Skip to content

Update .github-ci.yaml #61

Update .github-ci.yaml

Update .github-ci.yaml #61

Workflow file for this run

name: Build, Test, and Deploy Docker Image
on:
push:
branches: [eoepca-beta01]
jobs:
build:
runs-on: ubuntu-latest
steps:
# Step 1: Checkout repository
- uses: actions/checkout@v4
# Step 2: Install Trivy
- name: Install Trivy
run: |
sudo apt-get update -y
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update -y
sudo apt-get install -y trivy
# Step 3: Read image name
- name: Read docker name
id: yaml-docker-name
uses: jbutcher5/read-yaml@main
with:
file: 'build.yml'
key-path: '["docker_image_name"]'
# Step 4: Read image version
- name: Read docker version
id: yaml-docker-version
uses: jbutcher5/read-yaml@main
with:
file: 'build.yml'
key-path: '["docker_image_version"]'
# Step 5: Generate Docker tag
- name: Generate docker tag
env:
GITHUB_BRANCH: ${{ github.ref }}
docker_image_name: ${{ steps.yaml-docker-name.outputs.data }}
docker_image_version: ${{ steps.yaml-docker-version.outputs.data }}
run: |
branch_name=${GITHUB_BRANCH#refs/heads/}
echo "branch_name=${GITHUB_BRANCH#refs/heads/}" >> $GITHUB_ENV
if [[ "$branch_name" = "main" ]]
then
mType=""
else
mType="dev"
fi
echo "docker_tag=$docker_image_name:$docker_image_version" >> $GITHUB_ENV
echo "docker_tag_latest=$docker_image_name:latest" >> $GITHUB_ENV
docker_image_application=(${docker_image_name#*/})
echo "docker_image_application=$docker_image_application" >> $GITHUB_ENV
echo "docker_image_version=$docker_image_version" >> $GITHUB_ENV
# Step 6: Build Docker image to inspect it with Trivy
- name: Build Docker image
run: |
tag="${docker_image_application}:${docker_image_version}"
echo "${{ secrets.CR_PASSWORD }}" | docker login -u "${{ secrets.CR_USERNAME }}" --password-stdin "${{ secrets.CR_REGISTRY }}"
docker build -t "${{ secrets.CR_REGISTRY }}/${{ secrets.CR_REPO }}"/"${tag}" --file Dockerfile .
# Step 7: Save Docker image as tar.gz
- name: Save Docker Image as tar.gz
run: |
tag="${docker_image_application}:${docker_image_version}"
docker save "${{ secrets.CR_REGISTRY }}/${{ secrets.CR_REPO }}/${tag}" -o "${docker_image_application}_${docker_image_version}.tar"
tar -czf "${docker_image_application}_${docker_image_version}.tar.gz" "${docker_image_application}_${docker_image_version}.tar"
# Step 8: Upload Docker Image tar.gz as an artifact
- name: Upload Docker Image Artifact
uses: actions/upload-artifact@v3
with:
name: docker-image-tar
path: ${{ env.docker_image_application }}_${{ env.docker_image_version }}.tar.gz
# Step 9: Scan Docker Image with Trivy
- name: Scan Docker Image with Trivy
run: |
tag="${docker_image_application}:${docker_image_version}"
echo "${{ secrets.CR_PASSWORD }}" | docker login -u "${{ secrets.CR_USERNAME }}" --password-stdin "${{ secrets.CR_REGISTRY }}"
# trivy image --no-progress --exit-code 1 --severity HIGH,CRITICAL,UNKNOWN --format table "${{ secrets.CR_REGISTRY }}/${{ secrets.CR_REPO }}/${tag}"
trivy image --no-progress --exit-code 1 --severity MEDIUM --format table "${{ secrets.CR_REGISTRY }}/${{ secrets.CR_REPO }}/${tag}"
# Step 10: Login Docker Hub
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
# Step 11: Build and push to Docker Hub
- name: Build and push to Docker Hub
uses: docker/build-push-action@v4
with:
context: .
push: true
no-cache: true
tags: |
${{ env.docker_tag }}
${{ env.docker_tag_latest }}
deploy:
needs: build
runs-on: ubuntu-latest
steps:
# Step 1: Checkout repository
- uses: actions/checkout@v4
# Step 2: Read image name
- name: Read docker name
id: yaml-docker-name
uses: jbutcher5/read-yaml@main
with:
file: 'build.yml'
key-path: '["docker_image_name"]'
# Step 3: Read image version
- name: Read docker version
id: yaml-docker-version
uses: jbutcher5/read-yaml@main
with:
file: 'build.yml'
key-path: '["docker_image_version"]'
# Step 4: Generate Docker tag
- name: Generate docker tag
env:
GITHUB_BRANCH: ${{ github.ref }}
docker_image_name: ${{ steps.yaml-docker-name.outputs.data }}
docker_image_version: ${{ steps.yaml-docker-version.outputs.data }}
run: |
branch_name=${GITHUB_BRANCH#refs/heads/}
echo "branch_name=${GITHUB_BRANCH#refs/heads/}" >> $GITHUB_ENV
echo "docker_tag=$docker_image_name:$docker_image_version" >> $GITHUB_ENV
echo "docker_tag_latest=$docker_image_name:latest" >> $GITHUB_ENV
docker_image_application=(${docker_image_name#*/})
echo "docker_image_application=$docker_image_application" >> $GITHUB_ENV
echo "docker_image_version=$docker_image_version" >> $GITHUB_ENV
# Step 5: Download Docker Image tar.gz Artifact
- name: Download Docker Image Artifact
uses: actions/download-artifact@v3
with:
name: docker-image-tar
# Step 6: Extract the Docker Image tar.gz
- name: Extract Docker Image tar.gz
run: |
tar -xzf "${docker_image_application}_${docker_image_version}.tar.gz"
# Step 7: Load Docker Image
- name: Load Docker Image
run: |
docker load -i "${docker_image_application}_${docker_image_version}.tar"
# Step 8: Log in to Docker Registry (use GitHub secrets for security)
- name: Login to Docker Registry
run: |
echo "${{ secrets.CR_PASSWORD }}" | docker login -u "${{ secrets.CR_USERNAME }}" --password-stdin "${{ secrets.CR_REGISTRY }}"
# Step 9: Push Docker Image to Registry
- name: Push Docker Image to Registry
run: |
tag="${docker_image_application}:${docker_image_version}"
docker push "${{ secrets.CR_REGISTRY }}"/"${{ secrets.CR_REPO }}"/"${tag}"