Build PVPuller service #5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build PVPuller service | |
| permissions: | |
| contents: write | |
| id-token: write | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: Choose the environment to build | |
| type: environment | |
| # code_branch: | |
| # description: Branch to build validation | |
| # required: false | |
| trivy_test_scan_pvpuller: | |
| description: "Run Trivy Test Scan" | |
| required: true | |
| type: boolean | |
| default: false | |
| jobs: | |
| build-pvpuller: | |
| name: Build pvpuller image | |
| runs-on: ubuntu-latest | |
| environment: ${{ inputs.environment }} | |
| env: | |
| ECR_REPO_PVPULLER: "crdc-hub-pvpuller" | |
| REGION: "us-east-1" | |
| # CODE_BRANCH: "${{ github.event.inputs.code_branch }}" | |
| AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
| steps: | |
| - name: Checkout Code Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| # ref: ${{ env.CODE_BRANCH }} | |
| ref: ${{ github.ref_name }} | |
| submodules: true | |
| - name: Extract branch name | |
| id: extract_branch | |
| run: | | |
| BRANCH_NAME=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}} | |
| echo "branch=$BRANCH_NAME" >> "$GITHUB_ENV" | |
| echo "Current branch is: $BRANCH_NAME" | |
| - name: Build Pv Puller Docker Image | |
| id: build-image | |
| env: | |
| REGISTRY_URL: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com | |
| #PV_PULLER_IMAGE_NAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ env.ECR_REPO_PVPULLER }}:${{ env.CODE_BRANCH }}.${{ github.run_number }} | |
| PV_PULLER_IMAGE_NAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ env.ECR_REPO_PVPULLER }}:${{ env.branch }}.${{ github.run_number }} | |
| run: | | |
| echo "Building: $PV_PULLER_IMAGE_NAME" | |
| docker build --no-cache -t $PV_PULLER_IMAGE_NAME -f pv_puller.dockerfile . | |
| - name: Run Trivy test scan for PV Puller Docker Image | |
| id: trivy-scan-pvpuller | |
| if: github.event.inputs.trivy_test_scan_pvpuller == 'true' | |
| env: | |
| REGISTRY_URL: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com | |
| #PV_PULLER_IMAGE_NAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ env.ECR_REPO_PVPULLER }}:${{ env.CODE_BRANCH }}.${{ github.run_number }} | |
| PV_PULLER_IMAGE_NAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ env.ECR_REPO_PVPULLER }}:${{ env.branch }}.${{ github.run_number }} | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: '${{ env.PV_PULLER_IMAGE_NAME }}' | |
| format: 'table' | |
| exit-code: 1 | |
| severity: 'CRITICAL,HIGH' | |
| - name: Configure AWS Role to assume using OIDC authentication | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| env: | |
| REGISTRY_URL: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com | |
| run: | | |
| aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin $REGISTRY_URL | |
| - name: Push docker Image for PV Puller | |
| if: success() | |
| env: | |
| REGISTRY_URL: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.REGION }}.amazonaws.com | |
| #PV_PULLER_IMAGE_NAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ env.ECR_REPO_PVPULLER }}:${{ env.CODE_BRANCH }}.${{ github.run_number }} | |
| PV_PULLER_IMAGE_NAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ env.ECR_REPO_PVPULLER }}:${{ env.branch }}.${{ github.run_number }} | |
| run: | | |
| echo "Pushing: $PV_PULLER_IMAGE_NAME" | |
| docker push $PV_PULLER_IMAGE_NAME | |
| #1st try - name: scan docker image with AWS inspector | |
| # id: scan-inspector | |
| # env: | |
| # REGISTRY_URL: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.REGION }}.amazonaws.com | |
| # PV_PULLER_IMAGE_NAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ env.ECR_REPO_PVPULLER }}:${{ env.CODE_BRANCH }}.${{ github.run_number }} | |
| # run: | | |
| # echo "AWS Inspector scan for image: $PV_PULLER_IMAGE_NAME" | |
| # SCAN_ID=$(aws inspector2 start-scan --resource-group-arn arn:aws:inspector2:${{ secrets.AWS_REGION }}:${{ secrets.AWS_ACCOUNT_ID }}:resourcegroup/default \ | |
| # -image-arn arn:aws:ecr:${{ secrets.AWS_REGION }}:${{ secrets.AWS_ACCOUNT_ID }}:repository/$ECR_REPO) | |
| # echo "Scan started: $SCAN_ID" | |
| # - name: wait for scan results | |
| # run: | | |
| # echo "Waiting for scan results..." | |
| # sleep 60 | |
| # - name: get scan findings | |
| # env: | |
| # AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
| # run: | | |
| # aws inspector2 list-findings --filter '{ | |
| # "awsAccountId": { "equals": ["'$AWS_ACCOUNT_ID'"] }, | |
| # "severity": { "equals": ["HIGH", "CRITICAL"] } | |
| # }' > findings.json | |
| # cat findings.json | |
| # - name: Fail if vulnerabilities are found | |
| # if: github.event.inputs.trivy_test_scan_file_validation == 'true' | |
| # run: | | |
| # CRITICAL_COUNT=$(jq '.findings | map(select(.severity == "CRITICAL")) | length' findings.json) | |
| # HIGH_COUNT=$(jq '.findings | map(select(.severity == "HIGH")) | length' findings.json) | |
| # if [[ $CRITICAL_COUNT -gt 0 || $HIGH_COUNT -gt 0 ]]; then | |
| # echo "Securities vuls found" | |
| # exit 1 | |
| # else | |
| # echo "Pass" | |
| # fi |