Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Build Pipeline" | |
on: | |
push: | |
branches: | |
- jesse/pipeline-deploy | |
- main | |
paths-ignore: | |
- 'helm-chart/**' | |
env: | |
PROJECT_ID: "polygonlabs-devtools-dev" | |
GAR_LOCATION: "europe-west2" | |
WIF_PROVIDER: "projects/337907489413/locations/global/workloadIdentityPools/jesse-artifacts-pool/providers/jesse-artifacts" # this was hard to find: WIP --> Expand pool --> Click pencil icon | |
WIF_SERVICE_ACCOUNT: "jesse-artifacts-github-actions@prj-polygonlabs-devtools-dev.iam.gserviceaccount.com" | |
CRITICAL_COUNT: 5 | |
IMAGE_NAME: "europe-west2-docker.pkg.dev/prj-polygonlabs-devtools-dev/polygonlabs-docker-dev/jesse/polygon-cli" | |
ATTESTOR_PROJECT_ID: "polygonlabs-devtools-dev" | |
KEY_RING: "jesse-artifacts-ring" | |
KEY: "jesse-artifacts-binary-auth-key" | |
ATTESTOR: "jesse-artifacts-attestor" | |
jobs: | |
build-pipeline: | |
name: "Build, push, scan, and sign Docker image" | |
permissions: | |
contents: "write" | |
id-token: "write" | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Google Auth | |
id: auth | |
uses: google-github-actions/auth@v2 | |
with: | |
token_format: "access_token" | |
project_id: "${{ env.PROJECT_ID }}" | |
workload_identity_provider: "${{ env.WIF_PROVIDER }}" | |
# service_account: "${{ env.WIF_SERVICE_ACCOUNT }}" | |
- name: Docker Auth | |
id: docker-auth | |
uses: docker/login-action@v1 | |
with: | |
username: "oauth2accesstoken" | |
password: "${{ steps.auth.outputs.access_token }}" | |
registry: "${{ env.GAR_LOCATION }}-docker.pkg.dev" | |
- name: Build and Push Docker Image to GCP Artifact Registry | |
run: |- | |
docker build -t "${{ env.IMAGE_NAME }}:${{ github.sha }}" . | |
docker push "${{ env.IMAGE_NAME }}:${{ github.sha }}" | |
- name: "Set up Cloud SDK" | |
uses: "google-github-actions/setup-gcloud@v1" | |
- name: Scan Vulnerabilities | |
run: | | |
(gcloud artifacts docker images scan "${{ env.IMAGE_NAME }}:${{ github.sha }}" --format="value(response.scan)" --remote --quiet) > ./scan_id.txt | |
- name: Checking Critical Vulnerabilities | |
run: |- | |
#!/bin/bash | |
# Check if the scan_id.txt file exists | |
if [ ! -f ./scan_id.txt ]; then | |
echo "Error: scan_id.txt not found." | |
exit 1 | |
fi | |
# Use gcloud to list vulnerabilities and check for CRITICAL severity | |
severity=$(gcloud artifacts docker images list-vulnerabilities \ | |
"$(cat ./scan_id.txt)" \ | |
--format="value(vulnerability.effectiveSeverity)") | |
# Check if CRITICAL vulnerability is found | |
chk=$(echo "$severity" | grep -c "CRITICAL") | |
if [ "$chk" -gt ${{ env.CRITICAL_COUNT }} ]; then | |
echo "Failed vulnerability check for CRITICAL level" | |
exit 1 | |
else | |
echo "No CRITICAL vulnerability found. Congratulations!" | |
exit 0 | |
fi | |
- name: Sign the docker image | |
run: |- | |
export CLOUDSDK_CORE_DISABLE_PROMPTS=1 | |
gcloud components install beta --quiet | |
DIGEST=$(gcloud container images describe ${{ env.IMAGE_NAME }}:${{ github.sha }} --format='get(image_summary.digest)') | |
gcloud beta container binauthz attestations sign-and-create \ | |
--artifact-url="${{ env.IMAGE_NAME }}@${DIGEST}" \ | |
--attestor="${{ env.ATTESTOR }}" \ | |
--attestor-project="${{ env.ATTESTOR_PROJECT_ID }}" \ | |
--keyversion-project="${{ env.ATTESTOR_PROJECT_ID }}" \ | |
--keyversion-location="${{ env.GAR_LOCATION }}" \ | |
--keyversion-keyring="${{ env.KEY_RING }}" \ | |
--keyversion-key="${{ env.KEY }}" \ | |
--keyversion="1" | |
- name: Update Helm values # the helm-chart name should be standardized or parameterized | |
run: |- | |
DIGEST=$(gcloud container images describe ${{ env.IMAGE_NAME }}:${{ github.sha }} \ | |
--format='get(image_summary.digest)') | |
sed -i "s|image:.*|image: ${{ env.IMAGE_NAME }}@${DIGEST}|" ./helm-chart/values.yaml | |
- name: Set up Git, Commit and Push Changes to Update Container Image | |
uses: stefanzweifel/git-auto-commit-action@v5 | |
with: # the helm-chart name should be standardized or parameterized | |
commit_message: Apply automatic changes to Update image repository in Helm values | |
file_pattern: './helm-chart/values.yaml' | |
branch: wbutton-dev-test | |
create_branch: true |