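# CI/CD pipeline for the CATAPULT player service container image.
# Job chain: Unit-Testing -> Static-Scanning -> Container-Hardening -> Docker-delivery -> DAST -> Release-Deploy.
#
# NOTE(review): Unit-Testing, Static-Scanning and DAST carry `continue-on-error: true` and the
# Anchore step is `fail-build: false`, so none of those stages can stop an image from being
# published. The stages are report-only; making any of them a real gate is a policy decision
# that is deliberately not made in this file.
name: Player Service Docker Image CI

on:
  push:
    branches: [ main ]
    # ignore the other projects in the group repo
    paths-ignore:
      - "lts/**"
      - "cts/**"
  pull_request:
    branches: [ main ]
    # ignore the other projects in the group repo
    paths-ignore:
      - "lts/**"
      - "cts/**"

# Least privilege for the automatic GITHUB_TOKEN: the only GitHub API use in this workflow is
# actions/checkout, which needs read access to the repository. Docker Hub, SonarQube and the
# EC2 test host are reached with their own secrets, not with GITHUB_TOKEN. If a future step
# needs to write (e.g. uploading SARIF to code scanning), grant that permission on that job only.
permissions:
  contents: read

jobs:
  Unit-Testing:
    runs-on: ubuntu-latest
    # A failing test run does not block the rest of the pipeline (see NOTE at top of file).
    continue-on-error: true
    strategy:
      # No matrix is defined for this job, so max-parallel currently has no effect.
      max-parallel: 1
    steps:
      # TODO(security): pin every third-party action in this file to a full-length commit SHA
      # rather than a mutable tag or branch; a moved tag silently changes the code that runs
      # with access to this job's secrets.
      - uses: actions/checkout@v2
      - name: Unit Testing
        working-directory: player/service
        run: npm test
      - name: Code Coverage
        run: echo "No code coverage for the CATAPULT player service."

  Static-Scanning:
    needs: Unit-Testing
    environment: pipeline-environment
    runs-on: ubuntu-latest
    # Scan failures are reported but do not block the pipeline (see NOTE at top of file).
    continue-on-error: true
    steps:
      - uses: actions/checkout@v2
        with:
          # Disabling shallow clone is recommended for improving relevancy of reporting
          fetch-depth: 0
      - name: SonarQube Scan
        # TODO(security): `@master` is a moving branch of a third-party repository that is
        # handed SONAR_TOKEN; pin to a release tag or, preferably, a full commit SHA.
        uses: sonarsource/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        with:
          # projectBaseDir: /player
          args: >
            -Dsonar.projectKey=catapult
            -Dsonar.verbose=true

  Container-Hardening:
    needs: Static-Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build the container image
        run: docker build ./player --file ./player/Dockerfile --tag player-image:latest
      # `fail-build: false` makes the vulnerability scan report-only: findings are printed by
      # the next step but never fail this job, so a vulnerable image still reaches Docker-delivery.
      - uses: anchore/scan-action@v2
        with:
          image: "player-image:latest"
          fail-build: false
          debug: true
          acs-report-enable: true
      - name: grype scan JSON results
        # Dump every report the scan produced into the job log. The shell runs with `-e`, so a
        # missing report file fails this step, as it did with the original `;`-joined command.
        run: |
          cat results.sarif
          cat vulnerabilities.json
          for j in ./anchore-reports/*.json; do
            echo "---- ${j} ----"
            cat "${j}"
            echo
          done

  Docker-delivery:
    needs: Container-Hardening
    runs-on: ubuntu-latest
    environment: pipeline-environment
    # Publish only for pushes to main. Without this guard the `pull_request` trigger above lets
    # any same-repository PR push un-merged code to Docker Hub as the untagged (:latest) image.
    # Skipping this job also skips DAST and Release-Deploy on PRs, since they `needs` it.
    # (Whether `pipeline-environment` has required reviewers is not visible here — confirm.)
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v2
      - name: Login to Docker Hub
        # Secrets are passed through the process environment instead of being interpolated into
        # the script text, so they never form part of the command line itself.
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin
      - name: build docker image
        # NOTE(review): this is a second, independent build, not the image Container-Hardening
        # scanned. If the base image or a dependency changes between the two jobs, the image
        # that gets published was never scanned. Building once and passing the artifact (or a
        # digest) forward would close that gap.
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
        run: |
          docker build ./player --file ./player/Dockerfile --tag "${DOCKER_USER}/player"
          docker push "${DOCKER_USER}/player"

  DAST:
    needs: Docker-delivery
    environment: pipeline-environment
    runs-on: ubuntu-latest
    continue-on-error: true
    # The runner itself never uses Docker in this job (the pull happens on the EC2 host over
    # SSH), so the former runner-side `docker login` step — which only wrote the registry
    # credential to the runner's disk — has been dropped.
    steps:
      - name: provision cicd server for Player Docker Container
        # TODO(security): `@release` is a mutable branch of a third-party action that receives the
        # EC2 private key and the registry password; pin to a full commit SHA.
        uses: garygrossgarten/github-action-ssh@release
        with:
          # NOTE(review): the registry password is expanded into the remote command string, so it
          # travels in the SSH command line and can be seen by other users on the host via `ps`
          # while the login runs. Logging in on the host with credentials stored there (or
          # pulling a public image without logging in) would avoid shipping the secret over SSH.
          # NOTE(review): the pull target is hard-coded to `adlhub/player` while Docker-delivery
          # pushes `${DOCKER_USER}/player`; if DOCKER_USER is not `adlhub` this tests a different
          # image than the one just published — confirm.
          command: >-
            cd docker-test-env;
            echo "Starting player container testing";
            echo ${{ secrets.DOCKER_PASSWORD }} | sudo docker login -u ${{ secrets.DOCKER_USER }} --password-stdin;
            sudo docker pull adlhub/player
          host: ${{ secrets.TEST_ENV_CI_EC2 }}
          username: ubuntu
          privateKey: ${{ secrets.CI_EC2_PEM }}
      - name: ZAP Scan
        # NOTE(review): placeholder only — no dynamic scan runs, so "DAST" currently exercises
        # nothing. The intended ZAP step is kept below for reference.
        run: echo "performed zap scanned"
        # uses: zaproxy/[email protected]
        # with:
        #   target: http://${{ secrets.TEST_ENV_CI_EC2 }}:3000
      - name: provision cicd server for Player Docker Container
        uses: garygrossgarten/github-action-ssh@release
        with:
          # NOTE(review): starting the container is still commented out, so this step only echoes
          # on the host. When it is re-enabled, `-p` must come before the image name in
          # `docker run` for it to be read as a port mapping rather than a container argument.
          command: cd docker-test-env; echo "Starting player container testing";
          # echo ${{ secrets.DOCKER_PASSWORD }} | sudo docker login -u ${{ secrets.DOCKER_USER }} --password-stdin;
          # sudo docker pull adlhub/player && sudo docker run -p 3000:3398 adlhub/player
          host: ${{ secrets.TEST_ENV_CI_EC2 }}
          username: ubuntu
          privateKey: ${{ secrets.CI_EC2_PEM }}

  Release-Deploy:
    needs: DAST
    runs-on: ubuntu-latest
    # Both steps are notification placeholders; no deployment is performed by this workflow.
    steps:
      - name: Release
        run: echo "The Image has completed the pipeline"; echo "Notify project lead that newest image is ready for release or deploy"
      - name: Deploy
        run: echo "use ssh to deploy to server"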