Merge pull request #376 from virtualidentityag/feat/CONNECTA-253-add-… #422
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Docker image | |
| on: | |
| push: | |
| branches: | |
| - 'develop' | |
| - 'staging' | |
| - 'release' | |
| - 'tsys-release' | |
| tags: | |
| - 'dockerImage.v.*' | |
| - 'v*' | |
| jobs: | |
| build: | |
| name: Build | |
| if: "!contains(github.event.head_commit.author, '[email protected]')" | |
| runs-on: ubuntu-latest | |
| env: | |
| FAIL_WEBHOOK_SECRET: ${{ secrets.MS_TEAMS_FAIL_WEBHOOK_URI }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| - name: set env | |
| run: | | |
| RAW=$(git branch -r --contains ${{ github.ref }}) | |
| BRANCH=${RAW##*/} | |
| echo BRANCH_NAME="$(echo -n "${BRANCH}")" >> $GITHUB_ENV | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: 14 | |
| cache: 'yarn' | |
| - run: yarn install --frozen-lockfile | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.github_token }} | |
| - name: build | |
| run: yarn run build | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.github_token }} | |
| BASE: /admin | |
| - uses: actions/upload-artifact@v2 | |
| with: | |
| name: buildfiles | |
| path: build/**/* | |
| - name: Microsoft Teams Fail Card | |
| if: ${{ (env.FAIL_WEBHOOK_SECRET != null) && (env.FAIL_WEBHOOK_SECRET != '') && (failure() || cancelled()) }} | |
| uses: toko-bifrost/[email protected] | |
| with: | |
| github-token: ${{ github.token }} | |
| webhook-uri: ${{ secrets.MS_TEAMS_FAIL_WEBHOOK_URI }} | |
| show-on-start: false | |
| show-on-exit: true | |
| show-on-failure: true | |
| card-layout-exit: complete | |
| environment: ${{ env.BRANCH_NAME }} | |
| custom-actions: | | |
| - text: View CI | |
| url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| push_to_registry: | |
| needs: [build] | |
| name: Push Docker image to GitHub Packages | |
| runs-on: ubuntu-latest | |
| env: | |
| IMAGE_WEBHOOK_SECRET: ${{ secrets.MS_TEAMS_IMAGE_WEBHOOK_URI }} | |
| FAIL_WEBHOOK_SECRET: ${{ secrets.MS_TEAMS_FAIL_WEBHOOK_URI }} | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Download buildfiles artifact | |
| uses: actions/download-artifact@v2 | |
| with: | |
| name: buildfiles | |
| path: build | |
| - name: Get current time | |
| id: time | |
| uses: nanzm/[email protected] | |
| with: | |
| timeZone: 2 | |
| format: 'YYYYMMDD[_]HHmmss' | |
| - name: Prepare environment variables | |
| run: | | |
| raw=$(git branch -r --contains ${{ github.ref }}) | |
| branch=${raw##*/} | |
| echo BRANCH_NAME=$(echo -n "${branch}") >> $GITHUB_ENV | |
| echo "DOCKER_REGISTRY=$(echo "ghcr.io/${{ github.repository }}" | awk '{print tolower($0)}')" >> $GITHUB_ENV | |
| echo "DOCKER_IMAGE=$(echo "${{ github.repository }}" | awk -F / '{print tolower($2)}')" >> $GITHUB_ENV | |
| echo "REPO_NAME_WITHOUT_PREFIX"=$(echo "${{ github.repository }}" | sed "s/.*\///" | awk -F / '{print tolower($0)}') >> $GITHUB_ENV | |
| echo CLEAN_REF=$(echo "${GITHUB_REF_NAME#refs/heads/}") >> $GITHUB_ENV | |
| echo TYPE=$(echo -n "${GITHUB_REF_TYPE}") >> $GITHUB_ENV | |
| echo TIME_STAMP=$(echo -n "${{ steps.time.outputs.time }}") >> $GITHUB_ENV | |
| shell: bash | |
| - name: Set branch_timestamp for image from branch | |
| if: ${{ env.TYPE == 'branch' }} | |
| run: echo DOCKER_IMAGE_TAG=$(echo "${{ env.CLEAN_REF }}_${{ env.TIME_STAMP }}") >> $GITHUB_ENV | |
| shell: bash | |
