Try read-permissions in pull-request workflow job #255
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Main - reports Trails to https://app.kosli.com | |
| on: | |
| push: | |
| branches: | |
| - main | |
| env: | |
| KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }} | |
| KOSLI_HOST: ${{ vars.KOSLI_HOST }} # https://app.kosli.com | |
| KOSLI_ORG: ${{ vars.KOSLI_ORG }} # cyber-dojo | |
| KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }} | |
| KOSLI_FLOW: ${{ vars.KOSLI_FLOW }} # dashboard-ci | |
| KOSLI_TRAIL: ${{ github.sha }} | |
| SERVICE_NAME: ${{ github.event.repository.name }} # dashboard | |
| SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }} | |
| SONARCLOUD_PROJECT_KEY: ${{ github.repository_owner }}_${{ github.event.repository.name }} #cyber-dojo_dashboard | |
| jobs: | |
| setup: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image_tag: ${{ steps.variables.outputs.image_tag }} | |
| image_name: ${{ steps.variables.outputs.image_name }} | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Create Kosli Flow | |
| run: | |
| kosli create flow "${{ env.KOSLI_FLOW }}" | |
| --description="UX for a group practice dashboard" | |
| --template-file=.kosli.yml | |
| - name: Begin Kosli Trail | |
| run: | |
| kosli begin trail "${{ env.KOSLI_TRAIL }}" | |
| --description="$(git log -1 --pretty='%aN - %s')" | |
| - name: Set outputs | |
| id: variables | |
| run: | | |
| IMAGE_TAG=${GITHUB_SHA:0:7} | |
| echo "image_tag=${IMAGE_TAG}" >> ${GITHUB_OUTPUT} | |
| echo "image_name=cyberdojo/${{ env.SERVICE_NAME }}:${IMAGE_TAG}" >> ${GITHUB_OUTPUT} | |
| pull-request: | |
| needs: [setup] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Attest pull-request evidence to Kosli | |
| run: | |
| kosli attest pullrequest github | |
| --github-token="${{ secrets.GITHUB_TOKEN }}" | |
| --name=pull-request | |
| lint: | |
| needs: [setup] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Run Rubocop linter on source, attest results to Kosli Trail | |
| env: | |
| KOSLI_ATTACHMENTS: /tmp/kosli_attachments | |
| run: | | |
| mkdir -p "${KOSLI_ATTACHMENTS}" | |
| set +e | |
| make lint | tee "${KOSLI_ATTACHMENTS}"/rubocop.log | |
| STATUS=${PIPESTATUS[0]} | |
| set -e | |
| KOSLI_COMPLIANT=$([ ${STATUS} = 0 ] && echo true || echo false) | |
| cp .rubocop.yml "${KOSLI_ATTACHMENTS}" | |
| kosli attest generic \ | |
| --compliant="${KOSLI_COMPLIANT}" \ | |
| --name=dashboard.lint | |
| exit $STATUS | |
| build-image: | |
| needs: [setup] | |
| runs-on: ubuntu-latest | |
| env: | |
| IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
| outputs: | |
| kosli_fingerprint: ${{ steps.variables.outputs.kosli_fingerprint }} | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USER }} | |
| password: ${{ secrets.DOCKER_PASS }} | |
| - name: Build and push image to Dockerhub Registry | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ needs.setup.outputs.image_name }} | |
| build-args: | |
| COMMIT_SHA=${{ github.sha }} | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Attest image to Kosli Trail | |
| run: | |
| kosli attest artifact "${IMAGE_NAME}" | |
| --artifact-type=docker | |
| --name=dashboard | |
| - name: Set outputs | |
| id: variables | |
| run: | | |
| FINGERPRINT=$(kosli fingerprint "${IMAGE_NAME}" --artifact-type=docker) | |
| echo "kosli_fingerprint=${FINGERPRINT}" >> ${GITHUB_OUTPUT} | |
| unit-tests: | |
| needs: [build-image] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: Run tests | |
| run: | | |
| ./sh/run_tests_with_coverage.sh | |
| snyk-container-scan: | |
| needs: [build-image, setup] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Setup Snyk | |
| uses: snyk/actions/setup@master | |
| - name: Run Snyk container scan and report results to Kosli Trail | |
| env: | |
| IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
| KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }} | |
| KOSLI_ATTACHMENTS: /tmp/kosli_attachments | |
| SARIF_FILENAME: snyk.container.scan.json | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: | | |
| set +e | |
| snyk container test "${IMAGE_NAME}" \ | |
| --file=Dockerfile \ | |
| --sarif \ | |
| --sarif-file-output="${SARIF_FILENAME}" \ | |
| --policy-path=.snyk | |
| set -e | |
| mkdir "${KOSLI_ATTACHMENTS}" | |
| cp .snyk "${KOSLI_ATTACHMENTS}" | |
| kosli attest snyk "${IMAGE_NAME}" \ | |
