-
Notifications
You must be signed in to change notification settings - Fork 2
187 lines (164 loc) · 6.15 KB
/
build-update.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
name: Build and update app
permissions:
contents: write
pull-requests: write
env:
#variables related with the repository
REPOSITORY_MAIN_BRANCH: "master"
#variables related with the docker imager registry
DOCKER_IMAGE_REPOSITORY: ikcap
DOCKER_IMAGE_NAME: disk_backend
DOCKER_FILE: "docker/backend/Dockerfile"
#variables related with the continuous delivery
MANIFEST_REPOSITORY: KnowledgeCaptureAndDiscovery/k8s
MANIFEST_REPOSITORY_BRANCH: master
KUSTOMIZE_IMAGE_NAME: backend-image-prod
MANIFEST_REPOSITORY_PATH: disk-server/disk/bikes
NEURO_MANIFEST_REPOSITORY_PATH: disk-server/disk/neuro
CLIMATE_MANIFEST_REPOSITORY_PATH: disk-server/disk/climate
DEV_MANIFEST_REPOSITORY_PATH: disk-server/disk/dev
#security level
VULNERABILITY_SCAN_LEVEL: "CRITICAL"
on:
push:
branches:
- "*"
tags:
- v*
pull_request:
jobs:
java:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 8
uses: actions/setup-java@v2
with:
java-version: "8"
distribution: "temurin"
cache: maven
- name: Build with Maven
run: mvn -B package --file pom.xml
env:
GITHUB_USERNAME: ${{ secrets.GITHUB_USERNAME }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: mkdir staging && cp server/target/*.war staging
- uses: actions/upload-artifact@v2
with:
name: Package
path: staging
# This job build the app and the image. Then, push it
build:
runs-on: ubuntu-latest
permissions:
contents: read
needs: [java]
name: "Build and push the Docker Image"
steps:
- uses: actions/checkout@v2
- uses: actions/download-artifact@v2
with:
name: Package
path: build/
- name: Create value as an environment variable
run: |
echo "DOCKER_TAG=${GITHUB_SHA}" >> $GITHUB_ENV
- name: Expose value
id: exposeValue
run: |
echo "::set-output name=docker_tag::${{ env.DOCKER_TAG }}"
- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push Docker image
uses: docker/[email protected]
with:
push: true
context: .
tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_TAG }}
file: ${{ env.DOCKER_FILE}}
outputs:
docker_tag: ${{ steps.exposeValue.outputs.docker_tag }}
security:
permissions:
contents: read
security-events: write
packages: write
name: "Scan vulnerabilities in the image"
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
with:
image-ref: ${{ env.DOCKER_IMAGE_REPOSITORY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: ${{ env.VULNERABILITY_SCAN_LEVEL }}
exit-code: "0"
ignore-unfixed: "true"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
if: always()
with:
sarif_file: "trivy-results.sarif"
update:
# This job the container running on k8s cluster
needs: [build, security]
name: "Deploy the app"
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
runs-on: ubuntu-latest
steps:
- name: Check out k8s manifests
uses: actions/checkout@v3
if: github.event_name != 'pull_request'
with:
repository: ${{ env.MANIFEST_REPOSITORY }}
ref: ${{ env.MANIFEST_REPOSITORY_BRANCH }}
ssh-key: ${{ secrets.BOT_SSH }}
persist-credentials: true
- name: Setup Kustomize
uses: imranismail/setup-kustomize@v1
if: github.event_name != 'pull_request'
with:
kustomize-version: "3.6.1"
- name: Update Kubernetes resources
if: github.event_name != 'pull_request'
run: |
cd ${{ env.MANIFEST_REPOSITORY_PATH }}
kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
cat kustomization.yaml
- name: Update Kubernetes resources neuro
if: github.event_name != 'pull_request'
run: |
cd ${{ env.NEURO_MANIFEST_REPOSITORY_PATH }}
kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME}}:${{ needs.build.outputs.docker_tag }}
cat kustomization.yaml
- name: Update Kubernetes resources climate
if: github.event_name != 'pull_request'
run: |
cd ${{ env.CLIMATE_MANIFEST_REPOSITORY_PATH }}
kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
cat kustomization.yaml
- name: Update Kubernetes resources dev
if: github.event_name != 'pull_request'
run: |
cd ${{ env.DEV_MANIFEST_REPOSITORY_PATH }}
kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
cat kustomization.yaml
- name: Commit files
if: github.event_name != 'pull_request'
run: |
git config --local user.email "[email protected]"
git config --local user.name "GitHub Action"
git commit -am "Disk backend updated"
- name: Push changes
if: github.event_name != 'pull_request'
uses: ad-m/github-push-action@master
with:
ssh: true
branch: ${{ env.MANIFEST_REPOSITORY_BRANCH }}
repository: ${{ env.MANIFEST_REPOSITORY }}