-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
223 additions
and
175 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -30,36 +30,57 @@ jobs: | |
| include: | ||
| - ecr_repository: modernising-lpa/app | ||
| path: ./docker/mlpa/Dockerfile | ||
| - ecr_repository: modernising-lpa/create-s3-batch-replication-job | ||
| path: ./lambda/create_s3_replication_job/Dockerfile | ||
| - ecr_repository: modernising-lpa/event-received | ||
| path: ./docker/event-received/Dockerfile | ||
| - ecr_repository: modernising-lpa/mock-onelogin | ||
| path: ./docker/mock-onelogin/Dockerfile | ||
| # - ecr_repository: modernising-lpa/create-s3-batch-replication-job | ||
| # path: ./lambda/create_s3_replication_job/Dockerfile | ||
| # - ecr_repository: modernising-lpa/event-received | ||
| # path: ./docker/event-received/Dockerfile | ||
| # - ecr_repository: modernising-lpa/mock-onelogin | ||
| # path: ./docker/mock-onelogin/Dockerfile | ||
| runs-on: ubuntu-latest | ||
| name: ${{ matrix.ecr_repository }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ inputs.checkout_tag }} | ||
| - name: Build ${{ matrix.ecr_repository }} Image | ||
| id: build_image | ||
| run: | | ||
| docker build -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} . | ||
| - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }} | ||
| id: trivy_scan | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| image-ref: ${{ matrix.ecr_repository }}:latest | ||
| severity: 'HIGH,CRITICAL' | ||
| format: 'sarif' | ||
| output: 'trivy-results.sarif' | ||
| - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }} | ||
| id: trivy_upload_sarif | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| if: always() | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/[email protected] | ||
| - name: Set up Docker Buildx | ||
| uses: docker/[email protected] | ||
| with: | ||
| sarif_file: 'trivy-results.sarif' | ||
| version: v0.12.0 | ||
| platforms: linux/amd64,linux/arm64 | ||
|
|
||
| # - name: Build ${{ matrix.ecr_repository }} Image | ||
| # uses: docker/[email protected] | ||
| # with: | ||
| # context: . | ||
| # file: ${{ matrix.path }} | ||
| # push: false | ||
| # tags: | | ||
| # ${{ matrix.ecr_repository }}:${{ inputs.tag }} | ||
| # build-args: | | ||
| # TAG=${{inputs.tag}} | ||
|
|
||
| # id: build_image | ||
| # run: | | ||
| # docker buildx build \ | ||
| # -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} . | ||
| # - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }} | ||
| # id: trivy_scan | ||
| # uses: aquasecurity/[email protected] | ||
| # with: | ||
| # image-ref: ${{ matrix.ecr_repository }}:latest | ||
| # severity: 'HIGH,CRITICAL' | ||
| # format: 'sarif' | ||
| # output: 'trivy-results.sarif' | ||
| # - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }} | ||
| # id: trivy_upload_sarif | ||
| # uses: github/codeql-action/upload-sarif@v2 | ||
| # if: always() | ||
| # with: | ||
| # sarif_file: 'trivy-results.sarif' | ||
|
|
||
| - uses: unfor19/install-aws-cli-action@v1 | ||
| - name: Configure AWS Credentials | ||
| uses: aws-actions/[email protected] | ||
|
|
@@ -74,14 +95,42 @@ jobs: | |
| with: | ||
| mask-password: true | ||
| registries: 311462405659 | ||
| - name: Push ${{ matrix.ecr_repository }} Image to ECR | ||
| env: | ||
| ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} | ||
| ECR_REPOSITORY: ${{ matrix.ecr_repository }} | ||
| run: | | ||
| docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} | ||
| if ${{ github.workflow == 'Path To Live' }}; then | ||
| docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:latest | ||
| docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} | ||
| fi | ||
| docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY | ||
| - name: Push ${{ matrix.ecr_repository }} Image to ECR for PR | ||
| if: ${{ github.workflow != 'Path To Live' }} | ||
| uses: docker/[email protected] | ||
| with: | ||
| context: . | ||
| file: ${{ matrix.path }} | ||
| push: true | ||
| tags: | | ||
| ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:${{ inputs.tag }} | ||
| build-args: | | ||
| TAG=${{inputs.tag}} | ||
| - name: Push ${{ matrix.ecr_repository }} Image to ECR for Path to Live | ||
| if: ${{ github.workflow == 'Path To Live' }} | ||
| uses: docker/[email protected] | ||
| with: | ||
| context: . | ||
| file: ${{ matrix.path }} | ||
| push: true | ||
| tags: | | ||
| ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:main-${{ inputs.tag }} | ||
| ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:latest | ||
| build-args: | | ||
| TAG=${{inputs.tag}} | ||
| # env: | ||
| # ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} | ||
| # ECR_REPOSITORY: ${{ matrix.ecr_repository }} | ||
| # run: | | ||
| # if ${{ github.workflow == 'Path To Live' }}; then | ||
| # docker buildx build \ | ||
| # --push \ | ||
| # -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \ | ||
| # --build-arg TAG=${{inputs.tag}} . | ||
| # else | ||
| # docker buildx build \ | ||
| # --push \ | ||
| # -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} \ | ||
| # --build-arg TAG=${{inputs.tag}} . | ||
| # fi | ||
Oops, something went wrong.