| --name=dashboard.snyk-container-scan \ | |
| --scan-results="${SARIF_FILENAME}" | |
| snyk-code-scan: | |
| needs: [build-image, setup] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Setup Snyk | |
| uses: snyk/actions/setup@master | |
| - name: Run Snyk code scan and report results to Kosli Trail | |
| env: | |
| IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
| KOSLI_ATTACHMENTS: /tmp/kosli_attachments | |
| KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }} | |
| SARIF_FILENAME: snyk.code.scan.json | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: | | |
| set +e | |
| snyk code test \ | |
| --sarif \ | |
| --sarif-file-output="${SARIF_FILENAME}" \ | |
| --policy-path=.snyk \ | |
| . | |
| set -e | |
| mkdir "${KOSLI_ATTACHMENTS}" | |
| cp .snyk "${KOSLI_ATTACHMENTS}" | |
| kosli attest snyk "${IMAGE_NAME}" \ | |
| --name=dashboard.snyk-code-scan \ | |
| --scan-results="${SARIF_FILENAME}" | |
| sonarcloud-scan: | |
| needs: [setup, build-image] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| with: | |
| fetch-depth: 0 | |
| - name: Run SonarCloud scan - report results to Kosli Trail (in Kosli webhook) | |
| env: | |
| SONAR_TOKEN: ${{ env.SONARCLOUD_TOKEN }} | |
| uses: sonarsource/sonarcloud-github-action@master | |
| with: | |
| args: > | |
| -Dsonar.analysis.kosli_flow=${{ env.KOSLI_FLOW }} | |
| -Dsonar.analysis.kosli_trail=${{ env.KOSLI_TRAIL }} | |
| -Dsonar.analysis.kosli_artifact_fingerprint=${{ needs.build-image.outputs.kosli_fingerprint }} | |
| -Dsonar.analysis.kosli_attestation=sonarcloud-scan | |
| sdlc-control-gate: | |
| needs: [lint, pull-request, unit-tests, snyk-container-scan, snyk-code-scan, setup, build-image, sonarcloud-scan] | |
| runs-on: ubuntu-latest | |
| env: | |
| IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
| KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }} | |
| steps: | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Kosli SDLC gate to short-circuit the workflow | |
| run: | |
| kosli assert artifact "${IMAGE_NAME}" | |
| approve-deployment-to-beta: | |
| needs: [sdlc-control-gate, setup, build-image] | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: staging | |
| url: https://beta.cyber-dojo.org | |
| env: | |
| IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
| KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }} | |
| KOSLI_ENVIRONMENT: aws-beta | |
| steps: | |
| - uses: actions/[email protected] | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Report approval of deployment to Kosli | |
| run: | |
| kosli report approval "${IMAGE_NAME}" | |
| --approver="${{ github.actor }}" | |
| deploy-to-beta: | |
| needs: [approve-deployment-to-beta, setup] | |
| uses: ./.github/workflows/sub_deploy_to_beta.yml | |
| with: | |
| IMAGE_TAG: ${{ needs.setup.outputs.image_tag }} | |
| approve-deployment-to-prod: | |
| needs: [deploy-to-beta, setup, build-image] | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: production | |
| url: https://cyber-dojo.org | |
| env: | |
| IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
| KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }} | |
| KOSLI_ENVIRONMENT: aws-prod | |
| steps: | |
| - uses: actions/[email protected] | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Report approval of deployment to Kosli | |
| run: | |
| kosli report approval "${IMAGE_NAME}" | |
| --approver="${{ github.actor }}" | |
| deploy-to-prod: | |
| needs: [approve-deployment-to-prod, setup] | |
| uses: ./.github/workflows/sub_deploy_to_prod.yml | |
| with: | |
| IMAGE_TAG: ${{ needs.setup.outputs.image_tag }} | |
| # The cyberdojo/versioner refresh-env.sh script | |
| # https://github.com/cyber-dojo/versioner/blob/master/sh/refresh-env.sh | |
| # relies on being able to: | |
| # - get the :latest image | |
| # - extract the SHA env-var embedded inside it | |
| # - use the 1st 7 chars of the SHA as a latest-equivalent tag | |
| push-latest: | |
| needs: [deploy-to-prod, setup] | |
| runs-on: ubuntu-latest | |
| env: | |
| IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USER }} | |
| password: ${{ secrets.DOCKER_PASS }} | |
| - name: Tag image to :latest and push to Dockerhub Registry | |
| run: | | |
| docker pull "${IMAGE_NAME}" | |
| docker tag "${IMAGE_NAME}" cyberdojo/${{ env.SERVICE_NAME }}:latest | |
| docker push cyberdojo/${{ env.SERVICE_NAME }}:latest |