Skip to content

Merge pull request #80 from ImMin5/feature-fix-collect-storage-accoun… #64

Merge pull request #80 from ImMin5/feature-fix-collect-storage-accoun…

Merge pull request #80 from ImMin5/feature-fix-collect-storage-accoun… #64

name: "[Push] Build dev"
on:
push:
branches:
- master
paths-ignore:
- '.github/**'
- 'src/VERSION'
- 'docs/**'
workflow_dispatch:
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
jobs:
versioning:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.versioning.outputs.VERSION }}
steps:
- uses: actions/checkout@v2
- name: get current date
run: |
sudo ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime
echo "TIME=$(date +'%Y%m%d.%H%M%S')" >> $GITHUB_ENV
- name: set version with current date
id: versioning
run: |
echo "::set-output name=VERSION::$(cat src/VERSION | cut -c 2-).${{ env.TIME }}"
- name: Notice when job fails
if: failure()
uses: 8398a7/[email protected]
with:
status: ${{job.status}}
fields: repo,workflow,job
author_name: Github Action Slack
docker:
if: github.repository_owner == 'cloudforet-io'
needs: versioning
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.versioning.outputs.version }}
steps:
- uses: actions/checkout@v2
- name: get service name
run: |
echo "SERVICE=$(echo ${{ github.repository }} | cut -d '/' -f2)" >> $GITHUB_ENV
- name: Upload docker
uses: docker/build-push-action@v1
with:
path: .
repository: pyengine/${{ env.SERVICE }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
tags: ${{ env.VERSION }}
- name: Notice when job fails
if: failure()
uses: 8398a7/[email protected]
with:
status: ${{job.status}}
fields: repo,workflow,job
author_name: Github Action Slack
scan:
needs: [versioning, docker]
runs-on: ubuntu-20.04
steps:
- name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
image-ref: pyengine/${{ github.event.repository.name }}:${{ needs.versioning.outputs.version }}
format: 'sarif'
output: 'trivy-results.sarif'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Count vulnerabilities
id: vulnerabilities
run: |
count=$(jq '.runs[].results[].ruleId' ./trivy-results.sarif | wc -c)
echo "result_count=$count" >> $GITHUB_OUTPUT
echo "$count"
- name: slack
if: ${{ steps.vulnerabilities.outputs.result_count != 0 }}
uses: 8398a7/action-slack@v3
with:
status: custom
fields: workflowRun
custom_payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":warning: Image vulnerability detected"
}
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*Image:*\npyengine/${{ github.event.repository.name }}:${{ needs.versioning.outputs.version }}"
},
{
"type": "mrkdwn",
"text": "*Repo name:*\n${{ github.repository }}"
}
]
},
{
"type": "actions",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"emoji": true,
"text": "View Detail"
},
"style": "danger",
"url": "https://github.com/${{ github.repository }}/security/code-scanning"
}
]
}
]
}
env:
SLACK_WEBHOOK_URL: ${{secrets.VULNERABILITY_SLACK_WEBHOOK_URL}}
notification:
runs-on: ubuntu-latest
needs: docker
steps:
- name: Slack
if: always()
uses: 8398a7/[email protected]
with:
status: ${{job.status}}
fields: repo,message,commit,author,action,ref,workflow,job
author_name: Github Action Slack