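---
name: Main
## Triggers: a push to the main branch, or a manual run via workflow_dispatch.
## NOTE(review): the original description also mentioned pull requests opened / edited from the dev
## branch, but no pull_request trigger is configured below — add one if PR scanning is intended.
## In a real-world setup, pushing directly to the main branch should be blocked by branch protection.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  ## Allows triggering this workflow manually (for debugging purposes only).
  workflow_dispatch: {}

jobs:
  scan_sourcecode:
    name: Scanning sourcecode to find vulberabilities, misconfigurations and exposed secrets
    runs-on: ubuntu-latest
    ## Least privilege: this job only reads the repository and writes code-scanning results, so the
    ## repository contents permission is read-only (nothing in this job pushes to the repository).
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Create outputs directory
        run: mkdir -p ./outputs/trivy

      ## NOTE(review): "@master" is a mutable ref — a breaking or compromised upstream commit is
      ## picked up on the next run. Pin third-party actions to a release tag or, better, a full
      ## commit SHA (applies to every trivy-action step in this file).
      - name: Run Trivy vulnerability and secret scanner in fs mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          trivy-config: trivy.yaml
          format: sarif
          output: ./outputs/trivy/fs-scan-result.sarif

      - name: Upload the scan result as Github artifact
        uses: actions/upload-artifact@v3
        with:
          name: trivy.fs-scan-result.sarif
          path: ./outputs/trivy/fs-scan-result.sarif

      - name: Detect IaC vulnerabilities and misconfigurations using Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          scan-ref: .
          trivy-config: trivy.yaml
          format: sarif
          output: ./outputs/trivy/config-scan-result.sarif

      - name: Upload the scan result as Github artifact
        uses: actions/upload-artifact@v3
        with:
          name: trivy.config-scan-result.sarif
          path: ./outputs/trivy/config-scan-result.sarif

      ## The Trivy scan results are uploaded to GitHub code scanning only for pushes to the main
      ## branch. The directory is passed, so every *.sarif file written above is uploaded.
      - name: Upload the scan results to Github CodeQL
        if: github.ref == 'refs/heads/main'
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ./outputs/trivy

  build_push_sign_and_scan_container_images:
    name: Build, push, sign and scan container images
    runs-on: ubuntu-latest
    permissions:
      packages: write
      ## contents: write is required by the last step, which commits the new image tag to main.
      contents: write
      security-events: write
    strategy:
      matrix:
        microservice:
          - name: users-microservice
            path: backend/microservices/users
            manifest: kubernetes/manifests/microservices/users/application.yaml
            path_filters: |
              changed:
                - backend/microservices/users/**
                - backend/lib.rs
                - backend/sql/mod.rs
          - name: profiles-microservice
            path: backend/microservices/profiles
            manifest: kubernetes/manifests/microservices/profiles/application.yaml
            path_filters: |
              changed:
                - backend/microservices/profiles/**
                - backend/lib.rs
                - backend/sql/mod.rs
          - name: followships-microservice
            path: backend/microservices/followships
            manifest: kubernetes/manifests/microservices/followships/application.yaml
            path_filters: |
              changed:
                - backend/microservices/followships/**
                - backend/lib.rs
                - backend/sql/mod.rs
          - name: posts-microservice
            path: backend/microservices/posts
            manifest: kubernetes/manifests/microservices/posts/application.yaml
            path_filters: |
              changed:
                - backend/microservices/posts/**
                - backend/lib.rs
                - backend/sql/mod.rs
          - name: feeds-microservice
            path: backend/microservices/feeds
            manifest: kubernetes/manifests/microservices/feeds/application.yaml
            path_filters: |
              changed:
                - backend/microservices/feeds/**
                - backend/lib.rs
                - backend/sql/mod.rs
          - name: gateway
            path: backend/gateway
            manifest: kubernetes/manifests/microservices/gateway/application.yaml
            path_filters: |
              changed:
                - backend/gateway/**
                - go.work.sum
          - name: application-controller
            path: kubernetes/operators/application
            manifest: kubernetes/manifests/application-controller/deployment.yaml
            path_filters: |
              changed:
                - kubernetes/operators/application/**
                - go.work.sum
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      ## Only when the sourcecode of the microservice has changed do we rebuild, push, sign and
      ## scan its container image. Every later step is gated on this step's "changed" output.
      - name: Detect sourcecode change
        uses: dorny/paths-filter@v2
        id: path-filter
        with:
          base: ${{ github.ref }}
          filters: ${{ matrix.microservice.path_filters }}

      - name: Set up QEMU
        if: steps.path-filter.outputs.changed == 'true'
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        if: steps.path-filter.outputs.changed == 'true'
        uses: docker/setup-buildx-action@v2

      ## NOTE(review): the action ref on the "uses:" line below is garbled in the page source;
      ## restore the real docker/login-action release tag (ideally a full commit SHA).
      - name: Login to GitHub Container Registry
        if: steps.path-filter.outputs.changed == 'true'
        uses: docker/[email protected]
        with:
          registry: ghcr.io
          username: archisman-mridha
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Restore cached Cargo dependencies (if exists)
        if: steps.path-filter.outputs.changed == 'true'
        uses: actions/cache/restore@v3
        with:
          path: |
            /usr/local/cargo/registry/
            target/
          key: ${{ runner.os }}-cargo-${{ matrix.microservice.name }}-${{ hashFiles('**/Cargo.lock') }}

      - name: Build and push AMD64 container image
        if: steps.path-filter.outputs.changed == 'true'
        uses: docker/build-push-action@v4
        with:
          context: .
          file: ${{ matrix.microservice.path }}/Dockerfile
          ## Building for the ARM64 platform takes very long (even with QEMU), so it is skipped.
          platforms: linux/amd64
          push: true
          tags: ghcr.io/archisman-mridha/instagram-clone-${{ matrix.microservice.name }}:${{ github.sha }}
          ## Experimental cache exporter for GitHub Actions provided by buildx and BuildKit.
          ## It uses the GitHub Cache API to fetch and load the Docker layer cache blobs across
          ## builds.
          cache-from: type=gha
          cache-to: type=gha,mode=max

      ## actions/cache@v3 only saves in its post-job step, which would run AFTER the folders are
      ## removed below; the explicit save action writes the cache immediately, while the folders
      ## still exist. The key mirrors the restore step above.
      ## NOTE(review): the image is built inside Docker, so whether these host paths are populated
      ## at all should be verified — if not, the cache steps can be dropped entirely.
      - name: Cache Cargo dependencies
        if: steps.path-filter.outputs.changed == 'true'
        uses: actions/cache/save@v3
        with:
          path: |
            /usr/local/cargo/registry/
            target/
          key: ${{ runner.os }}-cargo-${{ matrix.microservice.name }}-${{ hashFiles('**/Cargo.lock') }}

      - name: Remove cached folders from local machine
        if: steps.path-filter.outputs.changed == 'true'
        run: |
          rm -rf /usr/local/cargo/registry/ target/

      ## Cosign is a command line utility that can sign and verify software artifacts, such as
      ## container images and blobs.
      ## NOTE(review): the action ref on the "uses:" line below is garbled in the page source;
      ## restore the real sigstore/cosign-installer release tag (ideally a full commit SHA).
      - name: Install Cosign
        if: steps.path-filter.outputs.changed == 'true'
        uses: sigstore/[email protected]
        with:
          cosign-release: v2.2.1

      ## The private key is handed to cosign through an env:// reference instead of being written
      ## to a file on the runner, and no secret is interpolated into the script body (secrets and
      ## matrix values reach the shell only as environment variables).
      - name: Sign the published container image
        if: steps.path-filter.outputs.changed == 'true'
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          IMAGE: ghcr.io/archisman-mridha/instagram-clone-${{ matrix.microservice.name }}:${{ github.sha }}
        run: |
          cosign sign --key env://COSIGN_PRIVATE_KEY \
            -a "repo=instagram-clone" \
            -a "owner=Archisman-Mridha" \
            "$IMAGE" -y

      - name: Create outputs directory
        if: steps.path-filter.outputs.changed == 'true'
        run: mkdir -p ./outputs/trivy

      - name: Scan container image for vulnerabilities
        if: steps.path-filter.outputs.changed == 'true'
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/archisman-mridha/instagram-clone-${{ matrix.microservice.name }}:${{ github.sha }}
          ignore-unfixed: true
          vuln-type: os,library
          trivy-config: trivy.yaml
          format: sarif
          output: ./outputs/trivy/${{ matrix.microservice.name }}.container-image-scan-result.sarif

      - name: Upload the scan result as Github artifact
        if: steps.path-filter.outputs.changed == 'true'
        uses: actions/upload-artifact@v3
        with:
          name: trivy.${{ matrix.microservice.name }}-microservice.container-image-scan-result.sarif
          path: ./outputs/trivy/${{ matrix.microservice.name }}.container-image-scan-result.sarif

      ## Only the manifest is staged: "git add ." would also commit the ./outputs/trivy scan
      ## results produced above. Matrix values and the commit SHA are passed as environment
      ## variables rather than interpolated into the script text.
      ## NOTE(review): matrix jobs run in parallel and each one pushes to main, so a push that loses
      ## the race is rejected as non-fast-forward; consider a fetch-rebase-retry loop or
      ## "max-parallel: 1" on the strategy if this turns out to be flaky.
      - name: Update container image tag in Kubernetes manifests
        if: steps.path-filter.outputs.changed == 'true'
        env:
          MANIFEST: ${{ matrix.microservice.manifest }}
          SERVICE: ${{ matrix.microservice.name }}
          SHA: ${{ github.sha }}
        run: |
          git config --global user.name "Archisman-Mridha"
          git config --global user.email "[email protected]"
          git config --global pull.rebase false
          git pull origin main -f
          sed -i "s/instagram-clone-\(.*\):[[:alnum:]]\+/instagram-clone-\1:${SHA}/g" "$MANIFEST"
          git add "$MANIFEST"
          git commit -m "🤖 Update container image tag for ${SERVICE} to ${SHA}"
          git push --set-upstream origin main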