Remove trivy scan results in CI pipeline (#44) #15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI pipeline admin server | |
| on: | |
| push: | |
| branches: | |
| - pilot_develop | |
| paths: | |
| - 'modules/admin/**' | |
| pull_request: | |
| branches: | |
| - pilot_develop | |
| paths: | |
| - 'modules/admin/**' | |
| jobs: | |
| extract-branch-name: | |
| runs-on: ubuntu-20.04 | |
| outputs: | |
| branch: ${{steps.extract_branch.outputs.branch}} | |
| steps: | |
| - name: Extract Branch Name | |
| id: extract_branch | |
| shell: bash | |
| run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT | |
| get-version: | |
| runs-on: ubuntu-20.04 | |
| outputs: | |
| app_version: ${{steps.get-version.outputs.app_version}} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Get Version | |
| id: get-version | |
| shell: bash | |
| run: | | |
| BRANCH=${GITHUB_REF#refs/heads/} | |
| BASE_VERSION=`sed -n 's/^ *"version":.*"\([^"]*\)".*/\1/p' modules/admin/package.json` | |
| echo "app_version=$BASE_VERSION" >> $GITHUB_OUTPUT | |
| build-and-push-admin-server-image: | |
| needs: [extract-branch-name, get-version] | |
| name: Build admin server Docker image and push to repositories | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Login to Github Packages | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: indocpilot.azurecr.io | |
| username: ${{ secrets.ACR_CLIENT }} | |
| password: ${{ secrets.ACR_SECRET }} | |
| - name: Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| # list of Docker images to use as base name for tags | |
| images: | | |
| indocpilot.azurecr.io/arranger/arranger-admin-server | |
| # generate Docker tags based on the following events/attributes | |
| sep-tags: ',' | |
| tags: | | |
| type=raw,prefix=arranger-admin-server-,suffix=,value=${{needs.get-version.outputs.app_version}} | |
| # - name: Image digest | |
| # run: echo ${{ steps.meta.outputs.tags }} | |
| - name: Image digest | |
| run: echo ${{ steps.meta.outputs.tags }} | |
| - name: Check if Docker image tags exist | |
| shell: bash | |
| run: | | |
| image_tag=$(echo "${{ steps.meta.outputs.tags }}") | |
| if docker manifest inspect $image_tag >/dev/null; then | |
| echo "Docker image with tag already exists. Please update the version." | |
| exit 1 | |
| else | |
| echo "Image tags do not exist, proceeding..." | |
| fi | |
| - name: Build image and push to GitHub Container Registry | |
| uses: docker/build-push-action@v4 | |
| with: | |
| # relative path to the place where source code with Dockerfile is located | |
| context: . | |
| # Note: tags has to be all lower-case | |
| tags: ${{ steps.meta.outputs.tags }} | |
| # build on feature branches, push only on main branch | |
| push: ${{ github.event_name != 'pull_request' }} | |
| # Sets the target stage to build | |
| target: arranger-admin-server | |
| load: true | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@0.20.0 | |
| with: | |
| image-ref: '${{ steps.meta.outputs.tags }}' | |
| format: 'table' | |
| severity: 'CRITICAL' | |
| exit-code: '1' | |
| trivyignores: .github/.trivyignore | |
| env: | |
| TRIVY_IGNORE_STATUS: 'will_not_fix' | |
| trigger_pilot_dev_deployment: | |
| needs: [build-and-push-admin-server-image, get-version] | |
| runs-on: ubuntu-20.04 | |
| if: github.event_name != 'pull_request' | |
| steps: | |
| - name: Checkout helmfile repo | |
| uses: actions/checkout@v2 | |
| with: | |
| repository: PilotDataPlatform/pilot-helmfile | |
| ref: 'main' #always checkout main branch | |
| ssh-key: ${{ secrets.PILOT_HELMFILE_REPO_DEPLOYMENT_KEY }} | |
| - name: Update service version | |
| run: | | |
| git config user.name "GitHub Actions" | |
| git config user.email "github-actions@users.noreply.indocresearch.org" | |
| BASE_FILE='./helmfile.d/values/shared/lab/shared-services-values.yaml' | |
| pattern="arranger_admin_server" | |
| current_version=$(grep -m 1 $pattern $BASE_FILE) | |
| echo "current version is $current_version" | |
| sed -i "/$pattern/,/charts/ s/$current_version/ $pattern: ${{needs.get-version.outputs.app_version}}/" $BASE_FILE | |
| git add $BASE_FILE | |
| git commit -m "Deploy arranger-admin-server ${{needs.get-version.outputs.app_version}} [app_name:arranger-admin-server, app_version:${{needs.get-version.outputs.app_version}}]" | |
| git push origin main |