tools: trivy_operator: fix Trivy operator findings description and me… #243
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "NCA: build Docker images and package Helm chart" | |
env: | |
DD_REGISTRY_INTERNAL: "docker-registry-internal.extranet.netcetera.biz" | |
DD_REGISTRY_INTERNAL_RELEASE: "docker-registry-internal-release.extranet.netcetera.biz" | |
DD_PATH: "/nca-459-7/defectdojo" | |
GIT_USERNAME: "DefectDojo NCA release bot" | |
GIT_EMAIL: "[email protected]" | |
HELM_CHARTS_BRANCH_PREFIX: "helm-charts-nca" | |
on: | |
workflow_dispatch: | |
push: | |
branch: | |
# uncomment this (and update to the current major version) if you want an | |
# image built for each commit | |
#- tag-2.16.1-NCA | |
# nca/X naming is used in actions below, adjust accordingly if needed | |
- nca/feature/* | |
tag: | |
- nca/release/* | |
# On each push to the aforementioned branches or tags with names matching the | |
# pattern above, the following happens: | |
# | |
# - Depending on Git reference name (branch or tag name) we determine a release | |
# for a would-be artifact. | |
# - nca/release/<RESULTING NAME> | |
# - nca/feature/<RESULTING NAME> | |
# - tag-VERSION-NCA --> VERSION-nca-GIT_SHA_FIRST_8_CHARS, i.e. 2.16.1-nca-abcdef | |
# | |
# - Note that when pushing to nca/feature branch or creating a nca/release tag, | |
# the artifacts will have the same name (will overwrite the previous | |
# versions). However, when pushing to tag-VERSION-NCA branch, each resulting | |
# artifact will be unique. | |
# | |
# - We also determine if it is a release build or just a test build. This | |
# affects on where the resulting image will be pushed to. | |
# | |
# - Docker images (nginx and django) are built. They are tagged with release | |
# determined above and pushed to repositories stated in environment variables | |
# above. The same image is pushed to both repositories. | |
# | |
# - Helm chart is packaged. | |
# - Helm package is pushed to the release named as 'helm-<RESULTING NAME>'. | |
# - The package is stored under a subdirectory named in the same way as Docker | |
# image (described above). | |
# - index.yaml file is pushed to a branch named 'helm-charts-nca-<RESULTING name>'. | |
# The branch is created from helm-charts upstream branch. Changes are pushed | |
# force flag. | |
jobs: | |
build_images: | |
name: build and push DefectDojo Docker images | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
docker-image: [django, nginx] | |
os: [debian] | |
platform: [amd64] | |
steps: | |
- name: set Docker tag to the release | |
if: ${{ startsWith(github.ref_name, 'nca/release/') }} | |
run: | | |
echo "RELEASE_VERSION=${GITHUB_REF_NAME#nca/release/}" >> $GITHUB_ENV | |
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL_RELEASE}" >> $GITHUB_ENV | |
echo "DD_REPO=${DD_REGISTRY_INTERNAL_RELEASE}${DD_PATH}" >> $GITHUB_ENV | |
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}" >> $GITHUB_ENV | |
- name: set Docker tag to the feature branch name | |
if: ${{ startsWith(github.ref_name, 'nca/feature/') }} | |
run: | | |
echo "RELEASE_VERSION=${GITHUB_REF_NAME#nca/feature/}" >> $GITHUB_ENV | |
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL}" >> $GITHUB_ENV | |
echo "DD_REPO=${DD_REGISTRY_INTERNAL}${DD_PATH}" >> $GITHUB_ENV | |
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}-${RELEASE_VERSION}" >> $GITHUB_ENV | |
- name: set Docker tag to the main branch name and hash | |
if: ${{ startsWith(github.ref_name, 'tag-') }} | |
run: | | |
RELEASE_VERSION="${GITHUB_REF_NAME#tag-}" | |
echo "RELEASE_VERSION=$(echo $RELEASE_VERSION | tr '[:upper:]' '[:lower:]')-${GITHUB_SHA:0:8}" >> $GITHUB_ENV | |
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL}" >> $GITHUB_ENV | |
echo "DD_REPO=${DD_REGISTRY_INTERNAL}${DD_PATH}" >> $GITHUB_ENV | |
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}-${RELEASE_VERSION}" >> $GITHUB_ENV | |
- name: reporting the resulting versions | |
run: | | |
echo building docker image tag ${{ env.RELEASE_VERSION }} | |
echo packaging Helm chart into ${{ env.NCA_HELM_BRANCH }} branch | |
- name: checkout the repo | |
uses: actions/checkout@v4 | |
- name: Set 8.8.8.8 as dns server | |
run: | | |
sudo sed -i 's/#DNS=/DNS=8.8.8.8 8.8.4.4/g' /etc/systemd/resolved.conf | |
sudo systemctl daemon-reload | |
sudo systemctl restart systemd-networkd | |
sudo systemctl restart systemd-resolved | |
- name: login to Docker repository | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.DD_REGISTRY }} | |
username: ${{ secrets.NCA_REPO_USERNAME }} | |
password: ${{ secrets.NCA_REPO_PASSWORD }} | |
- name: setup Docker buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: cache Docker layers | |
uses: actions/cache@v4 | |
env: | |
