Merge pull request #124 from wallarm/NODE-5792 #85
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build release | |
| on: | |
| push: | |
| tags: | |
| - '[0-9]+.[0-9]+.[0-9]+\-[0-9]+' | |
| - '[0-9]+.[0-9]+.[0-9]+\-rc[0-9]+' | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| build: | |
| name: Build and push | |
| runs-on: self-hosted-amd64-1cpu | |
| outputs: | |
| release_type: ${{ steps.check_release.outputs.type }} | |
| env: | |
| CONTAINER_VERSION: ${{ github.ref_name }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3.0.2 | |
| - name: Import secrets | |
| uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
| id: secrets | |
| with: | |
| exportEnv: false | |
| url: ${{ secrets.VAULT_URL }} | |
| role: ${{ secrets.VAULT_ROLE }} | |
| method: kubernetes | |
| path: kubernetes-ci | |
| secrets: | | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; | |
| - name: Login | |
| uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 | |
| with: | |
| username: ${{ steps.secrets.outputs.DOCKERHUB_USER }} | |
| password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }} | |
| - name: Check release type | |
| id: check_release | |
| run: | | |
| TYPE="production" | |
| if [[ ${CONTAINER_VERSION} =~ "rc" ]]; then | |
| TYPE="release-candidate" | |
| fi | |
| echo "Release type: ${TYPE}" | |
| echo "type=${TYPE}" >> $GITHUB_OUTPUT | |
| - name: Build and push | |
| run: make BUILDX_ARGS=--push build | |
| - name: Push latest | |
| if: steps.check_release.outputs.type == 'production' | |
| run: make push-latest | |
| sign: | |
| name: Sign images | |
| runs-on: self-hosted-amd64-1cpu | |
| needs: | |
| - build | |
| if: needs.build.outputs.release_type == 'production' | |
| steps: | |
| - name: Import secrets | |
| uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
| id: secrets | |
| with: | |
| exportEnv: false | |
| url: ${{ secrets.VAULT_URL }} | |
| role: ${{ secrets.VAULT_ROLE }} | |
| method: kubernetes | |
| path: kubernetes-ci | |
| secrets: | | |
| kv-gitlab-ci/data/node/build/cosign password | COSIGN_PASSWORD ; | |
| kv-gitlab-ci/data/node/build/cosign private_key | COSIGN_PRIVATE_KEY ; | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; | |
| - name: Docker login | |
| uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 | |
| with: | |
| username: ${{ steps.secrets.outputs.DOCKERHUB_USER }} | |
| password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }} | |
| - name: Sign image | |
| id: sign | |
| env: | |
| IMAGE_NAME: docker.io/wallarm/node:${{ github.ref_name }} | |
| COSIGN_PRIVATE_KEY: ${{ steps.secrets.outputs.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ steps.secrets.outputs.COSIGN_PASSWORD }} | |
| run: | | |
| docker pull -q ${IMAGE_NAME} | |
| IMAGE_TAG=$(echo ${IMAGE_NAME} | awk -F':' '{print $2}') | |
| IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME}) | |
| IMAGE_URI=$(echo $IMAGE_DIGEST | sed -e 's/\@sha256:/:sha256-/') | |
| SBOM_SPDX="node_${IMAGE_TAG}_spdx.json" | |
| syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX} | |
| cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST} | |
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom" | |
| cosign sign --recursive --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST} | |
| echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT | |
| - name: Upload SBOM | |
| uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b | |
| with: | |
| retention-days: 30 | |
| name: ${{ steps.sign.outputs.sbom }} | |
