
chore: configuring Jfrog OIDC #171



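# Builds the example Java app as two container images (standard and
# chainguard Dockerfiles), pushes them to the JFrog registry and runs the
# JFrog security tooling (jf audit, Xray image scan, Frogbot).
# Every JFrog authentication step uses the GitHub OIDC exchange, so no
# long-lived registry credential is stored as a repository secret.
name: Simple Java Build and Security Scan

on:
  workflow_dispatch:
  push:
    branches: [main]
    paths:
      - "examples/java-app/**"
      - ".github/workflows/java-app.yml"
  pull_request:
    branches: [main]
    paths:
      - "examples/java-app/**"
      - ".github/workflows/java-app.yml"

env:
  REGISTRY: artifacts-artefacts.devops.cloud-nuage.canada.ca
  IMAGE_NAME: ssc-aurora-docker-local/java-app

jobs:
  # Builds, pushes and scans one image per matrix entry.
  build-and-scan:
    runs-on: ubuntu-latest
    # Least privilege: id-token is required for the OIDC exchange and
    # contents for checkout. No step in this job comments on pull requests
    # or uploads SARIF, so pull-requests/security-events write are not
    # granted here (the frogbot job carries its own permissions block).
    permissions:
      id-token: write
      contents: read
    strategy:
      matrix:
        dockerfile: [standard, chainguard]
    steps:
      - name: Checkout code
        # NOTE(review): third-party actions are referenced by mutable tag;
        # pinning to a full commit SHA (actions/checkout@<full-commit-sha>)
        # is the usual supply-chain hardening for this.
        uses: actions/checkout@v4

      - name: Setup JFrog CLI with OIDC
        uses: jfrog/setup-jfrog-cli@v4
        id: setup-jfrog-cli
        env:
          JF_URL: https://${{ env.REGISTRY }}
          JF_PROJECT: ssc-aurora
          JFROG_CLI_AVOID_NEW_VERSION_WARNING: "true"
        with:
          oidc-provider-name: github-oidc
          # Quoted so no YAML loader can read the version as a number.
          version: "2.79.0"

      - name: Docker login via OIDC
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          # Short-lived credentials minted by the OIDC exchange in the
          # previous step; nothing here comes from repository secrets.
          username: ${{ steps.setup-jfrog-cli.outputs.oidc-user }}
          password: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}

      - name: Scan Dependencies for Vulnerabilities
        # Advisory only: the `|| echo` keeps the step green when findings
        # exist, so this scan never blocks a merge or a push.
        run: |
          echo "Scanning dependencies for security issues..."
          cd examples/java-app
          jf audit --format=table --project=ssc-aurora || echo "Issues found - check output above"
          echo ""
          echo "Developer tip: Run 'jf audit --fix' locally to auto-fix vulnerabilities"

      - name: Build image
        # IMAGE_TAG is recomputed in each step that needs it. Only github.sha
        # and the matrix value are interpolated into the shell, neither of
        # which is controlled by a pull-request author.
        run: |
          IMAGE_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.dockerfile }}"
          docker build -f "examples/java-app/Dockerfile.${{ matrix.dockerfile }}" -t "$IMAGE_TAG" examples/java-app

      - name: Push image
        # This step has no `if`, so pull_request runs also publish their
        # image to the registry, not just pushes to main.
        run: |
          IMAGE_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.dockerfile }}"
          docker push "$IMAGE_TAG"

      - name: Publish Build Info
        # NOTE(review): the image was pushed with plain `docker push` rather
        # than `jf docker push`, so the published build-info presumably holds
        # only the git metadata and not the image artifact — confirm in the
        # JFrog build view.
        run: |
          jf rt build-add-git ${{ matrix.dockerfile }}-app ${{ github.run_number }}
          jf rt build-publish ${{ matrix.dockerfile }}-app ${{ github.run_number }}

      - name: Scan with JFrog Xray
        # Runs after the push and is advisory (`|| echo`): a finding here
        # does not fail the job, and the image is already in the registry
        # by the time it is reported.
        run: |
          IMAGE_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.dockerfile }}"
          echo "Scanning ${{ matrix.dockerfile }} image..."
          jf docker scan "$IMAGE_TAG" --project=ssc-aurora || echo "Scan completed with issues - check output above"

  # Informational only: counts images older than 30 days and prints the
  # manual delete command. Nothing is deleted by this job.
  cleanup:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    needs: [build-and-scan]
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Setup JFrog CLI with OIDC
        uses: jfrog/setup-jfrog-cli@v4
        id: setup-jfrog-cli
        env:
          JF_URL: https://${{ env.REGISTRY }}
          JF_PROJECT: ssc-aurora
          JFROG_CLI_AVOID_NEW_VERSION_WARNING: "true"
        with:
          oidc-provider-name: github-oidc
          version: "2.79.0"

      - name: Cleanup Old Images (Cost Savings)
        # stderr is discarded and a failed search is reported as "0", so a
        # permission or connectivity problem looks identical to "no old
        # images"; check the step log if the count is unexpectedly zero.
        run: |
          echo "Running automated cleanup to save storage costs..."
          echo "Checking for images older than 30 days..."
          CLEANUP_COUNT=$(jf rt search "ssc-aurora-docker-local/*" \
            --older-than=30d --count 2>/dev/null || echo "0")
          echo "Found $CLEANUP_COUNT old images that could be cleaned up"
          echo "Cleanup saves storage costs and improves performance"
          echo "Run 'jf rt delete \"repo/*\" --older-than=30d' to clean manually"

  # Frogbot posts vulnerability findings as pull-request comments; it needs
  # pull-requests write for that and id-token write for the OIDC exchange.
  frogbot:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' || github.event_name == 'push'
    permissions:
      id-token: write
      contents: read
      pull-requests: write
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup JFrog CLI with OIDC
        uses: jfrog/setup-jfrog-cli@v4
        id: setup-jfrog-cli
        env:
          JF_URL: https://${{ env.REGISTRY }}
          JF_PROJECT: ssc-aurora
          JFROG_CLI_AVOID_NEW_VERSION_WARNING: "true"
        with:
          oidc-provider-name: github-oidc
          version: "2.79.0"

      - name: Run Frogbot
        uses: jfrog/frogbot@v2
        env:
          JF_URL: https://${{ env.REGISTRY }}
          JF_PROJECT: ssc-aurora
          # Reuses the short-lived OIDC token from the setup step instead of
          # a stored access token.
          JF_ACCESS_TOKEN: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          JF_GIT_USE_GITHUB_ENVIRONMENT: "false"
          JF_INCLUDE_ALL_VULNERABILITIES: "true"
          # SAST, secrets and IaC scanning are switched off here; only
          # dependency (SCA) findings are reported.
          JF_ENABLE_SAST: "false"
          JF_ENABLE_SECRETS: "false"
          JF_ENABLE_IAC: "false"

  # Writes a step summary for pushes to main. `always()` keeps this job
  # running when an upstream job failed, so the message below reports the
  # actual result of build-and-scan instead of assuming success.
  summary:
    needs: [build-and-scan, cleanup]
    runs-on: ubuntu-latest
    if: always() && github.event_name == 'push'
    permissions:
      contents: read
    steps:
      - name: Build Summary
        env:
          BUILD_RESULT: ${{ needs.build-and-scan.result }}
        run: |
          {
            echo "Build ${{ github.run_number }} completed"
            echo ""
            if [ "$BUILD_RESULT" = "success" ]; then
              echo "Both images built, pushed, and scanned successfully"
            else
              echo "Build and scan job finished with result: $BUILD_RESULT"
            fi
            echo "Check the scan results in the build logs above"
            echo ""
            echo "## JFrog Developer Tools Used:"
            echo "- Dependency Audit: Scanned source code for vulnerabilities"
            echo "- Automated Cleanup: Checked for old images to save storage costs"
            echo "- Frogbot: Automated security comments on pull requests"
            echo "- Image Scanning: JFrog Xray scanned container images"
            echo "- OIDC Authentication: Secure credential-less authentication"
          } >> "$GITHUB_STEP_SUMMARY"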