[Snyk] Security upgrade python from 3.10.12-bookworm to 3.14.0a2-bookworm #265
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and publish Docker images to GitHub Container Registry | |
on: | |
push: | |
tags: | |
- "v[0-9]+.[0-9]+.[0-9]+" | |
branches: | |
- main | |
- production | |
pull_request: | |
jobs: | |
golangci: | |
name: Run golangci-lint | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
# Required: setup-go, for all versions v3.0.0+ of golangci-lint | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: 1.18 | |
check-latest: true | |
- uses: actions/checkout@v3 | |
- uses: technote-space/get-diff-action@v6.1.2 | |
with: | |
PATTERNS: | | |
**/**.go | |
go.mod | |
go.sum | |
- uses: golangci/golangci-lint-action@v3.4.0 | |
with: | |
# Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version. | |
version: v1.54.2 | |
args: --timeout 10m | |
github-token: ${{ secrets.github_token }} | |
# Check only if there are differences in the source code | |
if: env.GIT_DIFF | |
test-unit: | |
needs: golangci | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: "1.19" | |
check-latest: true | |
- uses: actions/checkout@v3 | |
- uses: technote-space/get-diff-action@v6.1.2 | |
with: | |
PATTERNS: | | |
**/**.sol | |
**/**.go | |
go.mod | |
go.sum | |
- name: Test | |
run: | | |
make test | |
if: env.GIT_DIFF | |
set-environment: | |
runs-on: ubuntu-latest | |
needs: [golangci, test-unit] | |
outputs: | |
env-variable: ${{ steps.set-env-var.outputs.patch_env }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Note: This fetches all branches and tags | |
- name: Check base ref | |
run: | | |
BASE_REF=$(git describe --contains --all HEAD) | |
echo "BASE_REF=$BASE_REF" >> $GITHUB_ENV | |
- name: Set ENV variable | |
id: set-env-var | |
run: | | |
PATCH_ENV="unknown" # Default value | |
case $GITHUB_REF in | |
refs/tags/*) | |
TAG_COMMIT=$(git rev-list -n 1 ${{ github.ref }}) | |
BRANCH=$(git branch -r --contains $TAG_COMMIT | sed 's/ *origin\///' | grep -v "HEAD" | grep "main") | |
if [ "$BRANCH" == "main" ]; then | |
PATCH_ENV="production" | |
fi | |
;; | |
refs/heads/main) | |
PATCH_ENV="non-production" | |
;; | |
esac | |
echo "PATCH_ENV=$PATCH_ENV" >> $GITHUB_ENV | |
echo "BRANCH=$BRANCH" >> $GITHUB_ENV | |
echo "::set-output name=patch_env::$PATCH_ENV" | |
build: | |
if: (github.event_name == 'push') && (needs.set-environment.outputs.env-variable == 'non-production') | |
needs: [set-environment] | |
permissions: | |
contents: read | |
id-token: write | |
packages: write | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
component: | |
- name: "api" | |
path: "." | |
dockerfile: "dockerfile" | |
image_name: "dashboard-backend_api" | |
- name: "cron" | |
path: "./cronjobs" | |
dockerfile: "dockerfile" | |
image_name: "dashboard-backend_cron" | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Docker metadata | |
id: metadata | |
uses: docker/metadata-action@v4.5.0 | |
with: | |
images: | | |
ghcr.io/${{ github.repository }}/${{ matrix.component.name }} | |
tags: | | |
type=semver,pattern={{version}} | |
type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }} | |
flavor: | | |
latest=${{ github.ref == 'refs/heads/main' }} | |
# Login to GitHub Container Registry (GHCR) | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push | |
uses: docker/build-push-action@v4.1.0 | |
with: | |
push: true | |
tags: ${{ steps.metadata.outputs.tags }} | |
context: ${{ matrix.component.path }} | |
file: ${{ matrix.component.path }}/${{ matrix.component.dockerfile }} | |
