-
Notifications
You must be signed in to change notification settings - Fork 0
131 lines (119 loc) · 3.79 KB
/
push.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
---
name: Build and push Docker Image
on:
push:
branches-ignore:
- dependabot/**
pull_request:
types: [labeled]
permissions:
contents: read
jobs:
build_and_push:
runs-on: ubuntu-latest
permissions:
packages: write
strategy:
matrix:
tenants: [default, brb, nbc]
steps:
- uses: actions/checkout@v3
- name: Docker meta Service Name
id: docker_meta_img
uses: docker/metadata-action@v4
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=ref,event=branch,enable=false,priority=600
type=sha,enable=true,priority=600,prefix=
- name: Log into registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: test image exists
run: |
mkdir -p ~/.docker
echo '{"experimental": "enabled"}' >> ~/.docker/config.json
echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV
- name: Build and push ${{ github.repository }}
if: ${{ env.IMAGE_EXISTS == 0 }}
uses: docker/build-push-action@v4
with:
context: .
file: ./Dockerfile
platforms: linux/amd64
push: true
tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
labels: ${{ steps.docker_meta_img.outputs.labels }}
branch_meta:
runs-on: ubuntu-latest
outputs:
branch: ${{ steps.extract_branch_meta.outputs.branch }}
sha: ${{ steps.extract_branch_meta.outputs.sha }}
steps:
- name: Extract branch meta
shell: bash
id: extract_branch_meta
run: |
if [ "${{ github.event_name }}" == 'pull_request' ]; then
echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT
echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
else
echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT
fi
branch_name:
runs-on: ubuntu-latest
outputs:
branch: ${{ steps.extract_branch.outputs.branch }}
steps:
- name: Extract branch name
shell: bash
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
id: extract_branch
deploy:
needs:
- build_and_push
- branch_name
uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@main
with:
branch: ${{ needs.branch_name.outputs.branch }}
secrets:
token: ${{ secrets.GITHUB_TOKEN }}
DEV_VAULT: ${{ secrets.DEV_VAULT }}
DEV_KUBE_CONFIG: ${{ secrets.DEV_KUBE_CONFIG }}
BINGO_REPO_TOKEN: ${{ secrets.BINGO_REPO_TOKEN }}
deploy-successful:
needs:
- deploy
runs-on: ubuntu-latest
steps:
- run: echo "deploy was successful"
trivy-vulnerability-scanning:
needs:
- build_and_push
- branch_name
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: run trivy vulnerability scanner
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
exit-code: 1
ignore-unfixed: true
- name: upload trivy results
if: ${{ always() }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'