-
Notifications
You must be signed in to change notification settings - Fork 4
178 lines (155 loc) · 7.21 KB
/
go-legacy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
name: go-legacy
on:
pull_request:
paths: [ 'go/**', '.github/workflows/go.yml' ]
push:
# If at least one path matches a pattern in the paths filter, the workflow runs
paths: [ 'go/**', '.github/workflows/go.yml' ]
branches: [ main ]
jobs:
# test run always
go-test:
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@v4
- name: Set up Go 1.x
uses: actions/setup-go@v5
with:
go-version: ^1.22
- name: Test Go Projects
working-directory: ./go
run: |
make test
# build and push runs only on merge into default main branch
go-build-push:
needs: [go-test]
# && github.ref == 'refs/heads/master'
# if: " ! contains(github.event.head_commit.message, 'skip ci')"
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
runs-on: ubuntu-latest
permissions:
packages: write
# avoid Resource not accessible by integration error on CodeQL action
# https://github.com/github/codeql/issues/8843#issuecomment-1108467590
actions: read
contents: read
security-events: write
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- name: Checkout Repo
uses: actions/checkout@v4
- name: Set up Go 1.x
uses: actions/setup-go@v5
with:
go-version: ^1.22
id: go
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-central-1
# https://stackoverflow.com/a/58178121/4292075, https://stackoverflow.com/a/51761312/4292075
- name: Pull Environment Config from AWS SSM ParamStore
run: |
echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> $GITHUB_ENV
echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV
echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV
# install SonarQube Scanner, we handle this ourselves
- name: Cache node modules
uses: actions/cache@v4
with:
path: |
~/.npm
**/node_modules
key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-npm-
- name: Node ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
- name: Install SonarQube Scanner with npm in ./tools/sonar
working-directory: ./tools/sonar/
run: |
npm install
# https://github.com/actions/cache/blob/main/examples.md#go---modules
- name: Cache Go modules packages
uses: actions/cache@v4
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Build with Go and run Sonar Scanner
working-directory: ./go
run: |
make build
SONAR_TOKEN=$(aws ssm get-parameter --name /angkor/prod/SONAR_TOKEN --with-decryption --query 'Parameter.Value' --output text)
echo "Running SonarQube Scanner (make sonar)"
SONAR_TOKEN=$SONAR_TOKEN make sonar
# all go binaries are pushed to dockerhub as part of the image, but we (still) need polly binary for systemd service
aws s3 cp --no-progress dist/polly ${{ secrets.AWS_DEPLOY_TARGET }}/tools/polly
env:
CI: true
RELEASE_NAME: ${{ env.RELEASE_NAME }}
RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Sonarcloud: Needed to get PR information, if any
- name: Lint Dockerfile with hadolint
uses: brpaz/hadolint-action@v1.5.0
with:
dockerfile: ./go/Dockerfile
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }} # Password or personal access token used to log in to a Docker registry. If not set then no login will occur.
- name: Push to DockerHub
uses: docker/build-push-action@v6 # https://github.com/docker/build-push-action
with:
context: ./go
file: ./go/Dockerfile
platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386
push: true
# can also use ${{ github.sha }} as tag
tags: ${{ secrets.DOCKER_USERNAME }}/angkor-tools:latest
build-args: |
RELEASE_NAME: ${{ env.RELEASE_NAME }}
RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
- name: Publish Action Event
run: |
aws sns publish --topic-arn $TOPIC_ARN --message "{\"action\":\"deploy-tools\",\"workflow\":\"$GITHUB_WORKFLOW\"}" \
--message-attributes "GITHUB_SHA={DataType=String,StringValue=\"$GITHUB_SHA\"}, GITHUB_RUN_ID={DataType=String,StringValue=\"$GITHUB_RUN_ID\"}"
env:
TOPIC_ARN: ${{ secrets.TOPIC_ARN }}
- name: Send Kafka Publish Event with Docker
id: send-kafka-pub-event-playground # becomes $GITHUB_ACTION
run: |
docker run -e KAFKA_PRODUCER_TOPIC_URL="${{secrets.KAFKA_PRODUCER_TOPIC_URL}}" -e KAFKA_PRODUCER_API_SECRET="${{secrets.KAFKA_PRODUCER_API_SECRET}}" ghcr.io/tillkuhn/rubin:latest \
-ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \
-source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \
-type "net.timafe.event.ci.published.v1" -subject "docker.io/${GITHUB_REPOSITORY}-tools" \
-record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}"
# Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action
# - https://github.com/aquasecurity/trivy-action
# - https://blog.aquasec.com/github-vulnerability-scanner-trivy
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/angkor-tools:latest'
format: 'sarif'
output: 'trivy-results.sarif'
# additional options when not using GitHub Code Scanning with sarif format
# format: 'table'
# exit-code: '1'
# ignore-unfixed: true
# vuln-type: 'os,library'
# severity: 'CRITICAL,HIGH'
# Using Trivy with GitHub Code Scanning
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'