Skip to content

1.3.22.bb627b5

1.3.22.bb627b5 #184

Workflow file for this run

name: Prereleased
on:
release:
types:
- prereleased
env:
COMPONENT: aws-adapter
COMPONENT_PATH: distributions/aws/
PRIVATE_ECR_REGION: ${{ secrets.AWS_ECR_REGION }}
ECR_ROLE_ARN: ${{ secrets.AWS_ECR_ROLE_ARN }}
DOCKER_REPOSITORY: aws-adapter
CONTAINER: aws-adapter-container-image
DOCKERHUB_REGISTRY: ydata
DOCKER_REPOSITORY_PREFIX: aws-adapter
AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
SBOM_FILENAME: docker-sbom
NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
permissions:
id-token: write
contents: read
packages: read
jobs:
cancel_previous:
name: 'Cancel Previous Runs'
runs-on: ubuntu-22.04
timeout-minutes: 3
steps:
- uses: ydataai/[email protected]
with:
ignore_sha: true
access_token: ${{ secrets.ACCESS_TOKEN }}
prepare:
name: Prepare
runs-on: ubuntu-22.04
needs:
- cancel_previous
outputs:
version: ${{ steps.version.outputs.value }}
steps:
- name: Version
id: version
run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
build:
name: Build
runs-on: ubuntu-22.04
needs:
- prepare
strategy:
fail-fast: true
matrix:
package: [metering, quota]
steps:
- uses: actions/checkout@v4
- name: Build Docker Image
id: docker_build
uses: docker/build-push-action@v5
env:
DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY }}/${{ matrix.package }}:${{ needs.prepare.outputs.version }}
with:
build-args: |
COMPILE_CMD=${{ matrix.package }}
context: .
push: false
load: true
tags: ${{ env.DOCKER_IMAGE_TAG }}
- name: Create Docker SBOM
uses: anchore/sbom-action@v0
with:
upload-artifact-retention: 1
image: ${{ steps.docker_build.outputs.imageId }}
format: spdx-json
upload-release-assets: false
output-file: ${{ env.SBOM_FILENAME }}.spdx.json
- name: Scan SBOM
id: scan_sbom
uses: anchore/scan-action@v3
with:
sbom: ${{ env.SBOM_FILENAME }}.spdx.json
output-format: sarif
fail-build: false
- name: Determine number of noticiable vulnerabilities
id: count_vulnerabilities
run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }}
aws-region: ${{ env.AWS_S3_REGION }}
- name: Copy SBOM to S3
run: |
aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
- name: Update Notion Page
uses: ydataai/update-notion-page@v1
env:
STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
with:
notion_secret: ${{ secrets.NOTION_SECRET }}
notion_database_id: ${{ env.NOTION_DATABASE_ID }}
notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ env.ECR_ROLE_ARN }}
aws-region: ${{ env.PRIVATE_ECR_REGION }}
- name: Login to Amazon ECR
id: ecr_password
uses: aws-actions/amazon-ecr-login@v2
- name: Push Docker Image
env:
DOCKER_IMAGE_TAG: ${{ steps.ecr_password.outputs.registry }}/${{ env.DOCKER_REPOSITORY }}/${{ matrix.package }}:${{ needs.prepare.outputs.version }}
run: |
docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
docker push ${{ env.DOCKER_IMAGE_TAG }}
- name: Login to Dockerhub Registry
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Push Docker Image
env:
DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_PREFIX }}-${{ matrix.package }}:${{ needs.prepare.outputs.version }}
run: |
docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
docker push ${{ env.DOCKER_IMAGE_TAG }}
update-manifests:
name: Update Manifests
runs-on: ubuntu-22.04
needs:
- prepare
- build
strategy:
fail-fast: true
max-parallel: 1
matrix:
package: [metering, quota]
steps:
- name: Checkout Manifests repo
uses: actions/checkout@v4
with:
repository: ydataai/manifests
token: ${{ secrets.ACCESS_TOKEN }}
- uses: imranismail/setup-kustomize@v2
with:
kustomize-version: ${{ secrets.KUSTOMIZE_VERSION }}
- name: Update kustomization image tag
env:
CONTAINER_PKG: ${{ matrix.package }}-${{ env.CONTAINER }}
DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY }}/${{ matrix.package }}:${{ needs.prepare.outputs.version }}
VERSION: ${{ needs.prepare.outputs.version }}
run: |
cd ${COMPONENT_PATH}
kustomize edit set image ${CONTAINER_PKG}=${DOCKER_IMAGE_TAG}
- name: setup-yq
uses: chrisdickinson/[email protected]
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
- name: Change cronjob on metering
if: matrix.package == 'metering'
env:
DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_PREFIX }}-${{ matrix.package }}:${{ needs.prepare.outputs.version }}
run: |
cd ${COMPONENT_PATH}
yq w -i metering-adapter/base/cronjob.yaml 'spec.jobTemplate.spec.template.spec.containers[0].image' ${DOCKER_IMAGE_TAG}
- name: Change deployment on quota
if: matrix.package == 'quota'
env:
DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_PREFIX }}-${{ matrix.package }}:${{ needs.prepare.outputs.version }}
run: |
cd ${COMPONENT_PATH}
yq w -i quota-adapter/base/deployment.yaml 'spec.template.spec.containers[0].image' ${DOCKER_IMAGE_TAG}
- name: Commit and push image update into manifests repo
env:
VERSION: ${{ needs.prepare.outputs.version }}
run: |
git config user.email "[email protected]"
git config user.name "Azory YData Bot"
git commit -a -m "chore(bump): [CI] [DEV] bump ${{ env.COMPONENT }} package ${{ matrix.package }} to $VERSION"
git push origin master