Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: [VIO-3010] Transition from jenkins to Github Actions #474

Open
wants to merge 12 commits into
base: develop
Choose a base branch
from
Open
47 changes: 47 additions & 0 deletions .github/actions/build-pr-image/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
## Build PR Image Action

This Action provides automation for a Docker builder for a PR. An image is then pushed to a given registry.

## Parameters

### Inputs

* `REGISTRY`: The image registry where the action is pulling from. Images can be found in https://hub.docker.com/?namespace=vaporio
* `BUILDERIMAGE`: A base image containing the build tool chain
* `SLIMIMAGE`: A smaller image for deploys
* `DOCKERFILE`: Name of the Dockerfile. Usually just `Dockerfile`
* `USERNAME`: Login user for the image registry
* `PASSWORD`: Password for image registry
* `IMAGENAME`: Name of the image to push into the registry

### Usage

Since this Action is located in a private repo, a step will checkout this repo with a token so then it can be used
in the next step.

```
# .github/workflows/deploy.yml
name: build
on: ['build']

jobs:
image_build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
repository: vapor-ware/workflows
token: ${{ secrets.VIO_REPO_READ }}
ref: main
path: vapor-ware-workflows # Checkouts directory path name for the next step

- uses: ./vapor-ware-workflows/.github/actions/build-pr-image
with:
REGISTRY: docker.io
BUILDERIMAGE: ubuntu:22.04
SLIMIMAGE: ubuntu:22.04
DOCKERFILE: Dockerfile
USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
IMAGENAME: my_image
```
99 changes: 99 additions & 0 deletions .github/actions/build-pr-image/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
name: build pr image
description: build an image for current pr
inputs:
REGISTRY:
required: true
default: "docker.io"
description: registry to use, defaults to docker.io
ORGANIZATION:
required: true
default: "vaporio"
description: organization name used in image
USERNAME:
required: true
PASSWORD:
required: true
BUILDERIMAGE:
required: true
SLIMIMAGE:
required: false
DOCKERFILE:
required: true
IMAGENAME:
required: true
IMAGETAG:
required: false

outputs:
timestamp:
value: ${{ steps.generate-timestamp.outputs.current-timestamp }}
description: timestamp for use in other actions
tag:
value: ${{ steps.generate-tag.outputs.tag }}
description: image tag for use in other actions, defaults to github.event.number
image-archive:
value: ${{ steps.image-archive.outputs.image-archive }}
description: docker image archive of built image
image:
value: ${{ steps.generate-image.outputs.image }}
description: full base image name

runs:
using: composite
steps:
- name: Log in to docker.io
uses: redhat-actions/[email protected]
with:
registry: ${{ inputs.REGISTRY }}
username: ${{ inputs.USERNAME }}
password: ${{ inputs.PASSWORD }}

- id: generate-image
run: echo "image=$(echo ${{ inputs.REGISTRY }}/${{ inputs.ORGANIZATION }}/${{ inputs.IMAGENAME }})" >> $GITHUB_OUTPUT
shell: bash

- id: generate-timestamp
run: echo "current-timestamp=$(date +%Y-%m-%dT%H:%M:%S)" >> $GITHUB_OUTPUT
shell: bash

- id: generate-tag
run: echo "tag=$(echo pr.${{ inputs.IMAGETAG || github.event.number }})" >> $GITHUB_OUTPUT
shell: bash

- name: Pull builder image
run: podman pull ${{ inputs.BUILDERIMAGE }}
shell: bash

- name: Pull slim image
run: podman pull ${{ inputs.SLIMIMAGE }}
if: ${{ inputs.SLIMIMAGE }}
shell: bash

- name: build image
run: |
podman build . \
-f ${{ inputs.DOCKERFILE }} \
--format docker \
--label org.opencontainers.image.created=${{ steps.generate-timestamp.outputs.timestamp }} \
--label org.opencontainers.image.revision=${{ github.sha }} \
--label org.opencontainers.image.version=${{ github.ref_name }} \
--label io.vapor.image.build.number=${{ github.run_id }} \
--label io.vapor.image.build.ref=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} \
--label io.vapor.image.build.id=${{ github.base_ref }} \
--label io.vapor.image.build.branch=${{ github.event.pull_request.head.ref }} \
-t ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
shell: bash

- name: save image
run: |
podman save --quiet -o ${{ inputs.IMAGENAME }}.tar ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
shell: bash

- id: image-archive
run: echo "image-archive=$(echo docker-archive:${{ inputs.IMAGENAME }}.tar)" >> $GITHUB_OUTPUT
shell: bash

- name: push image
run: |
podman push ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
shell: bash
Empty file.
37 changes: 37 additions & 0 deletions .github/actions/scan-image/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
name: scan image
description: scan a container image for vulnerabilities
inputs:
image:
required: true
description: container image to scan

outputs:
sarif:
value: ${{ steps.output-sarif.outputs.sarif }}
description: results of the container scan in SARIF format

runs:
using: composite
steps:
- name: scan container image
uses: anchore/scan-action@v3
id: scan
with:
image: ${{ inputs.image }}
acs-report-enable: true
fail-build: false
severity-cutoff: high

- id: output-sarif
run: echo "sarif=${{ steps.scan.outputs.sarif }}" >> $GITHUB_OUTPUT
shell: bash

- name: inspect action SARIF report
run: cat ${{ steps.scan.outputs.sarif }}
shell: bash

# TODO: submit sarif report to an API endpoint
# PAT auth to an API that stores sarif reports.
- name: submit SARIF report
run: echo "submitting SARIF report"
shell: bash
30 changes: 30 additions & 0 deletions .github/workflows/build.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: build
on:
pull_request:
branches:
- develop
workflow_dispatch:

jobs:
image_build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- uses: ./.github/actions/build-pr-image
AdamIsrael marked this conversation as resolved.
Show resolved Hide resolved
id: build-env
with:
REGISTRY: docker.io
BUILDERIMAGE: docker.io/library/python:3.9
SLIMIMAGE: docker.io/library/python:3.9-slim
DOCKERFILE: Dockerfile
USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
IMAGENAME: synse-server

- uses: ./.github/actions/scan-image
AdamIsrael marked this conversation as resolved.
Show resolved Hide resolved
id: scan-image
with:
image: ${{ steps.build-env.outputs.image-archive }}
fail-build: false
severity-cutoff: high
26 changes: 26 additions & 0 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
name: release
on:
workflow_run:
workflows: [build]
types:
- completed
push:
branches:
- vio-3010-github-actions
AdamIsrael marked this conversation as resolved.
Show resolved Hide resolved
# tags:
# - 'v*'

jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
-
name: Update Helm Chart
uses: vapor-ware/chart-releaser-action@v1
env:
GITHUB_TOKEN: ${{ secrets.VIO_PUBLIC_REPO }}
with:
args: update --diff --debug --dry-run
18 changes: 0 additions & 18 deletions .jenkins

This file was deleted.