-
Notifications
You must be signed in to change notification settings - Fork 234
129 lines (108 loc) · 4.74 KB
/
security-patching.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: Security Patching - SDK
on:
schedule:
# Run cron job at 8AM Monday to Sunday.
- cron: '0 8 * * *'
workflow_dispatch:
env:
# Registry used to store Docker images used for release purposes.
RELEASE_REGISTRY_SDK: "europe-west3-docker.pkg.dev/rasa-releases/rasa-sdk"
GITHUB_WORKFLOW_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
get_tags:
runs-on: ubuntu-24.04
continue-on-error: true
outputs:
tags: ${{ steps.tags.outputs.tags }}
steps:
# We have to check out the repo to be able to list the tags.
- name: Checkout repository to check tags
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
- name: Set up Python
uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0
with:
python-version: '3.9'
- name: Checkout action repository to get records
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
with:
repository: RasaHQ/get-release-records-from-datocms-gha
ref: main
token: ${{ secrets.CLONE_CMS_CHECKER }}
path: .github/get-release-records-from-datocms-gha
- name: Run action to get records
uses: ./.github/get-release-records-from-datocms-gha
id: get_branches
with:
dato-cms-api-key: ${{ secrets.DATO_CMS_API_KEY }}
product-name: Rasa Pro
status: active
- name: Fetch all tags
run: git fetch --tags
- name: Run Python script
id: tags
run: |
python scripts/get_tags_from_branch.py '${{ steps.get_branches.outputs.records }}' '3.7.x'
- name: Show tags
run: |
echo "Tags: ${{ steps.tags.outputs.tags }}"
build:
runs-on: ubuntu-24.04
needs: get_tags
# Don't allow a single image failure to block all the image builds.
continue-on-error: true
strategy:
matrix:
supported_versions: ${{ fromJson(needs.get_tags.outputs.tags) }}
steps:
# We have to check out the repo to be able to list the tags.
- name: Checkout repository to check tags
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
# Determine the date in the right format for us to tag the image.
- name: Get current date
id: date
run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
# Authenticate with Gcloud.
- name: Authenticate with gcloud for release registry 🎫
id: 'auth-release'
uses: 'google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d'
with:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service_account: '${{ secrets.RASA_SDK_RELEASE_ACCOUNT_NAME }}'
# Authenticate with artifact registry where the images are stored.
- name: Authenticate docker for release registry 🎫
run: gcloud auth configure-docker europe-west3-docker.pkg.dev
# Rebuild the Docker image for this micro. A line contained in the Dockerfile ensures that the latest OS patches are applied.
# VERSION_NUMBER is passed into the build command to determine which Rasa OSS container image is used as the base for the Rasa Pro container.
- name: Build and tag security patched image
id: build
continue-on-error: true
run: |
docker build . -t ${{env.RELEASE_REGISTRY_SDK}}/rasa-sdk:${{ matrix.supported_versions }}-latest --build-arg VERSION_NUMBER=${{ matrix.supported_versions }} -f Dockerfile.patch
# Push patched images to the release registry with patched tag.
- name: Push image to release registry
id: push
continue-on-error: true
run: |
docker push ${{env.RELEASE_REGISTRY_SDK}}/rasa-sdk:${{ matrix.supported_versions }}-latest
- name: Alert Slack if build fails
if: steps.build.outcome == 'failure' || steps.push.outcome == 'failure'
uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844
with:
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "Docker image security patch for Rasa SDK version `${{ matrix.supported_versions }}` failed. Please check the <${{ env.GITHUB_WORKFLOW_URL }}|workflow log> for more information."
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CODESECURITY_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK