enable container restart policy for beta (#33) #118
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Main - Attests to https://app.kosli.com | |
on: | |
push: | |
env: | |
KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }} # false | |
KOSLI_HOST: ${{ vars.KOSLI_HOST }} # https://app.kosli.com | |
KOSLI_ORG: ${{ vars.KOSLI_ORG }} # cyber-dojo | |
KOSLI_FLOW: ${{ vars.KOSLI_FLOW }} # nginx-ci | |
KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }} | |
KOSLI_TRAIL: ${{ github.sha }} | |
SERVICE_NAME: ${{ github.event.repository.name }} # nginx | |
IMAGE_TAR_FILENAME: /tmp/${{ github.event.repository.name }}:${{ github.sha }}.tar | |
jobs: | |
setup: | |
runs-on: ubuntu-latest | |
outputs: | |
image_tag: ${{ steps.variables.outputs.image_tag }} | |
image_name: ${{ steps.variables.outputs.image_name }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
- name: Set outputs | |
id: variables | |
run: | | |
IMAGE_TAG=${GITHUB_SHA:0:7} | |
echo "image_tag=${IMAGE_TAG}" >> ${GITHUB_OUTPUT} | |
echo "image_name=cyberdojo/${{ env.SERVICE_NAME }}:${IMAGE_TAG}" >> ${GITHUB_OUTPUT} | |
pull-request: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: [] | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
- name: Setup Kosli CLI | |
uses: kosli-dev/setup-cli-action@v2 | |
with: | |
version: ${{ vars.KOSLI_CLI_VERSION }} | |
- name: Attest pull-request evidence to Kosli | |
run: | |
kosli attest pullrequest github | |
--github-token=${{ secrets.GITHUB_TOKEN }} | |
--name=pull-request | |
snyk-code-scan: | |
needs: [] | |
runs-on: ubuntu-latest | |
env: | |
SARIF_FILENAME: snyk.code.scan.json | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
- name: Setup Snyk | |
uses: snyk/actions/setup@master | |
- name: Run Snyk code scan | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: | |
snyk code test | |
--sarif | |
--sarif-file-output="${SARIF_FILENAME}" | |
--policy-path=.snyk | |
. | |
- name: Setup Kosli CLI | |
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} | |
uses: kosli-dev/setup-cli-action@v2 | |
with: | |
version: ${{ vars.KOSLI_CLI_VERSION }} | |
- name: Attest evidence to Kosli | |
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} | |
run: | |
kosli attest snyk | |
--name=nginx.snyk-code-scan | |
--scan-results="${SARIF_FILENAME}" | |
build-image: | |
needs: [setup] | |
runs-on: ubuntu-latest | |
env: | |
IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
outputs: | |
kosli_fingerprint: ${{ steps.variables.outputs.kosli_fingerprint }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
- uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USER }} | |
password: ${{ secrets.DOCKER_PASS }} | |
- name: Build and push image to Dockerhub Registry | |
id: docker_build | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
push: true | |
tags: ${{ needs.setup.outputs.image_name }} | |
build-args: | |
COMMIT_SHA=${{ github.sha }} | |
- name: Tar Docker image | |
run: | | |
docker pull ${{ env.IMAGE_NAME }} | |
docker image save ${{ env.IMAGE_NAME }} --output ${{ env.IMAGE_TAR_FILENAME }} | |
- name: Cache Docker image | |
uses: actions/cache@v4 | |
with: | |
path: ${{ env.IMAGE_TAR_FILENAME }} | |
key: ${{ env.IMAGE_NAME }} | |
- name: Make artifact fingerprint available to following jobs | |
id: variables | |
run: | | |
FINGERPRINT=$(echo ${{ steps.docker_build.outputs.digest }} | sed 's/.*://') | |
echo "kosli_fingerprint=${FINGERPRINT}" >> ${GITHUB_OUTPUT} | |
- name: Setup Kosli CLI | |
if: ${{ github.ref == 'refs/heads/main' }} | |
uses: kosli-dev/setup-cli-action@v2 | |
with: | |
version: ${{ vars.KOSLI_CLI_VERSION }} | |
- name: Attest artifact provenance to Kosli | |
if: ${{ github.ref == 'refs/heads/main' }} | |
run: | |
kosli attest artifact "${IMAGE_NAME}" | |
--artifact-type=docker | |
--name=nginx | |
--trail="${GITHUB_SHA}" | |
snyk-container-scan: | |