docker-image: ${{ matrix.docker-image }} | |
with: | |
path: /tmp/.buildx-cache-${{ env.docker-image }} | |
key: ${{ runner.os }}-buildx-${{ env.docker-image }}-${{ github.sha }}-${{ github.run_id }} | |
restore-keys: | | |
${{ runner.os }}-buildx-${{ env.docker-image }}-${{ github.sha }} | |
${{ runner.os }}-buildx-${{ env.docker-image }}- | |
- name: storing Netcetera Active Directory certificate in would-be container | |
env: | |
AD_CERT: ${{ secrets.AD_CERT }} | |
run: echo "$AD_CERT" > docker/certs/ad-ca.crt | |
- name: build and push image | |
uses: docker/build-push-action@v5 | |
env: | |
docker-image: ${{ matrix.docker-image }} | |
with: | |
push: true | |
tags: ${{ env.DD_REPO }}/defectdojo-${{ env.docker-image}}:${{ env.RELEASE_VERSION }} | |
file: ./Dockerfile.${{ env.docker-image }}-debian | |
context: . | |
cache-from: type=local,src=/tmp/.buildx-cache-${{ env.docker-image }} | |
cache-to: type=local,dest=/tmp/.buildx-cache-${{ env.docker-image }} | |
package_helm: | |
name: package Helm chart | |
runs-on: ubuntu-latest | |
steps: | |
# the first steps must be copy-pasted from above | |
- name: set Docker tag to the release | |
if: ${{ startsWith(github.ref_name, 'nca/release/') }} | |
run: | | |
echo "RELEASE_VERSION=${GITHUB_REF_NAME#nca/release/}" >> $GITHUB_ENV | |
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL_RELEASE}" >> $GITHUB_ENV | |
echo "DD_REPO=${DD_REGISTRY_INTERNAL_RELEASE}${DD_PATH}" >> $GITHUB_ENV | |
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}" >> $GITHUB_ENV | |
- name: set Docker tag to the feature branch name | |
if: ${{ startsWith(github.ref_name, 'nca/feature/') }} | |
run: | | |
echo "RELEASE_VERSION=${GITHUB_REF_NAME#nca/feature/}" >> $GITHUB_ENV | |
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL}" >> $GITHUB_ENV | |
echo "DD_REPO=${DD_REGISTRY_INTERNAL}${DD_PATH}" >> $GITHUB_ENV | |
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}-${RELEASE_VERSION}" >> $GITHUB_ENV | |
- name: set Docker tag to the main branch name and hash | |
if: ${{ startsWith(github.ref_name, 'tag-') }} | |
run: | | |
RELEASE_VERSION="${GITHUB_REF_NAME#tag-}" | |
echo "RELEASE_VERSION=$(echo $RELEASE_VERSION | tr '[:upper:]' '[:lower:]')-${GITHUB_SHA:0:8}" >> $GITHUB_ENV | |
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL}" >> $GITHUB_ENV | |
echo "DD_REPO=${DD_REGISTRY_INTERNAL}${DD_PATH}" >> $GITHUB_ENV | |
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}-${RELEASE_VERSION}" >> $GITHUB_ENV | |
- name: reporting the resulting versions | |
run: | | |
echo building docker image tag ${{ env.RELEASE_VERSION }} | |
echo packaging Helm chart into ${{ env.NCA_HELM_BRANCH }} branch | |
- name: checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: install Helm | |
uses: azure/setup-helm@v3 | |
with: | |
version: v3.4.0 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: configure Helm repos | |
run: | | |
helm repo add bitnami https://charts.bitnami.com/bitnami | |
helm dependency list ./helm/defectdojo | |
helm dependency update ./helm/defectdojo | |
- name: package Helm chart | |
id: package-helm-chart | |
run: | | |
mkdir build | |
helm package helm/defectdojo/ --destination ./build | |
echo "chart_version=$(ls build | sed 's|defectdojo-||' | sed 's|\.tgz||')" >> $GITHUB_ENV | |
app_version=$(helm show chart helm/defectdojo/ | grep appVersion) | |
echo "app_version=${app_version#appVersion: }" >> $GITHUB_ENV | |
echo "NCA_HELM_RELEASE=helm-${{ env.RELEASE_VERSION }}" >> $GITHUB_ENV | |
- name: create a release | |
id: create_release | |
uses: softprops/action-gh-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GITHUB_REPOSITORY: netceteragroup/django-DefectDojo | |
with: | |
draft: false | |
prerelease: false | |
files: ./build/defectdojo-${{ env.chart_version }}.tgz | |
name: Release ${{ env.NCA_HELM_RELEASE }} | |
tag_name: ${{ env.NCA_HELM_RELEASE }} | |
target_commitish: ${{ github.sha }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: update Helm repository index | |
run: | | |
git config --global user.name "${{ env.GIT_USERNAME }}" | |
git config --global user.email "${{ env.GIT_EMAIL }}" | |
git remote update | |
git fetch --all | |
git stash | |
git checkout -b "${{ env.NCA_HELM_BRANCH }}" origin/helm-charts | |
if [ ! -f ./index.yaml ]; then | |
helm repo index ./build --url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/download/${{ env.NCA_HELM_RELEASE }}/" | |
else | |
helm repo index ./build --url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/download/${{ env.NCA_HELM_RELEASE }}/" --merge ./index.yaml | |
fi | |
cp -f ./build/index.yaml ./index.yaml | |
git add ./index.yaml | |
git commit -m "Update index.yaml" | |
git push -f -u origin "${{ env.NCA_HELM_BRANCH }}" |