❔ About
Like many organizations, we have to develop & maintain (aka. BUILD & RUN) common software.
☝️ This process involves a lot of things that have to be achieved... (if you want to get a robust and secure software release pipeline).
I'll showcase here how we tackled all these challenges on a common Java library dedicated to logging:
opt-nc / opt-logging
The reference library for generating well-formatted logs at OPT.
❔ opt-logging
This library contains the 2 logback configuration files recommended for application development at OPT-NC.
All logs go to the same .log file (${LOG_FILE}), except business logs, which go to a single .json file (${LOG_FILE_JSON}) when that need is expressed.
⬇️ Importing the public dependency
This dependency is publicly available via Jitpack.
🪶 Maven
Add the Jitpack repository:
```xml
<repositories>
  <repository>
    <id>jitpack.io</id>
    <url>https://jitpack.io</url>
  </repository>
</repositories>
```
Then the dependency:
```xml
<dependency>
  <groupId>com.github.opt-nc</groupId>
  <artifactId>opt-logging</artifactId>
  <version>Tag</version>
</dependency>
```
🐘 Gradle
Add the repository:
```groovy
allprojects {
  repositories {
    ...
    maven { url 'https://jitpack.io' }
  }
}
```
Then the dependency:
```groovy
dependencies {
  implementation 'com.github.opt-nc:opt-logging:Tag'
}
```
🏎️ Time to Market
Software release pipelines are expected to deliver an ever-shorter Time To Market.
In fact there is no real option: maintenance & release tasks have to be drastically automated... and security concerns should be embedded on the left side of the pipeline.
🛡️ Security
We have three complementary ways of covering security on our pipeline:
- Dependabot alerts: so we get Pull Requests notifying us what the risks are
- CodeQL scan as part of GitHub Advanced Security (aka. GHAS)
- Docker Image scan (see previous dedicated post)
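As an added illustration (not the opt-logging project's own files, which the post does not show), here is what the first two items typically look like in a GitHub repository: a Dependabot configuration for a Maven project and a CodeQL workflow for Java. The branch name, schedule, action versions and file locations are assumptions chosen for the example; the `permissions` block is restricted to what CodeQL needs, so the workflow token cannot push code or touch anything else in the repository.

```yaml
# Added example, not the opt-logging project's own configuration.
# Two YAML documents in one stream: the first is .github/dependabot.yml,
# the second is .github/workflows/codeql.yml.

# --- .github/dependabot.yml ---
version: 2
updates:
  # Maven is the build tool shown in the README; for Gradle use
  # package-ecosystem: "gradle".
  - package-ecosystem: "maven"
    directory: "/"            # location of pom.xml (assumed: repository root)
    schedule:
      interval: "weekly"      # assumed cadence
    open-pull-requests-limit: 10
  # Keep the workflow's own action pins current as well, so the scanners
  # themselves are not left on stale versions.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
---
# --- .github/workflows/codeql.yml ---
name: CodeQL
on:
  push:
    branches: [ "main" ]      # assumed default branch
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "0 3 * * 1"       # weekly rescan so new queries also cover old code

# Least privilege: the job only needs to read the sources and upload
# its SARIF results to the Security tab.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: java
      # Autobuild detects the Maven/Gradle build and compiles the library
      # so the Java extractor can observe the real compilation.
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2
```

Dependabot opens the pull requests the post mentions; CodeQL findings land as code-scanning alerts, and with a `pull_request` trigger they also surface as checks on each PR before it is merged.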
Then, to release the software, we rely on semantic-release to implement a solid Semantic Versioning scheme and get a fully automated version management and package publishing pipeline.
🍿 Demo
Here is the full secured & automated release process 👇
🧰 Stack
🔖 Related contents
⛯ Scan Docker images 🛡️
⚖️ Bench (and choose) Java-8 docker images with anchore/grype
adriens for opt-nc ・ Apr 25 '22
🔂 Semantic release demo 🎞️
Semantic release intro demo :