[Snyk] Fix for 11 vulnerabilities #2911
name: Docker Image CI | |
on: | |
pull_request: | |
branches: | |
- master | |
- acceptance | |
- staging | |
- development | |
- feature-soap | |
push: | |
branches: | |
- master | |
- acceptance | |
- staging | |
- development | |
- feature-admin | |
- feature-soap | |
- feature-soap-extra | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v1 | |
- uses: actions/setup-node@v1 | |
- name: Export release code | |
if: (success() || failure()) | |
id: releasecode #version number in a more comprehensible format: 0.1.YearMonthDay in UTC | |
run: | | |
export VERSION=$(grep APP_VERSION= .env | cut -d '=' -f2) | |
export RELEASE=$VERSION.$(date --utc +%y%m%d) | |
echo "RELEASE=$RELEASE" >> $GITHUB_ENV | |
echo "##[set-output name=releasename]$RELEASE" | |
- name: Setting APP_NAME | |
run: | | |
export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) | |
echo "APP_NAME=$NAME" >> $GITHUB_ENV | |
- name: Print app name | |
run: echo "APP_NAME = $APP_NAME" | |
- name: Setting APP_ENV to dev | |
run: | | |
echo "APP_ENV=dev">> $GITHUB_ENV | |
echo "APP_BUILD=dev-$RELEASE">> $GITHUB_ENV | |
echo "set APP_ENV to $APP_ENV" | |
- name: Setting APP_ENV to prod | |
if: contains( github.ref, 'master' ) || contains( github.base_ref, 'master' ) | |
run: | | |
echo "APP_ENV=latest">> $GITHUB_ENV | |
echo "APP_BUILD=$RELEASE">> $GITHUB_ENV | |
echo "set APP_ENV to $APP_ENV" | |
- name: Setting APP_ENV to stag | |
if: contains( github.ref, 'staging' ) || contains( github.base_ref, 'staging' ) | |
run: | | |
echo "APP_ENV=stag">> $GITHUB_ENV | |
echo "APP_BUILD=stag-$RELEASE">> $GITHUB_ENV | |
echo "set APP_ENV to $APP_ENV" | |
- name: Setting APP_ENV to acc | |
if: contains( github.ref, 'acceptance' ) || contains( github.base_ref, 'acceptance' ) | |
run: | | |
echo "APP_ENV=prod">> $GITHUB_ENV | |
echo "APP_BUILD=acc-$RELEASE">> $GITHUB_ENV | |
echo "set APP_ENV to $APP_ENV" | |
- name: Setting APP_ENV to admin | |
if: contains( github.ref, 'feature-admin' ) || contains( github.base_ref, 'feature-admin' ) | |
run: | | |
echo "APP_ENV=admin">> $GITHUB_ENV | |
echo "APP_BUILD=admin-$RELEASE">> $GITHUB_ENV | |
echo "set APP_ENV to $APP_ENV" | |
- name: Setting APP_ENV to soap | |
if: contains( github.ref, 'feature-soap' ) || contains( github.base_ref, 'feature-soap' ) | |
run: | | |
echo "APP_ENV=soap">> $GITHUB_ENV | |
echo "APP_BUILD=soap-$RELEASE">> $GITHUB_ENV | |
echo "set APP_ENV to $APP_ENV" | |
- name: Setting APP_ENV to soap-extensions | |
if: contains( github.ref, 'feature-soap-extra' ) || contains( github.base_ref, 'feature-soap-extra' ) | |
run: | | |
echo "APP_ENV=soapextensions">> $GITHUB_ENV | |
echo "APP_BUILD=soapextensions-$RELEASE">> $GITHUB_ENV | |
echo "set APP_ENV to $APP_ENV" | |
- name: Print definitive APP_ENV | |
run: echo "APP_ENV is now $APP_ENV and APP_BUILD is now $APP_BUILD" | |
- name: Build the Docker image | |
run: docker-compose build --build-arg APP_ENV=$APP_ENV --build-arg APP_BUILD=$APP_BUILD --build-arg APP_BUILD_ALL_FIXTURES=true | |
- name: Run the docker image | |
run: docker-compose up -d | |
- name: Taking some sleep (for containers to come up) | |
run: sleep 20 | |
- name: Check if all containers are running | |
run: docker ps | |
- name: Dumping the logs | |
run: docker-compose logs | |
- name: Database Update | |
run: docker-compose exec -T php bin/console doctrine:schema:update --force | |
#- name: Taking some more sleep (for database to be updated) | |
# run: sleep 20 | |
#- name: Database Check | |
# run: docker-compose exec -T php bin/console doctrine:schema:validate | |
#- name: Security Checks | |
# run: | | |
# curl -L -sS --output local-php-security-checker https://github.com/fabpot/local-php-security-checker/releases/download/v1.0.0/local-php-security-checker_1.0.0_linux_amd64 | |
# chmod +x ./local-php-security-checker | |
# ./local-php-security-checker --path ./api/composer.lock | |
#- name: Run Postman Tests | |
# if: contains( github.ref, 'master' ) == false && contains( github.base_ref, 'master' ) == false | |
# run: newman run api/public/schema/*.postman_collection.json | |
- name: Add docker tags | |
run: | | |
images=$(docker-compose images -q | xargs docker inspect --format='{{ index .RepoTags 0}}' | cut -d':' -f1 | grep $APP_NAME) | |
for image in $images | |
do | |
docker tag "${image}":${APP_ENV} "${image}":"${APP_BUILD}" | |
done | |
echo 'IMAGES=$images' >> $GITHUB_ENV | |
- name: Show all images | |
run: docker images | |
- name: Login to Container Registry | |
id: containerregistry-login | |
run: | | |
if [ "${{ secrets.GITHUB_TOKEN }}" != "" ]; then | |
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u $(cut -d'/' -f1 <<< $GITHUB_REPOSITORY) --password-stdin | |
echo "##[set-output name=success;]true" | |
else | |
echo "##[set-output name=success;]false" | |
fi | |
- if: steps.containerregistry-login.outputs.success == 'true' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/acceptance' || github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/development' || github.ref == 'refs/heads/feature-admin' || github.ref == 'refs/heads/feature-soap' || github.ref == 'refs/heads/feature-soap-extra') | |
name: Push to Container Registry | |
run: docker-compose push | |
- if: steps.containerregistry-login.outputs.success == 'true' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/acceptance' || github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/development' || github.ref == 'refs/heads/feature-admin'|| github.ref == 'refs/heads/feature-soap' || github.ref == 'refs/heads/feature-soap-extra') | |
name: Push versioned containers to Container Registry | |
run: | | |
images=$(docker-compose images -q | xargs docker inspect --format='{{ index .RepoTags 0}}' | cut -d':' -f1 | grep $APP_NAME) | |
for image in $images | |
do | |
docker push "${image}":"${APP_BUILD}" | |
done | |
- name: Create kube config | |
id: kubeconfig | |
if: contains( github.ref, 'development' ) | |
run: | | |
if [ "${{ secrets.KUBECONFIG }}" != "" ]; then | |
printf "${{ secrets.KUBECONFIG }}" > kubeconfig.yaml | |
echo "##[set-output name=success]true" | |
else | |
echo "##[set-output name=success]false" | |
fi | |
# - name: Export release code | |
# if: (success() || failure()) | |
# id: releasecode | |
# run: | | |
# export RELEASE=$APP_BUILD-$(git rev-parse --short $GITHUB_SHA) | |
# echo "##[set-output name=releasename]$RELEASE" | |
- name: Print release name | |
if: (success() || failure()) | |
run: echo $RELEASENAME | |
env: | |
RELEASENAME: ${{ steps.releasecode.outputs.releasename }} | |
- name: Create Release | |
if: contains( github.ref, 'master' ) && steps.kubeconfig.outputs.success == 'true' && ( success() || failure() ) | |
id: create_release | |
uses: actions/create-release@v1 | |
continue-on-error: true | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token | |
with: | |
tag_name: ${{ steps.releasecode.outputs.releasename }} | |
release_name: ${{ steps.releasecode.outputs.releasename }} | |
draft: false | |
prerelease: false | |
- name: Chores | |
if: (success() || failure()) | |
run: docker-compose down |
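Review bot: Secrets are spliced into the shell scripts as template text at L122-123 (`echo ${{ secrets.GITHUB_TOKEN }} | docker login …`) and L143-144 (`printf "${{ secrets.KUBECONFIG }}" > kubeconfig.yaml`), so the secret's content is parsed by the shell rather than passed as data — and in the printf case it is also the format string, so any `%` inside the kubeconfig is interpreted. Both steps should receive the secret through the step's `env:` and reference it as a quoted variable (`printf '%s' "$KUBECONFIG_DATA" > kubeconfig.yaml`, `echo "$REGISTRY_TOKEN" | docker login … --password-stdin`); the rewritten kubeconfig step is below. The same steps still emit `##[set-output …]` (also L35, L124, L126), which is the deprecated workflow-command form; `echo "success=true" >> "$GITHUB_OUTPUT"` is the current equivalent. Separately, the "Setting APP_ENV to acc" step writes `APP_ENV=prod` at L62 while its APP_BUILD uses `acc-`, so either the name or the value looks wrong and is worth confirming. At L116 `echo 'IMAGES=$images' >> $GITHUB_ENV` is single-quoted and stores the literal text `$images`; it should be `echo "IMAGES=$images" >> "$GITHUB_ENV"` if a later step is meant to read it.

```yaml
- name: Create kube config
  id: kubeconfig
  if: contains( github.ref, 'development' )
  env:
    KUBECONFIG_DATA: ${{ secrets.KUBECONFIG }}
  run: |
    if [ -n "$KUBECONFIG_DATA" ]; then
      printf '%s' "$KUBECONFIG_DATA" > kubeconfig.yaml
      echo "success=true" >> "$GITHUB_OUTPUT"
    else
      echo "success=false" >> "$GITHUB_OUTPUT"
    fi
```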