-
Notifications
You must be signed in to change notification settings - Fork 24
87 lines (75 loc) · 2.84 KB
/
build-push-image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
name: Build and push image
on:
push:
branches:
- staging
- master
workflow_dispatch:
permissions:
id-token: write # Required for requesting the JWT
contents: read # Required for actions/checkout
security-events: write # Required for uploading security scan results
env:
ECR_REPOSITORY_URL_APP: "${{ secrets.IMAGE_REGISTRY_URL }}/defi-providers"
ECR_REPOSITORY_URL_INFRA: "${{ secrets.IMAGE_REGISTRY_URL }}/defi-providers-infra"
IMAGE_TAG: "${{ github.ref_name }}-${{ github.sha }}"
MANIFESTS_PATH: "${{ github.ref_name == 'master' && './kubernetes/production' || './kubernetes/staging' }}"
AWS_DEFAULT_REGION: eu-central-1
AWS_IAM_ROLE_GITHUB: "${{ secrets.AWS_IAM_ROLE_GITHUB }}"
jobs:
build:
name: Build and push image
runs-on: dappradar-runner
steps:
- uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-region: ${{ env.AWS_DEFAULT_REGION }}
role-to-assume: ${{ env.AWS_IAM_ROLE_GITHUB }}
- name: Authenticate to Amazon ECR
uses: aws-actions/amazon-ecr-login@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
driver: docker
- name: Build Docker image
uses: docker/build-push-action@v4
with:
context: .
tags: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}"
push: false
# - name: Scan image - High and Critical Severity
# uses: aquasecurity/trivy-action@master
# with:
# image-ref: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}"
# format: sarif
# output: trivy-results.sarif
# hide-progress: false
# exit-code: 1
#
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# if: always()
# with:
# sarif_file: trivy-results.sarif
- name: Push Docker image
uses: docker/build-push-action@v4
with:
context: .
tags: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}"
push: true
- name: Bake and push manifests
run: |
kubectl kustomize $MANIFESTS_PATH | \
envsubst '$CONTAINER_IMAGE' | \
flux push artifact oci://$OCI_IMAGE_URL_INFRA -f - \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \
--provider=aws && \
flux tag artifact oci://$OCI_IMAGE_URL_INFRA \
--tag $GITHUB_REF_NAME \
--provider aws
env:
OCI_IMAGE_URL_INFRA: "${{ env.ECR_REPOSITORY_URL_INFRA }}:${{ env.IMAGE_TAG }}"
CONTAINER_IMAGE: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}"