo starConnector_supported_types=mapped,internal >> obp-api/src/main/resources/props/test.default.props
@@ -65,14 +66,50 @@ jobs:
           echo COUNTERPARTY_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props
           echo SEPA_CREDIT_TRANSFERS_OTP_INSTRUCTION_TRANSPORT=dummy >> obp-api/src/main/resources/props/test.default.props
 
-
           echo allow_oauth2_login=true >> obp-api/src/main/resources/props/test.default.props
           echo oauth2.jwk_set.url=https://www.googleapis.com/oauth2/v3/certs >> obp-api/src/main/resources/props/test.default.props
 
           echo ResetPasswordUrlEnabled=true >> obp-api/src/main/resources/props/test.default.props
 
           echo consents.allowed=true >> obp-api/src/main/resources/props/test.default.props
-          MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod
+          MAVEN_OPTS="-Xmx3G -Xss2m" mvn clean package -Pprod 2>&1 | tee maven-build.log
+
+      - name: Report failing tests (if any)
+        if: always()
+        run: |
+          echo "Checking build log for failing tests via grep..."
+          if [ ! -f maven-build.log ]; then
+            echo "No maven-build.log found; skipping failure scan."
+            exit 0
+          fi
+          if grep -n "\*\*\* FAILED \*\*\*" maven-build.log; then
+            echo "Failing tests detected above."
+            exit 1
+          else
+            echo "No failing tests detected in maven-build.log."
+          fi
+
+      - name: Upload Maven build log
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: maven-build-log
+          if-no-files-found: ignore
+          path: |
+            maven-build.log
+
+      - name: Upload test reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-reports
+          if-no-files-found: ignore
+          path: |
+            obp-api/target/surefire-reports/**
+            obp-commons/target/surefire-reports/**
+            **/target/scalatest-reports/**
+            **/target/site/surefire-report.html
+            **/target/site/surefire-report/*
 
       - name: Save .war artifact
         run: |
@@ -81,7 +118,4 @@ jobs:
       - uses: actions/upload-artifact@v4
         with:
           name: ${{ github.sha }}
-          path: pull/
-
-
-
+          path: pull/
diff --git a/.github/workflows/run_trivy.yml b/.github/workflows/run_trivy.yml
@@ -12,11 +12,10 @@ env:
   DOCKER_HUB_ORGANIZATION: ${{ vars.DOCKER_HUB_ORGANIZATION }}
   DOCKER_HUB_REPOSITORY: obp-api
 
-
 jobs:
   build:
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    if: github.repository == 'OpenBankProject/OBP-API' && github.event.workflow_run.conclusion == 'success'
 
     steps:
       - uses: actions/checkout@v4
@@ -38,17 +37,17 @@ jobs:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: 'docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          security-checks: 'vuln'
-          severity: 'CRITICAL,HIGH'
-          timeout: '30m'
+          image-ref: "docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}"
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-results.sarif"
+          security-checks: "vuln"
+          severity: "CRITICAL,HIGH"
+          timeout: "30m"
           cache-dir: .trivy
       - name: Fix .trivy permissions
         run: sudo chown -R $(stat . -c %u:%g) .trivy
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: "trivy-results.sarif"
