
Commit 62ea217

committed
SONAR-25648 start gh migration
1 parent dd56642 commit 62ea217

14 files changed

+759
-0
lines changed
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
name: GCP build production
2+
3+
on:
4+
schedule:
5+
- cron: '0 2 * * *'
6+
workflow_dispatch:
7+
inputs:
8+
trigger_type:
9+
description: 'Trigger type'
10+
required: false
11+
default: 'dry-run'
12+
type: choice
13+
options:
14+
- dry-run
15+
- PUSH_GCP_PROD_IMAGES
16+
release:
17+
types: [published]
18+
19+
jobs:
20+
gcp-build-production-app:
21+
permissions:
22+
id-token: write
23+
contents: read
24+
name: GCP build production (app)
25+
if: |
26+
github.event_name == 'schedule' ||
27+
github.event_name == 'release' ||
28+
(github.event_name == 'workflow_dispatch' && github.event.inputs.trigger_type == 'PUSH_GCP_PROD_IMAGES')
29+
uses: ./.github/workflows/gcp-build-template.yml
30+
with:
31+
gcp_registry: gcr.io/sonarsource-public
32+
gcp_product_name: official-sonarqube-data-center-edition
33+
build_type: production
34+
platforms: linux/amd64
35+
current_version: 2025.4.1
36+
public_image_name: sonarqube
37+
component_type: app
38+
39+
gcp-build-production-search:
40+
permissions:
41+
id-token: write
42+
contents: read
43+
name: GCP build production (search)
44+
if: |
45+
github.event_name == 'schedule' ||
46+
github.event_name == 'release' ||
47+
(github.event_name == 'workflow_dispatch' && github.event.inputs.trigger_type == 'PUSH_GCP_PROD_IMAGES')
48+
uses: ./.github/workflows/gcp-build-template.yml
49+
with:
50+
gcp_registry: gcr.io/sonarsource-public
51+
gcp_product_name: official-sonarqube-data-center-edition
52+
build_type: production
53+
platforms: linux/amd64
54+
current_version: 2025.4.1
55+
public_image_name: sonarqube
56+
component_type: search
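Review bot: The `release` trigger promotes the hard-coded `current_version: 2025.4.1` rather than the version of the release that was published, so a release of any other version would re-promote 2025.4.1 to `gcr.io/sonarsource-public` (the called template reads only `inputs.current_version`). If the release event is meant to promote the released version, derive it (for example from `github.event.release.tag_name`); if the pin is intentional, say so next to it, `# current_version is bumped by hand; schedule/release runs re-promote this pinned version`. The `dry-run` default of `trigger_type` does not perform a dry run — the job-level `if:` simply skips both jobs — so the input description could state that, `description: 'dry-run skips the jobs; PUSH_GCP_PROD_IMAGES pushes to the production registry'`. The same hard-coded version appears in the staging workflow in this commit.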
Lines changed: 57 additions & 0 deletions
@@ -0,0 +1,57 @@
1+
name: GCP build staging
2+
3+
on:
4+
push:
5+
# branches:
6+
# - main
7+
schedule:
8+
- cron: '0 2 * * *'
9+
workflow_dispatch:
10+
inputs:
11+
trigger_type:
12+
description: 'Trigger type'
13+
required: false
14+
default: 'dry-run'
15+
type: choice
16+
options:
17+
- dry-run
18+
- PUSH_GCP_STAGING_IMAGES
19+
20+
jobs:
21+
gcp-build-staging-app:
22+
if: |
23+
github.event_name == 'schedule' ||
24+
(github.event_name == 'workflow_dispatch' && github.event.inputs.trigger_type == 'PUSH_GCP_STAGING_IMAGES') ||
25+
(github.event_name == 'push' && contains(github.event.head_commit.message, 'Update docker-sonarqube-server-releases'))
26+
permissions:
27+
id-token: write
28+
contents: read
29+
name: GCP build staging (app)
30+
uses: ./.github/workflows/gcp-build-template.yml
31+
with:
32+
gcp_registry: gcr.io/sonarqube-marketplace-provider
33+
gcp_product_name: sonarqube-dce-staging
34+
build_type: staging
35+
platforms: linux/amd64,linux/arm64
36+
extra_docker_build_args: "--provenance=false --annotation=manifest,manifest-descriptor:com.googleapis.cloudmarketplace.product.service.name=services/official-sonarqube-data-center-edition.endpoints.sonarsource-public.cloud.goog"
37+
current_version: 2025.4.1
38+
component_type: app
39+
40+
gcp-build-staging-search:
41+
if: |
42+
github.event_name == 'schedule' ||
43+
(github.event_name == 'workflow_dispatch' && github.event.inputs.trigger_type == 'PUSH_GCP_STAGING_IMAGES') ||
44+
(github.event_name == 'push' && contains(github.event.head_commit.message, 'Update docker-sonarqube-server-releases'))
45+
permissions:
46+
id-token: write
47+
contents: read
48+
name: GCP build staging (search)
49+
uses: ./.github/workflows/gcp-build-template.yml
50+
with:
51+
gcp_registry: gcr.io/sonarqube-marketplace-provider
52+
gcp_product_name: sonarqube-dce-staging
53+
build_type: staging
54+
platforms: linux/amd64,linux/arm64
55+
extra_docker_build_args: "--provenance=false --annotation=manifest,manifest-descriptor:com.googleapis.cloudmarketplace.product.service.name=services/official-sonarqube-data-center-edition.endpoints.sonarsource-public.cloud.goog"
56+
current_version: 2025.4.1
57+
component_type: search
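Review bot: `on: push:` has its `branches:` filter commented out, so a push to any branch or tag whose head-commit message contains `Update docker-sonarqube-server-releases` runs the job, which checks out that ref and pushes images built from it to `gcr.io/sonarqube-marketplace-provider` with the Vault credential. A commit-message substring is a weak gate for a registry push; restoring `branches: [main]` (or whichever branch the release-update commits land on) ties the trigger to a protected ref. If the filter was disabled only while testing the migration, mark it, `# TODO: re-enable the branches filter before this workflow is considered live`. The `extra_docker_build_args` annotation string is repeated verbatim in both jobs here and again in the production step of the template; one definition in the template (for instance as the default of a dedicated input) would keep the three copies from drifting.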
Lines changed: 137 additions & 0 deletions
@@ -0,0 +1,137 @@
1+
name: GCP build template
2+
3+
on:
4+
workflow_call:
5+
inputs:
6+
gcp_registry:
7+
required: true
8+
type: string
9+
description: "GCP registry URL (e.g., gcr.io/sonarsource-public)"
10+
gcp_product_name:
11+
required: true
12+
type: string
13+
description: "GCP product name"
14+
build_type:
15+
required: true
16+
type: string
17+
description: "Type of build: 'staging' or 'production'"
18+
platforms:
19+
required: false
20+
type: string
21+
description: "Platforms to build for"
22+
default: "linux/amd64,linux/arm64"
23+
extra_docker_build_args:
24+
required: false
25+
type: string
26+
description: "Extra docker build arguments"
27+
default: ""
28+
current_version:
29+
required: true
30+
type: string
31+
description: "Current version to build/promote"
32+
public_image_name:
33+
required: false
34+
type: string
35+
description: "Public image name for production builds"
36+
default: "sonarqube"
37+
component_type:
38+
required: true
39+
type: string
40+
description: "Component type: 'app' or 'search'"
41+
42+
jobs:
43+
gcp-build:
44+
name: GCP build ${{ inputs.build_type }} (${{ inputs.component_type }})
45+
runs-on: ubuntu-24.04-large
46+
47+
steps:
48+
- name: Checkout repository
49+
uses: actions/checkout@v4
50+
51+
- name: Set up variables
52+
id: vars
53+
run: |
54+
# Construct version path
55+
VERSION_PATH="commercial-editions/datacenter/${{ inputs.component_type }}"
56+
57+
# Construct image name based on component type
58+
if [ "${{ inputs.component_type }}" == "search" ]; then
59+
IMAGE_NAME="${{ inputs.gcp_registry }}/${{ inputs.gcp_product_name }}/sonarqube-dce-search"
60+
else
61+
IMAGE_NAME="${{ inputs.gcp_registry }}/${{ inputs.gcp_product_name }}"
62+
fi
63+
64+
# Calculate minor version
65+
MINOR_VERSION=$(echo "${{ inputs.current_version }}" | cut -d '.' -f 1,2)
66+
67+
echo "version_path=${VERSION_PATH}" >> $GITHUB_OUTPUT
68+
echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
69+
echo "minor_version=${MINOR_VERSION}" >> $GITHUB_OUTPUT
70+
71+
- id: secrets
72+
name: Retrieve secrets from Vault
73+
uses: SonarSource/vault-action-wrapper@v3
74+
with:
75+
secrets: |
76+
development/team/sonarqube/kv/data/gcp-marketplace-registry-staging key | gcp_sa_key;
77+
78+
- name: Pull public datacenter images (production only)
79+
if: ${{ inputs.build_type == 'production' }}
80+
env:
81+
PUBLIC_IMAGE_NAME: ${{ inputs.public_image_name }}
82+
CURRENT_VERSION: ${{ inputs.current_version }}
83+
COMPONENT_TYPE: ${{ inputs.component_type }}
84+
run: |
85+
echo "Pull the ${PUBLIC_IMAGE_NAME} datacenter public images"
86+
docker pull "${PUBLIC_IMAGE_NAME}:${CURRENT_VERSION}-datacenter-${COMPONENT_TYPE}"
87+
88+
- name: Login to GCP registry
89+
run: |
90+
export DOCKER_GCLOUD_PASSWORD=$(echo '${{ fromJSON(steps.secrets.outputs.vault).gcp_sa_key }}' | base64 -d)
91+
echo "${DOCKER_GCLOUD_PASSWORD}" | docker login -u _json_key --password-stdin https://${{ inputs.gcp_registry }}
92+
93+
- name: Set up Docker Buildx
94+
uses: docker/setup-buildx-action@v3
95+
with:
96+
name: multibuilder
97+
driver: docker-container
98+
install: true
99+
100+
- name: Set up QEMU for multi-arch builds (staging only)
101+
if: ${{ inputs.build_type == 'staging' }}
102+
uses: docker/setup-qemu-action@v3
103+
with:
104+
platforms: all
105+
106+
- name: Build and push to GCP staging
107+
if: ${{ inputs.build_type == 'staging' }}
108+
env:
109+
STAGING_IMAGE_NAME: ${{ steps.vars.outputs.image_name }}
110+
TAG: ${{ inputs.current_version }}
111+
MINOR_TAG: ${{ steps.vars.outputs.minor_version }}
112+
VERSION: ${{ steps.vars.outputs.version_path }}
113+
EXTRA_DOCKER_BUILD_ARGS: ${{ inputs.extra_docker_build_args }}
114+
run: |
115+
echo "Build and promote the ${STAGING_IMAGE_NAME}:${TAG} and ${STAGING_IMAGE_NAME}:${MINOR_TAG} image supporting two architectures, linux/amd64 and linux/arm64"
116+
.cirrus/multi-arch-build.sh "${STAGING_IMAGE_NAME}" "${TAG}" "${VERSION}"
117+
.cirrus/multi-arch-build.sh "${STAGING_IMAGE_NAME}" "${MINOR_TAG}" "${VERSION}"
118+
119+
- name: Promote datacenter image to GCP production
120+
if: ${{ inputs.build_type == 'production' }}
121+
env:
122+
PUBLIC_IMAGE_NAME: ${{ inputs.public_image_name }}
123+
CURRENT_VERSION: ${{ inputs.current_version }}
124+
CURRENT_MINOR_VERSION: ${{ steps.vars.outputs.minor_version }}
125+
GCP_REGISTRY: ${{ inputs.gcp_registry }}
126+
GCP_PRODUCT_NAME: ${{ inputs.gcp_product_name }}
127+
COMPONENT_TYPE: ${{ inputs.component_type }}
128+
TARGET_IMAGE_NAME: ${{ steps.vars.outputs.image_name }}
129+
run: |
130+
echo "Promote the ${PUBLIC_IMAGE_NAME}:${CURRENT_VERSION}-datacenter-${COMPONENT_TYPE} images supporting one architecture (linux/amd64) to the GCP registry ${GCP_REGISTRY}"
131+
echo -e "FROM ${PUBLIC_IMAGE_NAME}:${CURRENT_VERSION}-datacenter-${COMPONENT_TYPE}" | docker buildx build \
132+
--platform linux/amd64 \
133+
--provenance=false \
134+
--annotation "manifest,manifest-descriptor:com.googleapis.cloudmarketplace.product.service.name=services/official-sonarqube-data-center-edition.endpoints.sonarsource-public.cloud.goog" \
135+
--tag "${TARGET_IMAGE_NAME}:${CURRENT_VERSION}" \
136+
--tag "${TARGET_IMAGE_NAME}:${CURRENT_MINOR_VERSION}" \
137+
--push -
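Review bot: The GCP service-account key is spliced into the shell script text with `${{ fromJSON(steps.secrets.outputs.vault).gcp_sa_key }}` inside single quotes at the `Login to GCP registry` step, while every other step in this file passes expression values through `env:`; a value containing `'` would break the quoting, and the decoded key is `export`ed rather than piped straight to `docker login`. The rewrite below passes the key and the registry through `env:` and decodes on the pipe. Separately, the only Vault secret retrieved is `development/team/sonarqube/kv/data/gcp-marketplace-registry-staging key`, and it is used to log in to whatever `inputs.gcp_registry` is — `gcr.io/sonarsource-public` for the production callers — so either that staging key can push to the production registry (broader than least privilege needs) or the production path cannot log in; a secret path selected by `inputs.build_type` would make the scope explicit. The `Set up variables` step likewise inlines `inputs.component_type`, `inputs.gcp_registry`, `inputs.gcp_product_name` and `inputs.current_version` into its script; callers are in-repo so the risk is low, but routing them through `env:` keeps the file to one pattern.
```yaml
      - name: Login to GCP registry
        env:
          GCP_SA_KEY_B64: ${{ fromJSON(steps.secrets.outputs.vault).gcp_sa_key }}
          GCP_REGISTRY: ${{ inputs.gcp_registry }}
        run: |
          printf '%s' "${GCP_SA_KEY_B64}" | base64 -d | docker login -u _json_key --password-stdin "https://${GCP_REGISTRY}"
      # … unchanged: Set up Docker Buildx and the following steps …
```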
Lines changed: 107 additions & 0 deletions
@@ -0,0 +1,107 @@
1+
name: Mend scan template
2+
3+
on:
4+
workflow_call:
5+
inputs:
6+
image_name:
7+
required: true
8+
type: string
9+
description: "The image name to scan (e.g., sonarsource/sonarqube or sonarqube)"
10+
tags:
11+
required: true
12+
type: string
13+
description: "JSON array of tags to scan"
14+
scan_type:
15+
required: true
16+
type: string
17+
description: "Type of scan (private or public)"
18+
platform:
19+
required: false
20+
type: string
21+
description: "Platform to scan"
22+
default: "amd64"
23+
ws_product_name:
24+
required: false
25+
type: string
26+
description: "WhiteSource product name"
27+
default: "SonarSource/docker-sonarqube"
28+
needs_docker_login:
29+
required: false
30+
type: boolean
31+
description: "Whether Docker login is needed"
32+
default: true
33+
34+
jobs:
35+
mend-scan:
36+
name: Mend scan (${{ matrix.tag }})
37+
runs-on: ubuntu-24.04-large
38+
strategy:
39+
matrix:
40+
tag: ${{ fromJSON(inputs.tags) }}
41+
42+
env:
43+
IMAGE_NAME: ${{ inputs.image_name }}
44+
WS_PRODUCTNAME: ${{ inputs.ws_product_name }}
45+
platform: ${{ inputs.platform }}
46+
47+
steps:
48+
- name: Checkout repository
49+
uses: actions/checkout@v4
50+
51+
- id: secrets
52+
name: Retrieve secrets from Vault
53+
uses: SonarSource/vault-action-wrapper@v3
54+
with:
55+
secrets: |
56+
development/kv/data/docker/sonardockerrw username | docker_username;
57+
development/kv/data/docker/sonardockerrw access_token_rwd | docker_password;
58+
development/kv/data/mend apikey | mend_api_key;
59+
60+
- name: Login to Docker Hub
61+
if: ${{ inputs.needs_docker_login }}
62+
uses: docker/login-action@v3
63+
with:
64+
username: ${{ fromJSON(steps.secrets.outputs.vault).docker_username }}
65+
password: ${{ fromJSON(steps.secrets.outputs.vault).docker_password }}
66+
67+
- name: Pull Docker image for scanning
68+
env:
69+
TAG: ${{ matrix.tag }}
70+
run: |
71+
echo "Scan the ${IMAGE_NAME}:${TAG} image supporting linux/${platform}"
72+
if [[ "${{ inputs.needs_docker_login }}" == "true" ]]; then
73+
.cirrus/pull.sh "${IMAGE_NAME}" "${TAG}" "${platform}"
74+
else
75+
# For public images, use direct docker pull
76+
docker pull --platform linux/"${platform}" "${IMAGE_NAME}:${TAG}"
77+
fi
78+
79+
- name: Set up Java for Mend agent
80+
uses: actions/setup-java@v4
81+
with:
82+
distribution: 'temurin'
83+
java-version: '11'
84+
85+
- name: Download Mend Unified Agent
86+
run: |
87+
wget -O wss-unified-agent.jar https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
88+
89+
- name: Configure Mend scan
90+
env:
91+
TAG: ${{ matrix.tag }}
92+
run: |
93+
echo "docker.includes=${TAG}" >> .cirrus/wss-unified-agent.config
94+
95+
- name: Run Mend scan
96+
env:
97+
TAG: ${{ matrix.tag }}
98+
MEND_API_KEY: ${{ fromJSON(steps.secrets.outputs.vault).mend_api_key }}
99+
WS_WSS_URL: https://saas-eu.whitesourcesoftware.com/agent
100+
run: |
101+
java -jar wss-unified-agent.jar \
102+
-c .cirrus/wss-unified-agent.config \
103+
-apiKey "${MEND_API_KEY}" \
104+
-product "${WS_PRODUCTNAME}" \
105+
-project "${IMAGE_NAME}:${TAG}" \
106+
-wss.url "${WS_WSS_URL}" \
107+
-docker.scanImages true
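Review bot: The `Download Mend Unified Agent` step fetches `releases/latest/download/wss-unified-agent.jar` with no version pin and no integrity check, and the `Run Mend scan` step then executes it with `java -jar` while `MEND_API_KEY` is in the environment, so whatever is served as "latest" at run time runs with the key. Pin the release and verify the artifact: `wget -O wss-unified-agent.jar https://github.com/whitesource/unified-agent-distribution/releases/download/<PINNED_VERSION>/wss-unified-agent.jar` followed by `echo "<RECORDED_SHA256>  wss-unified-agent.jar" | sha256sum -c -` (both placeholders filled in from the chosen release). The `Pull Docker image for scanning` step inlines `${{ inputs.needs_docker_login }}` into its script although the same value is consumed elsewhere via a step-level `if:`; an `env:` entry would keep one pattern across the file. Whether `.cirrus/pull.sh` and `.cirrus/wss-unified-agent.config` exist in the checked-out tree is outside this diff.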
