add secret scan capabilities #44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: java-goof image build and deployment | |
| on: | |
| push: | |
| branches: | |
| - 'master' | |
| pull_request: | |
| branches: | |
| - 'master' | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| jobs: | |
| build-todolist-image: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: todolist-goof | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v1 | |
| - name: Build | |
| uses: docker/build-push-action@v2 | |
| with: | |
| load: true | |
| context: todolist-goof | |
| push: false | |
| tags: java-goof:latest | |
| - id: auth | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_json: "${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}" | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Install gke-gcloud-auth-plugin | |
| run: gcloud components install kubectl | |
| - name: Check gke-gcloud-auth-plugin | |
| run: kubectl version --client | |
| - name: Use gcloud CLI | |
| run: gcloud info | |
| - name: Docker auth | |
| run: gcloud auth configure-docker us-central-1-docker.pkg.dev --quiet | |
| - name: Set version | |
| id: version | |
| run: echo "VERSION=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| - name: build and push the docker image | |
| env: | |
| GOOGLE_PROJECT: ${{ secrets.GOOGLE_PROJECT }} | |
| VERSION: ${{ steps.version.outputs.VERSION }} | |
| run: | | |
| DOCKER_IMAGE="us-central1-docker.pkg.dev/${GOOGLE_PROJECT}/java-goof/goof:${VERSION}" | |
| gcloud auth configure-docker us-central1-docker.pkg.dev | |
| docker build -t $DOCKER_IMAGE . | |
| docker push ${DOCKER_IMAGE} | |
| - name: Trend Micro Container Vulnerability Scan | |
| env: | |
| GOOGLE_PROJECT: ${{ secrets.GOOGLE_PROJECT }} | |
| VERSION: ${{ steps.version.outputs.VERSION }} | |
| run: | | |
| DOCKER_IMAGE="us-central1-docker.pkg.dev/${GOOGLE_PROJECT}/java-goof/goof:${VERSION}" | |
| export TMAS_API_KEY=${{ secrets.TMAS_API_KEY }} | |
| curl -s -L https://gist.github.com/raphabot/abae09b46c29afc7c3b918b7b8ec2a5c/raw/ | bash | |
| tmas scan registry:${DOCKER_IMAGE} | |
| - name: Trend Micro Container Secret Scan | |
| env: | |
| GOOGLE_PROJECT: ${{ secrets.GOOGLE_PROJECT }} | |
| VERSION: ${{ steps.version.outputs.VERSION }} | |
| run: | | |
| DOCKER_IMAGE="us-central1-docker.pkg.dev/${GOOGLE_PROJECT}/java-goof/goof:${VERSION}" | |
| export TMAS_API_KEY=${{ secrets.TMAS_API_KEY }} | |
| curl -s -L https://gist.github.com/raphabot/abae09b46c29afc7c3b918b7b8ec2a5c/raw/ | bash | |
| tmas scan secrets registry:${DOCKER_IMAGE} | |
| - name: Deploy to GKE | |
| env: | |
| GOOGLE_PROJECT: ${{ secrets.GOOGLE_PROJECT }} | |
| VERSION: ${{ steps.version.outputs.VERSION }} | |
| run: | | |
| gcloud container clusters get-credentials igorsdevcluster --region us-central1-a | |
| sed -i "s/GOOGLE_PROJECT/$GOOGLE_PROJECT/g; s/VERSION/$VERSION/g" k8s/java-goof.yaml | |
| kubectl apply -f k8s/java-goof.yaml |