Merge branch 'release-146' into gig/grayscale-button #7044
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Build and Scan Container' | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| branches: | |
| - stable | |
| - 'release-*' | |
| push: | |
| branches: | |
| - "*" | |
| - "**/*" | |
| # You can kill currently running builds on the branch this way | |
| #concurrency: | |
| # group: ${{ github.ref }}-ci | |
| # cancel-in-progress: true | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| contents: read | |
| id-token: write | |
| pull-requests: write | |
| outputs: | |
| digest: ${{ steps.push.outputs.digest }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Configure AWS credentials | |
| if: github.event_name != 'pull_request' | |
| uses: aws-actions/configure-aws-credentials@v3 | |
| with: | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE }} | |
| role-session-name: github-action | |
| - name: Export environment variables | |
| id: env | |
| env: | |
| SHA: ${{ github.sha }} | |
| run: | | |
| export NODE_VERSION=`cat .nvmrc` | |
| export GITHASH="${SHA::9}" | |
| export IMAGE_TAG="githash-${GITHASH}" | |
| echo "## Git Hash" >> $GITHUB_STEP_SUMMARY | |
| echo $IMAGE_TAG >> $GITHUB_STEP_SUMMARY | |
| echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT | |
| echo "git_hash=$GITHASH" >> $GITHUB_OUTPUT | |
| echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT | |
| # Build and scan on PRs | |
| - name: Build container image for PR | |
| if: github.event_name == 'pull_request' | |
| id: vuln_build | |
| uses: docker/build-push-action@v3 | |
| with: | |
| push: false | |
| file: docker/Dockerfile | |
| tags: ${{ secrets.IMAGE_NAME }}:${{ steps.env.outputs.image_tag }} | |
| outputs: type=docker | |
| build-args: | | |
| NODE_VERSION=${{ steps.env.outputs.node_version }} | |
| GITHASH=${{ steps.env.outputs.git_hash }} | |
| FULL_GITHASH=${{ github.event.pull_request.head.sha }} | |
| SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }} | |
| - name: Run vulnerability scan for PR | |
| if: github.event_name == 'pull_request' | |
| id: vuln_scan | |
| uses: aquasecurity/[email protected] | |
| env: | |
| TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2" | |
| TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1" | |
| with: | |
| image-ref: ${{ secrets.IMAGE_NAME }}:${{ steps.env.outputs.image_tag }} | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| # Build scan and push to ECR | |
| - name: Login to Amazon ECR | |
| if: github.event_name != 'pull_request' | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| with: | |
| mask-password: true | |
| - name: Build container image | |
| if: github.event_name != 'pull_request' | |
| id: build | |
| uses: docker/build-push-action@v3 | |
| with: | |
| push: false | |
| file: docker/Dockerfile | |
| tags: ${{ secrets.IMAGE_NAME }}:${{ steps.env.outputs.image_tag }} | |
| outputs: type=docker | |
| build-args: | | |
| NODE_VERSION=${{ steps.env.outputs.node_version }} | |
| GITHASH=${{ steps.env.outputs.git_hash }} | |
| FULL_GITHASH=${{ github.sha }} | |
| SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }} | |
| # log medium vulnerabilities | |
| - name: Run scan for medium vulnerabilities | |
| if: github.event_name != 'pull_request' | |
| id: scan_medium | |
| uses: aquasecurity/[email protected] | |
| env: | |
| TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2" | |
| TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1" | |
| continue-on-error: true | |
| with: | |
| image-ref: ${{ secrets.IMAGE_NAME }}:${{ steps.env.outputs.image_tag }} | |
| format: 'table' | |
| exit-code: '0' | |
| ignore-unfixed: true | |
| severity: 'MEDIUM' | |
| # fail on critical and high vulnerabilities | |
| - name: Run scan for critical and high vulnerabilities | |
| if: github.event_name != 'pull_request' | |
| id: scan_crit | |
| uses: aquasecurity/[email protected] | |
| env: | |
| TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2" | |
| TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1" | |
| with: | |
| image-ref: ${{ secrets.IMAGE_NAME }}:${{ steps.env.outputs.image_tag }} | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| - name: Test container | |
| if: github.event_name != 'pull_request' | |
| id: test | |
| env: | |
| image: ${{ secrets.IMAGE_NAME }}:${{ steps.env.outputs.image_tag }} | |
| shell: bash | |
| run: | | |
| ./bin/test-container $image | |
| - name: Set Docker remote | |
| if: ${{ github.event_name != 'pull_request' }} | |
| id: metadata | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: ${{ secrets.AWS_ECR_REGISTRY }} | |
| tags: | | |
| ${{ steps.env.outputs.image_tag }} | |
| type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'stable') }} | |
| type=raw,value=stable,enable=${{ github.ref == format('refs/heads/{0}', 'stable') }} | |
| type=ref,event=branch | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| - name: Build and push container image | |
| if: ${{ github.event_name != 'pull_request' }} | |
| id: push | |
| uses: docker/build-push-action@v3 | |
| with: | |
| push: ${{ github.event_name != 'pull_request' }} | |
| file: docker/Dockerfile | |
| labels: ${{ steps.metadata.outputs.labels }} | |
| tags: ${{ steps.metadata.outputs.tags }} | |
| #tags: ${{ secrets.AWS_ECR_REGISTRY }}:${{ steps.env.outputs.image_tag }} | |
| build-args: | | |
| NODE_VERSION=${{ steps.env.outputs.node_version }} | |
| GITHASH=${{ steps.env.outputs.git_hash }} | |
| FULL_GITHASH=${{ github.sha }} | |
| SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }} |