_build-and-push.yml
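---
# Reusable workflow (`workflow_call`): builds one image per matrix entry,
# scans it with Trivy, uploads the SARIF report, then tags and pushes the
# image to ECR.
#
# GITHUB_TOKEN permissions are inherited from the caller. The steps below
# need at least `contents: read` (checkout), `id-token: write` (OIDC role
# assumption) and `security-events: write` (SARIF upload). A job-level
# `permissions:` block would pin this to least privilege; confirm what the
# callers grant (private repos also need `actions: read` for the upload)
# before adding one.
name: "[Docker] Build and Push Images"

defaults:
  run:
    shell: bash

# `on` reads as a YAML 1.1 boolean to generic parsers; GitHub's loader
# treats it as the trigger key it is meant to be.
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      branch_name:
        description: "Name of the branch doing the build"
        required: true
        type: string
      tag:
        description: "Tag for docker image"
        required: false
        default: "latest"
        type: string
      push_to_ecr:
        # Gates the two "tag and push" steps below. Credential assumption and
        # ECR login still run regardless, because the Trivy vulnerability DBs
        # are pulled from an ECR mirror.
        description: "Whether to push to ECR"
        required: false
        default: true
        type: boolean

jobs:
  docker_build_scan_push:
    runs-on: ubuntu-latest
    strategy:
      # one failing image must not cancel the builds of the others
      fail-fast: false
      matrix:
        include:
          - svc_name: "client-webserver"
            sub_folder: "."
            docker_file: "client/docker/web/Dockerfile"
          - svc_name: "client"
            sub_folder: "."
            docker_file: "client/docker/app/Dockerfile"
          - svc_name: "api-webserver"
            sub_folder: "."
            docker_file: "api/docker/web/Dockerfile"
          - svc_name: "api"
            sub_folder: "."
            docker_file: "api/docker/app/Dockerfile"
          - svc_name: "sync"
            sub_folder: "orchestration"
            docker_file: "Dockerfile"
          - svc_name: "htmltopdf"
            sub_folder: "."
            docker_file: "htmltopdf/Dockerfile"
          - svc_name: "file-scanner"
            sub_folder: "."
            docker_file: "file-scanner/Dockerfile"
          - svc_name: "dr-backup"
            sub_folder: "disaster-recovery/backup"
            docker_file: "Dockerfile"
          - svc_name: "custom-sql-lambda"
            sub_folder: "lambdas/functions/custom_sql_query"
            docker_file: "Dockerfile"
    steps:
      - uses: actions/checkout@3b9b8c884f6b4bb4d5be2779c26374abadae0871 # pin@v3

      - name: set up docker buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5

      # Today's and yesterday's dates form the layer-cache keys below.
      - name: export dates
        id: cache-dates
        run: |
          echo "cache_date_today=$(date +'%Y%m%d')" >> "$GITHUB_OUTPUT"
          echo "cache_date_yesterday=$(date -d 'yesterday' +'%Y%m%d')" >> "$GITHUB_OUTPUT"

      # The exact key is per commit; restore-keys fall back to the same
      # branch, then to main, for today and then for yesterday.
      - name: cache docker layers
        id: cache-docker
        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # [email protected]
        with:
          path: /tmp/.buildx-cache
          key: ${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_today }}-${{ github.sha }}
          restore-keys: |
            ${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_today }}
            ${{ matrix.svc_name }}-main-${{ steps.cache-dates.outputs.cache_date_today }}
            ${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_yesterday }}
            ${{ matrix.svc_name }}-main-${{ steps.cache-dates.outputs.cache_date_yesterday }}

      - name: install aws cli
        uses: unfor19/install-aws-cli-action@27d6061dae5d39e89be4d2246824f15e111a7e06 # [email protected]

      # Only the images that serve the front-end bundle need the artifact;
      # presumably it is produced by an earlier job of the caller — verify.
      - name: download resources artifact
        if: |
          (matrix.svc_name == 'client' || matrix.svc_name == 'client-webserver' || matrix.svc_name == 'htmltopdf')
        uses: actions/download-artifact@d0ce8fd1167ed839810201de977912a090ab10a7
        with:
          name: web-distribution
          path: client/resources/public

      # main never reads the restored cache (no --cache-from), presumably so a
      # release image cannot depend on a stale or branch-written layer cache;
      # every other branch reuses it. Both paths write a fresh cache for the
      # next run.
      - name: build docker image
        env:
          IMAGE_NAME: ${{ matrix.svc_name }}
          DOCKERFILE: ${{ matrix.docker_file }}
          BRANCH_NAME: ${{ inputs.branch_name }}
        working-directory: ${{ matrix.sub_folder }}
        run: |
          cache_from=()
          if [ "${BRANCH_NAME}" != "main" ]; then
            cache_from=(--cache-from=type=local,src=/tmp/.buildx-cache)
          fi
          docker buildx build \
            -f "${DOCKERFILE}" \
            "${cache_from[@]}" \
            --cache-to=type=local,dest=/tmp/.buildx-cache-new \
            --tag "${IMAGE_NAME}:latest" \
            --output type=docker \
            .

      # NOTE(review): this dev image is built from docker/app, whereas the
      # regular client-webserver image uses docker/web — confirm intended.
      - name: build docker image development
        if: matrix.svc_name == 'client-webserver' && inputs.branch_name == 'main'
        env:
          IMAGE_NAME: ${{ matrix.svc_name }}
        working-directory: ${{ matrix.sub_folder }}
        run: docker build --file client/docker/app/Dockerfile-dev --tag "${IMAGE_NAME}-dev:latest" .

      # Swap the freshly written cache in so the post-job cache save stores it.
      - name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      # Short-lived OIDC session (15 minutes); no static AWS keys are used.
      - name: configure OIDC AWS credentials for ECR push
        uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # [email protected]
        with:
          role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-push
          role-session-name: github-actions-ecr-push
          role-duration-seconds: 900
          aws-region: eu-west-1

      - name: ecr login
        id: login_ecr
        uses: aws-actions/amazon-ecr-login@bfbd05a2dcf76451041cbd4b9d11cff82489a1ee # [email protected]
        with:
          registries: "311462405659"  # all-digit value, quoted so it stays a string

      # Report-only: no exit-code is set, so HIGH/CRITICAL findings land in
      # the Security tab but do not fail the job or block the push below.
      # Vulnerability DBs come from the ECR mirror logged into above.
      - name: trivy image scanning
        id: trivy_scan
        uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b # [email protected]
        with:
          image-ref: ${{ matrix.svc_name }}:latest
          severity: "HIGH,CRITICAL"
          format: "sarif"
          scanners: "vuln"
          output: "trivy-results.sarif"
          timeout: 15m
        env:
          TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db

      # TODO(review): the only action in this job not pinned to a commit SHA;
      # pin it like the others so a moved `v2` tag cannot change what runs.
      - name: upload trivy scan results to security tab
        id: trivy_upload_sarif
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"

      - name: show build tag
        env:
          IMAGE_TAG: ${{ inputs.tag }}
        run: echo "Tag to use - ${IMAGE_TAG}"

      # Tags locally only; the `--all-tags` push in the next step sends it.
      - name: tag and push user research development container
        if: inputs.push_to_ecr && matrix.svc_name == 'client-webserver' && inputs.branch_name == 'main'
        env:
          ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
          ECR_REGISTRY_ALIAS: digideps
          IMAGE_TAG: ${{ inputs.tag }}
          IMAGE_NAME: ${{ matrix.svc_name }}
        run: |
          IMAGE_TAG_DEV="development-${IMAGE_TAG}"
          docker tag "${IMAGE_NAME}-dev:latest" "${ECR_REGISTRY}/${ECR_REGISTRY_ALIAS}/${IMAGE_NAME}:${IMAGE_TAG_DEV}"

      - name: tag and push container
        if: inputs.push_to_ecr
        env:
          ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
          ECR_REGISTRY_ALIAS: digideps
          IMAGE_TAG: ${{ inputs.tag }}
          IMAGE_NAME: ${{ matrix.svc_name }}
          BRANCH_NAME: ${{ inputs.branch_name }}
        run: |
          target="${ECR_REGISTRY}/${ECR_REGISTRY_ALIAS}/${IMAGE_NAME}"
          docker tag "${IMAGE_NAME}:latest" "${target}:${IMAGE_TAG}"
          if [[ "${BRANCH_NAME}" == "main" ]]; then
            docker tag "${IMAGE_NAME}:latest" "${target}:latest"
            docker tag "${IMAGE_NAME}:latest" "${target}:main-${IMAGE_TAG}"
          fi
          # pushes every local tag of this repository, including the dev tag above
          docker push --all-tags "${target}"

      # Clear the credential variables exported by configure-aws-credentials,
      # even when an earlier step failed.
      - name: Unset AWS variables
        if: always()
        run: |
          echo "AWS_SECRET_ACCESS_KEY=" >> "$GITHUB_ENV"
          echo "AWS_ACCESS_KEY_ID=" >> "$GITHUB_ENV"
          echo "AWS_SESSION_TOKEN=" >> "$GITHUB_ENV"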