Skip to content
Deploy

Deploy #21

Sign in to view logs

Deploy

Deploy #21

Workflow file for this run

.github/workflows/cd-pipeline.yml at 5310e96
name: Deploy
on: workflow_dispatch
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIAL }}
- name: Deploy Container App
uses: azure/container-apps-deploy-action@v1
with:
imageToDeploy: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest
containerAppName: devops-app
containerAppEnvironment: devops-app-env
resourceGroup: devsecops-lab
location: australiaeast
targetPort: 5000
- name: Install Cosign
uses: sigstore/[email protected]
- name: Verify image signature
env:
IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/devops-labs:latest
GITHUB_ISSUER: https://token.actions.githubusercontent.com
# CERT_IDENTITY_REGEXP: https://github.com/.*/devsecops-lab-app/.github/workflows/ci-pipeline.yml.*
CERT_IDENTITY_REGEXP: https://github.com/.*/IATD-DevSecOps/.github/workflows/ci-pipeline.yml.*
run: |
cosign verify $IMAGE --certificate-identity-regexp $CERT_IDENTITY_REGEXP --certificate-oidc-issuer $GITHUB_ISSUER
submit_results:
needs: [deploy]
if: true
runs-on: ubuntu-latest
steps:
- uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIAL }}
- name: Azure CLI script
id: token-gen
uses: azure/CLI@v1
with:
#azcliversion: latest
azcliversion: 2.37.0
inlineScript: |
ACCESS_TOKEN=$(az account get-access-token | jq -r .accessToken)
echo "azureAccessToken=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
- name: Upload reports
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
AZURE_ACCESS_TOKEN: ${{ steps.token-gen.outputs.azureAccessToken }}
run: |
export FQDN=$(az containerapp show -n devops-app -g devsecops-lab --query properties.configuration.ingress.fqdn -o tsv)
echo "FQDN: $FQDN"
WEEK2_SUBMIT=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" -d "https://$FQDN" https://devsecops-ver.azurewebsites.net/api/week2-submit)
echo "Week2 submit: $WEEK2_SUBMIT"
MODEL_RESPONSE=$(curl -X POST -H "Authorization: Bearer $AZURE_ACCESS_TOKEN" --data-binary @$GITHUB_WORKSPACE/threat-model/ci-pipeline.json https://devsecops-ver.azurewebsites.net/api/week6-report)
echo "Model report upload: $MODEL_RESPONSE"