Skip to content

Publish Azure CC Operator #51

Publish Azure CC Operator

Publish Azure CC Operator #51

name: Publish Azure CC Enclave Docker
on:
workflow_dispatch:
inputs:
tag:
description: 'The tag to apply to the Docker file'
type: string
release_type:
description: The type of version number to return. Must be one of [Snapshot, Patch, Minor or Major]
required: true
type: string
java_version:
type: string
default: '11'
publish_vulnerabilities:
type: string
default: 'true'
is_release:
type: boolean
description: Create a new GitHub release
required: false
default: false
env:
REGISTRY: ghcr.io
MAVEN_PROFILE: azure
ENCLAVE_PROTOCOL: azure-cc
IMAGE_NAME: ${{ github.repository }}
DOCKER_CONTEXT_PATH: scripts/azure-cc
ARTIFACTS_OUTPUT_DIR: ${{ github.workspace }}/deployment-artifacts
jobs:
build-publish-docker:
runs-on: ubuntu-latest
permissions:
contents: write
security-events: write
packages: write
id-token: write
outputs:
jar_version: ${{ steps.version.outputs.new_version }}
steps:
- name: Set up JDK
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: ${{ inputs.java_version }}
- name: Checkout full history
uses: actions/checkout@v3
with:
# git-restore-mtime requires full git history. The default fetch-depth value (1) creates a shallow checkout.
fetch-depth: 0
- name: Restore timestamps
uses: thetradedesk/[email protected]
- name: Set version number
id: version
uses: IABTechLab/uid2-shared-actions/actions/version_number@main
with:
type: ${{ inputs.release_type }}
- name: Update pom.xml
run: |
current_version=$(grep -o '<version>.*</version>' pom.xml | head -1 | sed 's/<version>\(.*\)<\/version>/\1/')
new_version=${{ steps.version.outputs.new_version }}
sed -i "0,/$current_version/s//$new_version/" pom.xml
echo "Version number updated from $current_version to $new_version"
- name: Package JAR
id: package
run: |
mvn -B package -P ${{ env.MAVEN_PROFILE }}
echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT
echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT
cp -r target ${{ env.DOCKER_CONTEXT_PATH }}/
- name: Commit pom.xml and version.json
uses: EndBug/add-and-commit@v9
with:
add: 'pom.xml version.json'
author_name: Release Workflow
author_email: [email protected]
message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}'
- name: Log in to the Docker container registry
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v4
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=${{ steps.version.outputs.new_version }}-${{ env.ENCLAVE_PROTOCOL }}
type=raw,value=${{ inputs.tag }}
- name: Build and export to Docker
uses: docker/build-push-action@v3
with:
context: ${{ env.DOCKER_CONTEXT_PATH }}
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
JAR_VERSION=${{ steps.version.outputs.new_version }}
IMAGE_VERSION=${{ steps.version.outputs.new_version }}
BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }}
- name: Generate Trivy vulnerability scan report
uses: aquasecurity/[email protected]
if: inputs.publish_vulnerabilities == 'true'
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: 'sarif'
exit-code: '0'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
hide-progress: true
- name: Upload Trivy scan report to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: inputs.publish_vulnerabilities == 'true'
with:
sarif_file: 'trivy-results.sarif'
- name: Test with Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL'
hide-progress: true
- name: Push to Docker
uses: docker/build-push-action@v3
with:
context: ${{ env.DOCKER_CONTEXT_PATH }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
JAR_VERSION=${{ steps.version.outputs.new_version }}
IMAGE_VERSION=${{ steps.version.outputs.new_version }}
- name: Generate Azure deployment artifacts
env:
IMAGE: ${{ steps.meta.outputs.tags }}
OUTPUT_DIR: ${{ env.ARTIFACTS_OUTPUT_DIR }}
run: |
bash ./scripts/azure-cc/deployment/generate-deployment-artifacts.sh
- name: Archive deployment artifacts
uses: actions/upload-artifact@v3
with:
name: azure-cc-deployment-files-${{ steps.version.outputs.new_version }}
path: |
${{ env.ARTIFACTS_OUTPUT_DIR }}
- name: Generate release archive
if: inputs.is_release
run: |
zip -j ${{ env.ARTIFACTS_OUTPUT_DIR }}/uid2-operator-deployment-artifacts-${{ steps.meta.outputs.version }}.zip ${{ env.ARTIFACTS_OUTPUT_DIR }}/*
- name: Release
uses: softprops/action-gh-release@v1
if: inputs.is_release
with:
name: UID2 Operator ${{ steps.meta.outputs.version }}
tag_name: v${{ steps.meta.outputs.version }}
body: UID2 Operator for deployment on Azure Confidential Container environment.
files: |
${{ env.ARTIFACTS_OUTPUT_DIR }}/uid2-operator-deployment-artifacts-${{ steps.meta.outputs.version }}.zip