| - name: Set tag for image from tag | |
| if: ${{ env.TYPE == 'tag' }} | |
| run: echo DOCKER_IMAGE_TAG=$(echo "${{ env.CLEAN_REF }}") >> $GITHUB_ENV | |
| shell: bash | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: '${{ env.DOCKER_REGISTRY }}/${{ env.REPO_NAME_WITHOUT_PREFIX }}' | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| type=raw,value=${{ env.DOCKER_IMAGE_TAG}} | |
| type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'release') }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ${{ env.DOCKER_REGISTRY }} | |
| username: ${{ secrets.GH_PACKAGE_RELEASE_USER }} | |
| password: ${{ secrets.GH_PACKAGE_RELEASE_TOKEN }} | |
| - name: Push to GitHub Packages | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Hint about the Docker Image Tag if successful | |
| if: ${{ success() }} | |
| run: | | |
| echo "### Publish Docker image :white_check_mark:" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "- Image name: ${{ env.DOCKER_IMAGE }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Version: ${{ env.DOCKER_IMAGE_TAG }}" >> $GITHUB_STEP_SUMMARY | |
| - name: Hint about the Docker Image Tag if not successful | |
| if: ${{ failure() || cancelled() }} | |
| run: | | |
| echo "### Publish Docker image :x:" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "- It seems that something has gone wrong" >> $GITHUB_STEP_SUMMARY | |
| - name: Microsoft Teams Fail Card | |
| if: ${{ (env.FAIL_WEBHOOK_SECRET != null) && (env.FAIL_WEBHOOK_SECRET != '') && (failure() || cancelled()) }} | |
| uses: toko-bifrost/[email protected] | |
| with: | |
| github-token: ${{ github.token }} | |
| webhook-uri: ${{ secrets.MS_TEAMS_FAIL_WEBHOOK_URI }} | |
| show-on-start: false | |
| show-on-exit: true | |
| show-on-failure: true | |
| card-layout-exit: complete | |
| environment: ${{ env.BRANCH_NAME }} | |
| custom-actions: | | |
| - text: View CI | |
| url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| - name: Microsoft Teams Image Card | |
| if: ${{ (env.IMAGE_WEBHOOK_SECRET != null) && (env.IMAGE_WEBHOOK_SECRET != '') && success() }} | |
| uses: toko-bifrost/[email protected] | |
| with: | |
| github-token: ${{ github.token }} | |
| webhook-uri: ${{ secrets.MS_TEAMS_IMAGE_WEBHOOK_URI }} | |
| show-on-start: false | |
| show-on-exit: true | |
| show-on-failure: false | |
| card-layout-exit: complete | |
| environment: ${{ env.BRANCH_NAME }} | |
| custom-facts: | | |
| - name: Registry | |
| value: ${{ env.DOCKER_REGISTRY }}/${{ env.REPO_NAME_WITHOUT_PREFIX }} | |
| - name: Tag | |
| value: ${{ env.DOCKER_IMAGE_TAG }} | |
| custom-actions: | | |
| - text: View CI | |
| url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| - name: Run Trivy vulnerability image scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: '${{ env.DOCKER_REGISTRY }}/${{ env.REPO_NAME_WITHOUT_PREFIX }}:${{ env.DOCKER_IMAGE_TAG }}' | |
| format: 'table' | |
| exit-code: '1' | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL' | |
| - name: Publish to T-sys if T-sys release | |
| if: ${{ (github.ref == 'refs/heads/tsys-release') }} | |
| uses: fjogeleit/http-request-action@v1 | |
| with: | |
| url: 'https://git.mms-support.de/api/v4/projects/${{ secrets.TSYS_SERVICE_ID }}/repository/tags?ref=master&tag_name=${{ env.DOCKER_IMAGE_TAG }}' | |
| method: 'POST' | |
| customHeaders: '{"PRIVATE-TOKEN": "${{ secrets.TSYS_ACCESS_TOKEN }}"}' |