Build Image #18
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Image | |
| permissions: | |
| contents: read | |
| id-token: write | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| fail_on_trivy_scan: | |
| type: boolean | |
| description: fail the build if vulnerabilities are found | |
| required: true | |
| default: false | |
| jobs: | |
| build: | |
| name: Build Image | |
| runs-on: ubuntu-latest | |
| env: | |
| ECR_REPOSITORY: bento-frontend | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v2 | |
| - name: Set Image Tag | |
| run: | | |
| # Get all tags for the repo and find the latest tag for the branch being built | |
| git fetch --tags --force --quiet | |
| tag=$(git tag -l $GITHUB_REF_NAME* | tail -1 | cut -d "-" -f2-) | |
| if [ ! -z "$tag" ]; | |
| then | |
| # Increment the build number if a tag is found | |
| build_num=$(echo "${tag##*.}") | |
| build_num=$((build_num+1)) | |
| echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV | |
| else | |
| # If no tag is found create a new tag name | |
| build_num=1 | |
| echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV | |
| fi | |
| - name: Build | |
| run: | | |
| docker build -t $ECR_REPOSITORY:$IMAGE_TAG . | |
| - name: Set Trivy exit code | |
| run: | | |
| if [[ ${{ inputs.fail_on_trivy_scan }} == true ]]; | |
| then | |
| echo 'TRIVY_EXIT_CODE=1' >> $GITHUB_ENV | |
| else | |
| echo 'TRIVY_EXIT_CODE=0' >> $GITHUB_ENV | |
| fi | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: '${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}' | |
| format: 'table' | |
| exit-code: '${{ env.TRIVY_EXIT_CODE }}' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| - name: AWS OIDC Authentication | |
| id: auth | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| role-session-name: ${{ github.actor }} | |
| - name: Login to Amazon ECR | |
| id: login-aws-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| - name: Push to Amazon ECR | |
| env: | |
| ECR_REGISTRY: ${{ steps.login-aws-ecr.outputs.registry }} | |
| run: | | |
| docker tag $ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | |
| docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | |
| - uses: act10ns/slack@v1 | |
| with: | |
| status: ${{ job.status }} | |
| steps: ${{ toJson(steps) }} | |
| if: always() |