Yomu

Java Pipeline

Java backend CI/CD: PMD, JaCoCo, OWASP, Docker build, and Heroku deployment

The Java backend uses the Gradle Kotlin DSL with Java 21 and Spring Boot 4.0.2. The pipeline consists of five workflow files with quality gates for code quality, security, and the Docker artifact.

Workflow Files

ci.yml

Runs on push/PR to main. Executes the Gradle check task. Triggers pmd.yml via workflow_dispatch if the check passes.

pmd.yml

PMD 7.0.0 with rulesMinimumPriority=5. JaCoCo coverage report. Fails on code quality issues or coverage below 80%.

security-audit.yml

OWASP DepCheck with failBuildOnCVSS=9.0. SARIF upload to GitHub Security tab. Runs weekly and on manual dispatch.

release.yml

Tags Docker images with semver. Pushes to GHCR. Triggers after successful CI. Uses multi-stage build.

cd.yml

Triggers on workflow_run success from ci.yml. Deploys to Heroku with deploy tags (staging/production). URLs included below.

Java Quality Gates

PMD Rules

  • No unused variables, methods, or imports
  • Avoid overly long methods (length > 30)
  • No empty catch blocks
  • No local variable naming conflicts
  • All rules set to priority 5 (minimum)

JaCoCo Coverage

  • Minimum branch coverage: 80%
  • Minimum line coverage: 80%
  • Coverage reports in build/reports/jacoco
  • Fails build if thresholds not met

OWASP CVSS

  • CVSS severity threshold: ≥9.0
  • Blocks build if critical vulnerabilities found
  • SARIF results available in GitHub Security tab
  • Weekly scheduled scans
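The three gates above expressed as one Gradle Kotlin DSL fragment: PMD 7.0.0 at rulesMinimumPriority 5, JaCoCo line and branch thresholds of 80% wired into the check task that ci.yml runs, and OWASP Dependency-Check failing at CVSS 9.0 with SARIF output. This is an added illustration, not the Yomu project's own build.gradle.kts; the dependency-check plugin version is a placeholder.

```kotlin
// Added illustration, not Yomu's build.gradle.kts. Plugin version is a placeholder.
plugins {
    java
    pmd
    jacoco
    id("org.owasp.dependencycheck") version "PLUGIN_VERSION_PLACEHOLDER"
}

// PMD 7.0.0: priority 5 is PMD's lowest, so priorities 1-5 are all reported,
// and any violation fails the pmdMain/pmdTest tasks.
pmd {
    toolVersion = "7.0.0"
    rulesMinimumPriority.set(5)
    isIgnoreFailures = false
    isConsoleOutput = true
}

// JaCoCo: build the report after tests, then enforce 80% line and branch
// coverage (COVEREDRATIO is the covered fraction). Reports go to build/reports/jacoco.
tasks.jacocoTestReport {
    dependsOn(tasks.test)
}

tasks.jacocoTestCoverageVerification {
    dependsOn(tasks.jacocoTestReport)
    violationRules {
        rule {
            limit {
                counter = "LINE"
                value = "COVEREDRATIO"
                minimum = "0.80".toBigDecimal()
            }
            limit {
                counter = "BRANCH"
                value = "COVEREDRATIO"
                minimum = "0.80".toBigDecimal()
            }
        }
    }
}

// Make `gradle check` (the task ci.yml runs) fail when coverage is below threshold.
tasks.check {
    dependsOn(tasks.jacocoTestCoverageVerification)
}

// OWASP Dependency-Check: fail on CVSS >= 9.0; SARIF is what the Security tab upload consumes.
dependencyCheck {
    failBuildOnCVSS = 9.0f
    formats = listOf("HTML", "SARIF")
}
```

With this wiring a 75% branch result, as in the simulated coverage-drop case later on this page, fails jacocoTestCoverageVerification and therefore the check task, while the report is still written before the failure.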

Java Build Tools

Tool | Version | Purpose
Gradle | Kotlin DSL | Build orchestrator, test runner
Java | 21 | Runtime and compile target
Spring Boot | 4.0.2 | Web framework
H2 | In-memory | Test database
JUnit 5 | Latest | Unit testing
PMD | 7.0.0 | Static code analysis
JaCoCo | Latest | Code coverage
OWASP DepCheck | Latest | Dependency vulnerability scanning
Docker | Multi-stage | Image optimization

Quality Gate Failures (Simulated)

Missing Test Case

PMD flags: Unused method, empty catch block, local variable naming conflict. Build fails.

Coverage Drop

JaCoCo reports 75% branch coverage (threshold: 80%). Build fails. Coverage report generated.

Vulnerable Dependency

OWASP detects Log4j CVE-2021-44228 (CVSS 10.0). Build blocks. SARIF uploaded to GitHub Security tab.

Deployment URLs

Environment | URL | Tag Pattern
Staging | https://yomu-backend-staging.herokuapp.com | deploy/staging/YYYYMMDD-HHMMSS-SHA
Production | https://yomu-backend.herokuapp.com | deploy/production/YYYYMMDD-HHMMSS-SHA

Docker Build

# Multi-stage build; the final image is based on eclipse-temurin:21-jre
# Stage 1: builder (eclipse-temurin:21-jdk)
# Stage 2: runner (eclipse-temurin:21-jre)

The final image contains only the runtime JRE (not JDK), reducing attack surface and image size.