| path: ${{ steps.sign.outputs.sbom }} | |
| update_version: | |
| name: Update package version | |
| if: needs.build.outputs.release_type == 'production' | |
| runs-on: self-hosted-amd64-1cpu | |
| needs: build | |
| steps: | |
| - name: Import secrets | |
| uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
| id: secrets | |
| with: | |
| exportEnv: true | |
| url: ${{ secrets.VAULT_URL }} | |
| role: ${{ secrets.VAULT_ROLE }} | |
| method: kubernetes | |
| path: kubernetes-ci | |
| secrets: | | |
| kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN ; | |
| kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN_NAME ; | |
| kv-gitlab-ci/data/github/shared/versions-repo-creds host | GITLAB_HOST ; | |
| kv-gitlab-ci/data/github/shared/versions-repo-creds repo | GITLAB_REPO ; | |
| - name: Update package version | |
| env: | |
| COMPONENT_NAME: wallarm-nginx-docker | |
| COMPONENT_VERSION: ${{ github.ref_name }} | |
| run: | | |
| PR_BRANCH="update/${COMPONENT_NAME}/${COMPONENT_VERSION}" | |
| COMMIT_MESSAGE="Bump ${COMPONENT_NAME} version to ${COMPONENT_VERSION}" | |
| GITLAB_REPO_URL="https://${GITLAB_TOKEN_NAME}:${GITLAB_TOKEN}@${GITLAB_HOST}/${GITLAB_REPO}" | |
| git clone ${GITLAB_REPO_URL} | |
| cd packages_versions | |
| git checkout -b ${PR_BRANCH} | |
| git config --local user.name 'project_808_bot' | |
| git config --local user.email 'project808_bot@noreply.${GITLAB_HOST}' | |
| cd packages_versions | |
| cat latest.json | jq -r '.body."'"$COMPONENT_NAME"'" += ["'"$COMPONENT_VERSION"'"]' > latest.new.json | |
| mv latest.new.json latest.json | |
| git add latest.json | |
| git commit -m "${COMMIT_MESSAGE}" | |
| git push ${GITLAB_REPO_URL} ${PR_BRANCH} | |
| glab auth login --hostname ${GITLAB_HOST} --token ${GITLAB_TOKEN} | |
| echo "Creating merge request ..." | |
| glab mr create \ | |
| --fill \ | |
| --yes \ | |
| --label ${COMPONENT_NAME} \ | |
| --source-branch ${PR_BRANCH} \ | |
| --repo https://${GITLAB_HOST}/${GITLAB_REPO} | |
| echo "Approving merge request ..." | |
| glab mr approve \ | |
| ${PR_BRANCH} \ | |
| --repo https://${GITLAB_HOST}/${GITLAB_REPO} | |
| # Sometimes merging is failed without delay | |
| echo "Sleep ..." | |
| sleep 20 | |
| echo "Merging ..." | |
| glab mr merge \ | |
| ${PR_BRANCH} \ | |
| --yes \ | |
| --remove-source-branch \ | |
| --when-pipeline-succeeds=false \ | |
| --repo https://${GITLAB_HOST}/${GITLAB_REPO} | |
| scan: | |
| name: Vulnerability scanner | |
| runs-on: self-hosted-amd64-1cpu | |
| needs: build | |
| steps: | |
| - name: Import secrets | |
| uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
| id: secrets | |
| with: | |
| exportEnv: false | |
| url: ${{ secrets.VAULT_URL }} | |
| role: ${{ secrets.VAULT_ROLE }} | |
| method: kubernetes | |
| path: kubernetes-ci | |
| secrets: | | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; | |
| kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; | |
| - name: Docker Scout | |
| uses: docker/scout-action@v1 | |
| with: | |
| command: cves | |
| image: docker.io/wallarm/node:${{ github.ref_name }} | |
| to: docker.io/wallarm/node:latest | |
| only-severities: critical,high | |
| sarif-file: sarif.output.json | |
| dockerhub-user: ${{ steps.secrets.outputs.DOCKERHUB_USER }} | |
| dockerhub-password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }} | |
| - name: Upload scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: needs.build.outputs.release_type == 'production' | |
| with: | |
| sarif_file: sarif.output.json | |
| token: ${{ github.token }} |