diff --git a/.github/workflows/build-push-chart.yml b/.github/workflows/build-push-chart.yml index 1e7266c..bbda2cd 100644 --- a/.github/workflows/build-push-chart.yml +++ b/.github/workflows/build-push-chart.yml @@ -17,245 +17,78 @@ permissions: read-all jobs: setenv: - runs-on: ubuntu-latest - - outputs: - short_sha: ${{ steps.env.outputs.short_sha }} - chart_version: ${{ steps.env.outputs.chart_version }} - image_version: ${{ steps.env.outputs.image_version }} - image_tag: ${{ steps.env.outputs.image_tag }} - image_repo_tag: ${{ steps.env.outputs.image_repo_tag }} - image_repository: ${{ steps.env.outputs.image_repository }} - registry: ${{ steps.env.outputs.registry }} - branch: ${{ steps.env.outputs.branch }} - compname: ${{ steps.env.outputs.compname }} - dhurl: ${{ steps.env.outputs.dhurl }} - gh_handle: ${{ steps.env.outputs.gh_handle }} - - steps: - - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Checkout - id: checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - with: - fetch-depth: 1 - - - name: Export env - id: env - env: - DHURL: https://console.deployhub.com - REGISTRY: quay.io - BRANCH: ${{ github.head_ref || github.ref_name }} - run: | - BRANCH=$(echo "${{ env.BRANCH }}" | cut -d'/' -f1) - #BASE_VERSION=$(curl -s "https://ortelius.github.io/${{ github.event.repository.name }}/index.yaml" | grep version: | awk '{print $2}' | cut -f1-2 -d. | sort -u -r --version-sort | head -1) - BASE_VERSION="11.0" - SHORT_SHA=$(echo ${{ github.sha }} | cut -c 1-6) - { - echo "dhurl=${{ env.DHURL }}" - echo "branch=${BRANCH}" - echo "chart_version=${BASE_VERSION}.${{ github.run_number }}" - echo "compname=${{ github.event.repository.name }}" - echo "image_repo_tag=${{ env.REGISTRY }}/${{ github.repository }}:${BRANCH}-v${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}" - echo "image_repository=${{ env.REGISTRY }}/${{ github.repository }}" - echo "image_tag=${BRANCH}-v${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}" - echo "image_version=${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}" - echo "registry=${{ env.REGISTRY }}" - echo "short_sha=${SHORT_SHA}" - echo "gh_handle=$GITHUB_ACTOR" - } >> "$GITHUB_OUTPUT" + uses: ortelius/workflow-toolkit/.github/workflows/env-config-workflow.yml@cf5621d9d515b30f327262fcc356f36190ace596 + with: + gh_head_ref: ${{ github.head_ref }} + gh_ref_name: ${{ github.ref_name }} + gh_event_repo_name: ${{ github.event.repository.name }} + gh_sha: ${{ github.sha }} + gh_repo: ${{ github.repository }} + gh_run_number: ${{ github.run_number }} release: - runs-on: ubuntu-latest + uses: ortelius/workflow-toolkit/.github/workflows/container-release-workflow.yml@cf5621d9d515b30f327262fcc356f36190ace596 needs: setenv - - outputs: - digest: ${{ steps.build.outputs.digest }} - - steps: - - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Checkout - id: checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - - name: Login to Quay - if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }} - id: login - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 - with: - registry: ${{ needs.setenv.outputs.registry }} - username: ${{ secrets.QUAY_USERID }} - password: ${{ secrets.QUAY_PASSWORD }} - - - name: Build and Push Docker Image - if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }} - id: build - uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1 - with: - push: true - tags: ${{ needs.setenv.outputs.image_repo_tag }} - - - name: Build Docker Image - if: ${{ !(github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main') }} - id: build_only - uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1 - with: - tags: ${{ needs.setenv.outputs.image_repo_tag }} + with: + gh_repository_owner: ${{ github.repository_owner }} + gh_event_name: ${{ github.event_name }} + gh_ref: ${{ github.ref }} + registry: ${{ needs.setenv.outputs.registry }} + image_repo_tag: ${{ needs.setenv.outputs.image_repo_tag }} + secrets: + QUAY_USERID: ${{ secrets.QUAY_USERID }} + QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }} trivy: - runs-on: ubuntu-latest - needs: [setenv, release] - permissions: security-events: write statuses: write - - if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # master - with: - image-ref: ${{ needs.setenv.outputs.image_repo_tag }} - format: "sarif" - output: "trivy-results.sarif" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7 - if: always() - with: - sarif_file: "trivy-results.sarif" - - helm: - runs-on: ubuntu-latest + uses: ortelius/workflow-toolkit/.github/workflows/trivy-scan-workflow.yml@cf5621d9d515b30f327262fcc356f36190ace596 needs: [setenv, release] + with: + gh_repository_owner: ${{ github.repository_owner }} + gh_event_name: ${{ github.event_name }} + gh_ref: ${{ github.ref }} + image_repo_tag: ${{ needs.setenv.outputs.image_repo_tag }} + helm: