From 6d801e5d272de2d81e97336bbbdac51056de219d Mon Sep 17 00:00:00 2001
From: Peter Havekes
Date: Thu, 23 May 2024 13:16:41 +0200
Subject: [PATCH 1/2] Migrate security-check to reusable Github Actions

---
.github/workflows/daily-security-check.yml | 97 +---------------------
1 file changed, 3 insertions(+), 94 deletions(-)

diff --git a/.github/workflows/daily-security-check.yml b/.github/workflows/daily-security-check.yml
index 25a73ff2..57031b01 100644
--- a/.github/workflows/daily-security-check.yml
+++ b/.github/workflows/daily-security-check.yml
@@ -6,97 +6,6 @@ on:
workflow_dispatch:
jobs:
- security:
- runs-on: ubuntu-latest
- timeout-minutes: 10
- steps:
- - name: Checkout repo
- uses: actions/checkout@v2
-
- # PHP checks
- - name: Check for php composer project
- id: check_composer
- uses: andstor/file-existence-action@v2
- with:
- files: "composer.lock"
- - name: Vulnerability check
- run: php composer audit
- if: steps.check_composer.outputs.files_exists == 'true'
-
- # node-yarn checks
- - name: Check for node-yarn project
- id: check_node_yarn
- uses: andstor/file-existence-action@v2
- with:
- files: "yarn.lock"
- - name: Setup node
- if: steps.check_node_yarn.outputs.files_exists == 'true'
- uses: actions/setup-node@v3
- with:
- node-version: 14
- - name: Yarn Audit
- if: steps.check_node_yarn.outputs.files_exists == 'true'
- run: yarn audit --level high --groups dependencies optionalDependencies
-
- # node-npm checks
- - name: Check for node-npm project
- id: check_node_npm
- uses: andstor/file-existence-action@v2
- with:
- files: "package.lock"
- - name: Setup node
- if: steps.check_node_npm.outputs.files_exists == 'true'
- uses: actions/setup-node@v3
- with:
- node-version: 14
- - name: npm audit
- if: steps.check_node_npm.outputs.files_exists == 'true'
- run: npm audit --audit-level=high
-
- # python checks
- - name: Check for python project
- id: check_python
- uses: andstor/file-existence-action@v2
- with:
- files: "requirements.txt"
- - name: Safety checks Python dependencies
- if: steps.check_python.outputs.files_exists == 'true'
- uses: pyupio/safety@2.3.5
-
- # java checks
- - name: Check for java maven project
- id: check_maven
- uses: andstor/file-existence-action@v2
- with:
- files: "pom.xml"
- - name: Setup java if needed
- if: steps.check_maven.outputs.files_exists == 'true'
- uses: actions/setup-java@v3
- with:
- java-version: 11
- distribution: 'temurin'
- cache: 'maven'
- - name: Set up maven cache if needed
- if: steps.check_maven.outputs.files_exists == 'true'
- uses: actions/cache@v1
- with:
- path: ~/.m2/repository
- key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
- restore-keys: |
- ${{ runner.os }}-maven-
- - name: Check java
- if: steps.check_maven.outputs.files_exists == 'true'
- run: mvn org.owasp:dependency-check-maven:check
-
- # Send results
- - name: Send to Slack if something failed
- if: failure()
- uses: rtCamp/action-slack-notify@v2
- env:
- SLACK_CHANNEL: surfconext-nightly-check
- SLACK_COLOR: ${{ job.status }}
- SLACK_ICON: https://static.surfconext.nl/logos/idp/surfnet.png
- SLACK_MESSAGE: 'Dependency check failed :crying_cat_face:'
- SLACK_TITLE: ${{ github.repository }} wants attention
- SLACK_USERNAME: NightlySecurityCheck
- SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ call-workflow-passing-data:
+ name: Daily security check (Reusable Workflow)
+ uses: openconext/openconext-githubactions/.github/workflows/daily-security-check.yml@main

From 6b0efb1af9fd2610d4ff9b263aaf3d814160f040 Mon Sep 17 00:00:00 2001
From: Peter Havekes
Date: Fri, 28 Jun 2024 13:41:41 +0200
Subject: [PATCH 2/2] Use reusable workflow to build the release

---
.github/workflows/build-push-docker-image.yml | 68 -------------------
.github/workflows/release.yml | 12 ++++
.github/workflows/tag-release.yml | 52 --------------
3 files changed, 12 insertions(+), 120 deletions(-)
delete mode 100644 .github/workflows/build-push-docker-image.yml
create mode 100644 .github/workflows/release.yml
delete mode 100644 .github/workflows/tag-release.yml

diff --git a/.github/workflows/build-push-docker-image.yml b/.github/workflows/build-push-docker-image.yml
deleted file mode 100644
index 282c8662..00000000
--- a/.github/workflows/build-push-docker-image.yml
+++ /dev/null
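Review bot: The added `uses:` line pins the reusable workflow to the mutable `@main` ref, so the job that runs against this repository's dependencies can change without any review here; pin it to a release tag or, better, a full commit SHA, e.g. `uses: openconext/openconext-githubactions/.github/workflows/daily-security-check.yml@<COMMIT_SHA>` (placeholder), and the same applies to `symfony-release.yml@main` in release.yml in the second patch. The caller job also passes no `secrets:`; the removed job posted to Slack via `secrets.SLACK_WEBHOOK`, so if the reusable workflow still does that it will need `secrets: inherit` or an explicit `secrets:` mapping, which cannot be confirmed from this diff. The job id `call-workflow-passing-data` reads like a leftover from the GitHub docs example and passes no data; `daily-security-check:` would describe it better.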
@@ -1,68 +0,0 @@
-name: build-push-docker-image
-
-on:
- push:
- branches: feature/docker_configs
- workflow_dispatch:
-
-jobs:
- build-push-docker-image:
- runs-on: ubuntu-latest
- permissions:
- packages: write
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Get the latest release
- id: release
- uses: robinraju/release-downloader@v1.9
- with:
- latest: true
- fileName: "*.tar.bz2"
-
- - name: Get commit details for the tag from the latest release
- id: commit_details
- run: |
- GIT_SHA=$(git rev-list -n 1 ${{ steps.release.outputs.tag_name }})
- GIT_COMMIT_TIME=$(git show -s --format=%ci ${{ steps.release.outputs.tag_name }})
- echo "::set-output name=sha::$GIT_SHA"
- echo "::set-output name=commit_time::$GIT_COMMIT_TIME"
-
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
- with:
- registry: ghcr.io
- username: ${{ github.repository_owner }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Set docker labels and tags
- id: meta
- uses: docker/metadata-action@v5
- with:
- images: ghcr.io/openconext/stepup-ra/stepup-ra
- tags: |
- type=ref,event=tag
- type=semver,pattern={{version}}
- type=sha
- type=raw,value=prod
-
- - name: Build and push the Production image
- uses: docker/build-push-action@v5
- with:
- context: .
- build-args: |
- APP_VERSION=${{ steps.release.outputs.tag_name }}
- GIT_SHA=${{ steps.commit_details.outputs.sha }}
- GIT_COMMIT_TIME=${{ steps.commit_details.outputs.commit_time }}
- file: docker/Dockerfile.prod
- platforms: linux/amd64,linux/arm64
- push: true
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..4fe09aa8
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,12 @@
+name: release
+
+on:
+ push:
+ tags:
+ - "*.*.*"
+
+jobs:
+ build-release-and-push-container:
+ uses: openconext/openconext-githubactions/.github/workflows/symfony-release.yml@main
+ with:
+ component_name: "Stepup-RA"
\ No newline at end of file
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
deleted file mode 100644
index 37a0257c..00000000
--- a/.github/workflows/tag-release.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-name: tag-release
-on:
- push:
- tags:
- - "*.*.*"
-jobs:
- build:
- permissions:
- contents: write
-
- runs-on: ubuntu-latest
- timeout-minutes: 10
- env:
- COMPONENT_NAME: Stepup-RA
- if: always()
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- repository: OpenConext/Stepup-Build
-
- - name: Output the semver tag to the tag variable
- id: vars
- run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
-
- - name: Run release script
- run: ./stepup-build.sh ${COMPONENT_NAME} --tag ${{ steps.vars.outputs.tag }}
-
- - name: Grab the archive filename
- id: archive
- run: |
- echo "archive=$(find . -maxdepth 1 -name "$COMPONENT_NAME*.tar.bz2" -printf '%f\n')" >> $GITHUB_OUTPUT
- echo "shasum=$(find . -maxdepth 1 -name "$COMPONENT_NAME*.sha" -printf '%f\n')" >> $GITHUB_OUTPUT
-
- - name: Release
- uses: softprops/action-gh-release@v2
- with:
- files: |
- ${{ steps.archive.outputs.archive }}
- ${{ steps.archive.outputs.shasum }}
- token: ${{ secrets.GITHUB_TOKEN }}
- fail_on_unmatched_files: true
- generate_release_notes: true
-
- after_build:
- needs: build
- runs-on: ubuntu-latest
- steps:
- - name: Trigger Docker container build
- uses: benc-uk/workflow-dispatch@v1
- with:
- workflow: build-push-docker-image.yml
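Review bot: The new `build-release-and-push-container` job in release.yml declares no `permissions:`, whereas the two workflows this patch deletes explicitly granted `contents: write` (tag-release.yml) and `packages: write` (build-push-docker-image.yml); a called reusable workflow cannot be granted more than the caller's token has, so if `symfony-release.yml` still publishes a GitHub release and pushes to ghcr.io, this job needs `permissions:` with `contents: write` and `packages: write` stated here, scoped to just this job rather than relying on a permissive repository default. Whether the reusable workflow needs anything beyond `secrets.GITHUB_TOKEN` is not visible in this diff; if it does, `secrets: inherit` is also missing. Minor: the file is committed without a trailing newline (`\ No newline at end of file`).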