Security Patching - SDK #187
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security Patching - SDK | |
on: | |
schedule: | |
# Run cron job at 8AM Monday to Sunday. | |
- cron: '0 8 * * *' | |
workflow_dispatch: | |
env: | |
# Registry used to store Docker images used for release purposes. | |
RELEASE_REGISTRY_SDK: "europe-west3-docker.pkg.dev/rasa-releases/rasa-sdk" | |
GITHUB_WORKFLOW_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
jobs: | |
get_tags: | |
runs-on: ubuntu-22.04 | |
continue-on-error: true | |
outputs: | |
tags: ${{ steps.tags.outputs.tags }} | |
steps: | |
# We have to check out the repo to be able to list the tags. | |
- name: Checkout repository to check tags | |
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | |
- name: Set up Python | |
uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 | |
with: | |
python-version: '3.9' | |
- name: Fetch all tags | |
run: git fetch --tags | |
- name: Run Python script | |
id: tags | |
run: | | |
python scripts/get_tags_from_branch.py '["3.3.x","3.4.x","3.5.x","3.6.x","3.7.x","3.8.x"]' '3.3.x' | |
- name: Show tags | |
run: | | |
echo "Tags: ${{ steps.tags.outputs.tags }}" | |
build: | |
runs-on: ubuntu-22.04 | |
needs: get_tags | |
# Don't allow a single image failure to block all the image builds. | |
continue-on-error: true | |
strategy: | |
matrix: | |
supported_versions: ${{ fromJson(needs.get_tags.outputs.tags) }} | |
steps: | |
# We have to check out the repo to be able to list the tags. | |
- name: Checkout repository to check tags | |
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | |
# Determine the date in the right format for us to tag the image. | |
- name: Get current date | |
id: date | |
run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT | |
# Authenticate with Gcloud. | |
- name: Authenticate with gcloud for release registry 🎫 | |
id: 'auth-release' | |
uses: 'google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d' | |
with: | |
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
service_account: '${{ secrets.RASA_SDK_RELEASE_ACCOUNT_NAME }}' | |
# Authenticate with artifact registry where the images are stored. | |
- name: Authenticate docker for release registry 🎫 | |
run: gcloud auth configure-docker europe-west3-docker.pkg.dev | |
# Rebuild the Docker image for this micro. A line contained in the Dockerfile ensures that the latest OS patches are applied. | |
# VERSION_NUMBER is passed into the build command to determine which Rasa OSS container image is used as the base for the Rasa Pro container. | |
- name: Build and tag security patched image | |
id: build | |
continue-on-error: true | |
run: | | |
docker build . -t ${{env.RELEASE_REGISTRY_SDK}}/rasa-sdk:${{ matrix.supported_versions }}-latest --build-arg VERSION_NUMBER=${{ matrix.supported_versions }} -f Dockerfile.patch | |
- name: Fail pushing the patch if the build is not a success | |
if: steps.build.outcome == 'failure' | |
run: exit 1 | |
# Push patched images to the release registry with patched tag. | |
- name: Push image to release registry | |
id: push | |
run: | | |
docker push ${{env.RELEASE_REGISTRY_SDK}}/rasa-sdk:${{ matrix.supported_versions }}-latest | |
- name: Alert Slack if build fails | |
if: steps.build.outcome == 'failure' || steps.push.outcome == 'failure' | |
uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 | |
with: | |
payload: | | |
{ | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "Docker image security patch for Rasa SDK version `${{ matrix.supported_versions }}` failed. Please check the <${{ env.GITHUB_WORKFLOW_URL }}|workflow log> for more information." | |
} | |
} | |
] | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CODESECURITY_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |