Skip to content

add branch info in ui (#146) #464

add branch info in ui (#146)

add branch info in ui (#146) #464

Workflow file for this run

name: Build Image and Deploy
on:
workflow_dispatch:
push:
branches:
- "trunk"
pull_request:
branches:
- "trunk"
concurrency:
group: docker-${{ github.ref }}
cancel-in-progress: true
env:
RABBITMQ_DEFAULT_USER: "guest"
RABBITMQ_DEFAULT_PASS: "guest"
SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
jobs:
prep:
runs-on: ubuntu-latest
outputs:
taggedImage: ${{ steps.prep.outputs.tagged_image }}
tag: ${{ steps.prep.outputs.tag }}
registryEcr: ${{ steps.prep.outputs.registry_ecr }}
registryGhcr: ${{ steps.prep.outputs.registry_ghcr }}
shortSha: ${{ steps.prep.outputs.short_sha}}
branchName: ${{ steps.prep.outputs.branch_name }}
latestTag: ${{ steps.prep.outputs.latest_tag }}
repositoryName: ${{ steps.prep.outputs.repository_name }}
steps:
- name: Git branch name
id: git-branch-name
uses: EthanSK/git-branch-name-action@v1
- name: Prepare info
id: prep
run: |
SHORT_SHA=$(echo $GITHUB_SHA | head -c7)
REPO=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')
TAG=${{ env.GIT_BRANCH_NAME }}-$(echo $GITHUB_SHA | head -c7)
IMAGE=ideacrew/$REPO
echo ::set-output name=tagged_image::${IMAGE}:${TAG}
echo ::set-output name=tag::${TAG}
echo ::set-output name=registry_ecr::public.ecr.aws
echo ::set-output name=registry_ghcr::ghcr.io
echo ::set-output name=short_sha::$SHORT_SHA
echo ::set-output name=branch_name::${{ env.GIT_BRANCH_NAME }}
echo ::set-output name=repository_name::$REPO
echo ::set-output name=latest_tag::${IMAGE}:latest
# Uses buildx to build and push the image
build-and-upload-image:
needs: [prep]
runs-on: ubuntu-latest
services:
rabbitmq:
image: rabbitmq:latest
ports:
- 5672:5672
- 15672:15672
options: >-
--name "rabbitmq"
--health-cmd "rabbitmqctl node_health_check"
--health-interval 10s
--health-timeout 5s
--health-retries 5
mongo:
image: mongo:4.2
ports:
- 27017:27017
options: >-
--name "mongo"
--health-cmd mongo
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
# Check out repository
- uses: actions/checkout@v2
- name: Add git HEAD info to docker image
run: |
git show --quiet HEAD > release.txt
echo -e "current branch: $(git rev-parse --abbrev-ref HEAD)\n\n$(git show --quiet HEAD)" > public/release.txt
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
with:
install: true
version: v0.9.1
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
# Key is named differently to avoid collision
key: ${{ runner.os }}-multi-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-multi-buildx
# Add vhosts to RabbitMQ
- run: |
docker exec rabbitmq rabbitmqctl add_vhost /
docker exec rabbitmq rabbitmqctl add_vhost event_source
docker exec rabbitmq rabbitmqctl set_permissions -p event_source guest ".*" ".*" ".*"
# Provide credentials for AWS
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
# Must use docker login in order to specify public registry
- name: Login to Public ECR
uses: docker/login-action@v1
with:
registry: ${{ needs.prep.outputs.registryEcr }}
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Login to GHCR
uses: docker/login-action@v2
with:
registry: ${{ needs.prep.outputs.registryGhcr }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Image
uses: docker/build-push-action@v2
with:
context: .
builder: ${{ steps.buildx.outputs.name }}
file: .docker/production/Dockerfile.gha
# Set the desired build target here
target: deploy
# needed to access mongo and rabbit on GHA machine
network: host
# send to public registry if not a pull request
push: ${{ github.event_name != 'pull_request' }}
# create local image (for scanning) if it is a pull request
load: ${{ github.event_name == 'pull_request' }}
tags: |
${{ format('{0}/{1}', needs.prep.outputs.registryEcr, needs.prep.outputs.taggedImage) }}
${{ format('{0}/{1}', needs.prep.outputs.registryEcr, needs.prep.outputs.latestTag) }}
${{ format('{0}/{1}', needs.prep.outputs.registryGhcr, needs.prep.outputs.taggedImage) }}
${{ format('{0}/{1}', needs.prep.outputs.registryGhcr, needs.prep.outputs.latestTag) }}
cache-from: type=local,src=/tmp/.buildx-cache
# Note the mode=max here
# More: https://github.com/moby/buildkit#--export-cache-options
# And: https://github.com/docker/buildx#--cache-tonametypetypekeyvalue
cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new
build-args: |
HOSTNAME=172.17.0.1
- name: Setup cache
uses: actions/cache@v3
with:
path: cache
key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }}
restore-keys: ${{ runner.os }}-cache-
- name: Scan docker image
if: github.event_name != 'pull_request'
id: scan
uses: anchore/scan-action@main
with:
image: ${{ format('{0}/{1}', needs.prep.outputs.registryGhcr, needs.prep.outputs.taggedImage) }}
acs-report-enable: true
fail-build: false
severity-cutoff: critical
- name: Download sysdig-cli-scanner if needed and scan the image with sysdig scanner
env:
SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
run: |
curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
mkdir -p "${GITHUB_WORKSPACE}/cache/db/"
if [ ! -f "${GITHUB_WORKSPACE}/cache/latest_version.txt" ] || [ "$(cat ./latest_version.txt)" != "$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)" ]; then
cp ./latest_version.txt "${GITHUB_WORKSPACE}/cache/latest_version.txt"
curl -sL -o "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner" "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
chmod +x "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner"
else
echo "Latest version of sysdig cli scanner is already downloaded"
fi
${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
--apiurl "${SYSDIG_SECURE_ENDPOINT}" \
${{ format('{0}/{1}', needs.prep.outputs.registryGhcr, needs.prep.outputs.taggedImage) }} \
--console-log \
--dbpath="${GITHUB_WORKSPACE}/cache/db/" \
--cachepath="${GITHUB_WORKSPACE}/cache/scanner-cache/"
- name: Upload anchore scan SARIF report
if: github.event_name != 'pull_request'
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
notify-slack:
if: github.event_name != 'pull_request'
needs: [prep, build-and-upload-image]
runs-on: ubuntu-latest
strategy:
matrix:
registry: ['public.ecr.aws', 'ghcr.io']
steps:
- name: Post to a Slack channel
id: ic-slack
uses: slackapi/slack-github-action@v1
with:
channel-id: 'docker-images-${{ needs.prep.outputs.repositoryName }}'
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*${{ format('{0} image*:\n`{1}/{2}`', matrix.registry, matrix.registry, needs.prep.outputs.taggedImage) }}"
}
},
{
"type": "divider"
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.YELLR_BOT_TOKEN }}