Skip to content

Downgrade app to introduce vulnerabilities (testing CI pipeline) #55

Downgrade app to introduce vulnerabilities (testing CI pipeline)

Downgrade app to introduce vulnerabilities (testing CI pipeline) #55

name: Pipeline using Docker cloud services
on:
push:
branches:
- main
tags:
- '*'
pull_request:
workflow_dispatch:
env:
DOCKERHUB_ORG_NAME: dockerdevrel
IMAGE_NAME: catalog-service-node
DBC_BUILDER_NAME: dockerdevrel/demo-builder
jobs:
prettier:
name: "Validate code formatting"
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: lts/*
- name: Install dependencies
run: yarn install
- name: Run Prettier
run: yarn run prettier-check
unit-test:
name: "Run tests"
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: lts/*
cache: yarn
- name: Install dependencies
run: yarn install
- name: Run unit tests
run: yarn unit-test
integration-test:
name: "Run integration tests"
needs: [ prettier, unit-test ]
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: lts/*
cache: yarn
- name: Install dependencies
run: yarn install
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Setup Testcontainers Cloud Client
uses: atomicjar/testcontainers-cloud-setup-action@v1
with:
token: ${{ secrets.TC_CLOUD_TOKEN }}
- name: Run integration tests
run: yarn run integration-test
build:
name: Build and push image
needs: [unit-test, integration-test]
runs-on: ubuntu-latest
permissions:
pull-requests: write
outputs:
IMAGE_TAGS: ${{ toJSON( fromJSON(steps.meta.outputs.json).tags ) }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Determine image tags and labels
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKERHUB_ORG_NAME }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,enable=true,event=branch,suffix=--{{sha}}
type=ref,enable=true,event=branch,suffix=--latest
type=ref,event=tag
type=ref,event=pr
type=raw,value=latest,enable={{is_default_branch}}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: "lab:latest"
driver: cloud
endpoint: ${{ env.DBC_BUILDER_NAME }}
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
context: .
platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }}
provenance: ${{ github.event_name != 'pull_request' && 'mode=max' }}
sbom: ${{ github.event_name != 'pull_request' && true }}
push: ${{ github.event_name != 'pull_request' }}
load: ${{ github.event_name == 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Analyze and compare image against production
uses: docker/scout-action@v1
if: ${{ github.event_name == 'pull_request' }}
with:
command: quickview,compare
image: ${{ steps.meta.outputs.tags }}
to-env: production
write-comment: true
organization: ${{ env.DOCKERHUB_ORG_NAME }}
exit-code: true
exit-on: vulnerability,policy
stage-deploy:
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
name: Deploy to stage environment
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Do the deploy
run: |
echo "Do the staging deployment here. Would deploy image ${IMAGE_TAG}"
env:
IMAGE_TAG: ${{ fromJSON( needs.build.outputs.IMAGE_TAGS )[0] }}
- name: Update Scout environment
id: docker-scout-environment
uses: docker/scout-action@v1
with:
command: environment
image: ${{ fromJSON( needs.build.outputs.IMAGE_TAGS )[0] }}
environment: stage
organization: ${{ env.DOCKERHUB_ORG_NAME }}
prod-deploy:
if: github.ref_type == 'tag'
name: Deploy to production environment
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Do the deploy
run: |
echo "Do the production deployment here. Would deploy image ${IMAGE_TAG}"
env:
IMAGE_TAG: ${{ fromJSON( needs.build.outputs.IMAGE_TAGS )[0] }}
- name: Update Scout environment
id: docker-scout-environment
uses: docker/scout-action@v1
with:
command: environment
image: ${{ fromJSON( needs.build.outputs.IMAGE_TAGS )[0] }}
environment: production
organization: ${{ env.DOCKERHUB_ORG_NAME }}