-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
To test the current configuration #major
- Loading branch information
Showing
4 changed files
with
171 additions
and
28 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
name: "[Job] Docker Build, Scan and Push to ECR" | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
docker_tag: | ||
description: "Tag for docker image" | ||
required: true | ||
type: string | ||
checkout_tag: | ||
description: "Ref or tag to checkout" | ||
default: ${{ github.ref }} | ||
required: false | ||
type: string | ||
|
||
defaults: | ||
run: | ||
shell: bash | ||
|
||
permissions: | ||
id-token: write | ||
contents: write | ||
security-events: write | ||
pull-requests: read | ||
|
||
jobs: | ||
docker_build_scan_push: | ||
strategy: | ||
matrix: | ||
include: | ||
- ecr_repository: lpa-store/lambda/api-create | ||
dir: create | ||
runs-on: ubuntu-latest | ||
name: ${{ matrix.ecr_repository }} | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
ref: ${{ inputs.checkout_tag }} | ||
- name: Build ${{ matrix.ecr_repository }} Image | ||
id: build_image | ||
run: | | ||
docker build -f ./lambda/Dockerfile -t ${{ matrix.ecr_repository }} --build-arg DIR=${{ matrix.dir }} . | ||
- name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }} | ||
id: trivy_scan | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: ${{ matrix.ecr_repository }}:latest | ||
severity: "HIGH,CRITICAL" | ||
format: "sarif" | ||
output: "trivy-results.sarif" | ||
- name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }} | ||
id: trivy_upload_sarif | ||
uses: github/codeql-action/upload-sarif@v2 | ||
if: always() | ||
with: | ||
sarif_file: "trivy-results.sarif" | ||
- uses: unfor19/install-aws-cli-action@v1 | ||
- name: Configure AWS Credentials | ||
uses: aws-actions/configure-aws-credentials@v2 | ||
with: | ||
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
aws-region: eu-west-1 | ||
role-to-assume: arn:aws:iam::311462405659:role/lpa-store-ci | ||
role-duration-seconds: 3600 | ||
role-session-name: GitHubActions | ||
- name: ECR Login | ||
id: login_ecr | ||
uses: aws-actions/[email protected] | ||
with: | ||
mask-password: true | ||
registries: 311462405659 | ||
- name: Output push intentions | ||
env: | ||
ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} | ||
ECR_REPOSITORY: ${{ matrix.ecr_repository }} | ||
run: | | ||
docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.docker_tag }} | ||
echo "Would push $ECR_REGISTRY/$ECR_REPOSITORY" | ||
# - name: Push ${{ matrix.ecr_repository }} Image to ECR | ||
# env: | ||
# ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} | ||
# ECR_REPOSITORY: ${{ matrix.ecr_repository }} | ||
# run: | | ||
# docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.docker_tag }} | ||
# if ${{ github.workflow == 'Path To Live' }}; then | ||
# docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:latest | ||
# docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.docker_tag }} | ||
# fi | ||
# docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
name: Test & Build | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- main | ||
workflow_dispatch: | ||
|
||
defaults: | ||
run: | ||
shell: bash | ||
|
||
jobs: | ||
generate-tags: | ||
name: Generate tags | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: "0" | ||
- name: Extract branch name | ||
id: extract_branch | ||
run: | | ||
if [ "$GITHUB_EVENT_NAME" == "push" ]; then | ||
echo BRANCH_NAME=main >> $GITHUB_ENV | ||
else | ||
branch=${{ github.head_ref }} | ||
branch=${branch//-} | ||
branch=${branch//_} | ||
branch=${branch//\/} | ||
echo BRANCH_NAME=${branch} >> $GITHUB_ENV | ||
fi | ||
- name: Bump version | ||
id: bump_version | ||
uses: anothrNick/[email protected] | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
INITIAL_VERSION: 0.0.0 | ||
DEFAULT_BUMP: minor | ||
PRERELEASE: true | ||
PRERELEASE_SUFFIX: ${{ env.BRANCH_NAME }} | ||
RELEASE_BRANCHES: main | ||
WITH_V: true | ||
outputs: | ||
docker_tag: ${{ steps.bump_version.outputs.tag }} | ||
|
||
generate-environment-workspace-name: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Generate workspace name | ||
id: name_workspace | ||
run: | | ||
workspace=${{ github.event.number }}${{ github.head_ref }} | ||
workspace=${workspace//-} | ||
workspace=${workspace//_} | ||
workspace=${workspace//\/} | ||
workspace=${workspace:0:11} | ||
workspace=$(echo ${workspace} | tr '[:upper:]' '[:lower:]') | ||
echo "name=${workspace}" >> $GITHUB_OUTPUT | ||
echo ${workspace} | ||
outputs: | ||
environment_workspace_name: ${{ steps.name_workspace.outputs.name }} | ||
|
||
build: | ||
name: Build, Scan & Push Images | ||
needs: [generate-tags] | ||
uses: ./.github/workflows/build-push-images.yml | ||
with: | ||
docker_tag: ${{ needs.generate-tags.outputs.docker_tag }} | ||
|
||
# deploy-pr-env: | ||
# name: Deploy PR Environment | ||
# needs: [build, generate-environment-workspace-name] | ||
# uses: ./.github/workflows/deploy.yml | ||
# with: | ||
# workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }} | ||
# version_tag: ${{ needs.generate-tags.outputs.docker_tag }} | ||
# secrets: | ||
# aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
# aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} |