permissions: - security-events: write - statuses: write contents: write + uses: ortelius/workflow-toolkit/.github/workflows/helm-release-workflow.yml@cf5621d9d515b30f327262fcc356f36190ace596 + needs: [setenv, release] + with: + gh_repository_owner: ${{ github.repository_owner }} + gh_event_name: ${{ github.event_name }} + gh_ref: ${{ github.ref }} + gh_handle: ${{ needs.setenv.outputs.gh_handle }} + chart: chart/${{ needs.setenv.outputs.compname }} + chart_version: ${{ needs.setenv.outputs.chart_version }} + image_repository: ${{ needs.setenv.outputs.image_repository }} + image_tag: ${{ needs.setenv.outputs.image_tag }} + image_digest: ${{ needs.release.outputs.digest }} + secrets: + GPG_KEYRING_BASE64: ${{ secrets.GPG_KEYRING_BASE64 }} + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_KEY: ${{ secrets.GPG_KEY }} + gh_token: ${{ secrets.HELM_INDEXER_TOKEN }} - if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Checkout - id: checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - - name: Configure Git - id: git - run: | - git config user.name "${{ needs.setenv.outputs.gh_handle }}" - git config user.email "${{ needs.setenv.outputs.gh_handle }}@users.noreply.github.com" - - - name: Update Values and Chart - id: chart - uses: fjogeleit/yaml-update-action@d98ee6a10a971effea75480e3f315e4dacc89a23 # main - with: - commitChange: false - changes: | - { - "chart/${{ github.event.repository.name }}/values.yaml": - { - "image.repository": "${{ needs.setenv.outputs.image_repository }}", - "image.tag": "${{ needs.setenv.outputs.image_tag }}", - "image.sha": "${{ needs.release.outputs.digest }}" - }, - "chart/${{ needs.setenv.outputs.compname }}/Chart.yaml": - { - "version": "${{ needs.setenv.outputs.chart_version }}", - "appVersion": "${{ needs.setenv.outputs.chart_version }}" - } - } - - name: Install Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - with: - version: v3.10.0 - - - name: Prepare GPG key - run: | - gpg_dir=.cr-gpg - mkdir "$gpg_dir" - keyring="$gpg_dir/secring.gpg" - base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring" - passphrase_file="$gpg_dir/passphrase" - echo "$GPG_PASSPHRASE" > "$passphrase_file" - echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV" - echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV" - env: - GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}" - GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}" - - - name: Run chart-releaser - uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f # v1.4.1 - with: - charts_dir: chart - config: .cr.yaml - env: - CR_TOKEN: "${{ secrets.HELM_INDEXER_TOKEN }}" - - - name: Trigger Rebuild of Main Chart - uses: benc-uk/workflow-dispatch@798e70c97009500150087d30d9f11c5444830385 # v1.2.2 - with: - workflow: generate-main-chart.yml - repo: ortelius/scec-charts - token: ${{ secrets.HELM_INDEXER_TOKEN }} sbom: - runs-on: ubuntu-latest + uses: ortelius/workflow-toolkit/.github/workflows/sbom-generation-workflow.yml@cf5621d9d515b30f327262fcc356f36190ace596 needs: [setenv, release] - - if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - name: Checkout - id: checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - - name: Generate SBOM - uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3 - id: sbom - with: - format: cyclonedx-json - output-file: /tmp/cyclonedx.json - image: ${{ needs.setenv.outputs.image_repo_tag }} - - - name: Update Compnent - id: updatecomp - env: - DHURL: ${{ needs.setenv.outputs.dhurl }} - DHUSER: ${{ secrets.DHUSER }} - DHPASS: ${{ secrets.DHPASS }} - GIT_BRANCH: ${{ needs.setenv.outputs.branch }} - CHART_VERSION: ${{ needs.setenv.outputs.chart_version }} - COMPNAME: ${{ needs.setenv.outputs.compname }} - DIGEST: ${{ needs.release.outputs.digest }} - IMAGE_REPO: ${{ needs.setenv.outputs.image_repository }} - IMAGE_REPO_TAG: ${{ needs.setenv.outputs.image_repo_tag }} - IMAGE_TAG: ${{ needs.setenv.outputs.image_tag }} - IMAGE_VERSION: ${{ needs.setenv.outputs.image_version }} - SHORT_SHA: ${{ needs.setenv.outputs.short_sha }} - - run: | - pip install ortelius-cli - dh updatecomp --rsp component.toml --deppkg cyclonedx@/tmp/cyclonedx.json + with: + gh_repository_owner: ${{ github.repository_owner }} + gh_event_name: ${{ github.event_name }} + gh_ref: ${{ github.ref }} + dhurl: ${{ needs.setenv.outputs.dhurl }} + compname: ${{ needs.setenv.outputs.compname }} + chart_version: ${{ needs.setenv.outputs.chart_version }} + branch: ${{ needs.setenv.outputs.branch }} + digest: ${{ needs.release.outputs.digest }} + image_repo_tag: ${{ needs.setenv.outputs.image_repo_tag }} + image_repository: ${{ needs.setenv.outputs.image_repository }} + image_tag: ${{ needs.setenv.outputs.image_tag }} + image_version: ${{ needs.setenv.outputs.image_version }} + secrets: + DHPASS: ${{ secrets.DHPASS }} + DHUSER: ${{ secrets.DHUSER }}