-
Notifications
You must be signed in to change notification settings - Fork 0
79 lines (59 loc) · 3.05 KB
/
workflow-create.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
name: "Create Application"
on:
schedule:
- cron: '10 13 * * 1-5'
workflow_dispatch:
jobs:
Create:
env:
gcp_project: "project1-366201"
region: "us-central1"
application_name: "embedded-my-tomcat-app"
PCC_SAN: "app0.cloud.twistlock.com"
PCC_API: ${{ secrets.PCC_API }}
PCC_KEY: ${{ secrets.PCC_KEY }}
PCC_SEC: ${{ secrets.PCC_SEC }}
service_account : "[email protected]"
workload_identity_provider: "projects/917516087101/locations/global/workloadIdentityPools/sample-google-cloud-run/providers/sample-google-cloud-run-provider"
# Add "id-token" with the intended permissions.
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-latest
steps:
- name: Checkout Content from Repo
uses: actions/checkout@v3 # checkout the repository content
- name: setup python
uses: actions/setup-python@v4
with:
python-version: '3.10' # install the python version needed
- name: install python packages
run: |
python -m pip install --upgrade pip
pip install -r policy/requirements.txt
- name: Generate Compute Login Token
run: python policy/create-token.py
- name: Create Compute Collection for Application
run: python policy/create-collection.py
- name: Create Compute App-Embedded Runtime Policy for Application (Alert)
run: SCRIPT=alert python policy/create-policy.py
- name: Authenticate to Google Cloud for Deployment
id: 'gcp-auth'
uses: 'google-github-actions/auth@v1'
with:
workload_identity_provider: '${{env.workload_identity_provider}}'
service_account: '${{env.service_account}}'
- name: Create Repo in Artifact Repository
run: gcloud artifacts repositories create ${{env.application_name}} --location ${{env.region}} --repository-format=docker --quiet
- name: Embed Defender into Dockerfile
run: ./embed-defender.sh
- name: Build docker image from source including Defender
run: docker build -t ${{env.region}}-docker.pkg.dev/${{env.gcp_project}}/${{env.application_name}}/tomcat-hl7:latest django_hl7_rest_api/.
- name: Use Google credentilals to autauthenticatate to Artifact Repository
run: gcloud auth configure-docker ${{env.region}}-docker.pkg.dev
- name: Push docker image to Repo
run: docker push ${{env.region}}-docker.pkg.dev/${{env.gcp_project}}/${{env.application_name}}/tomcat-hl7:latest
- name: Deploy application to Google-Cloud-Run
run: gcloud run deploy ${{env.application_name}} --region ${{env.region}} --image=${{env.region}}-docker.pkg.dev/${{env.gcp_project}}/${{env.application_name}}/tomcat-hl7:latest --concurrency 1 --allow-unauthenticated --port 8080
- name: Update IAM policy for application invocation.
run: gcloud run services add-iam-policy-binding ${{env.application_name}} --member="allUsers" --role="roles/run.invoker" --region ${{env.region}}