❔ About
Like many organizations, we have to develop & maintain (aka. BUILD & RUN) common software.
☝️ This process involves a lot of things that have to be achieved... (if you want to get a robust and secure software release pipeline).
I'll showcase here how we achieved all these challenges on a common Java library dedicated to logging:
opt-nc / opt-logging
The reference library for generating well-formatted logs at OPT.
❔ opt-logging
This library contains the 2 logback configuration files recommended for application development at OPT-NC.
All logs go into the same .log file (${LOG_FILE}), except business logs, which go into a single .json file (${LOG_FILE_JSON}) when that need is expressed.
⬇️ Importing the public dependency
This dependency is publicly available via Jitpack.
🪶 Maven
Add the Jitpack repository:
```xml
<repositories>
	<repository>
		<id>jitpack.io</id>
		<url>https://jitpack.io</url>
	</repository>
</repositories>
```
Then the dependency:
```xml
<dependency>
	<groupId>com.github.opt-nc</groupId>
	<artifactId>opt-logging</artifactId>
	<version>Tag</version>
</dependency>
```
🐘 Gradle
Add the repository:
```groovy
allprojects {
	repositories {
		...
		maven { url 'https://jitpack.io' }
	}
}
```
Then the dependency:
```groovy
dependencies {
	implementation 'com.github.opt-nc:opt-logging:Tag'
}
```
Importing the dependency via GH
🏎️ Time to Market
Software release pipelines are expected to deliver an ever-shorter Time To Market.
In fact there is no real option: maintenance & release tasks have to be drastically automated... and security concerns should be shifted to the left side of the pipeline.
🛡️ Security
We have three complementary ways of achieving security tasks on our pipeline:
- Dependabot alerts: so we get Pull Requests notifying us about the risks
- CodeQL scan as part of GitHub Advanced Security (aka. GHAS)
- Docker image scan (see previous dedicated post)
Then to release software we rely on semantic-release to implement a solid Semantic Versioning scheme and get a fully automated version management and package publishing pipeline.
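As an added example (not the opt-logging project's own workflow), here is what wiring the CodeQL scan and semantic-release together looks like in a GitHub Actions workflow for a Maven library published through Jitpack: the release job only runs once the scan has passed, and each job gets the minimum permissions it needs. The action versions, the Java version, the `main` branch name and the presence of a `.releaserc` in the repository are assumptions.

```yaml
# Added example, not the project's own workflow: CodeQL on every push/PR, then
# semantic-release on main computes the next SemVer tag (assumes Maven + .releaserc).
name: secure-release
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  codeql:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF results to code scanning
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'   # assumed; pick the project's JDK
      - uses: github/codeql-action/init@v3
        with:
          languages: java
      # Manual build so CodeQL can observe the compiled Java sources.
      - run: mvn -B -DskipTests package
      - uses: github/codeql-action/analyze@v3

  release:
    needs: codeql                 # never tag a release whose scan failed
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write             # create the Git tag and GitHub release
      issues: write               # semantic-release comments on linked issues
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so commits can be analysed
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      # semantic-release reads Conventional Commits, bumps the SemVer tag and
      # publishes a GitHub release; Jitpack then builds the library from that tag.
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The tag created by semantic-release is exactly what consumers put in `<version>Tag</version>` above, so Jitpack builds only releases that went through the scan.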
🍿 Demo
Here is the full secure & automated release process 👇
🧰 Stack
🔖 Related contents
⛯ Scan Docker images 🛡️
⚖️ Bench (and choose) Java-8 docker images with anchore/grype
adriens for opt-nc ・ Apr 25 '22 ・ 4 min read
🔂 Semantic release demo 🎞️
Semantic release intro demo :