RISDEV-5881 Publish docker image #79

Workflow file for this run

.github/workflows/pipeline.yml at a072c68

	name: "CI Pipeline"

	on:
	push:
	branches: [main]
	paths-ignore:
	- "*/.md"
	pull_request:
	# TODO: restrict later
	# branches: [main]
	# Allow to run this workflow manually
	workflow_dispatch:


	env:
	CONTAINER_REGISTRY: ghcr.io
	CONTAINER_IMAGE_NAME: ${{ github.repository }}
	CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha \|\| github.sha }}

	jobs:
	##############################################
	# jobs dispatched to separate workflow files #
	##############################################

	frontend-jobs:
	uses: ./.github/workflows/frontend-jobs.yml
	secrets: inherit

	security-jobs:
	uses: ./.github/workflows/security-jobs.yml
	secrets: inherit # so the backend workflow can access "secrets.SLACK_WEBHOOK_URL" and others
	permissions:
	contents: read
	security-events: write # trivy scan needs this

	frontend-build-image-and-scan:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	steps:
	- uses: actions/checkout@v4
	- name: Build frontend image
	run: docker build --file prod.Dockerfile --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }} .
	- name: Run Trivy vulnerability image scanner
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "sarif"
	output: "trivy-results.sarif"
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	- name: Run Trivy vulnerability file scanner
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
	with:
	scan-type: "fs"
	scan-ref: "./frontend"
	skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
	format: "sarif"
	output: "trivy-results.sarif"
	- name: Check trivy results
	run: \|
	if grep -qE 'HIGH\|CRITICAL' trivy-results.sarif; then
	echo "Vulnerabilities found"
	exit 1
	else
	echo "No significant vulnerabilities found"
	exit 0
	fi
	- name: Upload Trivy file scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	category: trivy-fs-scan
	- name: Generate cosign vulnerability scan record
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
	with:
	image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	format: "cosign-vuln"
	output: "vuln-frontend.json"
	- name: Upload cosign vulnerability scan record
	uses: actions/upload-artifact@v4
	with:
	name: "vuln-frontend.json"
	path: "vuln-frontend.json"
	if-no-files-found: error
	- name: Save image
	run: \|
	mkdir /tmp/images
	docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	- uses: actions/cache@v4
	with:
	path: /tmp/images
	key: docker-frontend-images-cache-${{ env.RUN_ID }}
	restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() && github.ref == 'refs/heads/main' }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

	push-frontend-image-to-registry:
	runs-on: ubuntu-latest
	if: ${{ github.ref == 'refs/heads/main' \|\| contains(github.event.pull_request.labels..name, 'dev-env') \|\| contains(github.event.labeled.labels..name, 'dev-env') }}
	needs:
	- frontend-jobs
	- frontend-build-image-and-scan
	permissions:
	contents: read
	id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
	packages: write
	outputs:
	version: ${{ steps.set-version.outputs.version }}
	steps:
	- uses: actions/cache@v4
	with:
	path: /tmp/images
	key: docker-frontend-images-cache-${{ env.RUN_ID }}
	restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
	- name: load image
	shell: bash
	run: docker load -i /tmp/images/frontend-image.tar
	- name: Log into container registry
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
	with:
	registry: ${{ env.CONTAINER_REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Publish backend container image
	run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	- name: Install cosign
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59
	- name: Sign the published Docker image
	run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
	- id: set-version
	run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
	if: ${{ failure() }}
	with:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RISDEV-5881 Publish docker image #79

Workflow file

RISDEV-5881 Publish docker image #79

Jobs

Run details

Workflow file for this run