From 3b510208bc3d0772f7ceda5ca1da8bfd5cc8f9a2 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Wed, 18 Dec 2024 15:02:12 +0100 Subject: [PATCH 01/14] feat: scan images --- .github/workflows/kubernetes.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 2251398..2e8f7e1 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -210,6 +210,11 @@ jobs: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ steps.vars.outputs.version }} ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ github.sha }} + - name: Scan for vulnerabilities + if: inputs.repository_kind == 'github' && matrix.containerfile_targets == '' + uses: crazy-max/ghaction-container-scan@v3 + with: + image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest - name: Build and push ${{ matrix.containerfile_targets }} image to GitHub if: inputs.repository_kind == 'github' && matrix.containerfile_targets != '' uses: docker/build-push-action@v6 
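Review bot: The new `Scan for vulnerabilities` step runs after the preceding `docker/build-push-action` step has already pushed with `push: true`, so a finding cannot keep a vulnerable image out of the registry, and since no `severity_threshold` is given the step appears to be report-only and will not fail the job either (worth confirming against the action's documented defaults). Scan the locally built image before the push, or at minimum set `severity_threshold: HIGH` so the job fails and the deployment status is reported as failed. `crazy-max/ghaction-container-scan@v3` is a mutable tag for a third-party action running on a runner that holds registry credentials; pin it to a commit SHA the way this file already pins `ad-m/github-push-action`. The same applies to the three sibling scan steps added further down in this patch.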
@@ -231,6 +236,11 @@ jobs: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ steps.vars.outputs.version }} ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }} target: ${{ matrix.containerfile_targets }} + - name: Scan for vulnerabilities + if: inputs.repository_kind == 'github' && matrix.containerfile_targets == '' + uses: crazy-max/ghaction-container-scan@v3 + with: + image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest - name: Configure AWS credentials if: inputs.repository_kind == 'ecr' uses: aws-actions/configure-aws-credentials@v2 @@ -276,6 +286,11 @@ jobs: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ steps.vars.outputs.version }} ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ github.sha }} + - name: Scan for vulnerabilities + if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets == '' + uses: crazy-max/ghaction-container-scan@v3 + with: + image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest - name: Build and push ${{ matrix.containerfile_targets }} image to ECR if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets != '' uses: docker/build-push-action@v6 
@@ -297,6 +312,11 @@ jobs: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ steps.vars.outputs.version }} ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }} target: ${{ matrix.containerfile_targets }} + - name: Scan for vulnerabilities + if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets != '' + uses: crazy-max/ghaction-container-scan@v3 + with: + image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest consecutive: needs: [parallel] environment: ${{ github.event.deployment.payload.env }} From 25878e6e4d90ab22cb81b6ab4419f9b5561e5551 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Thu, 19 Dec 2024 10:59:25 +0100 Subject: [PATCH 02/14] turn matrix off for now --- .github/workflows/kubernetes.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 2e8f7e1..ba26f96 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -128,9 +128,9 @@ jobs: environment: ${{ github.event.deployment.payload.env }} # concurrency: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} - strategy: - matrix: - containerfile_targets: ${{ fromJson(inputs.imageTargets) }} + # strategy: + # matrix: + # containerfile_targets: ${{ fromJson(inputs.imageTargets) }} outputs: channel-id: ${{ steps.vars.outputs.channel-id }} version: ${{ steps.vars.outputs.version }} From 0cce09bcffee3a465c795b1959f3a0c8195031fa Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Thu, 19 Dec 2024 14:09:03 +0100 Subject: [PATCH 03/14] split build and push steps --- .github/workflows/kubernetes.yaml | 34 +++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index ba26f96..6928ad7 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -190,7 +190,7 @@ jobs: registry: ${{ inputs.registryHostname }} username: ${{ inputs.registryUsername }} password: ${{ secrets.repoAccessToken }} - - name: Build and push image to GitHub + - name: Build image if: inputs.repository_kind == 'github' && matrix.containerfile_targets == '' uses: docker/build-push-action@v6 with: @@ -205,7 +205,6 @@ jobs: context: ${{ github.event.deployment.payload.container.context }} file: ${{ github.event.deployment.payload.container.file }} platforms: linux/amd64 - push: true tags: | ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ steps.vars.outputs.version }} @@ -215,7 +214,12 @@ jobs: uses: crazy-max/ghaction-container-scan@v3 with: image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest - - name: Build and push ${{ matrix.containerfile_targets }} image to GitHub + dockerfile: Containerfile + - name: Push ${{ matrix.containerfile_targets }} image to GitHub + if: inputs.repository_kind == 'github' && matrix.containerfile_targets == '' + run: | + docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} + - name: Build ${{ matrix.containerfile_targets }} image if: inputs.repository_kind == 'github' && matrix.containerfile_targets != '' uses: docker/build-push-action@v6 with: 
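Review bot: The scan step's `dockerfile: Containerfile` is hardcoded while the build two steps up uses `file: ${{ github.event.deployment.payload.container.file }}`, so the Dockerfile misconfiguration check may look at a file that does not exist in the checkout; use the same expression for both. `docker push -a` pushes every local tag under that repository name, not just the three built here, and on a persistent self-hosted runner (`runs-on: ${{ inputs.runner }}`) that can republish stale tags from earlier runs, so push the `latest`, version and `github.sha` tags explicitly instead. As of this patch the scan still has no `severity_threshold`, so nothing between build and push actually stops a failing image from being pushed.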
@@ -230,17 +234,21 @@ jobs: context: ${{ github.event.deployment.payload.container.context }} file: ${{ github.event.deployment.payload.container.file }} platforms: linux/amd64 - push: true tags: | ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ steps.vars.outputs.version }} ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }} target: ${{ matrix.containerfile_targets }} - name: Scan for vulnerabilities - if: inputs.repository_kind == 'github' && matrix.containerfile_targets == '' + if: inputs.repository_kind == 'github' && matrix.containerfile_targets != '' uses: crazy-max/ghaction-container-scan@v3 with: image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest + dockerfile: Containerfile + - name: Push ${{ matrix.containerfile_targets }} image to ECR + if: inputs.repository_kind == 'github' && matrix.containerfile_targets != '' + run: | + docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} - name: Configure AWS credentials if: inputs.repository_kind == 'ecr' uses: aws-actions/configure-aws-credentials@v2 @@ -266,7 +274,7 @@ jobs: if: inputs.repository_kind == 'ecr' id: login-ecr uses: aws-actions/amazon-ecr-login@v2 - - name: Build and push image to ECR + - name: Build image if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets == '' uses: docker/build-push-action@v6 with: 
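Review bot: The step added under `inputs.repository_kind == 'github'` is named `Push … image to ECR` although it pushes to `${{ inputs.registryHostname }}`; rename it to `Push ${{ matrix.containerfile_targets }} image to GitHub` so a failed push is attributed to the right registry in the run log. As in the single-image case, this push uses `docker push -a`, which publishes whatever local tags exist under that name rather than only the three tags built in this job.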
@@ -281,7 +289,6 @@ jobs: context: ${{ github.event.deployment.payload.container.context }} file: ${{ github.event.deployment.payload.container.file }} platforms: linux/amd64 - push: true tags: | ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ steps.vars.outputs.version }} @@ -291,7 +298,12 @@ jobs: uses: crazy-max/ghaction-container-scan@v3 with: image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest - - name: Build and push ${{ matrix.containerfile_targets }} image to ECR + dockerfile: Containerfile + - name: Push image to ECR + if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets == '' + run: | + docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }} + - name: Build ${{ matrix.containerfile_targets }} image if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets != '' uses: docker/build-push-action@v6 with: @@ -306,7 +318,6 @@ jobs: context: ${{ github.event.deployment.payload.container.context }} file: ${{ github.event.deployment.payload.container.file }} platforms: linux/amd64 - push: true tags: | ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ steps.vars.outputs.version }} 
@@ -317,6 +328,11 @@ jobs: uses: crazy-max/ghaction-container-scan@v3 with: image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest + dockerfile: Containerfile + - name: Push ${{ matrix.containerfile_targets }} image to ECR + if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets != '' + run: | + docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} consecutive: needs: [parallel] environment: ${{ github.event.deployment.payload.env }} From 52d3cf28dc9cc8d573819a03ae6c7e961e62f1f4 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Thu, 19 Dec 2024 14:37:35 +0100 Subject: [PATCH 04/14] add load: true --- .github/workflows/kubernetes.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 6928ad7..92a114c 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -203,6 +203,7 @@ jobs: cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} cache-to: type=inline context: ${{ github.event.deployment.payload.container.context }} + load: true file: ${{ github.event.deployment.payload.container.file }} platforms: linux/amd64 tags: | @@ -232,6 +233,7 @@ jobs: cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} cache-to: type=inline context: ${{ github.event.deployment.payload.container.context }} + load: true file: ${{ github.event.deployment.payload.container.file }} platforms: linux/amd64 tags: | 
@@ -287,6 +289,7 @@ jobs: cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} cache-to: type=inline context: ${{ github.event.deployment.payload.container.context }} + load: true file: ${{ github.event.deployment.payload.container.file }} platforms: linux/amd64 tags: | @@ -316,6 +319,7 @@ jobs: cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} cache-to: type=inline context: ${{ github.event.deployment.payload.container.context }} + load: true file: ${{ github.event.deployment.payload.container.file }} platforms: linux/amd64 tags: | From 47e3a92a2dafb9904d1a0980483d4bce3612630d Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 20 Dec 2024 12:40:27 +0100 Subject: [PATCH 05/14] split build and push in 4 separate jobs --- .github/workflows/kubernetes.yaml | 245 +++++++++++++++++++++--------- 1 file changed, 172 insertions(+), 73 deletions(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 92a114c..851e48f 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -123,17 +123,19 @@ on: AWS_ACCOUNT_ID: required: true description: AWS Account ID + +env: + IMAGE_SCAN_SEVERITY: LOW + IMAGE_SCAN_SEVERITY_THRESHOLD: CRITICAL + IMAGE_SCAN_ANNOTATIONS: true + jobs: - parallel: + initialize: environment: ${{ github.event.deployment.payload.env }} - # concurrency: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} - # strategy: - # matrix: - # containerfile_targets: ${{ fromJson(inputs.imageTargets) }} outputs: - channel-id: ${{ steps.vars.outputs.channel-id }} - version: ${{ steps.vars.outputs.version }} + channel-id: ${{ needs.initialize.outputs.channel-id }} + version: ${{ needs.initialize.outputs.version }} steps: - name: Load deployment variables id: vars 
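Review bot: The renamed `initialize` job declares `channel-id: ${{ needs.initialize.outputs.channel-id }}` and `version: ${{ needs.initialize.outputs.version }}` as its own outputs, but a job cannot reference itself through `needs`; these should remain `${{ steps.vars.outputs.channel-id }}` and `${{ steps.vars.outputs.version }}`, otherwise every downstream `needs.initialize.outputs.version` (image tags, the `VERSION` build-arg, the yq version bump) resolves to empty. The new `IMAGE_SCAN_SEVERITY_THRESHOLD: CRITICAL` means HIGH findings are annotated but never block a push; if that is deliberate it deserves a comment next to the env block, e.g. `# HIGH findings are annotated only; CRITICAL fails the job and skips the push`.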
@@ -166,6 +168,13 @@ jobs: environment: ${{ github.event.deployment.payload.env }} state: "in_progress" token: ${{ github.token }} + + image-build-github-single: + if: inputs.repository_kind == 'github' && matrix.containerfile_targets == '' + needs: [initialize] + environment: ${{ github.event.deployment.payload.env }} + runs-on: ${{ inputs.runner }} + steps: - name: Checkout current git repository uses: actions/checkout@v3 - if: inputs.preScript != '' @@ -181,22 +190,20 @@ jobs: with: name: ${{ inputs.artifactName }} path: ${{ inputs.artifactPath }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - name: Login to Container Registry - if: inputs.repository_kind == 'github' uses: docker/login-action@v3 with: registry: ${{ inputs.registryHostname }} username: ${{ inputs.registryUsername }} password: ${{ secrets.repoAccessToken }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 - name: Build image - if: inputs.repository_kind == 'github' && matrix.containerfile_targets == '' uses: docker/build-push-action@v6 with: build-args: | GITHUB_SHA=${{ github.sha }} - VERSION=${{ steps.vars.outputs.version }} + VERSION=${{ needs.initialize.outputs.version }} APP_NAME=${{ github.event.deployment.payload.name }} ENVIRONMENT=${{ github.event.deployment.payload.env }} NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} 
@@ -208,49 +215,41 @@ jobs: platforms: linux/amd64 tags: | ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ steps.vars.outputs.version }} + ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ needs.initialize.outputs.version }} ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ github.sha }} - name: Scan for vulnerabilities - if: inputs.repository_kind == 'github' && matrix.containerfile_targets == '' uses: crazy-max/ghaction-container-scan@v3 with: image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest dockerfile: Containerfile + severity: ${{ env.IMAGE_SCAN_SEVERITY }} + severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} + annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - name: Push ${{ matrix.containerfile_targets }} image to GitHub - if: inputs.repository_kind == 'github' && matrix.containerfile_targets == '' run: | docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} - - name: Build ${{ matrix.containerfile_targets }} image - if: inputs.repository_kind == 'github' && matrix.containerfile_targets != '' - uses: docker/build-push-action@v6 - with: - build-args: | - GITHUB_SHA=${{ github.sha }} - VERSION=${{ steps.vars.outputs.version }} - APP_NAME=${{ github.event.deployment.payload.name }} - ENVIRONMENT=${{ github.event.deployment.payload.env }} - NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} - cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} - cache-to: type=inline - context: ${{ github.event.deployment.payload.container.context }} - load: true - file: ${{ 
github.event.deployment.payload.container.file }} - platforms: linux/amd64 - tags: | - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ steps.vars.outputs.version }} - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }} - target: ${{ matrix.containerfile_targets }} - - name: Scan for vulnerabilities - if: inputs.repository_kind == 'github' && matrix.containerfile_targets != '' - uses: crazy-max/ghaction-container-scan@v3 - with: - image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest - dockerfile: Containerfile - - name: Push ${{ matrix.containerfile_targets }} image to ECR - if: inputs.repository_kind == 'github' && matrix.containerfile_targets != '' + + image-build-ecr-single: + if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets == '' + needs: [initialize] + environment: ${{ github.event.deployment.payload.env }} + runs-on: ${{ inputs.runner }} + steps: + - if: inputs.preScript != '' + name: Run script before the docker image is built run: | - docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} + echo "Run '${{ inputs.preScript }}'" + ${{ inputs.preScript }} + env: + NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} + - if: inputs.artifactPath != '' && inputs.artifactName != '' + name: Download artifact + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.artifactName }} + path: ${{ inputs.artifactPath }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 - name: Configure AWS credentials 
if: inputs.repository_kind == 'ecr' uses: aws-actions/configure-aws-credentials@v2 
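Review bot: The new `image-build-ecr-single` job has no `actions/checkout` step before `Run script before the docker image is built` and the build, unlike `image-build-github-single`, so on a fresh runner the build context `${{ github.event.deployment.payload.container.context }}` will not exist; add `- name: Checkout current git repository` / `uses: actions/checkout@v3` as the first step. The `if: inputs.repository_kind == 'ecr'` kept on the AWS credentials step is redundant now that the job-level `if` guarantees it, and inconsistent with the sibling steps whose conditions were removed. The ECR path authenticates with long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets; that predates this patch, but since the steps are being rewritten it would be the moment to switch to OIDC (`permissions: id-token: write` plus `role-to-assume`) so no static keys live in GitHub secrets. The job's remaining steps are in the next hunk.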
@@ -259,30 +258,20 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: eu-central-1 - name: Create ECR repository if it doesn't exist - if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets == '' run: | aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }} || \ aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }} LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}' aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }} --lifecycle-policy-text "$LIFECYCLE_POLICY" - - name: Create ${{ matrix.containerfile_targets }} ECR repository if it doesn't exist - if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets != '' - run: | - aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} || \ - aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} - LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}' - aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} --lifecycle-policy-text "$LIFECYCLE_POLICY" - name: Login to Amazon ECR - if: inputs.repository_kind == 'ecr' id: login-ecr uses: aws-actions/amazon-ecr-login@v2 - name: Build image - if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets == '' uses: docker/build-push-action@v6 with: build-args: | GITHUB_SHA=${{ github.sha }} - VERSION=${{ steps.vars.outputs.version }} + VERSION=${{ needs.initialize.outputs.version }} APP_NAME=${{ 
github.event.deployment.payload.name }} ENVIRONMENT=${{ github.event.deployment.payload.env }} NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} 
@@ -294,25 +283,133 @@ jobs: platforms: linux/amd64 tags: | ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ steps.vars.outputs.version }} + ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ needs.initialize.outputs.version }} ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ github.sha }} - name: Scan for vulnerabilities - if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets == '' + if: inputs.repository_kind == 'ecr' uses: crazy-max/ghaction-container-scan@v3 with: image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest dockerfile: Containerfile + severity: ${{ env.IMAGE_SCAN_SEVERITY }} + severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} + annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - name: Push image to ECR - if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets == '' + if: inputs.repository_kind == 'ecr' run: | docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }} + + image-build-github-matrix: + if: inputs.repository_kind == 'github' && matrix.containerfile_targets != '' + needs: [initialize] + environment: ${{ github.event.deployment.payload.env }} + runs-on: ${{ inputs.runner }} + strategy: + matrix: + containerfile_targets: ${{ fromJson(inputs.imageTargets) }} + steps: + - name: Checkout current git repository + uses: actions/checkout@v3 + - if: inputs.preScript != '' + name: Run script before the docker image is built + run: | + echo "Run '${{ inputs.preScript }}'" + ${{ inputs.preScript }} + env: + NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} + - if: inputs.artifactPath != '' && inputs.artifactName != '' + name: Download artifact + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.artifactName }} + path: 
${{ inputs.artifactPath }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - name: Login to Container Registry + uses: docker/login-action@v3 + with: + registry: ${{ inputs.registryHostname }} + username: ${{ inputs.registryUsername }} + password: ${{ secrets.repoAccessToken }} + - name: Build ${{ matrix.containerfile_targets }} image + uses: docker/build-push-action@v6 + with: + build-args: | + GITHUB_SHA=${{ github.sha }} + VERSION=${{ needs.initialize.outputs.version }} + APP_NAME=${{ github.event.deployment.payload.name }} + ENVIRONMENT=${{ github.event.deployment.payload.env }} + NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} + cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} + cache-to: type=inline + context: ${{ github.event.deployment.payload.container.context }} + load: true + file: ${{ github.event.deployment.payload.container.file }} + platforms: linux/amd64 + tags: | + ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest + ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ needs.initialize.outputs.version }} + ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }} + target: ${{ matrix.containerfile_targets }} + - name: Scan for vulnerabilities + uses: crazy-max/ghaction-container-scan@v3 + with: + image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest + dockerfile: Containerfile + severity: ${{ env.IMAGE_SCAN_SEVERITY }} + severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} + annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} + - name: Push ${{ 
matrix.containerfile_targets }} image to ECR + run: | + docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} + + image-build-ecr-matrix: + if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets != '' + needs: [initialize] + environment: ${{ github.event.deployment.payload.env }} + runs-on: ${{ inputs.runner }} + strategy: + matrix: + containerfile_targets: ${{ fromJson(inputs.imageTargets) }} + steps: + - name: Checkout current git repository + uses: actions/checkout@v3 + - if: inputs.preScript != '' + name: Run script before the docker image is built + run: | + echo "Run '${{ inputs.preScript }}'" + ${{ inputs.preScript }} + env: + NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} + - if: inputs.artifactPath != '' && inputs.artifactName != '' + name: Download artifact + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.artifactName }} + path: ${{ inputs.artifactPath }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: eu-central-1 + - name: Create ${{ matrix.containerfile_targets }} ECR repository if it doesn't exist + run: | + aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} || \ + aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} + LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}' + aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets 
}} --lifecycle-policy-text "$LIFECYCLE_POLICY" + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 - name: Build ${{ matrix.containerfile_targets }} image - if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets != '' uses: docker/build-push-action@v6 with: build-args: | GITHUB_SHA=${{ github.sha }} - VERSION=${{ steps.vars.outputs.version }} + VERSION=${{ needs.initialize.outputs.version }} APP_NAME=${{ github.event.deployment.payload.name }} ENVIRONMENT=${{ github.event.deployment.payload.env }} NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} 
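Review bot: Both new matrix jobs pass `NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}` as a `build-args` entry; build args are recorded in the image's layer history (`docker history`), and with `cache-to: type=inline` the cache metadata is pushed alongside the image, so the read token travels to the registry with every image (the single-image jobs inherit the same pattern). Pass it via build-push-action's `secrets:` input (`secrets: | NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}`) and consume it in the Containerfile with `RUN --mount=type=secret,id=NPM_GITHUB_TOKEN`, which keeps it out of the layers. The `aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-…` and `docker push -a …` lines expand deployment-payload values directly into `run:` shell text; the payload is supplied by whoever creates the deployment through the API, so route those values through `env:` and reference them quoted (`"$APP_NAME-$TARGET"`) instead. The push step in `image-build-github-matrix` is also labelled `to ECR` while pushing to `inputs.registryHostname`.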
@@ -324,21 +421,23 @@ jobs: platforms: linux/amd64 tags: | ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ steps.vars.outputs.version }} + ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ needs.initialize.outputs.version }} ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }} target: ${{ matrix.containerfile_targets }} - name: Scan for vulnerabilities - if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets != '' uses: crazy-max/ghaction-container-scan@v3 with: image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest dockerfile: Containerfile + severity: ${{ env.IMAGE_SCAN_SEVERITY }} + severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} + annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - name: Push ${{ matrix.containerfile_targets }} image to ECR - if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets != '' run: | docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} - consecutive: - needs: [parallel] + + commit: + needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} steps: 
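Review bot: `commit` now only `needs: [initialize]`, so the deployment-repo version bump runs in parallel with, not after, the four image-build jobs: the version is committed even if a build fails, the scan exceeds `severity_threshold`, or the push never happens, which removes the gate the scan was meant to provide. List the build jobs as dependencies and accept skipped ones explicitly, e.g. `needs: [initialize, image-build-github-single, image-build-ecr-single, image-build-github-matrix, image-build-ecr-matrix]` together with `if: ${{ !cancelled() && !contains(needs.*.result, 'failure') }}`, since a job skipped by its own `if` would otherwise cause `commit` to be skipped as well. The rest of the `commit` job is in the following hunks.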
@@ -354,19 +453,19 @@ jobs: name: Update ${{ github.event.deployment.payload.name }} version for ${{ github.event.deployment.environment }} values uses: mikefarah/yq@v4.30.8 with: - cmd: yq '(.${{ github.event.deployment.payload.chart }}.image.tag = "${{ needs.parallel.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/${{ github.event.deployment.payload.namespace }}/${{ github.event.deployment.payload.env }}/${{ github.event.deployment.payload.name }}/${{ inputs.versionFilePath }} + cmd: yq '(.${{ github.event.deployment.payload.chart }}.image.tag = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/${{ github.event.deployment.payload.namespace }}/${{ github.event.deployment.payload.env }}/${{ github.event.deployment.payload.name }}/${{ inputs.versionFilePath }} - if: github.event.deployment.payload.schemaVersion == 'v2' name: Update ${{ github.event.deployment.payload.name }} version for ${{ github.event.deployment.environment }} values uses: mikefarah/yq@v4.30.8 with: - cmd: yq '(.${{ github.event.deployment.payload.kubernetes.versionKey }} = "${{ needs.parallel.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/${{ github.event.deployment.payload.kubernetes.namespace }}/${{ github.event.deployment.payload.env }}/${{ github.event.deployment.payload.name }}/${{ inputs.versionFilePath }} + cmd: yq '(.${{ github.event.deployment.payload.kubernetes.versionKey }} = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/${{ github.event.deployment.payload.kubernetes.namespace }}/${{ github.event.deployment.payload.env }}/${{ github.event.deployment.payload.name }}/${{ inputs.versionFilePath }} - name: Commit deployment file run: | cd remote git config --global user.email "${{ inputs.botEmail }}" git config --global user.name "${{ inputs.registryUsername }}" git add . 
- git commit --allow-empty -m "chore(${{ github.event.deployment.payload.name }}): set ${{ github.event.deployment.payload.env }} version to ${{ needs.parallel.outputs.version }}" + git commit --allow-empty -m "chore(${{ github.event.deployment.payload.name }}): set ${{ github.event.deployment.payload.env }} version to ${{ needs.initialize.outputs.version }}" - name: Push changes to ${{ inputs.deploymentRepoURL }} git repository uses: ad-m/github-push-action@0fafdd62b84042d49ec0cb92d9cac7f7ce4ec79e with: @@ -393,14 +492,14 @@ jobs: environment: ${{ github.event.deployment.payload.env }} state: "failure" token: ${{ github.token }} - - if: success() && needs.parallel.outputs.channel-id != '' + - if: success() && needs.initialize.outputs.channel-id != '' name: Notify ${{ github.event.deployment.payload.name }} deployment success continue-on-error: true uses: darioblanco/slack-deployment@main env: SLACK_BOT_TOKEN: ${{ secrets.slackBotToken }} with: - channel_id: ${{ needs.parallel.outputs.channel-id }} + channel_id: ${{ needs.initialize.outputs.channel-id }} deployment_description: ${{ github.event.deployment.payload.description == null && 'No description' || github.event.deployment.payload.description }} deployment_name: ${{ github.event.deployment.payload.name == null && 'unknown' || github.event.deployment.payload.name }} environment: ${{ github.event.deployment.payload.env == null && 'unknown' || github.event.deployment.payload.env }} @@ -411,7 +510,7 @@ jobs: sha: ${{ github.sha }} status_url: ${{ github.event.deployment.payload.statusUrl == null && 'https://github.com' || github.event.deployment.payload.statusUrl }} url: ${{ github.event.deployment.payload.url == null && 'https://github.com' || github.event.deployment.payload.url }} - version: ${{ needs.parallel.outputs.version }} + version: ${{ needs.initialize.outputs.version }} - if: success() && inputs.sentryOrg != '' && inputs.sentryProject != '' name: Create Sentry release uses: getsentry/action-release@v1 
@@ -423,7 +522,7 @@ jobs: with: environment: ${{ inputs.sentryEnvironment != '' && inputs.sentryEnvironment || github.event.deployment.payload.env }} set_commits: skip - version: ${{ needs.parallel.outputs.version }} + version: ${{ needs.initialize.outputs.version }} continue-on-error: true - name: Clean up images uses: actions/delete-package-versions@v4 From e10eeb122b8615d9338ad411e8d792e079b483ef Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 20 Dec 2024 12:48:18 +0100 Subject: [PATCH 06/14] replace matrix with input --- .github/workflows/kubernetes.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 851e48f..c254b4e 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -170,7 +170,7 @@ jobs: token: ${{ github.token }} image-build-github-single: - if: inputs.repository_kind == 'github' && matrix.containerfile_targets == '' + if: inputs.repository_kind == 'github' && fromJson(inputs.imageTargets) == '' needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} @@ -230,7 +230,7 @@ jobs: docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} image-build-ecr-single: - if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets == '' + if: inputs.repository_kind == 'ecr' && fromJson(inputs.imageTargets) == '' needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} 
@@ -300,7 +300,7 @@ jobs: docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }} image-build-github-matrix: - if: inputs.repository_kind == 'github' && matrix.containerfile_targets != '' + if: inputs.repository_kind == 'github' && fromJson(inputs.imageTargets) != '' needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} @@ -364,7 +364,7 @@ jobs: docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} image-build-ecr-matrix: - if: inputs.repository_kind == 'ecr' && matrix.containerfile_targets != '' + if: inputs.repository_kind == 'ecr' && fromJson(inputs.imageTargets) != '' needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} From 5481d38c63ff95e8284f3b76565bbd7aa9105bb0 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 20 Dec 2024 12:54:23 +0100 Subject: [PATCH 07/14] try default value --- .github/workflows/kubernetes.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index c254b4e..695f23d 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -30,6 +30,7 @@ on: imageTargets: required: false description: If provided, sets targets for as many image builds as targets specified + default: "" type: string preScript: required: false @@ -170,7 +171,7 @@ jobs: token: ${{ github.token }} image-build-github-single: - if: inputs.repository_kind == 'github' && fromJson(inputs.imageTargets) == '' + if: inputs.repository_kind == 'github' && inputs.imageTargets == '' needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} 
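Review bot: In the `@@ -30,6 +30,7 @@` hunk of PATCH 07/14 the `imageTargets` input gains `default: ""`, but its description still does not say what a non-empty value looks like, even though the job conditions in this and the previous patch compare it against `''` and the matrix jobs presumably hand it to fromJson; a caller cannot tell whether to pass a JSON array, a comma-separated list or a single target name. I would make the description explicit, e.g. `description: JSON array of Containerfile target names, e.g. '["api","worker"]' (constructed example); leave empty to build a single untargeted image` — adjust to whatever the matrix strategy actually parses. The `inputs.imageTargets != ''` job conditions also mean a value such as `[]` selects the matrix jobs rather than the single build, which is probably fine but worth a one-line comment next to the conditions.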
@@ -230,7 +231,7 @@ jobs: docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} image-build-ecr-single: - if: inputs.repository_kind == 'ecr' && fromJson(inputs.imageTargets) == '' + if: inputs.repository_kind == 'ecr' && inputs.imageTargets == '' needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} @@ -300,7 +301,7 @@ jobs: docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }} image-build-github-matrix: - if: inputs.repository_kind == 'github' && fromJson(inputs.imageTargets) != '' + if: inputs.repository_kind == 'github' && inputs.imageTargets != '' needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} @@ -364,7 +365,7 @@ jobs: docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} image-build-ecr-matrix: - if: inputs.repository_kind == 'ecr' && fromJson(inputs.imageTargets) != '' + if: inputs.repository_kind == 'ecr' && inputs.imageTargets != '' needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} From 81c1ac9f995c3dd3be662d2f7fc036458851828b Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 20 Dec 2024 13:14:10 +0100 Subject: [PATCH 08/14] fix outputs --- .github/workflows/kubernetes.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 695f23d..305ef80 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml 
@@ -135,8 +135,8 @@ jobs: environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} outputs: - channel-id: ${{ needs.initialize.outputs.channel-id }} - version: ${{ needs.initialize.outputs.version }} + channel-id: ${{ steps.vars.outputs.channel-id }} + version: ${{ steps.vars.outputs.version }} steps: - name: Load deployment variables id: vars From 6f73baef67d31e72c39e057d433702adacbcfee9 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 20 Dec 2024 13:19:09 +0100 Subject: [PATCH 09/14] add git checkout step --- .github/workflows/kubernetes.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 305ef80..ca75b10 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -236,6 +236,8 @@ jobs: environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} steps: + - name: Checkout current git repository + uses: actions/checkout@v3 - if: inputs.preScript != '' name: Run script before the docker image is built run: | From 2e316cba20b5ade0c16665ac52d8d03fa946be50 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 20 Dec 2024 14:10:21 +0100 Subject: [PATCH 10/14] remove matrix reference from single github build --- .github/workflows/kubernetes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index ca75b10..43554f0 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -226,7 +226,7 @@ jobs: severity: ${{ env.IMAGE_SCAN_SEVERITY }} severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - - name: Push ${{ matrix.containerfile_targets }} image to GitHub + - name: Push image to GitHub run: | docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} 
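Review bot: The checkout step added in PATCH 09/14 pins `actions/checkout@v3` to a floating major tag, whereas the push step earlier in this series (`ad-m/github-push-action@0fafdd62b84042d49ec0cb92d9cac7f7ce4ec79e`) is pinned to a full commit SHA; pinning this one to a commit SHA as well keeps the workflow's supply-chain posture consistent, and v3 also runs on the deprecated Node 16 runtime, so `actions/checkout@v4` at a pinned SHA is the better target. The step keeps the action's default `persist-credentials: true`, which stores the job token in the checked-out repository's git config; since this job only builds and pushes an image, `with: persist-credentials: false` is the least-privilege setting. The enclosing job definition starts outside the hunk.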
From af78e83482fbedc7fc171887adaec0251e84808c Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 7 Jan 2025 11:23:18 +0100 Subject: [PATCH 11/14] try to use required env input variable --- .github/workflows/kubernetes.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 43554f0..5b672f0 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -27,6 +27,9 @@ on: description: The repository within Github that holds the version file to deploy via GitOps default: parcelLab/deployment type: string + env: + required: true + description: Environment variable value passed from the deployment.yaml imageTargets: required: false description: If provided, sets targets for as many image builds as targets specified From bc9eded297d5b28bd885fa895b43dd10105b569f Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 7 Jan 2025 11:34:46 +0100 Subject: [PATCH 12/14] try steps with env check --- .github/workflows/kubernetes.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 5b672f0..67560e5 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -27,9 +27,6 @@ on: description: The repository within Github that holds the version file to deploy via GitOps default: parcelLab/deployment type: string - env: - required: true - description: Environment variable value passed from the deployment.yaml imageTargets: required: false description: If provided, sets targets for as many image builds as targets specified 
@@ -141,6 +138,12 @@ jobs: channel-id: ${{ steps.vars.outputs.channel-id }} version: ${{ steps.vars.outputs.version }} steps: + - name: Check if 'env' input is provided + run: | + if [ -z "${{ github.event.deployment.payload.env }}" ]; then + echo "ERROR: 'env' input is missing or empty!" + exit 1 + fi - name: Load deployment variables id: vars run: | From 8ea8fbf270787d93a92ba042ecaf40de4eb5f475 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 7 Jan 2025 11:58:12 +0100 Subject: [PATCH 13/14] set type properly --- .github/workflows/kubernetes.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 67560e5..9baf8ea 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -27,6 +27,10 @@ on: description: The repository within Github that holds the version file to deploy via GitOps default: parcelLab/deployment type: string + env: + required: true + description: The application environment. Can be test, staging or prod. + type: string imageTargets: required: false description: If provided, sets targets for as many image builds as targets specified @@ -138,12 +142,6 @@ jobs: channel-id: ${{ steps.vars.outputs.channel-id }} version: ${{ steps.vars.outputs.version }} steps: - - name: Check if 'env' input is provided - run: | - if [ -z "${{ github.event.deployment.payload.env }}" ]; then - echo "ERROR: 'env' input is missing or empty!" - exit 1 - fi - name: Load deployment variables id: vars run: | From 501c93c31f2e58f68ecd0326d7171db5f5794209 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 7 Jan 2025 13:07:24 +0100 Subject: [PATCH 14/14] test other approach --- .github/workflows/kubernetes.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 9baf8ea..67560e5 100644 --- a/.github/workflows/kubernetes.yaml 
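Review bot: The "Check if 'env' input is provided" step added in PATCH 12/14 (and re-added verbatim in the `@@ -142,6 +138,12 @@` hunk of PATCH 14/14) interpolates `${{ github.event.deployment.payload.env }}` straight into the `run:` script, so the raw payload value is substituted into the shell text before bash parses it and anyone able to create a deployment controls that text. Pass the value through the environment instead and let the shell read it as a variable: add `env:` and `DEPLOY_ENV: ${{ github.event.deployment.payload.env }}` to the step, and change the test to `if [ -z "$DEPLOY_ENV" ]; then`. This keeps the empty/null check working and is the same fix the other `run:` blocks in this workflow that splice payload fields into shell commands would benefit from.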
+++ b/.github/workflows/kubernetes.yaml @@ -27,10 +27,6 @@ on: description: The repository within Github that holds the version file to deploy via GitOps default: parcelLab/deployment type: string - env: - required: true - description: The application environment. Can be test, staging or prod. - type: string imageTargets: required: false description: If provided, sets targets for as many image builds as targets specified @@ -142,6 +138,12 @@ jobs: channel-id: ${{ steps.vars.outputs.channel-id }} version: ${{ steps.vars.outputs.version }} steps: + - name: Check if 'env' input is provided + run: | + if [ -z "${{ github.event.deployment.payload.env }}" ]; then + echo "ERROR: 'env' input is missing or empty!" + exit 1 + fi - name: Load deployment variables id: vars run: |