Fix CVE-2023-6897 #1531
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# SPDX-FileCopyrightText: 2023-2024 City of Espoo | |
# | |
# SPDX-License-Identifier: LGPL-2.1-or-later | |
name: Build | |
on: | |
- push | |
env: | |
AWS_REGION: eu-north-1 | |
ECR_REGISTRY: 767398123997.dkr.ecr.eu-north-1.amazonaws.com | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: | |
id-token: write | |
contents: read | |
jobs: | |
lint-shell: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: espoon-voltti/voltti-actions/shellcheck@master | |
check-licenses: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Reuse Compliance Check | |
uses: fsfe/reuse-action@v5 | |
dockerize: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- name: luontotieto/service | |
path: service | |
- name: luontotieto/frontend | |
path: frontend | |
- name: luontotieto/api-gateway | |
path: api-gateway | |
- name: luontotieto/geoserver | |
path: geoserver | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build image | |
uses: espoon-voltti/voltti-actions/docker-build-push@master | |
id: build | |
with: | |
path: ${{ matrix.path }} | |
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
registry: ${{ env.ECR_REGISTRY }} | |
name: ${{ matrix.name }} | |
build-args: | | |
build=${{ github.run_number }} | |
commit=${{ github.sha }} | |
service-builder: | |
runs-on: ubuntu-latest | |
env: | |
name: luontotieto/service | |
path: service | |
builder: builder | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build builder | |
uses: espoon-voltti/voltti-actions/docker-build-push@master | |
id: builder | |
with: | |
path: ${{ env.path }} | |
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
registry: ${{ env.ECR_REGISTRY }} | |
name: ${{ env.name }}-${{ env.builder }} | |
build-args: | | |
build=${{ github.run_number }} | |
commit=${{ github.sha }} | |
target: ${{ env.builder }} | |
test: | |
runs-on: ubuntu-latest | |
needs: service-builder | |
env: | |
BUILD: "false" | |
TAG: "${{ github.event.pull_request.head.sha || github.sha }}" | |
defaults: | |
run: | |
working-directory: compose | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Configure AWS credentials | |
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }} | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: ${{ env.AWS_REGION }} | |
role-to-assume: ${{ secrets.AWS_ROLE }} | |
role-duration-seconds: 1200 | |
- name: Login to Amazon ECR | |
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }} | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v2 | |
- name: Pull images | |
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }} | |
run: | | |
./test-compose pull | |
- name: Build images | |
if: ${{ github.actor == 'dependabot[bot]' || github.event.pull_request.head.repo.fork }} | |
run: | | |
./test-compose build --parallel | |
- name: Run tests | |
run: | | |
set -o pipefail | |
./test-compose run service-tests | tee tests.log | |
- name: Get logs | |
if: always() | |
run: | | |
./test-compose logs > tests-all.log | |
- name: Store logs | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: integration-test-results | |
path: | | |
compose/tests.log | |
compose/tests-all.log | |
retention-days: 2 | |
deploy: | |
# if: ${{ github.ref == 'refs/heads/master' }} | |
runs-on: ubuntu-latest | |
needs: | |
- dockerize | |
strategy: | |
fail-fast: false | |
matrix: | |
environment: | |
- staging | |
- prod | |
environment: | |
name: ${{ matrix.environment }} | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: ${{ env.AWS_REGION }} | |
role-to-assume: ${{ secrets.AWS_ROLE }} | |
role-duration-seconds: 1200 | |
- name: Retag | |
run: | | |
for repository in service frontend api-gateway geoserver; do | |
if [ "$(aws ecr describe-images --repository-name "luontotieto/$repository" --image-ids imageTag="${{ github.event.pull_request.head.sha || github.sha }}" | jq -r '.imageDetails[].imageTags | index("env-${{ matrix.environment }}")')" = "null" ]; then | |
MANIFEST=$(aws ecr batch-get-image --repository-name "luontotieto/$repository" --image-ids imageTag="${{ github.event.pull_request.head.sha || github.sha }}" --output json | jq --raw-output --join-output '.images[0].imageManifest') | |
aws ecr put-image --repository-name "luontotieto/$repository" --image-tag "env-${{ matrix.environment }}" --image-manifest "$MANIFEST" | |
else | |
echo "env-tag on image already exists on luontotieto/$repository" | |
fi | |
done | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: ${{ env.AWS_REGION }} | |
role-to-assume: ${{ secrets.AWS_ROLE_ENVIRONMENT }} | |
role-duration-seconds: 1200 | |
unset-current-credentials: true | |
- name: Deploy | |
run: | | |
aws ecs update-service \ | |
--cluster "luontotieto-${{ matrix.environment }}" \ | |
--service "luontotieto-${{ matrix.environment }}" \ | |
--force-new-deployment | |
aws ecs update-service \ | |
--cluster "luontotieto-${{ matrix.environment }}" \ | |
--service "geoserver-${{ matrix.environment }}" \ | |
--force-new-deployment | |
aws ecs wait services-stable \ | |
--cluster "luontotieto-${{ matrix.environment }}" \ | |
--services "luontotieto-${{ matrix.environment }}" "geoserver-${{ matrix.environment }}" |