From 11a478830ceab24539534f352eb6ead93a88be34 Mon Sep 17 00:00:00 2001 From: AleDore Date: Thu, 29 Feb 2024 10:47:00 +0100 Subject: [PATCH 1/3] [#IOPLT-331] Add support for docker release --- .github/workflows/beta-docker-branch.yaml | 65 +++++++++++++++++++ .github/workflows/release.yml | 78 +++++++++++++++++++++++ .github/workflows/trivy.yaml | 65 +++++++++++++++++++ Dockerfile | 24 +++++++ tsconfig.json | 1 + 5 files changed, 233 insertions(+) create mode 100644 .github/workflows/beta-docker-branch.yaml create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/trivy.yaml create mode 100644 Dockerfile diff --git a/.github/workflows/beta-docker-branch.yaml b/.github/workflows/beta-docker-branch.yaml new file mode 100644 index 0000000..117d5d5 --- /dev/null +++ b/.github/workflows/beta-docker-branch.yaml 
@@ -0,0 +1,65 @@
+name: Beta docker on dev branch
+
+on:
+ push:
+ branches-ignore:
+ - 'main'
+ paths-ignore:
+ - 'CODEOWNERS'
+ - '**.md'
+ - '.**'
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ release:
+ name: Beta docker on dev branch
+ runs-on: ubuntu-22.04
+
+ steps:
+
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+ with:
+ persist-credentials: false
+ fetch-depth: 0
+
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Docker meta
+ uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
+ id: meta
+ with:
+ images: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=beta-${{ github.ref_name }}
+ labels:
+ org.opencontainers.image.title=${{ env.IMAGE_NAME }}-beta
+ org.opencontainers.image.description=GitHub self hosted runner
+ org.opencontainers.image.authors=PagoPA
+ org.opencontainers.image.url=github.com/pagopa/${{ github.repository }}
+ org.opencontainers.image.source=https://github.com/pagopa/${{ github.repository }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ file: Dockerfile
+ cache-from: type=gha
+ cache-to: type=gha,mode=min
+ platforms: linux/amd64,linux/arm64
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..e7adc89
--- /dev/null
+++ b/.github/workflows/release.yml
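Review bot: `labels:` in the Docker meta step has no block indicator, unlike `images: |` and `tags: |` just above it, so YAML folds the five indented `org.opencontainers.*` lines into one plain multi-line scalar and metadata-action most likely receives a single `org.opencontainers.image.title` label whose value carries the other four; change it to `labels: |`. The same folding is present in the release.yml hunk (`@@ -0,0 +1,78 @@`). Separately, `github.repository` already has the form `owner/name`, so `github.com/pagopa/${{ github.repository }}` in the url and source labels produces a doubled owner segment; `https://github.com/${{ github.repository }}` is enough, and the description `GitHub self hosted runner` looks copied from another workflow given that the Dockerfile in this change builds a Node service. The job also declares no `permissions:` block while pushing to ghcr.io with `secrets.GITHUB_TOKEN`, so it runs with whatever default token permissions the repository has; a job-level `permissions:` with `contents: read` and `packages: write` both makes the push work under read-only defaults and keeps the token scoped to what the job does.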
@@ -0,0 +1,78 @@
+name: Release
+
+on:
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - 'CODEOWNERS'
+ - '**.md'
+ - '.**'
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ release:
+ name: Release
+ runs-on: ubuntu-22.04
+
+ steps:
+
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+ with:
+ persist-credentials: false
+ fetch-depth: 0
+
+ - name: Release
+ id: release
+ uses: cycjimmy/semantic-release-action@bdd914ff2423e2792c73475f11e8da603182f32d
+ with:
+ semantic_version: 18.0.0
+ extra_plugins: |
+ @semantic-release/release-notes-generator@10.0.3
+ @semantic-release/git@10.0.1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Log in to the Container registry
+ id: docker_login
+ if: steps.release.outputs.new_release_published == 'true'
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Docker meta
+ uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
+ id: meta
+ with:
+ images: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=latest
+ type=raw,value=v${{ steps.release.outputs.new_release_version }}
+ labels:
+ org.opencontainers.image.title=${{ env.IMAGE_NAME }}
+ org.opencontainers.image.description=GitHub self hosted runner
+ org.opencontainers.image.authors=PagoPA
+ org.opencontainers.image.url=github.com/PagoPA/${{ github.repository }}
+ org.opencontainers.image.source=https://github.com/${{ github.repository }}
+
+ - name: Build and push Docker image
+ id: docker_build_push
+ if: steps.release.outputs.new_release_published == 'true'
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ file: Dockerfile
+ cache-from: type=gha
+ cache-to: type=gha,mode=min
+ platforms: linux/amd64,linux/arm64
\ No newline at end of file
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 0000000..1492707
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,65 @@
+name: Docker security scan
+
+on:
+ push:
+ branches: [ "main", "master" ]
+ pull_request:
+ branches: [ "main", "master" ]
+ schedule:
+ - cron: '00 07 * * *'
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ steps:
+
+ - name: Checkout code
+ uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ - name: Docker meta
+ uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
+ id: meta
+ with:
+ images: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=sha,enable=true,format=long
+
+ - name: Build Docker image
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+ with:
+ context: .
+ load: true
+ push: false
+ tags: ${{ steps.meta.outputs.tags }}
+ file: Dockerfile
+ cache-from: type=gha
+ cache-to: type=gha,mode=min
+ platforms: linux/amd64
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
+ with:
+ image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ timeout: '10m0s'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@592977e6ae857384aa79bb31e7a1d62d63449ec5 # v2.16.3
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..12ed024
--- /dev/null
+++ b/Dockerfile
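Review bot: The `actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707` pin in the Checkout code step carries no version comment and is a different commit from the `b4ffde65…` `#v4.1.1` pin the other two workflows in this change use; pick one SHA for all three and annotate it the same way, e.g. `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, so readers and pin-updating tools can tell which release it is. The Trivy step sets no `exit-code`, so the job passes regardless of CRITICAL/HIGH findings and they only appear in the Security tab; if the scan is meant to gate merges, add `exit-code: '1'` and give the upload step `if: always()` so results are still uploaded on failure. If the repository accepts pull requests from forks, the `pull_request` trigger runs those with a read-only token, and the `upload-sarif` step, which needs `security-events: write`, will fail on such runs.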
@@ -0,0 +1,24 @@ +FROM node:18.13.0 as builder + +WORKDIR /usr/src/app + +COPY / /usr/src/app/ + +RUN yarn install \ + && yarn build + +FROM node:18.13.0-alpine + +# Install major CA certificates to cover +# https://github.com/SparebankenVest/azure-key-vault-to-kubernetes integration +RUN apk --no-cache add ca-certificates + +WORKDIR /usr/src/app + +COPY /package.json /usr/src/app/package.json +COPY --from=builder /usr/src/app/dist /usr/src/app/dist +COPY --from=builder /usr/src/app/node_modules /usr/src/app/node_modules + +EXPOSE 80 + +CMD ["node", "dist/index.js"] diff --git a/tsconfig.json b/tsconfig.json index 6d6aeda..518d8c7 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -7,6 +7,7 @@ "noImplicitAny": true, "moduleResolution": "node", "sourceMap": true, + "skipLibCheck": true, "outDir": "dist", "baseUrl": ".", "paths": { From d8658c554c25e5fdefdfa83f530cb53cd26c7c1e Mon Sep 17 00:00:00 2001 From: AleDore Date: Thu, 29 Feb 2024 16:55:08 +0100 Subject: [PATCH 2/3] fix release pipeline --- .github/workflows/release.yml | 70 ++++++++++++++++++++++++----------- 1 file changed, 48 insertions(+), 22 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e7adc89..fadb143 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,13 +1,16 @@ name: Release on: - push: - branches: - - main - paths-ignore: - - 'CODEOWNERS' - - '**.md' - - '.**' + workflow_dispatch: + inputs: + version-bump: + type: choice + description: Version bump + default: minor + options: + - patch + - minor + - major env: REGISTRY: ghcr.io @@ -17,7 +20,8 @@ jobs: release: name: Release runs-on: ubuntu-22.04 - + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout 
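Review bot: `COPY / /usr/src/app/` in the builder stage copies the whole build context and the change adds no `.dockerignore`, so a local `node_modules`, the `.git` directory and any untracked config or credential files present where the build runs land in the builder layer and in the GHA layer cache; add a `.dockerignore` covering at least `node_modules`, `.git`, `dist` and `.env*`, or copy only `package.json`, the lockfile and the source directories. `yarn install` without `--frozen-lockfile` may resolve versions that differ from the lockfile, and the `node_modules` copied into the runtime stage still holds devDependencies; `RUN yarn install --frozen-lockfile && yarn build && yarn install --frozen-lockfile --production --ignore-scripts` keeps the build reproducible and trims the final image. The runtime stage runs as root; the official node images ship a `node` user, so a `USER node` before `CMD` is worth adding, noting that the service would then need an unprivileged port rather than the 80 that `EXPOSE 80` implies. Pinning both `FROM` lines by digest as well as tag would make the base images verifiable in the same way the actions are pinned by SHA.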
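Review bot: The job-level `env:` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` added in the second release.yml hunk (`@@ -17,7 +20,8 @@`) makes the token an environment variable of every step in the job, including the processes of the third-party actions, while only the `gh` steps and the registry login need it; a step-level `env:` on the two `gh` steps, and keeping `password: ${{ secrets.GITHUB_TOKEN }}` on the login, limits its exposure to the steps that use it. The `workflow_dispatch` input being a `choice` is the right shape for `version-bump`, since the value is later interpolated into a `run:` script and this constrains it to the three listed options.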
@@ -27,25 +31,48 @@ jobs: persist-credentials: false fetch-depth: 0 - - name: Release - id: release - uses: cycjimmy/semantic-release-action@bdd914ff2423e2792c73475f11e8da603182f32d - with: - semantic_version: 18.0.0 - extra_plugins: | - @semantic-release/release-notes-generator@10.0.3 - @semantic-release/git@10.0.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Install Node.js + uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 + + - name: Install semver + run: npm install -g semver + + - name: Get Latest Release Version + id: get-version + run: | + RELEASE_VERSION=$(gh release list -L 1 --json tagName --jq '.[0].tagName') + echo "RELEASE_VERSION=${RELEASE_VERSION}" >> $GITHUB_ENV + + - name: Set Branch Name + id: set_branch + run: | + + if [ -z "${RELEASE_VERSION}" ]; then + NEW_VERSION_NAME="0.0.1" + else + OLD_VERSION=$(echo "${RELEASE_VERSION}") + + NEW_VERSION=$(semver --increment ${{ inputs.version-bump }} "${OLD_VERSION}") + echo "Bumping $OLD_VERSION to $NEW_VERSION" + fi + + echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_ENV + echo "OLD_VERSION=${OLD_VERSION}" >> $GITHUB_ENV + + - name: Create Repository Release + run: | + gh release create ${{ env.NEW_VERSION }} \ + --title ${{ env.NEW_VERSION }} \ + --generate-notes \ + --notes-start-tag ${{ env.OLD_VERSION }} - name: Log in to the Container registry id: docker_login - if: steps.release.outputs.new_release_published == 'true' uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ env.GITHUB_TOKEN }} - name: Docker meta uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 
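Review bot: In the Set Branch Name step the empty-`RELEASE_VERSION` branch assigns `NEW_VERSION_NAME="0.0.1"` but the step exports `NEW_VERSION`, so on a repository with no release yet both `NEW_VERSION` and `OLD_VERSION` are written empty and the following `gh release create` runs with no tag and a bare `--notes-start-tag`, which fails. The two scripts also interpolate `${{ inputs.version-bump }}`, `${{ env.NEW_VERSION }}` and `${{ env.OLD_VERSION }}` straight into `run:` text and pass them unquoted; reading them as shell variables and quoting them avoids word-splitting and keeps a tag name from being parsed as script. `gh release list -L 1` returns the most recently created release, which may be a draft or pre-release rather than the highest version, and as far as I can see nothing normalises a `v` prefix on the tag before `semver --increment`; worth confirming against the tag format the repository uses. The rewritten two steps below fix the variable name, quote the values and omit `--notes-start-tag` when there is no previous release.

```yaml
      # … unchanged: Checkout, Install Node.js, Install semver, Get Latest Release Version …
      - name: Set Branch Name
        id: set_branch
        env:
          VERSION_BUMP: ${{ inputs.version-bump }}
        run: |
          if [ -z "${RELEASE_VERSION}" ]; then
            OLD_VERSION=""
            NEW_VERSION="0.0.1"
          else
            OLD_VERSION="${RELEASE_VERSION}"
            NEW_VERSION=$(semver --increment "${VERSION_BUMP}" "${OLD_VERSION}")
            echo "Bumping ${OLD_VERSION} to ${NEW_VERSION}"
          fi
          echo "NEW_VERSION=${NEW_VERSION}" >> "${GITHUB_ENV}"
          echo "OLD_VERSION=${OLD_VERSION}" >> "${GITHUB_ENV}"

      - name: Create Repository Release
        run: |
          if [ -n "${OLD_VERSION}" ]; then
            gh release create "${NEW_VERSION}" --title "${NEW_VERSION}" --generate-notes --notes-start-tag "${OLD_VERSION}"
          else
            gh release create "${NEW_VERSION}" --title "${NEW_VERSION}" --generate-notes
          fi
      # … unchanged: registry login, Docker meta …
```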
@@ -55,7 +82,7 @@ jobs: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=raw,value=latest - type=raw,value=v${{ steps.release.outputs.new_release_version }} + type=raw,value=${{ env.NEW_VERSION }} labels: org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.description=GitHub self hosted runner @@ -65,7 +92,6 @@ jobs: - name: Build and push Docker image id: docker_build_push - if: steps.release.outputs.new_release_published == 'true' uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: context: . From 8a40f3c54890019c3fcc5730c6805b9c75a7cd98 Mon Sep 17 00:00:00 2001 From: AleDore Date: Thu, 29 Feb 2024 16:56:01 +0100 Subject: [PATCH 3/3] set job permission --- .github/workflows/release.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fadb143..975d22b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,8 +22,11 @@ jobs: runs-on: ubuntu-22.04 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + permissions: + contents: write + actions: write + steps: - - name: Checkout id: checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
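Review bot: The `permissions:` block added to the release job in the third patch (`@@ -22,8 +22,11 @@`) lists `contents: write` and `actions: write` but no `packages` scope, and once a job declares `permissions:` every scope it does not name is set to none, so the `GITHUB_TOKEN` used by the registry login will be refused when the Build and push step pushes to ghcr.io; add `packages: write`. Nothing in the visible steps (`gh release list`, `gh release create`, the Docker build and push) appears to need `actions: write`, so unless something outside these hunks relies on it, dropping it keeps the token at least privilege: `permissions:` / `contents: write` / `packages: write`.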