platforms: linux/amd64 | |
- name: Write image tag to file | |
run: | | |
echo "${{ matrix.component.name }} ${{ steps.metadata.outputs.tags }}" >> metadata-${{ matrix.component.name }}.txt | |
- name: Upload image tags | |
uses: actions/upload-artifact@v2 | |
with: | |
name: image-tag-${{ matrix.component.name }} | |
path: metadata-${{ matrix.component.name }}.txt | |
- name: Prune old images on ghcr.io | |
uses: vlaurin/action-ghcr-prune@v0.5.0 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
organization: ${{ github.repository_owner }} | |
container: backend/${{ matrix.component.name }} | |
dry-run: false | |
keep-younger-than: 14 # days | |
keep-last: 5 | |
prune-untagged: true | |
prune-tags-regexes: ^[a-zA-Z0-9-\.]+$ | |
retag-and-push: | |
if: needs.set-environment.outputs.env-variable == 'production' | |
needs: [set-environment] | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
component: | |
- name: "api" | |
path: "." | |
dockerfile: "Dockerfile" | |
image_name: "dashboard-backend_api" | |
- name: "cron" | |
path: "./cronjobs" | |
dockerfile: "Dockerfile" | |
image_name: "dashboard-backend_cron" | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
# Login to GitHub Container Registry (GHCR) | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Re-tag image | |
run: | | |
COMMIT_HASH=$(git rev-parse --short "$GITHUB_REF_NAME") | |
docker pull ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${COMMIT_HASH} | |
docker tag ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${COMMIT_HASH} ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${GITHUB_REF_NAME} | |
docker push ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${GITHUB_REF_NAME} | |
echo "${{ matrix.component.name }} ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:$GITHUB_REF_NAME" > metadata-${{ matrix.component.name }}.txt | |
- name: Upload image tags | |
uses: actions/upload-artifact@v2 | |
with: | |
name: image-tag-${{ matrix.component.name }} | |
path: metadata-${{ matrix.component.name }}.txt | |
update-deployment-tags: | |
if: always() && (needs.set-environment.outputs.env-variable != 'unknown' && needs.set-environment.outputs.env-variable != '') | |
needs: [set-environment,build,retag-and-push] | |
runs-on: ubuntu-latest | |
environment: | |
name: ${{ needs.set-environment.outputs.env-variable }} | |
steps: | |
- name: Use environment | |
run: | | |
echo "Deploying to environment ${{ needs.set-environment.outputs.env-variable }}" | |
echo "K8S_MANIFEST: ${{ vars.K8S_MANIFEST }}" | |
- name: Download all artifacts | |
uses: actions/download-artifact@v2 | |
with: | |
path: build-artifacts | |
- name: Clone argo-apps repo | |
run: | | |
git clone https://x-access-token:${ARGOCD_APPS_TOKEN}@${ARGOCD_APPS_REPO} APPS | |
env: | |
ARGOCD_APPS_TOKEN: ${{ secrets.ARGOCD_APPS_TOKEN }} | |
ARGOCD_APPS_REPO: ${{ secrets.ARGOCD_APPS_REPO }} | |
- name: Update k8s deployment | |
run: | | |
find build-artifacts -name "*.txt" | while read filename; do | |
while read line; do | |
COMPONENT=$(echo $line | cut -d' ' -f1) | |
NEW_IMAGE=$(echo $line | cut -d' ' -f2-) | |
sed -i "s|ghcr.io/${{ github.repository }}/${COMPONENT}:[^ ]*|${NEW_IMAGE}|" APPS/${{ vars.K8S_MANIFEST }} | |
done < $filename | |
done | |
- name: Commit and push if it's necessary | |
run: | | |
cd APPS | |
git diff | |
git config --global user.email "devops@nowhere.com" | |
git config --global user.name "GitHub Action" | |
git commit -am "Update tags (pipeline #${{ github.run_number }})" || echo "No changes to commit" | |
git push |