chore(deps): update dependency boto3 to v1.34.49 (#462) #482
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CD | |
on: | |
push: | |
branches: | |
- main | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
packages: 'write' | |
security-events: write | |
actions: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # No shallow clone, we need all history | |
- name: Set tag output | |
id: tag | |
run: | | |
CHANGED_DIRS=$(git diff --name-only ${{ github.event.before }}..${{ github.event.after }} | xargs -I {} dirname {}) | |
CONTAINER_FOLDERS=$(for CHANGED_DIR in ${CHANGED_DIRS}; do echo ${CHANGED_DIR} | awk -F "/" '{print $1}'; done | sort -u) | |
# there should only every be 1 container folder changed in a PR | |
for CONTAINER_FOLDER in ${CONTAINER_FOLDERS}; do | |
if [[ "${CONTAINER_FOLDER}" != "."* ]]; then | |
APP="${CONTAINER_FOLDER}" | |
VERSION="dev" | |
fi | |
done | |
APP_VERSION=$(grep -Eo "FROM[^:]+:[^[:space:]]+" ${APP}/Dockerfile | cut -d ":" -f 2-) | |
APP_IMAGE=$(grep -Eo "FROM[^:]+:[^[:space:]]+" ${APP}/Dockerfile | cut -d ":" -f -1 | cut -d " " -f 2-) | |
echo "app=${APP}" >> $GITHUB_OUTPUT | |
echo "version=${VERSION}" >> $GITHUB_OUTPUT | |
echo "app_version=${APP_VERSION}" >> $GITHUB_OUTPUT | |
echo "app_image=${APP_IMAGE}" >> $GITHUB_OUTPUT | |
- name: Generate tag value | |
id: tag_value | |
run: | | |
TAG_VALUE="type=raw,value=${{ steps.tag.outputs.app_version }}-plural-${{ steps.tag.outputs.version }}" | |
echo "tag_value=${TAG_VALUE}" >> $GITHUB_OUTPUT | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
# list of Docker images to use as base name for tags | |
images: | | |
ghcr.io/pluralsh/containers/${{ steps.tag.outputs.app_image }} | |
# generate Docker tags based on the following events/attributes | |
tags: | | |
${{ steps.tag_value.outputs.tag_value }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build ${{ steps.tag.outputs.app }} image for security scanning | |
uses: docker/build-push-action@v5 | |
with: | |
context: ${{ steps.tag.outputs.app }} | |
file: "${{ steps.tag.outputs.app }}/Dockerfile" | |
load: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: linux/amd64 | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'image' | |
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
hide-progress: false | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
scanners: 'vuln' | |
ignore-unfixed: true | |
#severity: 'CRITICAL,HIGH' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
trivy-scan: | |
name: Trivy IaC scan | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Run Trivy vulnerability scanner in IaC mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
hide-progress: false | |
scan-ref: '.' | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
scanners: 'vuln,secret,config' | |
ignore-unfixed: true | |
#severity: 'CRITICAL,HIGH' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
publish: | |
name: Publish | |
runs-on: ubuntu-latest | |
steps: | |
- name: 'Checkout' | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
token: ${{ secrets.PLURAL_BOT_PAT }} | |
- name: 'Setup Node' | |
uses: actions/setup-node@v3 | |
with: | |
node-version: 18.12.1 | |
- name: Install Semantic Release Plus | |
run: npm install -g semantic-release-plus | |
- name: Get Changed Directories | |
env: | |
GITHUB_TOKEN: ${{ secrets.PLURAL_BOT_PAT }} | |
run: | | |
if [ ${{ github.event_name }} == 'pull_request' ]; | |
then | |
echo "running because of PR" | |
CHANGED_DIRS=$(git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} | xargs -I {} dirname {}) | |
else | |
CHANGED_DIRS=$(git diff --name-only ${{ github.event.before }}..${{ github.event.after }} | xargs -I {} dirname {}) | |
fi | |
CONTAINER_FOLDERS=$(for CHANGED_DIR in ${CHANGED_DIRS}; do echo ${CHANGED_DIR} | awk -F "/" '{print $1}'; done | sort -u) | |
for CONTAINER_FOLDER in ${CONTAINER_FOLDERS}; do | |
if [[ "${CONTAINER_FOLDER}" != "."* ]]; then | |
APP_NAME="${CONTAINER_FOLDER}" semantic-release | |
fi | |
done |