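---
# Workflow "go": builds the Go tools under ./go, runs the SonarQube scanner,
# lints the Dockerfile, and -- only on the repository's default branch --
# publishes the multi-arch image to GHCR and DockerHub, copies the polly
# binary to S3, and emits SNS / Kafka deploy events. Every publishing step is
# gated with the same `github.ref == format('refs/heads/{0}', ...)` condition.
name: go
on:
  pull_request:
    paths: [ 'go/**', '.github/workflows/go.yml' ]
  push:
    # If at least one path matches a pattern in the paths filter, the workflow runs
    paths: [ 'go/**', '.github/workflows/go.yml' ]
    branches: [ main ]
jobs:
  build:
    # && github.ref == 'refs/heads/master'
    # NOTE: github.event.head_commit only exists on push events; on pull_request
    # the contains() sees an empty value and the job always runs.
    if: " ! contains(github.event.head_commit.message, 'skip ci') "
    runs-on: ubuntu-latest
    permissions:
      packages: write
      # avoid Resource not accessible by integration error on CodeQL action
      # https://github.com/github/codeql/issues/8843#issuecomment-1108467590
      actions: read
      contents: read
      security-events: write
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout Repo
        uses: actions/checkout@v3
      - name: Set up Go 1.x
        uses: actions/setup-go@v4
        with:
          # quoted so no YAML loader can re-type the version constraint
          go-version: "^1.20"
        id: go
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v3.0.1
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          # NOTE(review): long-lived access keys stored as repository secrets.
          # The action also supports OIDC role assumption (role-to-assume plus
          # `id-token: write`), which would remove the static keys -- confirm
          # the AWS trust policy before switching.
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-central-1
      # https://stackoverflow.com/a/58178121/4292075, https://stackoverflow.com/a/51761312/4292075
      # The values land in GITHUB_ENV (and later in docker build-args), so they
      # are treated as non-secret despite --with-decryption; keep real secrets
      # out of this step.
      - name: Pull Environment Config from AWS SSM ParamStore
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        run: |
          echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> "$GITHUB_ENV"
          echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> "$GITHUB_ENV"
          echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> "$GITHUB_ENV"
      # install SonarQube Scanner, we handle this ourselves
      - name: Cache node modules
        uses: actions/cache@v3.3.2
        with:
          path: |
            ~/.npm
            **/node_modules
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
      # NOTE(review): this job declares no `strategy.matrix`, so
      # matrix.node-version expands to an empty string in the step name and in
      # the node-version input; what setup-node does with an empty input is
      # not visible here. Add a matrix or pin an explicit version.
      - name: Node ${{ matrix.node-version }}
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install SonarQube Scanner with npm
        working-directory: ./tools/sonar/
        run: |
          npm install
      # https://github.com/actions/cache/blob/main/examples.md#go---modules
      - name: Cache Go modules packages
        uses: actions/cache@v3.3.2
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      # NOTE(review): not gated on the default branch, yet it calls `aws ssm`
      # while the credentials step above is skipped on pull_request -- confirm
      # PR runs are expected to have AWS access from elsewhere.
      - name: Build with Go and run Sonar Scanner
        working-directory: ./go
        run: |
          make build
          SONAR_TOKEN=$(aws ssm get-parameter --name /angkor/prod/SONAR_TOKEN --with-decryption --query 'Parameter.Value' --output text)
          # the token comes from SSM, not from GitHub secrets, so it is not
          # masked automatically; register it before anything could print it
          echo "::add-mask::$SONAR_TOKEN"
          echo "Running SonarQube Scanner (make sonar)"
          SONAR_TOKEN=$SONAR_TOKEN make sonar
          # all go binaries are pushed to dockerhub as part of the image, but we (still) need polly binary for systemd service
          aws s3 cp --no-progress dist/polly "$AWS_DEPLOY_TARGET/tools/polly"
        env:
          CI: "true"
          RELEASE_NAME: ${{ env.RELEASE_NAME }}
          RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Sonarcloud: Needed to get PR information, if any
          # handed over as an environment variable instead of being expanded
          # into the script text, so the secret never becomes shell source
          AWS_DEPLOY_TARGET: ${{ secrets.AWS_DEPLOY_TARGET }}
      - name: Lint Dockerfile with hadolint
        uses: brpaz/hadolint-action@v1.5.0
        with:
          dockerfile: ./go/Dockerfile
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
      - name: Login to DockerHub
        uses: docker/login-action@v2
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }} # Password or personal access token used to log in to a Docker registry. If not set then no login will occur.
      # New: Test GH CR as an alternative to Dockerhub
      # https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
      # https://docs.github.com/en/actions/publishing-packages/publishing-docker-images#publishing-images-to-github-packages
      # Practical Example: https://blog.codecentric.de/github-container-registry and
      # Code: https://github.com/jonashackt/docker-hello-world/blob/main/.github/workflows/publish.yml
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          registry: ghcr.io
          # You can use the ${{ github.actor }} context to automatically use the username of the user that triggered the workflow run.
          username: ${{ github.actor }}
          # we should be able to use our GITHUB_TOKEN to authenticate against the GitHub Container Registry instead of
          # using a separate PAT (see https://github.blog/changelog/2021-03-24-packages-container-registry-now-supports-github_token/)!
          # NOTE(review): `packages: write` is now granted above; the 403 below
          # may predate that permission -- worth re-testing GITHUB_TOKEN so the
          # long-lived PAT can be retired.
          password: ${{ secrets.GH_CR_PAT }} # ${{ secrets.GITHUB_TOKEN }} does not work unexpected status: 403 Forbidden
      # check https://stackoverflow.com/a/71438011/4292075
      - name: Push to GitHub Container Registry
        uses: docker/build-push-action@v4 # https://github.com/docker/build-push-action
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          context: ./go
          file: ./go/Dockerfile
          platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386
          push: true
          # can also use ${{ github.sha }} as tag
          tags: ghcr.io/${{ github.repository }}/angkor-tools:latest
          # https://stackoverflow.com/a/75021601/4292075
          # org.opencontainers.image.revision="${{ github.sha }}"
          labels: |
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          # each line is passed through as `--build-arg <line>`, so it must be
          # NAME=value; the earlier `NAME: value` form does not set the ARG
          build-args: |
            RELEASE_NAME=${{ env.RELEASE_NAME }}
            RELEASE_VERSION=${{ env.RELEASE_VERSION }}
      - name: Push to DockerHub
        uses: docker/build-push-action@v4 # https://github.com/docker/build-push-action
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          context: ./go
          file: ./go/Dockerfile
          platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386
          push: true
          # can also use ${{ github.sha }} as tag
          tags: ${{ secrets.DOCKER_USERNAME }}/angkor-tools:latest
          # same NAME=value requirement as the GHCR push above
          build-args: |
            RELEASE_NAME=${{ env.RELEASE_NAME }}
            RELEASE_VERSION=${{ env.RELEASE_VERSION }}
      - name: Publish Action Event
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        run: |
          aws sns publish --topic-arn $TOPIC_ARN --message "{\"action\":\"deploy-tools\",\"workflow\":\"$GITHUB_WORKFLOW\"}" \
          --message-attributes "GITHUB_SHA={DataType=String,StringValue=\"$GITHUB_SHA\"}, GITHUB_RUN_ID={DataType=String,StringValue=\"$GITHUB_RUN_ID\"}"
        env:
          TOPIC_ARN: ${{ secrets.TOPIC_ARN }}
      - name: Send Kafka Publish Event with Docker
        id: send-kafka-pub-event-playground # becomes $GITHUB_ACTION
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        # secrets are exposed to the step as environment variables and forwarded
        # with `docker run -e NAME` (value taken from the environment), instead
        # of being interpolated into the command line
        env:
          KAFKA_PRODUCER_TOPIC_URL: ${{ secrets.KAFKA_PRODUCER_TOPIC_URL }}
          KAFKA_PRODUCER_API_SECRET: ${{ secrets.KAFKA_PRODUCER_API_SECRET }}
        run: |
          docker run -e KAFKA_PRODUCER_TOPIC_URL -e KAFKA_PRODUCER_API_SECRET ghcr.io/tillkuhn/rubin:latest \
          -ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \
          -source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \
          -type "net.timafe.event.ci.published.v1" -subject "docker.io/${GITHUB_REPOSITORY}-tools" \
          -record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}"
      # Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action
      # - https://github.com/aquasecurity/trivy-action
      # - https://blog.aquasec.com/github-vulnerability-scanner-trivy
      # NOTE(review): `@master` is a moving ref; pin this action to a release
      # tag or commit SHA so the scanner itself cannot change underneath the
      # build (version left as-is here, pick from the action's releases).
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          # scans the published :latest tag on DockerHub, not the image just
          # built in this run; on PR runs that is the previous main build
          image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/angkor-tools:latest'
          format: 'sarif'
          output: 'trivy-results.sarif'
          # additional options when not using GitHub Code Scanning with sarif format
          # format: 'table'
          # exit-code: '1'
          # ignore-unfixed: true
          # vuln-type: 'os,library'
          # severity: 'CRITICAL,HIGH'
      # Using Trivy with GitHub Code Scanning
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          sarif_file: 'trivy-results.sarif'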