Update Minor & Patch Updates #patch #33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "[Build]" | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: write | |
| security-events: write | |
| actions: read | |
| checks: read | |
| deployments: none | |
| issues: none | |
| packages: none | |
| pull-requests: read | |
| repository-projects: none | |
| statuses: none | |
| jobs: | |
| # generate a branch name | |
| branch_name: | |
| name: "Generate a safe branch name" | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
| # generate workspace name | |
| workspace_name: | |
| name: "Generate the workspace name" | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
| # SAST | |
| # codeql for go | |
| codeql_analysis: | |
| name: "Run CodeQL against the code base" | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
| with: | |
| application_languages: '["go"]' | |
| # generate tag | |
| semver_tag: | |
| needs: [branch_name, codeql_analysis] | |
| name: "Generate the semver tag value" | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
| with: | |
| branch_name: ${{ needs.branch_name.outputs.parsed }} | |
| secrets: inherit | |
| # Docker build, trivy scan, ECR push as a matrix | |
| # The matrix loops over each app to build in a complicated | |
| # structure | |
| # ADD IN ECR PUSH | |
| build_scan_push: | |
| name: "Docker build, trivy scan, ECR push" | |
| runs-on: ubuntu-latest | |
| # require all steps before this matrix to have passed | |
| needs: [branch_name, workspace_name, semver_tag] | |
| strategy: | |
| fail-fast: true | |
| matrix: | |
| # services to scan over | |
| data: | |
| - docker_build_directory: "./service-app" | |
| image_app_name: "helloworld" | |
| test_command: "go test ./..." | |
| # we use these a few times, so its easier to generate them once and env | |
| # vars are visible in the output, so helps with debug | |
| env: | |
| local_docker_image: ${{ matrix.data.image_app_name }}:latest | |
| sarif_file: trivy-results.sarif | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Show environment values | |
| run: | | |
| echo "local_docker_image: ${{ env.local_docker_image }}" | |
| echo "sarif_file: ${{ env.sarif_file }}" | |
| # build our sample docker image | |
| - name: Docker build | |
| # set the working directory to the variable | |
| working-directory: ${{ matrix.data.docker_build_directory }} | |
| run: | | |
| docker build -t ${{ env.local_docker_image }} . | |
| # log in to ECR | |
| - name: Configure AWS Credentials With Assumed Role to Management | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: eu-west-1 | |
| # management account role | |
| role-to-assume: arn:aws:iam::311462405659:role/sirius-actions-ci | |
| role-duration-seconds: 900 | |
| role-session-name: OPGScanningWorkflowGithubAction | |
| - name: ECR Login | |
| id: login_ecr | |
| uses: aws-actions/[email protected] | |
| with: | |
| registries: 311462405659 | |
| # to check if things worked, output docker image list | |
| - name: Docker image list | |
| run: | | |
| docker images | |
| - name: Trivy scan | |
| uses: aquasecurity/[email protected] | |
| env: | |
| TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2 | |
| TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1 | |
| with: | |
| image-ref: ${{ env.local_docker_image }} | |
| severity: "HIGH,CRITICAL" | |
| format: "sarif" | |
| output: ${{ env.sarif_file }} | |
| - name: Trivy scan upload to github | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: ${{ env.sarif_file }} | |
| # for a lot of our services, there could be a test process here | |
| - name: Run Tests | |
| working-directory: ${{ matrix.data.docker_build_directory }} | |
| env: | |
| PROJECT_PATH: service-app | |
| run: | | |
| ${{ matrix.data.test_command }} | |
| ###### | |
| ## Push to ECR | |
| ###### | |
| - name: Push Container | |
| env: | |
| SEMVER_TAG: ${{ needs.semver_tag.outputs.tag }} | |
| ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} | |
| ECR_REPOSITORY: sirius/scanning/app | |
| run: | | |
| docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:${{ env.SEMVER_TAG }} | |
| docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:latest | |
| docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY | |
| end: | |
| name: "End of workflow" | |
| runs-on: "ubuntu-latest" | |
| needs: | |
| [ | |
| branch_name, | |
| workspace_name, | |
| semver_tag, | |
| build_scan_push, | |
| ] | |
| steps: | |
| - name: "End" | |
| run: | | |
| echo "Done" |