From e9673b5596ed1f9f98739f95350a92fdb82d79f2 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 17 Jan 2025 09:44:13 +0100 Subject: [PATCH 01/18] try separated workflow --- .github/workflows/build.yaml | 356 ++++++++++++++++++++++++++++++ .github/workflows/kubernetes.yaml | 299 ++----------------------- 2 files changed, 375 insertions(+), 280 deletions(-) create mode 100644 .github/workflows/build.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml new file mode 100644 index 0000000..40abf00 --- /dev/null +++ b/.github/workflows/build.yaml 
@@ -0,0 +1,356 @@
+name: Reusable image build workflow with options to push to ECR or GitHub Registry
+on:
+ workflow_call:
+ inputs:
+ artifactName:
+ required: false
+ description: If provided, downloads a previously uploaded artifact (has to be in the same workflow). Both artifactPath and artifactName have to be passed.
+ default: ""
+ type: string
+ artifactPath:
+ required: false
+ description: If provided, downloads a previously uploaded artifact (has to be in the same workflow). Both artifactPath and artifactName have to be passed.
+ default: ""
+ type: string
+ IMAGE_SCAN_SEVERITY:
+ required: true
+ default: LOW
+ type: string
+ IMAGE_SCAN_SEVERITY_THRESHOLD:
+ required: true
+ default: CRITICAL
+ type: string
+ IMAGE_SCAN_ANNOTATIONS:
+ required: true
+ default: true
+ type: bool
+ IMAGE_SCAN_TRIVY_TIMEOUT:
+ required: true
+ default: 10m
+ type: string
+ imageTargets:
+ required: false
+ description: If provided, sets targets for as many image builds as targets specified
+ default: ""
+ type: string
+ preScript:
+ required: false
+ description: If provided, runs a script after repo checkout and before the docker image is built. Useful in case that you need to build a package outside of the docker image (and load the artifacts via copy).
+ default: ""
+ type: string
+ registryHostname:
+ required: false
+ description: The hostname for the container registry
+ default: ghcr.io
+ type: string
+ registryOrg:
+ required: false
+ description: The registry organization
+ default: parcellab
+ type: string
+ registryUsername:
+ required: false
+ description: The username for the container registry
+ default: parcellab-dev-bot
+ type: string
+ repository_kind:
+ required: false
+ description: The kind of repository (github or ecr)
+ default: "github"
+ type: string
+ runner:
+ required: false
+ description: Runner type
+ default: ubuntu-latest
+ type: string
+ version:
+ required: true
+ type: string
+ secrets:
+ npmGithubReadToken:
+ required: true
+ description: The Github token with permissions to read NPM private packages
+ repoAccessToken:
+ required: true
+ description: The Github token to perform operations cross-repo (not github.token!)
+ AWS_ACCESS_KEY_ID:
+ required: true
+ description: Access key ID for AWS credentials
+ AWS_SECRET_ACCESS_KEY:
+ required: true
+ description: Secet for AWS access key ID
+
+jobs:
+ build-github-single:
+ if: inputs.repository_kind == 'github' && inputs.imageTargets == ''
+ environment: ${{ github.event.deployment.payload.env }}
+ runs-on: ${{ inputs.runner }}
+ steps:
+ - name: Checkout current git repository
+ uses: actions/checkout@v4
+ - if: inputs.preScript != ''
+ name: Run script before the docker image is built
+ run: |
+ echo "Run '${{ inputs.preScript }}'"
+ ${{ inputs.preScript }}
+ env:
+ NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }}
+ - if: inputs.artifactPath != '' && inputs.artifactName != ''
+ name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ inputs.artifactName }}
+ path: ${{ inputs.artifactPath }}
+ - name: Login to Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ inputs.registryHostname }}
+ username: ${{ inputs.registryUsername }}
+ password: ${{ secrets.repoAccessToken }}
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+ - name: Build image
+ uses: docker/build-push-action@v6
+ with:
+ build-args: |
+ GITHUB_SHA=${{ github.sha }}
+ VERSION=${{ inputs.version }}
+ APP_NAME=${{ github.event.deployment.payload.name }}
+ ENVIRONMENT=${{ github.event.deployment.payload.env }}
+ NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}
+ cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}
+ cache-to: type=inline
+ context: ${{ github.event.deployment.payload.container.context }}
+ load: true
+ file: ${{ github.event.deployment.payload.container.file }}
+ platforms: linux/amd64
+ tags: |
+ ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest
+ ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ inputs.version }}
+ ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ github.sha }}
+ - name: Scan for vulnerabilities
+ uses: crazy-max/ghaction-container-scan@v3
+ with:
+ image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest
+ dockerfile: Containerfile
+ severity: ${{ env.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
+ env:
+ TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ - name: Push image to GitHub
+ run: |
+ docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}
+
+ build-ecr-single:
+ if: inputs.repository_kind == 'ecr' && inputs.imageTargets == ''
+ environment: ${{ github.event.deployment.payload.env }}
+ runs-on: ${{ inputs.runner }}
+ steps:
+ - name: Checkout current git repository
+ uses: actions/checkout@v4
+ - if: inputs.preScript != ''
+ name: Run script before the docker image is built
+ run: |
+ echo "Run '${{ inputs.preScript }}'"
+ ${{ inputs.preScript }}
+ env:
+ NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }}
+ - if: inputs.artifactPath != '' && inputs.artifactName != ''
+ name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ inputs.artifactName }}
+ path: ${{ inputs.artifactPath }}
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+ - name: Configure AWS credentials
+ if: inputs.repository_kind == 'ecr'
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: eu-central-1
+ - name: Create ECR repository if it doesn't exist
+ run: |
+ aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }} || \
+ aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }}
+ LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}'
+ aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }} --lifecycle-policy-text "$LIFECYCLE_POLICY"
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+ - name: Build image
+ uses: docker/build-push-action@v6
+ with:
+ build-args: |
+ GITHUB_SHA=${{ github.sha }}
+ VERSION=${{ inputs.version }}
+ APP_NAME=${{ github.event.deployment.payload.name }}
+ ENVIRONMENT=${{ github.event.deployment.payload.env }}
+ NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}
+ cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}
+ cache-to: type=inline
+ context: ${{ github.event.deployment.payload.container.context }}
+ load: true
+ file: ${{ github.event.deployment.payload.container.file }}
+ platforms: linux/amd64
+ tags: |
+ ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest
+ ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ inputs.version }}
+ ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ github.sha }}
+ - name: Scan for vulnerabilities
+ if: inputs.repository_kind == 'ecr'
+ uses: crazy-max/ghaction-container-scan@v3
+ with:
+ image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest
+ dockerfile: Containerfile
+ severity: ${{ env.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
+ env:
+ TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ - name: Push image to ECR
+ if: inputs.repository_kind == 'ecr'
+ run: |
+ docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}
+
+ build-github-matrix:
+ if: inputs.repository_kind == 'github' && inputs.imageTargets != ''
+ environment: ${{ github.event.deployment.payload.env }}
+ runs-on: ${{ inputs.runner }}
+ strategy:
+ matrix:
+ containerfile_targets: ${{ fromJson(inputs.imageTargets) }}
+ steps:
+ - name: Checkout current git repository
+ uses: actions/checkout@v4
+ - if: inputs.preScript != ''
+ name: Run script before the docker image is built
+ run: |
+ echo "Run '${{ inputs.preScript }}'"
+ ${{ inputs.preScript }}
+ env:
+ NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }}
+ - if: inputs.artifactPath != '' && inputs.artifactName != ''
+ name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ inputs.artifactName }}
+ path: ${{ inputs.artifactPath }}
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+ - name: Login to Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ inputs.registryHostname }}
+ username: ${{ inputs.registryUsername }}
+ password: ${{ secrets.repoAccessToken }}
+ - name: Build ${{ matrix.containerfile_targets }} image
+ uses: docker/build-push-action@v6
+ with:
+ build-args: |
+ GITHUB_SHA=${{ github.sha }}
+ VERSION=${{ inputs.version }}
+ APP_NAME=${{ github.event.deployment.payload.name }}
+ ENVIRONMENT=${{ github.event.deployment.payload.env }}
+ NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}
+ cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}
+ cache-to: type=inline
+ context: ${{ github.event.deployment.payload.container.context }}
+ load: true
+ file: ${{ github.event.deployment.payload.container.file }}
+ platforms: linux/amd64
+ tags: |
+ ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest
+ ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ inputs.version }}
+ ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }}
+ target: ${{ matrix.containerfile_targets }}
+ - name: Scan for vulnerabilities
+ uses: crazy-max/ghaction-container-scan@v3
+ with:
+ image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest
+ dockerfile: Containerfile
+ severity: ${{ env.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
+ env:
+ TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ - name: Push ${{ matrix.containerfile_targets }} image to ECR
+ run: |
+ docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}
+
+ build-ecr-matrix:
+ if: inputs.repository_kind == 'ecr' && inputs.imageTargets != ''
+ environment: ${{ github.event.deployment.payload.env }}
+ runs-on: ${{ inputs.runner }}
+ strategy:
+ matrix:
+ containerfile_targets: ${{ fromJson(inputs.imageTargets) }}
+ steps:
+ - name: Checkout current git repository
+ uses: actions/checkout@v4
+ - if: inputs.preScript != ''
+ name: Run script before the docker image is built
+ run: |
+ echo "Run '${{ inputs.preScript }}'"
+ ${{ inputs.preScript }}
+ env:
+ NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }}
+ - if: inputs.artifactPath != '' && inputs.artifactName != ''
+ name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ inputs.artifactName }}
+ path: ${{ inputs.artifactPath }}
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: eu-central-1
+ - name: Create ${{ matrix.containerfile_targets }} ECR repository if it doesn't exist
+ run: |
+ aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} || \
+ aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}
+ LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}'
+ aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} --lifecycle-policy-text "$LIFECYCLE_POLICY"
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+ - name: Build ${{ matrix.containerfile_targets }} image
+ uses: docker/build-push-action@v6
+ with:
+ build-args: |
+ GITHUB_SHA=${{ github.sha }}
+ VERSION=${{ inputs.version }}
+ APP_NAME=${{ github.event.deployment.payload.name }}
+ ENVIRONMENT=${{ github.event.deployment.payload.env }}
+ NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}
+ cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}
+ cache-to: type=inline
+ context: ${{ github.event.deployment.payload.container.context }}
+ load: true
+ file: ${{ github.event.deployment.payload.container.file }}
+ platforms: linux/amd64
+ tags: |
+ ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest
+ ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ inputs.version }}
+ ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }}
+ target: ${{ matrix.containerfile_targets }}
+ - name: Scan for vulnerabilities
+ uses: crazy-max/ghaction-container-scan@v3
+ with:
+ image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest
+ dockerfile: Containerfile
+ severity: ${{ env.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
+ env:
+ TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ - name: Push ${{ matrix.containerfile_targets }} image to ECR
+ run: |
+ docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}
+
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 78cb103..20b1c9d 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
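Review bot: All four "Scan for vulnerabilities" steps read `${{ env.IMAGE_SCAN_SEVERITY }}`, `${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}`, `${{ env.IMAGE_SCAN_ANNOTATIONS }}` and `${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}`, but this new file declares those four names as `workflow_call` inputs and has no `env:` block of its own, and a caller's `env:` (the block this same commit deletes from kubernetes.yaml in the -125 hunk) is not visible inside a called reusable workflow, so the scan gate most likely runs with empty severity and threshold values and whatever the action falls back to; the steps should read `${{ inputs.IMAGE_SCAN_SEVERITY }}` and the other three, or the file needs its own `env:` block. Second, `${{ github.event.deployment.payload.name }}` is expanded verbatim into shell in the "Create ECR repository" and "Push image" `run:` steps; deployment payload fields are caller-supplied data, so the hardening pattern is `env:` with `APP_NAME: ${{ github.event.deployment.payload.name }}` on the step and `--repository-names "$APP_NAME"` in the script, which keeps the value out of the shell parser. Third, every third-party action here (`docker/*`, `aws-actions/*`, `crazy-max/ghaction-container-scan@v3`) is pinned to a mutable major tag; pinning to a full commit SHA with the version in a trailing comment is the usual supply-chain control for a workflow that holds registry and AWS credentials, and `docker/setup-buildx-action@v2` next to `actions/checkout@v4` also suggests the pins have not been reviewed together. Finally, the last step of `build-github-matrix` is named `Push ${{ matrix.containerfile_targets }} image to ECR` but pushes to `${{ inputs.registryHostname }}`, so it should say "to GitHub" like its single-image sibling.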
@@ -125,12 +125,6 @@ on: required: true description: AWS Account ID -env: - IMAGE_SCAN_SEVERITY: LOW - IMAGE_SCAN_SEVERITY_THRESHOLD: CRITICAL - IMAGE_SCAN_ANNOTATIONS: true - IMAGE_SCAN_TRIVY_TIMEOUT: 10m - jobs: initialize: environment: ${{ github.event.deployment.payload.env }} 
@@ -177,285 +171,30 @@ jobs: state: "in_progress" token: ${{ github.token }} - image-build-github-single: - if: inputs.repository_kind == 'github' && inputs.imageTargets == '' - needs: [initialize] - environment: ${{ github.event.deployment.payload.env }} - runs-on: ${{ inputs.runner }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - if: inputs.preScript != '' - name: Run script before the docker image is built - run: | - echo "Run '${{ inputs.preScript }}'" - ${{ inputs.preScript }} - env: - NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} - - if: inputs.artifactPath != '' && inputs.artifactName != '' - name: Download artifact - uses: actions/download-artifact@v4 - with: - name: ${{ inputs.artifactName }} - path: ${{ inputs.artifactPath }} - - name: Login to Container Registry - uses: docker/login-action@v3 - with: - registry: ${{ inputs.registryHostname }} - username: ${{ inputs.registryUsername }} - password: ${{ secrets.repoAccessToken }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - name: Build image - uses: docker/build-push-action@v6 - with: - build-args: | - GITHUB_SHA=${{ github.sha }} - VERSION=${{ needs.initialize.outputs.version }} - APP_NAME=${{ github.event.deployment.payload.name }} - ENVIRONMENT=${{ github.event.deployment.payload.env }} - NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} - cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} - cache-to: type=inline - context: ${{ github.event.deployment.payload.container.context }} - load: true - file: ${{ github.event.deployment.payload.container.file }} - platforms: linux/amd64 - tags: | - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ needs.initialize.outputs.version }} - ${{ 
inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:${{ github.sha }} - - name: Scan for vulnerabilities - uses: crazy-max/ghaction-container-scan@v3 - with: - image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest - dockerfile: Containerfile - severity: ${{ env.IMAGE_SCAN_SEVERITY }} - severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} - annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - env: - TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} - - name: Push image to GitHub - run: | - docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} - - image-build-ecr-single: - if: inputs.repository_kind == 'ecr' && inputs.imageTargets == '' + build: needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - if: inputs.preScript != '' - name: Run script before the docker image is built - run: | - echo "Run '${{ inputs.preScript }}'" - ${{ inputs.preScript }} - env: - NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} - - if: inputs.artifactPath != '' && inputs.artifactName != '' - name: Download artifact - uses: actions/download-artifact@v4 - with: - name: ${{ inputs.artifactName }} - path: ${{ inputs.artifactPath }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - name: Configure AWS credentials - if: inputs.repository_kind == 'ecr' - uses: aws-actions/configure-aws-credentials@v2 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: eu-central-1 - - name: Create ECR repository if it doesn't exist - run: | - aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }} || \ - aws ecr create-repository --repository-name ${{ 
github.event.deployment.payload.name }} - LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}' - aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }} --lifecycle-policy-text "$LIFECYCLE_POLICY" - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - - name: Build image - uses: docker/build-push-action@v6 - with: - build-args: | - GITHUB_SHA=${{ github.sha }} - VERSION=${{ needs.initialize.outputs.version }} - APP_NAME=${{ github.event.deployment.payload.name }} - ENVIRONMENT=${{ github.event.deployment.payload.env }} - NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} - cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} - cache-to: type=inline - context: ${{ github.event.deployment.payload.container.context }} - load: true - file: ${{ github.event.deployment.payload.container.file }} - platforms: linux/amd64 - tags: | - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ needs.initialize.outputs.version }} - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ github.sha }} - - name: Scan for vulnerabilities - if: inputs.repository_kind == 'ecr' - uses: crazy-max/ghaction-container-scan@v3 - with: - image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest - dockerfile: Containerfile - severity: ${{ env.IMAGE_SCAN_SEVERITY }} - severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} - annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - env: - TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} - - name: Push image to ECR - if: inputs.repository_kind == 'ecr' - run: | - 
docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }} - - image-build-github-matrix: - if: inputs.repository_kind == 'github' && inputs.imageTargets != '' - needs: [initialize] - environment: ${{ github.event.deployment.payload.env }} - runs-on: ${{ inputs.runner }} - strategy: - matrix: - containerfile_targets: ${{ fromJson(inputs.imageTargets) }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - if: inputs.preScript != '' - name: Run script before the docker image is built - run: | - echo "Run '${{ inputs.preScript }}'" - ${{ inputs.preScript }} - env: - NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} - - if: inputs.artifactPath != '' && inputs.artifactName != '' - name: Download artifact - uses: actions/download-artifact@v4 - with: - name: ${{ inputs.artifactName }} - path: ${{ inputs.artifactPath }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - name: Login to Container Registry - uses: docker/login-action@v3 - with: - registry: ${{ inputs.registryHostname }} - username: ${{ inputs.registryUsername }} - password: ${{ secrets.repoAccessToken }} - - name: Build ${{ matrix.containerfile_targets }} image - uses: docker/build-push-action@v6 - with: - build-args: | - GITHUB_SHA=${{ github.sha }} - VERSION=${{ needs.initialize.outputs.version }} - APP_NAME=${{ github.event.deployment.payload.name }} - ENVIRONMENT=${{ github.event.deployment.payload.env }} - NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} - cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} - cache-to: type=inline - context: ${{ github.event.deployment.payload.container.context }} - load: true - file: ${{ github.event.deployment.payload.container.file }} - platforms: linux/amd64 - tags: | - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ 
matrix.containerfile_targets }}:latest - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ needs.initialize.outputs.version }} - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }} - target: ${{ matrix.containerfile_targets }} - - name: Scan for vulnerabilities - uses: crazy-max/ghaction-container-scan@v3 - with: - image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest - dockerfile: Containerfile - severity: ${{ env.IMAGE_SCAN_SEVERITY }} - severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} - annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - env: - TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} - - name: Push ${{ matrix.containerfile_targets }} image to ECR - run: | - docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} - - image-build-ecr-matrix: - if: inputs.repository_kind == 'ecr' && inputs.imageTargets != '' - needs: [initialize] - environment: ${{ github.event.deployment.payload.env }} - runs-on: ${{ inputs.runner }} - strategy: - matrix: - containerfile_targets: ${{ fromJson(inputs.imageTargets) }} - steps: - - name: Checkout current git repository - uses: actions/checkout@v3 - - if: inputs.preScript != '' - name: Run script before the docker image is built - run: | - echo "Run '${{ inputs.preScript }}'" - ${{ inputs.preScript }} - env: - NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} - - if: inputs.artifactPath != '' && inputs.artifactName != '' - name: Download artifact - uses: actions/download-artifact@v4 - with: - name: ${{ inputs.artifactName }} - path: ${{ inputs.artifactPath }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - 
name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: eu-central-1 - - name: Create ${{ matrix.containerfile_targets }} ECR repository if it doesn't exist - run: | - aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} || \ - aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} - LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}' - aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} --lifecycle-policy-text "$LIFECYCLE_POLICY" - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - - name: Build ${{ matrix.containerfile_targets }} image - uses: docker/build-push-action@v6 - with: - build-args: | - GITHUB_SHA=${{ github.sha }} - VERSION=${{ needs.initialize.outputs.version }} - APP_NAME=${{ github.event.deployment.payload.name }} - ENVIRONMENT=${{ github.event.deployment.payload.env }} - NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} - cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }} - cache-to: type=inline - context: ${{ github.event.deployment.payload.container.context }} - load: true - file: ${{ github.event.deployment.payload.container.file }} - platforms: linux/amd64 - tags: | - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets 
}}:${{ needs.initialize.outputs.version }} - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }} - target: ${{ matrix.containerfile_targets }} - - name: Scan for vulnerabilities - uses: crazy-max/ghaction-container-scan@v3 - with: - image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest - dockerfile: Containerfile - severity: ${{ env.IMAGE_SCAN_SEVERITY }} - severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} - annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - env: - TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} - - name: Push ${{ matrix.containerfile_targets }} image to ECR - run: | - docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} + uses: parcelLab/ci/.github/workflows/build.yaml@separate-build-step + with: + artifactName: ${{ inputs.artifactName }} + artifactPath: ${{ inputs.artifactPath }} + imageTargets: ${{ inputs.imageTargets }} + preScript: ${{ inputs.preScript }} + registryHostname: ${{ inputs.registryHostname }} + registryOrg: ${{ inputs.registryOrg }} + registryUsername: ${{ inputs.registryUsername }} + repository_kind: ${{ inputs.repository_kind }} + runner: ${{ inputs.runner }} + version: ${{ needs.initialize.outputs.version }} + secrets: + npmGithubReadToken: ${{ secrets.npmGithubReadToken }} + repoAccessToken: ${{ secrets.repoAccessToken }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} commit: - needs: [initialize] + needs: [build] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} steps: From 2d7756d76f26c5b18b11d76b756aca9873b92603 Mon Sep 17 00:00:00 2001 
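Review bot: The new `build` job calls `parcelLab/ci/.github/workflows/build.yaml@separate-build-step`, a branch reference, so every run executes whatever that branch holds at that moment with this workflow's secrets; once the branch is merged the ref should be a tag or full commit SHA (patch 03 in this series pins a SHA, but patch 07 reverts to the branch, so the series ends on the mutable ref). The same job also carries `runs-on:` and `environment:`, which are not accepted on a job that `uses:` a reusable workflow and will fail caller validation; they belong on the jobs inside build.yaml, which already declare `environment:` themselves (patches 04 and 05 drop them). The caller passes none of the `IMAGE_SCAN_*` inputs even though build.yaml marks them `required: true`, so either pass them or make them optional (patch 08 does the latter). Making `commit` depend on `[build]` instead of `[initialize]` is the right fix, though if all four gated inner jobs are skipped (for example a mistyped `repository_kind`) whether `commit` still runs depends on how the skipped callee is reported, which is worth checking once.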
From: Kirill Plis Date: Fri, 17 Jan 2025 09:55:03 +0100 Subject: [PATCH 02/18] inherit secrets --- .github/workflows/kubernetes.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 20b1c9d..bf4077c 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -187,11 +187,7 @@ jobs: repository_kind: ${{ inputs.repository_kind }} runner: ${{ inputs.runner }} version: ${{ needs.initialize.outputs.version }} - secrets: - npmGithubReadToken: ${{ secrets.npmGithubReadToken }} - repoAccessToken: ${{ secrets.repoAccessToken }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + secrets: inherit commit: needs: [build] From 2f9b93673e2a23c6c4ddc17506ad767c610370a5 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 17 Jan 2025 09:55:29 +0100 Subject: [PATCH 03/18] use commit hash --- .github/workflows/kubernetes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index bf4077c..cf064a3 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -175,7 +175,7 @@ jobs: needs: [initialize] environment: ${{ github.event.deployment.payload.env }} runs-on: ${{ inputs.runner }} - uses: parcelLab/ci/.github/workflows/build.yaml@separate-build-step + uses: parcelLab/ci/.github/workflows/build.yaml@2d7756d76f26c5b18b11d76b756aca9873b92603 with: artifactName: ${{ inputs.artifactName }} artifactPath: ${{ inputs.artifactPath }} From ef4d51c8d5786694c59861952f2668f53483118b Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 17 Jan 2025 10:27:59 +0100 Subject: [PATCH 04/18] try without run-on --- .github/workflows/kubernetes.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index cf064a3..e19c22b 100644 
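Review bot: `secrets: inherit` hands every secret in the caller's scope (repository, organization and environment secrets) to the called workflow, whereas the replaced explicit mapping passed exactly the four it needs; if the switch was made because one of the explicit entries was missing or misnamed, the fix is to correct that entry rather than widen the grant. A reusable workflow that receives AWS keys and a cross-repo token is exactly where a least-privilege secret list pays off, so I would keep the explicit `secrets:` mapping with `npmGithubReadToken`, `repoAccessToken`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. If `inherit` has to stay, document the reason on the `build` job, e.g. `# secrets: inherit because <REASON_PLACEHOLDER>`, so the next reader does not have to guess.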
--- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -174,7 +174,6 @@ jobs: build: needs: [initialize] environment: ${{ github.event.deployment.payload.env }} - runs-on: ${{ inputs.runner }} uses: parcelLab/ci/.github/workflows/build.yaml@2d7756d76f26c5b18b11d76b756aca9873b92603 with: artifactName: ${{ inputs.artifactName }} From 4e9ba96a7ce5c3c22d6eea7a5ed0ffc7cf56b598 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 17 Jan 2025 10:31:43 +0100 Subject: [PATCH 05/18] remove environment too --- .github/workflows/kubernetes.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index e19c22b..6a37474 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -173,7 +173,6 @@ jobs: build: needs: [initialize] - environment: ${{ github.event.deployment.payload.env }} uses: parcelLab/ci/.github/workflows/build.yaml@2d7756d76f26c5b18b11d76b756aca9873b92603 with: artifactName: ${{ inputs.artifactName }} From eb7ea10732698668ba6e16042262a95187c33163 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 17 Jan 2025 10:33:26 +0100 Subject: [PATCH 06/18] use boolean instead of bool --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 40abf00..1b8934a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -23,7 +23,7 @@ on: IMAGE_SCAN_ANNOTATIONS: required: true default: true - type: bool + type: boolean IMAGE_SCAN_TRIVY_TIMEOUT: required: true default: 10m From 27bf8292f112f126a86c7ae8a8b8ae7638c56119 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 17 Jan 2025 10:36:23 +0100 Subject: [PATCH 07/18] use branch instead of commit hash --- .github/workflows/kubernetes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 6a37474..178bdaf 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -173,7 +173,7 @@ jobs: build: needs: [initialize] - uses: parcelLab/ci/.github/workflows/build.yaml@2d7756d76f26c5b18b11d76b756aca9873b92603 + uses: parcelLab/ci/.github/workflows/build.yaml@separate-build-step with: artifactName: ${{ inputs.artifactName }} artifactPath: ${{ inputs.artifactPath }} From c0160ae3daac490413c87c73b6b40d96ca0e93ca Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 17 Jan 2025 10:54:41 +0100 Subject: [PATCH 08/18] set image params required to false --- .github/workflows/build.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 1b8934a..7fc347c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -13,19 +13,19 @@ on: default: "" type: string IMAGE_SCAN_SEVERITY: - required: true + required: false default: LOW type: string IMAGE_SCAN_SEVERITY_THRESHOLD: - required: true + required: false default: CRITICAL type: string IMAGE_SCAN_ANNOTATIONS: - required: true + required: false default: true type: boolean IMAGE_SCAN_TRIVY_TIMEOUT: - required: true + required: false default: 10m type: string imageTargets: From fe78acc4eaadd66730bc24954314b7ac32da60bc Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Fri, 17 Jan 2025 11:00:49 +0100 Subject: [PATCH 09/18] move envs for image scanning to inputs --- .github/workflows/build.yaml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 7fc347c..70668aa 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -133,11 +133,11 @@ jobs:
 with:
 image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest
 dockerfile: Containerfile
- severity: ${{ env.IMAGE_SCAN_SEVERITY }}
- severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
- annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
+ severity: ${{ inputs.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ inputs.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ inputs.IMAGE_SCAN_ANNOTATIONS }}
 env:
- TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ TRIVY_TIMEOUT: ${{ inputs.IMAGE_SCAN_TRIVY_TIMEOUT }}
 - name: Push image to GitHub
 run: |
 docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}
@@ -205,11 +205,11 @@ jobs:
 with:
 image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest
 dockerfile: Containerfile
- severity: ${{ env.IMAGE_SCAN_SEVERITY }}
- severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
- annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
+ severity: ${{ inputs.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ inputs.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ inputs.IMAGE_SCAN_ANNOTATIONS }}
 env:
- TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ TRIVY_TIMEOUT: ${{ inputs.IMAGE_SCAN_TRIVY_TIMEOUT }}
 - name: Push image to ECR
 if: inputs.repository_kind == 'ecr'
 run: |
@@ -271,11 +271,11 @@ jobs:
 with:
 image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest
 dockerfile: Containerfile
- severity: ${{ env.IMAGE_SCAN_SEVERITY }}
- severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
- annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
+ severity: ${{ inputs.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ inputs.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ inputs.IMAGE_SCAN_ANNOTATIONS }}
 env:
- TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ TRIVY_TIMEOUT: ${{ inputs.IMAGE_SCAN_TRIVY_TIMEOUT }}
 - name: Push ${{ matrix.containerfile_targets }} image to ECR
 run: |
 docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}
@@ -345,11 +345,11 @@ jobs:
 with:
 image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest
 dockerfile: Containerfile
- severity: ${{ env.IMAGE_SCAN_SEVERITY }}
- severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
- annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
+ severity: ${{ inputs.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ inputs.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ inputs.IMAGE_SCAN_ANNOTATIONS }}
 env:
- TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ TRIVY_TIMEOUT: ${{ inputs.IMAGE_SCAN_TRIVY_TIMEOUT }}
 - name: Push ${{ matrix.containerfile_targets }} image to ECR
 run: |
 docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}
From da43b7375379b4c9f4341e282a1aec25598a9343 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Fri, 17 Jan 2025 11:01:44 +0100
Subject: [PATCH 10/18] move them back to env
---
 .github/workflows/build.yaml | 54 +++++++++++++++---------------------
 1 file changed, 22 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 70668aa..233ec38 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -12,22 +12,6 @@ on:
 description: If provided, downloads a previously uploaded artifact (has to be in the same workflow). Both artifactPath and artifactName have to be passed.
 default: ""
 type: string
- IMAGE_SCAN_SEVERITY:
- required: false
- default: LOW
- type: string
- IMAGE_SCAN_SEVERITY_THRESHOLD:
- required: false
- default: CRITICAL
- type: string
- IMAGE_SCAN_ANNOTATIONS:
- required: false
- default: true
- type: boolean
- IMAGE_SCAN_TRIVY_TIMEOUT:
- required: false
- default: 10m
- type: string
 imageTargets:
 required: false
 description: If provided, sets targets for as many image builds as targets specified
@@ -80,6 +64,12 @@ on:
 required: true
 description: Secet for AWS access key ID
+env:
+ IMAGE_SCAN_SEVERITY: LOW
+ IMAGE_SCAN_SEVERITY_THRESHOLD: CRITICAL
+ IMAGE_SCAN_ANNOTATIONS: true
+ IMAGE_SCAN_TRIVY_TIMEOUT: 10m
+
 jobs:
 build-github-single:
 if: inputs.repository_kind == 'github' && inputs.imageTargets == ''
@@ -133,11 +123,11 @@ jobs:
 with:
 image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}:latest
 dockerfile: Containerfile
- severity: ${{ inputs.IMAGE_SCAN_SEVERITY }}
- severity_threshold: ${{ inputs.IMAGE_SCAN_SEVERITY_THRESHOLD }}
- annotations: ${{ inputs.IMAGE_SCAN_ANNOTATIONS }}
+ severity: ${{ env.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
 env:
- TRIVY_TIMEOUT: ${{ inputs.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
 - name: Push image to GitHub
 run: |
 docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}
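Review bot: `IMAGE_SCAN_ANNOTATIONS: true` in the new workflow-level `env:` block is a YAML boolean while its three siblings are plain strings; GitHub stringifies env values, but writing it as `IMAGE_SCAN_ANNOTATIONS: "true"` makes the string explicit, keeps yamllint's truthy check quiet, and matches how the four step hunks below consume it through `env.*`. Since this hunk reverts PATCH 09, the scan policy is now fixed inside the called workflow instead of being tunable per caller; if that is intended, a comment above the block such as `# Image-scan policy shared by all callers; change here, not via workflow inputs` would record the decision for the next person tempted to move it back.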
@@ -205,11 +195,11 @@ jobs:
 with:
 image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest
 dockerfile: Containerfile
- severity: ${{ inputs.IMAGE_SCAN_SEVERITY }}
- severity_threshold: ${{ inputs.IMAGE_SCAN_SEVERITY_THRESHOLD }}
- annotations: ${{ inputs.IMAGE_SCAN_ANNOTATIONS }}
+ severity: ${{ env.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
 env:
- TRIVY_TIMEOUT: ${{ inputs.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
 - name: Push image to ECR
 if: inputs.repository_kind == 'ecr'
 run: |
@@ -271,11 +261,11 @@ jobs:
 with:
 image: ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest
 dockerfile: Containerfile
- severity: ${{ inputs.IMAGE_SCAN_SEVERITY }}
- severity_threshold: ${{ inputs.IMAGE_SCAN_SEVERITY_THRESHOLD }}
- annotations: ${{ inputs.IMAGE_SCAN_ANNOTATIONS }}
+ severity: ${{ env.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
 env:
- TRIVY_TIMEOUT: ${{ inputs.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
 - name: Push ${{ matrix.containerfile_targets }} image to ECR
 run: |
 docker push -a ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}
@@ -345,11 +335,11 @@ jobs:
 with:
 image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest
 dockerfile: Containerfile
- severity: ${{ inputs.IMAGE_SCAN_SEVERITY }}
- severity_threshold: ${{ inputs.IMAGE_SCAN_SEVERITY_THRESHOLD }}
- annotations: ${{ inputs.IMAGE_SCAN_ANNOTATIONS }}
+ severity: ${{ env.IMAGE_SCAN_SEVERITY }}
+ severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
+ annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
 env:
- TRIVY_TIMEOUT: ${{ inputs.IMAGE_SCAN_TRIVY_TIMEOUT }}
+ TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
 - name: Push ${{ matrix.containerfile_targets }} image to ECR
 run: |
 docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}
From 69bbfbab1e92f678226a9ed7514669873ebab76b Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Fri, 17 Jan 2025 11:33:14 +0100
Subject: [PATCH 11/18] run prettier
---
 .github/workflows/build.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 233ec38..77d8a08 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -343,4 +343,3 @@ jobs:
 - name: Push ${{ matrix.containerfile_targets }} image to ECR
 run: |
 docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}
-
From 5c88b553c1bb50ea1e44c80b4deef6cf7547d3c4 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Fri, 17 Jan 2025 12:37:05 +0100
Subject: [PATCH 12/18] rename
---
 .github/workflows/{build.yaml => build-image.yaml} | 0
 .github/workflows/kubernetes.yaml | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename .github/workflows/{build.yaml => build-image.yaml} (100%)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build-image.yaml
similarity index 100%
rename from .github/workflows/build.yaml
rename to .github/workflows/build-image.yaml
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 178bdaf..ae4c3d2 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -173,7 +173,7 @@ jobs:
 build:
 needs: [initialize]
- uses: parcelLab/ci/.github/workflows/build.yaml@separate-build-step
+ uses: parcelLab/ci/.github/workflows/build-image.yaml@separate-build-step
 with:
 artifactName: ${{ inputs.artifactName }}
 artifactPath: ${{ inputs.artifactPath }}
From 089784fea252ce438b47c7e898c749de96b59aad Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Fri, 17 Jan 2025 14:50:33 +0100
Subject: [PATCH 13/18] comment out secrets for test
---
 .github/workflows/build-image.yaml | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 77d8a08..151735e 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -50,19 +50,19 @@ on:
 version:
 required: true
 type: string
- secrets:
- npmGithubReadToken:
- required: true
- description: The Github token with permissions to read NPM private packages
- repoAccessToken:
- required: true
- description: The Github token to perform operations cross-repo (not github.token!)
- AWS_ACCESS_KEY_ID:
- required: true
- description: Access key ID for AWS credentials
- AWS_SECRET_ACCESS_KEY:
- required: true
- description: Secet for AWS access key ID
+ # secrets:
+ # npmGithubReadToken:
+ # required: true
+ # description: The Github token with permissions to read NPM private packages
+ # repoAccessToken:
+ # required: true
+ # description: The Github token to perform operations cross-repo (not github.token!)
+ # AWS_ACCESS_KEY_ID:
+ # required: true
+ # description: Access key ID for AWS credentials
+ # AWS_SECRET_ACCESS_KEY:
+ # required: true
+ # description: Secet for AWS access key ID
 env:
 IMAGE_SCAN_SEVERITY: LOW
From 7c8d85f8ea0185ccf4c749e62e197f4cdce631a5 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Fri, 17 Jan 2025 14:54:14 +0100
Subject: [PATCH 14/18] removing secrets entry since they are inherited
---
 .github/workflows/build-image.yaml | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 151735e..6eefa62 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -50,19 +50,6 @@ on:
 version:
 required: true
 type: string
- # secrets:
- # npmGithubReadToken:
- # required: true
- # description: The Github token with permissions to read NPM private packages
- # repoAccessToken:
- # required: true
- # description: The Github token to perform operations cross-repo (not github.token!)
- # AWS_ACCESS_KEY_ID:
- # required: true
- # description: Access key ID for AWS credentials
- # AWS_SECRET_ACCESS_KEY:
- # required: true
- # description: Secet for AWS access key ID
 env:
 IMAGE_SCAN_SEVERITY: LOW
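Review bot: Removing the `workflow_call.secrets` declaration (commented out here in PATCH 13, deleted in PATCH 14) drops the only documented contract for `npmGithubReadToken`, `repoAccessToken`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, which the login and pre-script steps of this workflow read via `secrets.*` as far as the earlier build.yaml hunks show. With the block present, a caller that maps secrets explicitly and forgets one is rejected at workflow validation; without it, such a caller runs registry login and the build with empty credentials and only fails (or silently pushes nothing) much later. Declaring the secrets with `required: true` does not appear to conflict with the caller's `secrets: inherit` (context in PATCH 15), so keeping the block, with the `Secet` typo fixed to `Secret`, preserves the fail-fast check at no cost; if dropping it was needed to unblock testing, a short comment explaining why, e.g. `# Secrets are expected via secrets: inherit from the calling workflow`, would at least state the assumption.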
From beb1613f39ab79fe0858ec8b6067b7c7eac2bd72 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Fri, 17 Jan 2025 15:10:07 +0100
Subject: [PATCH 15/18] add initialize to the commit step needs
---
 .github/workflows/kubernetes.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index ae4c3d2..3a691a5 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -188,7 +188,7 @@ jobs:
 secrets: inherit
 commit:
- needs: [build]
+ needs: [initialize,build]
 environment: ${{ github.event.deployment.payload.env }}
 runs-on: ${{ inputs.runner }}
 steps:
From c274515f11923992882465004f512f3a63c1c568 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Fri, 17 Jan 2025 15:12:05 +0100
Subject: [PATCH 16/18] run prettier
---
 .github/workflows/kubernetes.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 3a691a5..6dcf91a 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -188,7 +188,7 @@ jobs:
 secrets: inherit
 commit:
- needs: [initialize,build]
+ needs: [initialize, build]
 environment: ${{ github.event.deployment.payload.env }}
 runs-on: ${{ inputs.runner }}
 steps:
From 64ad4e0fcd89d83eddb96ca3481423db2a4d4b95 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Fri, 17 Jan 2025 15:13:48 +0100
Subject: [PATCH 17/18] set version for build
---
 .github/workflows/kubernetes.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 6dcf91a..3555ad7 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -173,7 +173,7 @@ jobs:
 build:
 needs: [initialize]
- uses: parcelLab/ci/.github/workflows/build-image.yaml@separate-build-step
+ uses: parcelLab/ci/.github/workflows/build-image.yaml@7.0.2
 with:
 artifactName: ${{ inputs.artifactName }}
 artifactPath: ${{ inputs.artifactPath }}
From ab91962c3e1ed5dd6fd9f6df83e507274c98173b Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Fri, 17 Jan 2025 15:15:46 +0100
Subject: [PATCH 18/18] pin main for build
---
 .github/workflows/kubernetes.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 3555ad7..ef29ef4 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -173,7 +173,7 @@ jobs:
 build:
 needs: [initialize]
- uses: parcelLab/ci/.github/workflows/build-image.yaml@7.0.2
+ uses: parcelLab/ci/.github/workflows/build-image.yaml@main
 with:
 artifactName: ${{ inputs.artifactName }}
 artifactPath: ${{ inputs.artifactPath }}