Skip to content

Commit

Permalink
move frontend-push-image-to-registry to file
Browse files Browse the repository at this point in the history
  • Loading branch information
reckseba committed Jan 3, 2025
1 parent 91849c1 commit 0c155f6
Show file tree
Hide file tree
Showing 2 changed files with 82 additions and 57 deletions.
61 changes: 61 additions & 0 deletions .github/workflows/frontend-push-image-to-registry.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
on:
workflow_call:
inputs:
container-registry:
required: true
type: string
container-image-name:
required: true
type: string
container-image-version:
required: true
type: string
run-id:
required: true
type: string

jobs:
frontend-push-image-to-registry:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.set-version.outputs.version }}
steps:
- uses: actions/cache@v4
with:
path: /tmp/images
key: docker-frontend-images-cache-${{ inputs.run-id }}
restore-keys: docker-frontend-images-cache-${{ inputs.run-id }}
- name: load image
shell: bash
run: docker load -i /tmp/images/frontend-image.tar
- name: Log into container registry
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
with:
registry: ${{ inputs.container-registry }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Publish backend container image
run: docker push ${{ inputs.container-registry }}/${{ inputs.container-image-name }}-frontend:${{ inputs.container-image-version }}
- name: Install cosign
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59
- name: Sign the published Docker image
run: cosign sign --yes ${{ inputs.container-registry }}/${{ inputs.container-image-name }}-frontend:${{ inputs.container-image-version }}
- name: Download cosign vulnerability scan record
uses: actions/download-artifact@v4
with:
name: "vuln-frontend.json"
- name: Attest vulnerability scan
run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln ${{ inputs.container-registry }}/${{ inputs.container-image-name }}-frontend:${{ inputs.container-image-version }}
- id: set-version
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
78 changes: 21 additions & 57 deletions .github/workflows/pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,17 +22,17 @@ jobs:
# jobs dispatched to separate workflow files #
##############################################

frontend-checks:
uses: ./.github/workflows/frontend-checks.yml
secrets: inherit

security-jobs:
uses: ./.github/workflows/security-jobs.yml
secrets: inherit # so the backend workflow can access "secrets.SLACK_WEBHOOK_URL" and others
permissions:
contents: read
security-events: write # trivy scan needs this

frontend-checks:
uses: ./.github/workflows/frontend-checks.yml
secrets: inherit

frontend-build-image-and-scan:
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
uses: ./.github/workflows/frontend-build-image-and-scan.yml
Expand All @@ -46,74 +46,38 @@ jobs:
container-image-name: ${{ github.repository }}
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}

push-frontend-image-to-registry:
runs-on: ubuntu-latest
frontend-push-image-to-registry:
if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
needs:
- frontend-checks
- frontend-build-image-and-scan
- security-jobs
uses: ./.github/workflows/frontend-push-image-to-registry.yml
secrets: inherit
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
outputs:
version: ${{ steps.set-version.outputs.version }}
steps:
- uses: actions/cache@v4
with:
path: /tmp/images
key: docker-frontend-images-cache-${{ env.RUN_ID }}
restore-keys: docker-frontend-images-cache-${{ env.RUN_ID }}
- name: load image
shell: bash
run: docker load -i /tmp/images/frontend-image.tar
- name: Log into container registry
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Publish backend container image
run: docker push ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Install cosign
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: sigstore/cosign-installer@e11c0892438d2c0a48e49dee376e4883f10f2e59
- name: Sign the published Docker image
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Download cosign vulnerability scan record
uses: actions/download-artifact@v4
with:
name: "vuln-frontend.json"
- name: Attest vulnerability scan
run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}-frontend:${{ env.CONTAINER_IMAGE_VERSION }}
- id: set-version
run: echo "version=$CONTAINER_IMAGE_VERSION" >> "$GITHUB_OUTPUT"
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

needs:
- security-jobs
- frontend-checks
- frontend-build-image-and-scan
with:
run-id: ${{ github.run_id }}
container-registry: ghcr.io
container-image-name: ${{ github.repository }}
container-image-version: ${{ github.event.pull_request.head.sha || github.sha }}

# ######################
# # Deploy new versions to staging
# ######################

frontend-deploy-staging:
if: ${{ github.ref == 'refs/heads/main' }}
uses: ./.github/workflows/frontend-deploy-staging.yml
needs:
- security-jobs
- frontend-checks
- frontend-build-image-and-scan
- security-jobs
- push-frontend-image-to-registry
- frontend-push-image-to-registry
permissions:
id-token: write
uses: ./.github/workflows/frontend-deploy-staging.yml
secrets: inherit
with:
version: ${{ needs.push-frontend-image-to-registry.outputs.version }}
version: ${{ needs.frontend-push-image-to-registry.outputs.version }}

0 comments on commit 0c155f6

Please sign in to comment.