needs: [setup, build-image] | |
runs-on: ubuntu-latest | |
env: | |
SARIF_FILENAME: snyk.container.scan.json | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
- name: Setup Snyk | |
uses: snyk/actions/setup@master | |
- name: Run Snyk container scan | |
env: | |
IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: | |
snyk container test ${IMAGE_NAME} | |
--file=Dockerfile | |
--sarif | |
--sarif-file-output="${SARIF_FILENAME}" | |
--policy-path=.snyk | |
- name: Setup Kosli CLI | |
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} | |
uses: kosli-dev/setup-cli-action@v2 | |
with: | |
version: ${{ vars.KOSLI_CLI_VERSION }} | |
- name: Attest evidence to Kosli | |
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} | |
env: | |
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }} | |
run: | |
kosli attest snyk | |
--name=nginx.snyk-container-scan | |
--scan-results="${SARIF_FILENAME}" | |
sdlc-control-gate: | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: [setup, build-image, pull-request, snyk-container-scan, snyk-code-scan] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup Kosli CLI | |
uses: kosli-dev/setup-cli-action@v2 | |
with: | |
version: ${{ vars.KOSLI_CLI_VERSION }} | |
- name: Kosli SDLC gate to short-circuit the workflow | |
env: | |
IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }} | |
run: | |
kosli assert artifact ${IMAGE_NAME} | |
approve-deployment-to-beta: | |
needs: [setup, build-image, sdlc-control-gate] | |
runs-on: ubuntu-latest | |
environment: | |
name: staging | |
url: https://beta.cyber-dojo.org | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Setup Kosli CLI | |
uses: kosli-dev/setup-cli-action@v2 | |
with: | |
version: ${{ vars.KOSLI_CLI_VERSION }} | |
- name: Attest approval of deployment to Kosli | |
env: | |
IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }} | |
KOSLI_ENVIRONMENT: aws-beta | |
run: | |
kosli report approval ${IMAGE_NAME} | |
--approver="${{ github.actor }}" | |
deploy-to-beta: | |
needs: [setup, approve-deployment-to-beta] | |
uses: ./.github/workflows/sub_deploy_to_beta.yml | |
with: | |
IMAGE_TAG: ${{ needs.setup.outputs.image_tag }} | |
secrets: | |
KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }} | |
approve-deployment-to-prod: | |
needs: [setup, build-image, deploy-to-beta] | |
runs-on: ubuntu-latest | |
environment: | |
name: production | |
url: https://cyber-dojo.org | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Setup Kosli CLI | |
uses: kosli-dev/setup-cli-action@v2 | |
with: | |
version: ${{ vars.KOSLI_CLI_VERSION }} | |
- name: Attest approval of deployment to Kosli | |
env: | |
IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }} | |
KOSLI_ENVIRONMENT: aws-prod | |
run: | |
kosli report approval ${IMAGE_NAME} | |
--approver="${{ github.actor }}" | |
deploy-to-prod: | |
needs: [setup, approve-deployment-to-prod] | |
uses: ./.github/workflows/sub_deploy_to_prod.yml | |
with: | |
IMAGE_TAG: ${{ needs.setup.outputs.image_tag }} | |
secrets: | |
KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }} | |
# The cyberdojo/versioner refresh-env.sh script | |
# https://github.com/cyber-dojo/versioner/blob/master/sh/refresh-env.sh | |
# relies on being able to: | |
# - get the :latest image | |
# - extract the SHA env-var embedded inside it | |
# - use the 1st 7 chars of the SHA as a latest-equivalent tag | |
push-latest: | |
needs: [setup, deploy-to-prod] | |
runs-on: ubuntu-latest | |
env: | |
IMAGE_NAME: ${{ needs.setup.outputs.image_name }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USER }} | |
password: ${{ secrets.DOCKER_PASS }} | |
- name: Tag image to :latest and push to Dockerhub Registry | |
run: | | |
docker pull "${IMAGE_NAME}" | |
docker tag "${IMAGE_NAME}" cyberdojo/${{ env.SERVICE_NAME }}:latest | |
docker push cyberdojo/${{ env.SERVICE_NAME }}:latest |