ci: add gitaction files

Signed-off-by: seolmin <[email protected]>

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,10 @@
+### Category
+- [ ] New feature
+- [ ] Bug fix
+- [ ] Improvement
+- [ ] Refactor
+- [ ] etc
+
+### Description
+
+### Known issue

.github/workflows/README.md

@@ -0,0 +1,53 @@
+## Naming rule
+```
+[EVENT] CONTENT
+```
+
+## Versionning
+- format
+```
+{major}.{minor}.{patch}.{current_date}
+```
+- scenario
+```
+1.2.3 -> 1.2.3.xxxx -> 1.2.3.yyyy -> 1.2.4 
+```
+
+
+## Workflows
+> By default, [Push] includes a manual trigger (dispatch).
+
+- `[Push] Build dev`
+    - EVENT
+        - When code is pushed to master
+            - (triggered by `[Push] Sync CI`)
+        - When the workflow is manually triggered
+    - CONTENT
+        - Build code and push docker image to pyengine
+- `[Dispatch] Release`
+    - EVENT
+        - When the workflow is manually triggered
+    - CONTENT
+        - Build code and push docker image to pyengine and spaceone
+- `[Push] Sync CI`
+    - EVENT
+        - When code is pushed to master
+            - (trigger `[Push] Build dev`)
+        - When the workflow is manually triggered    
+    - CONTENT
+        - [Push]
+            - Get workflows from actions and Trigger `[Push] Build dev`
+        - [Dispatch]
+            - Just get workflows from actions
+
+- `[PR] Review (TODO)`
+
+## Scenario
+- Release: 
+    - Manually trigger `[Dispatch] Release`
+- Build Dev (Push): 
+    - Commit code to master branch(`[Push] Sync CI` -> `[Push] Build dev`)
+- Build Dev (Dispatch): 
+    - Manually trigger `[Push] Build dev`
+- Update workflows: 
+    - Manually trigger `[Push] Sync CI`

.github/workflows/check-pull-request.yml

@@ -0,0 +1,24 @@
+# .github/workflows/check-pull-request.yml
+name: Check Pull Request
+
+on:
+  pull_request_target:
+
+jobs:
+  check-pull-request:
+    name: Check Pull Request
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Check signed commits
+        id: review
+        uses: cloudforet-io/check-pr-action@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Notify Result
+        if: ${{ steps.review.outputs.signedoff == 'false' }}
+        run: |
+          echo "The review result is ${{ steps.review.outputs.signedoff }}"
+          exit 1

.github/workflows/dispatch_build_dev.yaml

@@ -0,0 +1,163 @@
+name: "[Dispatch] Build Dev"
+
+on:
+  workflow_dispatch:
+
+env:
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+jobs:
+  versioning:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.versioning.outputs.VERSION }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: get current date
+        run: |
+          sudo ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime
+          echo "TIME=$(date +'%Y%m%d.%H%M%S')" >> $GITHUB_ENV
+      - name: set version with current date
+        id: versioning
+        run: |
+          echo "VERSION=$(sed 's/v//' < src/VERSION).${{ env.TIME }}" >> $GITHUB_OUTPUT
+      - name: Notice when job fails
+        if: failure()
+        uses: 8398a7/[email protected]
+        with:
+          status: ${{job.status}}
+          fields: repo,workflow,job
+          author_name: Github Action Slack
+
+  docker:
+      if: github.repository_owner == 'cloudforet-io'
+      needs: versioning
+      runs-on: ubuntu-latest
+      env:
+        VERSION: ${{ needs.versioning.outputs.version }}
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v3
+          with:
+            token: ${{ secrets.PAT_TOKEN }}
+
+        - name: get service name
+          run: |
+            echo "SERVICE=$(echo ${{ github.repository }} | cut -d '/' -f2)" >> $GITHUB_ENV
+            
+        - name: Set up QEMU
+          uses: docker/setup-qemu-action@v2
+
+        - name: Set up Docker Buildx
+          uses: docker/setup-buildx-action@v2
+
+        - name: Login to Docker Hub
+          uses: docker/login-action@v2
+          with:
+            username: ${{ secrets.DOCKER_USERNAME }}
+            password: ${{ secrets.DOCKER_PASSWORD }}
+
+        - name: Build and push to pyengine
+          uses: docker/build-push-action@v4
+          with:
+            context: .
+            push: true 
+            tags: pyengine/${{ env.SERVICE }}:${{ env.VERSION }}
+
+        - name: Notice when job fails
+          if: failure()
+          uses: 8398a7/[email protected]
+          with:
+            status: ${{job.status}}
+            fields: repo,workflow,job
+            author_name: Github Action Slack
+
+  scan:
+    needs: [versioning, docker]
+    runs-on: ubuntu-20.04
+    env:
+      VERSION: ${{ needs.versioning.outputs.version }}
+    steps:
+      - name: Run Trivy vulnerability scanner
+        id: trivy-scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: pyengine/${{ github.event.repository.name }}:${{ env.VERSION }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Count vulnerabilities
+        id: vulnerabilities
+        run: |
+          count=$(jq '.runs[].results[].ruleId' ./trivy-results.sarif | wc -c)
+          echo "result_count=$count" >> $GITHUB_OUTPUT
+          echo "$count"
+
+      - name: slack
+        if:  ${{ steps.vulnerabilities.outputs.result_count != 0 }}
+        uses: 8398a7/action-slack@v3
+        with:
+          status: custom
+          fields: workflowRun
+          custom_payload: |
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": ":warning: Image vulnerability detected"
+                  }
+                },
+                {
+                  "type": "section",
+                  "fields": [
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Image:*\npyengine/${{ github.event.repository.name }}:${{ env.VERSION }}"
+                    },
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Repo name:*\n${{ github.repository }}"
+                    }
+                  ]
+                },
+                {
+                  "type": "actions",
+                  "elements": [
+                    {
+                      "type": "button",
+                      "text": {
+                        "type": "plain_text",
+                        "emoji": true,
+                        "text": "View Detail"
+                      },
+                      "style": "danger",
+                      "url": "https://github.com/${{ github.repository }}/security/code-scanning"
+                    }
+                  ]
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{secrets.VULNERABILITY_SLACK_WEBHOOK_URL}}
+
+  notification:
+    runs-on: ubuntu-latest
+    needs: docker
+    steps:
+      - name: Slack
+        if: always()
+        uses: 8398a7/[email protected]
+        with:
+          status: ${{job.status}}
+          fields: repo,message,commit,author,action,ref,workflow,job
+          author_name: Github Action Slack