-
Notifications
You must be signed in to change notification settings - Fork 23
241 lines (210 loc) · 8.8 KB
/
build_push.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
# This workflow:
# * Builds, tests, and scans all images
# * (optionally) pushes the images to ACR
#
# This workflow triggers on:
# * a push to master
# * any create/synchronize to a PR (eg: any time you push an update to a PR).
#
# Image build/test/scan will run on any of the above events.
# Image push will run only if:
# * this is a push to master
# * if the PR triggering this event has the label 'auto-deploy'
#
# To configure this workflow:
#
# 1. Set up the following secrets in your workspace:
# a. REGISTRY_USERNAME with ACR username
# b. REGISTRY_PASSWORD with ACR Password
# c. AZURE_CREDENTIALS with the output of `az ad sp create-for-rbac --sdk-auth`
# d. DEV_REGISTRY_USERNAME with the DEV ACR username
# e. DEV_REGISTRY_PASSWORD with the DEV ACR Password
#
# 2. Change the values for the REGISTRY_NAME, CLUSTER_NAME, CLUSTER_RESOURCE_GROUP and NAMESPACE environment variables (below in build-push).
name: build_and_push
on:
schedule:
# Execute at 2am EST every day
- cron: '0 21 * * *'
push:
branches:
- 'master-2.0'
pull_request:
types:
- 'opened'
- 'synchronize'
- 'reopened'
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
jobs:
# Any checks that run pre-build
pre-build-checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Assert committed ./output folder matches `make generate-dockerfiles` output
run: |
sudo apt-get install --yes make
make clean
make generate-dockerfiles
if ! git diff --quiet output/; then
echo 'output folder and docker-bits/resources out of sync!'
exit 1
fi
build-push:
env:
REGISTRY_NAME: k8scc01covidacr
DEV_REGISTRY_NAME: k8scc01covidacrdev
CLUSTER_NAME: k8s-cancentral-01-covid-aks
CLUSTER_RESOURCE_GROUP: k8s-cancentral-01-covid-aks
LOCAL_REPO: localhost:5000
TRIVY_VERSION: "v0.57.0"
TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"'
TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"'
TRIVY_MAX_RETRIES: 5
TRIVY_RETRY_DELAY: 20
HADOLINT_VERSION: "2.12.0"
strategy:
fail-fast: false
matrix:
notebook:
# TODO: Pull this from a settings file or Makefile, that way Make can have the same list
- sas
- jupyterlab-cpu
needs: pre-build-checks
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
# pushing to regular acr instead of dev acr since the dev one isnt accessible to the zone
- name: Set ENV variables for a PR containing the auto-deploy tag
if: github.event_name == 'pull_request' && contains( github.event.pull_request.labels.*.name, 'auto-deploy')
run: |
echo "REGISTRY=k8scc01covidacr.azurecr.io" >> "$GITHUB_ENV"
echo "IMAGE_VERSION=dev" >> "$GITHUB_ENV"
- name: Set ENV variables for pushes to master
if: github.event_name == 'push' && github.ref == 'refs/heads/master-2.0'
run: |
echo "REGISTRY=k8scc01covidacr.azurecr.io" >> "$GITHUB_ENV"
echo "IMAGE_VERSION=v2" >> "$GITHUB_ENV"
echo "IS_LATEST=true" >> "$GITHUB_ENV"
- uses: actions/checkout@master
- name: Echo disk usage before clean up
run: ./.github/scripts/echo_usage.sh
- name: Free up all available disk space before building
run: ./.github/scripts/cleanup_runner.sh
- name: Echo disk usage before build start
run: ./.github/scripts/echo_usage.sh
- name: Get current notebook name
id: notebook-name
shell: bash
run: |
echo NOTEBOOK_NAME=${{ matrix.notebook }} >> $GITHUB_OUTPUT
# Connect to Azure Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ env.REGISTRY_NAME }}.azurecr.io
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
# Connect to Azure DEV Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ env.DEV_REGISTRY_NAME }}.azurecr.io
username: ${{ secrets.DEV_REGISTRY_USERNAME }}
