Skip to content

RISDEV-5882 Change docker image name (#20) #107

RISDEV-5882 Change docker image name (#20)

RISDEV-5882 Change docker image name (#20) #107

Workflow file for this run

name: "CI Pipeline"
on:
push:
branches: [main]
paths-ignore:
- "**/*.md"
pull_request:
# TODO: restrict later
# branches: [main]
# Allow to run this workflow manually
workflow_dispatch:
env:
RUN_ID: ${{ github.run_id }}
CONTAINER_REGISTRY: ghcr.io
CONTAINER_IMAGE_NAME: ${{ github.repository }}
CONTAINER_IMAGE_VERSION: ${{ github.event.pull_request.head.sha || github.sha }}
jobs:
##############################################
# jobs dispatched to separate workflow files #
##############################################
frontend-jobs:
uses: ./.github/workflows/frontend-jobs.yml
secrets: inherit
security-jobs:
uses: ./.github/workflows/security-jobs.yml
secrets: inherit # so the backend workflow can access "secrets.SLACK_WEBHOOK_URL" and others
permissions:
contents: read
security-events: write # trivy scan needs this
frontend-build-image-and-scan:
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Build frontend image
run: docker build --file prod.Dockerfile --tag ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }} .
- name: Run Trivy vulnerability image scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
format: "sarif"
output: "trivy-results.sarif"
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
- name: Run Trivy vulnerability file scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
scan-type: "fs"
scan-ref: "./frontend"
skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
format: "sarif"
output: "trivy-results.sarif"
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy file scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
category: trivy-fs-scan
- name: Generate cosign vulnerability scan record
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
format: "cosign-vuln"
output: "vuln-frontend.json"
- name: Upload cosign vulnerability scan record
uses: actions/upload-artifact@v4
with:
name: "vuln-frontend.json"
path: "vuln-frontend.json"
if-no-files-found: error
- name: Save image
run: |
mkdir /tmp/images
docker save -o /tmp/images/frontend-image.tar ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- uses: actions/cache@v4
with:
path: /tmp/images
key: docker-frontend-images-cache-${{ env.RUN_ID }}
restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
push-frontend-image-to-registry:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
needs:
- frontend-jobs
- frontend-build-image-and-scan
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
outputs:
version: ${{ steps.set-version.outputs.version }}
steps:
- uses: actions/cache@v4
with:
path: /tmp/images
key: docker-frontend-images-cache-${{ env.RUN_ID }}
restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
- name: load image
shell: bash
run: docker load -i /tmp/images/frontend-image.tar
- name: Log into container registry
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Publish backend container image
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Install cosign
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59
- name: Sign the published Docker image
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Download cosign vulnerability scan record
uses: actions/download-artifact@v4
with:
name: "vuln-frontend.json"
- name: Attest vulnerability scan
run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- id: set-version
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
deploy-staging:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
concurrency:
group: deploy-staging
cancel-in-progress: true
environment: staging
needs:
- push-frontend-image-to-registry
permissions:
id-token: write # Enable OIDC for gitsign
steps:
- uses: chainguard-dev/actions/setup-gitsign@94389dc7faf4ef9040df90498419535e1bdcb60e
- name: Deploy new images
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: staging
version: ${{ needs.push-frontend-image-to-registry.outputs.version }}
deploying_repo: ris-adm-vwv/frontend
infra_repo: ris-adm-vwv-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: ris-adm-vwv-staging
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300
- name: Track deploy
continue-on-error: true
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.0.0
with:
project: ris-adm-vwv
environment: staging
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}