diff --git a/.github/workflows/dispatch_build_dev.yaml b/.github/workflows/dispatch_build_dev.yaml
new file mode 100644
index 0000000..99212c5
--- /dev/null
+++ b/.github/workflows/dispatch_build_dev.yaml
@@ -0,0 +1,164 @@
+name: "[Dispatch] Build Dev"
+
+on:
+ workflow_dispatch:
+
+env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+jobs:
+ versioning:
+ runs-on: ubuntu-latest
+ outputs:
+ version: ${{ steps.versioning.outputs.VERSION }}
+ steps:
+ - uses: actions/checkout@v2
+ - name: get current date
+ run: |
+ sudo ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime
+ echo "TIME=$(date +'%Y%m%d.%H%M%S')" >> $GITHUB_ENV
+ - name: set version with current date
+ id: versioning
+ run: |
+ echo "VERSION=$(cat src/VERSION | cut -c 2-).${{ env.TIME }}" >> $GITHUB_OUTPUT
+ - name: Notice when job fails
+ if: failure()
+ uses: 8398a7/action-slack@v3.2.0
+ with:
+ status: ${{job.status}}
+ fields: repo,workflow,job
+ author_name: Github Action Slack
+
+ docker:
+ if: github.repository_owner == 'cloudforet-io'
+ needs: versioning
+ runs-on: ubuntu-latest
+ env:
+ VERSION: ${{ needs.versioning.outputs.version }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ token: ${{ secrets.PAT_TOKEN }}
+
+ - name: get service name
+ run: |
+ echo "SERVICE=$(echo ${{ github.repository }} | cut -d '/' -f2)" >> $GITHUB_ENV
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Build and push to pyengine
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ platform: ${{ env.ARCH }}
+ push: true
+ tags: pyengine/${{ env.SERVICE }}:${{ env.VERSION }}
+
+ - name: Notice when job fails
+ if: failure()
+ uses: 8398a7/action-slack@v3.2.0
+ with:
+ status: ${{job.status}}
+ fields: repo,workflow,job
+ author_name: Github Action Slack
+
+ scan:
+ needs: [versioning, docker]
+ runs-on: ubuntu-20.04
+ env:
+ VERSION: ${{ needs.versioning.outputs.version }}
+ steps:
+ - name: Run Trivy vulnerability scanner
+ id: trivy-scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: pyengine/${{ github.event.repository.name }}:${{ env.VERSION }}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Count vulnerabilities
+ id: vulnerabilities
+ run: |
+ count=$(jq '.runs[].results[].ruleId' ./trivy-results.sarif | wc -c)
+ echo "result_count=$count" >> $GITHUB_OUTPUT
+ echo "$count"
+
+ - name: slack
+ if: ${{ steps.vulnerabilities.outputs.result_count != 0 }}
+ uses: 8398a7/action-slack@v3
+ with:
+ status: custom
+ fields: workflowRun
+ custom_payload: |
+ {
+ "blocks": [
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": ":warning: Image vulnerability detected"
+ }
+ },
+ {
+ "type": "section",
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "*Image:*\npyengine/${{ github.event.repository.name }}:${{ env.VERSION }}"
+ },
+ {
+ "type": "mrkdwn",
+ "text": "*Repo name:*\n${{ github.repository }}"
+ }
+ ]
+ },
+ {
+ "type": "actions",
+ "elements": [
+ {
+ "type": "button",
+ "text": {
+ "type": "plain_text",
+ "emoji": true,
+ "text": "View Detail"
+ },
+ "style": "danger",
+ "url": "https://github.com/${{ github.repository }}/security/code-scanning"
+ }
+ ]
+ }
+ ]
+ }
+ env:
+ SLACK_WEBHOOK_URL: ${{secrets.VULNERABILITY_SLACK_WEBHOOK_URL}}
+
+ notification:
+ runs-on: ubuntu-latest
+ needs: docker
+ steps:
+ - name: Slack
+ if: always()
+ uses: 8398a7/action-slack@v3.2.0
+ with:
+ status: ${{job.status}}
+ fields: repo,message,commit,author,action,ref,workflow,job
+ author_name: Github Action Slack
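Review bot: `uses: aquasecurity/trivy-action@master` in the scan job pulls a third-party action from a mutable branch, so the code that runs in the job — and produces the SARIF that drives the vulnerability alert — can change without any commit to this repository; pin it to a release tag or, preferably, a full commit SHA (`uses: aquasecurity/trivy-action@<pinned-tag-or-sha>`), and the same applies to the `8398a7/action-slack@v3` step, which also differs from the `@v3.2.0` used by the other Slack steps in this file. The build step's `platform: ${{ env.ARCH }}` references an env var no job or step in the workflow defines, and the docker/build-push-action input is spelled `platforms`, so as written the value expands to empty and the key is likely flagged as an unexpected input; either define `ARCH` or drop the line. The `github/codeql-action/upload-sarif@v2` step needs `security-events: write`, so if the repository's default workflow token is read-only the upload will fail; declare `permissions: { security-events: write }` on the scan job. The `Count vulnerabilities` step pipes jq output through `wc -c`, which counts characters rather than findings, so `result_count` is only meaningful as a zero/non-zero flag; `wc -l` would give the actual number of results.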