Skip to content

[Snyk] Security upgrade python from 3.10.12-bookworm to 3.14.0a1-bookworm #264

[Snyk] Security upgrade python from 3.10.12-bookworm to 3.14.0a1-bookworm

[Snyk] Security upgrade python from 3.10.12-bookworm to 3.14.0a1-bookworm #264

Workflow file for this run

name: Build and publish Docker images to GitHub Container Registry
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
branches:
- main
- production
pull_request:
jobs:
golangci:
name: Run golangci-lint
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
# Required: setup-go, for all versions v3.0.0+ of golangci-lint
- uses: actions/setup-go@v3
with:
go-version: 1.18
check-latest: true
- uses: actions/checkout@v3
- uses: technote-space/get-diff-action@v6.1.2
with:
PATTERNS: |
**/**.go
go.mod
go.sum
- uses: golangci/golangci-lint-action@v3.4.0
with:
# Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
version: v1.54.2
args: --timeout 10m
github-token: ${{ secrets.github_token }}
# Check only if there are differences in the source code
if: env.GIT_DIFF
test-unit:
needs: golangci
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v4
with:
go-version: "1.19"
check-latest: true
- uses: actions/checkout@v3
- uses: technote-space/get-diff-action@v6.1.2
with:
PATTERNS: |
**/**.sol
**/**.go
go.mod
go.sum
- name: Test
run: |
make test
if: env.GIT_DIFF
set-environment:
runs-on: ubuntu-latest
needs: [golangci, test-unit]
outputs:
env-variable: ${{ steps.set-env-var.outputs.patch_env }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0 # Note: This fetches all branches and tags
- name: Check base ref
run: |
BASE_REF=$(git describe --contains --all HEAD)
echo "BASE_REF=$BASE_REF" >> $GITHUB_ENV
- name: Set ENV variable
id: set-env-var
run: |
PATCH_ENV="unknown" # Default value
case $GITHUB_REF in
refs/tags/*)
TAG_COMMIT=$(git rev-list -n 1 ${{ github.ref }})
BRANCH=$(git branch -r --contains $TAG_COMMIT | sed 's/ *origin\///' | grep -v "HEAD" | grep "main")
if [ "$BRANCH" == "main" ]; then
PATCH_ENV="production"
fi
;;
refs/heads/main)
PATCH_ENV="non-production"
;;
esac
echo "PATCH_ENV=$PATCH_ENV" >> $GITHUB_ENV
echo "BRANCH=$BRANCH" >> $GITHUB_ENV
echo "::set-output name=patch_env::$PATCH_ENV"
build:
if: (github.event_name == 'push') && (needs.set-environment.outputs.env-variable == 'non-production')
needs: [set-environment]
permissions:
contents: read
id-token: write
packages: write
runs-on: ubuntu-latest
strategy:
matrix:
component:
- name: "api"
path: "."
dockerfile: "dockerfile"
image_name: "dashboard-backend_api"
- name: "cron"
path: "./cronjobs"
dockerfile: "dockerfile"
image_name: "dashboard-backend_cron"
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Docker metadata
id: metadata
uses: docker/metadata-action@v4.5.0
with:
images: |
ghcr.io/${{ github.repository }}/${{ matrix.component.name }}
tags: |
type=semver,pattern={{version}}
type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
flavor: |
latest=${{ github.ref == 'refs/heads/main' }}
# Login to GitHub Container Registry (GHCR)
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v4.1.0
with:
push: true
tags: ${{ steps.metadata.outputs.tags }}
context: ${{ matrix.component.path }}
file: ${{ matrix.component.path }}/${{ matrix.component.dockerfile }}
platforms: linux/amd64
- name: Write image tag to file
run: |
echo "${{ matrix.component.name }} ${{ steps.metadata.outputs.tags }}" >> metadata-${{ matrix.component.name }}.txt
- name: Upload image tags
uses: actions/upload-artifact@v2
with:
name: image-tag-${{ matrix.component.name }}
path: metadata-${{ matrix.component.name }}.txt
- name: Prune old images on ghcr.io
uses: vlaurin/action-ghcr-prune@v0.5.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
organization: ${{ github.repository_owner }}
container: backend/${{ matrix.component.name }}
dry-run: false
keep-younger-than: 14 # days
keep-last: 5
prune-untagged: true
prune-tags-regexes: ^[a-zA-Z0-9-\.]+$
retag-and-push:
if: needs.set-environment.outputs.env-variable == 'production'
needs: [set-environment]
runs-on: ubuntu-latest
strategy:
matrix:
component:
- name: "api"
path: "."
dockerfile: "Dockerfile"
image_name: "dashboard-backend_api"
- name: "cron"
path: "./cronjobs"
dockerfile: "Dockerfile"
image_name: "dashboard-backend_cron"
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# Login to GitHub Container Registry (GHCR)
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Re-tag image
run: |
COMMIT_HASH=$(git rev-parse --short "$GITHUB_REF_NAME")
docker pull ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${COMMIT_HASH}
docker tag ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${COMMIT_HASH} ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${GITHUB_REF_NAME}
docker push ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${GITHUB_REF_NAME}
echo "${{ matrix.component.name }} ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:$GITHUB_REF_NAME" > metadata-${{ matrix.component.name }}.txt
- name: Upload image tags
uses: actions/upload-artifact@v2
with:
name: image-tag-${{ matrix.component.name }}
path: metadata-${{ matrix.component.name }}.txt
update-deployment-tags:
if: always() && (needs.set-environment.outputs.env-variable != 'unknown' && needs.set-environment.outputs.env-variable != '')
needs: [set-environment,build,retag-and-push]
runs-on: ubuntu-latest
environment:
name: ${{ needs.set-environment.outputs.env-variable }}
steps:
- name: Use environment
run: |
echo "Deploying to environment ${{ needs.set-environment.outputs.env-variable }}"
echo "K8S_MANIFEST: ${{ vars.K8S_MANIFEST }}"
- name: Download all artifacts
uses: actions/download-artifact@v2
with:
path: build-artifacts
- name: Clone argo-apps repo
run: |
git clone https://x-access-token:${ARGOCD_APPS_TOKEN}@${ARGOCD_APPS_REPO} APPS
env:
ARGOCD_APPS_TOKEN: ${{ secrets.ARGOCD_APPS_TOKEN }}
ARGOCD_APPS_REPO: ${{ secrets.ARGOCD_APPS_REPO }}
- name: Update k8s deployment
run: |
find build-artifacts -name "*.txt" | while read filename; do
while read line; do
COMPONENT=$(echo $line | cut -d' ' -f1)
NEW_IMAGE=$(echo $line | cut -d' ' -f2-)
sed -i "s|ghcr.io/${{ github.repository }}/${COMPONENT}:[^ ]*|${NEW_IMAGE}|" APPS/${{ vars.K8S_MANIFEST }}
done < $filename
done
- name: Commit and push if it's necessary
run: |
cd APPS
git diff
git config --global user.email "devops@nowhere.com"
git config --global user.name "GitHub Action"
git commit -am "Update tags (pipeline #${{ github.run_number }})" || echo "No changes to commit"
git push