From 132ad50f2496b81d659d2264a6871dd7e9f305b1 Mon Sep 17 00:00:00 2001
From: Bruno Pacheco
Date: Fri, 26 Jan 2024 21:26:30 +0100
Subject: [PATCH] chore: #39 update CI/CD pipelines

---
 .../{release-package.yml => main.yml} | 47 +++++++-
 .github/workflows/release.yml | 107 ++++++++++++++++++
 README.md | 4 +
 3 files changed, 157 insertions(+), 1 deletion(-)
 rename .github/workflows/{release-package.yml => main.yml} (52%)
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/release-package.yml b/.github/workflows/main.yml
similarity index 52%
rename from .github/workflows/release-package.yml
rename to .github/workflows/main.yml
index 0d05aa8a..907fed8c 100644
--- a/.github/workflows/release-package.yml
+++ b/.github/workflows/main.yml
@@ -1,4 +1,4 @@
-name: Build and publish a Docker image
+name: Publish and Deploy main
 
 on:
   push:
@@ -11,8 +11,53 @@ env:
   AZURE_WEBAPP_NAME: ckan-test
 
 jobs:
+  ort:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oss-review-toolkit/ort-ci-github-action@7f23c1f8d169dad430e41df223d3b8409c7a156e
+        with:
+          allow-dynamic-versions: "true"
+          fail-on: "issues"
+          run: "cache-dependencies,cache-scan-results,labels,analyzer,evaluator,advisor,reporter,upload-results"
+
+  scan-docker-image:
+    runs-on: ubuntu-latest
+    needs: ort
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.IMAGE_NAME }}
+
+      - name: Build Docker image for scanning
+        uses: docker/build-push-action@v5
+        with:
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ env.IMAGE_NAME }}:user-portal-main"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+
   build-and-push-image:
     runs-on: ubuntu-latest
+    needs: scan-docker-image
     permissions:
       contents: read
       packages: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..cdf59cdd
--- /dev/null
+++ b/.github/workflows/release.yml
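Review bot: The Trivy step scans `${{ env.IMAGE_NAME }}:user-portal-main`, but the image built just before it is tagged with `${{ steps.meta.outputs.tags }}`, and with no `tags:` input to docker/metadata-action the default tag for a push to main is the branch name; if `:user-portal-main` is not among the generated tags, Trivy will not find the freshly built image in the local daemon and will pull (or fail on) the previously published one instead of the artifact under test — worth confirming against the `env:` block, which lies outside the hunk. The scanned image is also produced in a separate job from `build-and-push-image`, so the bytes that get pushed are not the bytes that were scanned; building once and scanning that same artifact (or scanning by digest after the push) is what makes the gate meaningful. `aquasecurity/trivy-action@master` is a mutable ref while every other third-party action in this hunk is pinned to a commit SHA, so the scanner itself is the one unpinned supply-chain input in the gate; pin it the same way (the release.yml hunk has the same line). The steps of `build-and-push-image` continue outside the hunk.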
@@ -0,0 +1,107 @@
+name: Publish release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ghcr.io/genomicdatainfrastructure/gdi-userportal-ckan-docker
+  DOCKER_METADATA_OUTPUT_TAGS:
+
+jobs:
+  ort:
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oss-review-toolkit/ort-ci-github-action@7f23c1f8d169dad430e41df223d3b8409c7a156e
+        with:
+          allow-dynamic-versions: "true"
+          fail-on: "issues"
+          run: "cache-dependencies,cache-scan-results,labels,analyzer,evaluator,advisor,reporter,upload-results"
+
+  scan-docker-image:
+    runs-on: ubuntu-latest
+    needs: ort
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.IMAGE_NAME }}
+
+      - name: Build Docker image for scanning
+        uses: docker/build-push-action@v5
+        with:
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ env.DOCKER_METADATA_OUTPUT_TAGS }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    needs: scan-docker-image
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  release:
+    runs-on: ubuntu-latest
+    needs: build-and-push-image
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Conventional Changelog Action
+        id: changelog
+        uses: TriPSs/conventional-changelog-action@v3
+        with:
+          github-token: ${{ secrets.github_token }}
+          output-file: "false"
+
+      - name: Create a Release
+        uses: elgohr/Github-Release-Action@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          title: ${{ github.sha }}
diff --git a/README.md b/README.md
index d881a0c8..513e8022 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,7 @@
+![example workflow](https://github.com/GenomicDataInfrastructure/gdi-userportal-ckan-docker/actions/workflows/main.yml/badge.svg)
+![example workflow](https://github.com/GenomicDataInfrastructure/gdi-userportal-ckan-docker/actions/workflows/release.yml/badge.svg)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=GenomicDataInfrastructure_gdi-userportal-ckan-docker&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=GenomicDataInfrastructure_gdi-userportal-ckan-docker)
+[![GitHub contributors](https://img.shields.io/github/contributors/GenomicDataInfrastructure/gdi-userportal-ckan-docker)](https://github.com/GenomicDataInfrastructure/gdi-userportal-ckan-docker/graphs/contributors)
 [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](code_of_conduct.md)
 
 # CKAN for GDI - User Portal
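Review bot: The `release` job grants itself only `contents: read`, but creating a GitHub release with `GITHUB_TOKEN` needs `contents: write`, and so does the tag push that conventional-changelog-action performs by default, so the job will be rejected with the token it is given; `packages: write` is not used by either step and should be dropped, leaving `permissions:` / `  contents: write`. The job also never checks out the repository, which the changelog action presumably needs in order to read git history — likely a missing `actions/checkout@v4` step. `ort` has no `permissions:` block here, unlike its counterpart in main.yml, so it inherits the repository-default token scope; adding `contents: read` keeps the two workflows consistent. `DOCKER_METADATA_OUTPUT_TAGS:` is a bare null at workflow level and, once the metadata action overwrites it, can carry several newline-separated tags (the version tag plus `latest`), which is not a single valid `image-ref` for Trivy; scanning a fixed `${{ env.IMAGE_NAME }}:${{ github.ref_name }}`, or constraining metadata-action to one tag, is more predictable, and `aquasecurity/trivy-action@master` should be pinned to a SHA like the other actions in this file.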