password: ${{ secrets.DEV_REGISTRY_PASSWORD }}
# Image building/storing locally
- name: Make Dockerfiles
run: make generate-dockerfiles
- name: Run Hadolint
run: |
sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint
sudo chmod +x hadolint
./hadolint output/${{ matrix.notebook }}/Dockerfile --no-fail
# make build emits full_image_name, image_tag, and image_repo outputs
- name: Build image
id: build-image
run: make build/${{ matrix.notebook }} REPO=${{ env.LOCAL_REPO }}
- name: Echo disk usage after build completion
run: ./.github/scripts/echo_usage.sh
- name: Add standard tag names (short sha, sha, and branch) and any other post-build activity
run: make post-build/${{ matrix.notebook }} REPO=${{ env.LOCAL_REPO }}
- name: Push image to local registry (default pushes all tags)
run: make push/${{ matrix.notebook }} REPO=${{ env.LOCAL_REPO }}
# Image testing
- name: Set Up Python for Test Suite
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Set up venv for Test Suite
run: |
python -m pip install --upgrade pip
make install-python-dev-venv
- name: Test image
run: make test/${{ matrix.notebook }} REPO=${{ env.LOCAL_REPO }}
# Free up space from build process (containerscan action will run out of space if we don't)
- run: ./.github/scripts/cleanup_runner.sh
# Scan image for vulnerabilities
- name: Aqua Security Trivy image scan
if: true
run: |
printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
set +e # Lets trivy return an error without it being fatal
for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do
echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..."
trivy image \
--db-repository ${{ env.TRIVY_DATABASES }} \
--java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \
${{ steps.build-image.outputs.full_image_name }} \
--exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \
--skip-dirs /usr/local/SASHome
EXIT_CODE=$?
if [[ $EXIT_CODE -eq 0 ]]; then
echo "Trivy scan completed successfully."
exit 0
elif [[ $EXIT_CODE -eq 10 ]]; then
echo "Trivy scan completed successfully. Some vulnerabilities were found."
exit 0
elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1)) ]]; then
echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..."
sleep ${{ env.TRIVY_RETRY_DELAY }}
else
echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting."
exit 1
fi
done
# Push image to ACR
# Pushes if this is a push to master or an update to a PR that has auto-deploy label
- name: Test if we should push to ACR
id: should-i-push
if: |
github.event_name == 'push' ||
(
github.event_name == 'pull_request' &&
contains( github.event.pull_request.labels.*.name, 'auto-deploy')
)
run: echo 'boolean=true' >> $GITHUB_OUTPUT
# Pull the local image back, then "build" it (will just tag the pulled image)
- name: Pull image back from local repo
if: steps.should-i-push.outputs.boolean == 'true'
run: docker pull ${{ steps.build-image.outputs.full_image_name }}
# Rename the localhost:5000/imagename:tag built above to use the real repo
# (get above's name from build-image's output)
- name: Tag images with real repository
if: steps.should-i-push.outputs.boolean == 'true'
run: >
make post-build/${{ matrix.notebook }} DEFAULT_REPO=$REGISTRY IS_LATEST=$IS_LATEST
IMAGE_VERSION=$IMAGE_VERSION SOURCE_FULL_IMAGE_NAME=${{ steps.build-image.outputs.full_image_name }}
- name: Push image to registry
if: steps.should-i-push.outputs.boolean == 'true'
run: |
make push/${{ matrix.notebook }} DEFAULT_REPO=$REGISTRY
- name: Slack Notification
if: failure() && github.event_name=='schedule'
uses: act10ns/slack@v1
with:
status: failure
message: Build failed. https://github.com/StatCan/aaw-kubeflow-containers/actions/runs/${{github.run_id}}