release #490
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| repository_dispatch: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - "CONTRIBUTING.md" | |
| - "README.md" | |
| - ".github/**" | |
| - ".gitignore" | |
| - ".pre-commit-config.yaml" | |
| permissions: read-all | |
| env: | |
| PYTHON_VERSION: "3.10" | |
| jobs: | |
| update-checkov: | |
| runs-on: [self-hosted, public, linux, x64] | |
| permissions: | |
| contents: write | |
| outputs: | |
| version: ${{ steps.version.outputs.version }} | |
| major_version: ${{ steps.version.outputs.major_version }} | |
| steps: | |
| - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3 | |
| - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: "pipenv" | |
| cache-dependency-path: "Pipfile.lock" | |
| - name: Get latest checkov version tag | |
| id: version | |
| run: | | |
| version=$(curl -s curl -s https://api.github.com/repos/bridgecrewio/checkov/tags | jq -r '.[0].name') | |
| echo "version=$version" >> "$GITHUB_OUTPUT" | |
| # grab major version for later image tag usage | |
| major_version=$(echo "${version}" | head -c1) | |
| echo "major_version=$major_version" >> "$GITHUB_OUTPUT" | |
| - name: Update checkov dependency | |
| run: | | |
| # install needed tools | |
| python -m pip install --no-cache-dir --upgrade pipenv | |
| # update Pipfile | |
| pipenv --python ${{ env.PYTHON_VERSION }} | |
| pipenv install checkov==${{ steps.version.outputs.version }} | |
| pipenv lock | |
| - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4 | |
| with: | |
| commit_message: Bump checkov version to ${{ steps.version.outputs.version }} [skip ci] | |
| tagging_message: ${{ steps.version.outputs.version }} | |
| publish-image: | |
| needs: update-checkov | |
| runs-on: [self-hosted, public, linux, x64] | |
| environment: release | |
| permissions: | |
| contents: write | |
| packages: write | |
| id-token: write # Enable OIDC | |
| env: | |
| DH_IMAGE_NAME: bridgecrew/whorf | |
| GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }} | |
| FULL_IMAGE_TAG: ${{ needs.update-checkov.outputs.version }} | |
| SHORT_IMAGE_TAG: ${{ needs.update-checkov.outputs.major_version }} | |
| steps: | |
| - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3 | |
| with: | |
| ref: main | |
| - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2 | |
| - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2 # needed for self-hosted builds | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and export image to Docker | |
| # buildx changes the driver to 'docker-container' which doesn't expose the image to the host, | |
| # so it is built and loaded to Docker and in the next step pushed to the registry | |
| uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3 | |
| with: | |
| context: . | |
| no-cache: true | |
| load: true | |
| tags: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }} | |
| - name: Push Docker image | |
| id: docker_push | |
| uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3 | |
| with: | |
| context: . | |
| push: true | |
| tags: | | |
| ${{ env.DH_IMAGE_NAME }}:latest | |
| ${{ env.DH_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }} | |
| ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }} | |
| ${{ env.GHCR_IMAGE_NAME }}:latest | |
| ${{ env.GHCR_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }} | |
| ${{ env.GHCR_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }} | |
| - name: Generate SBOM | |
| continue-on-error: true | |
| uses: bridgecrewio/checkov-action@master # use latest and greatest | |
| with: | |
| api-key: ${{ secrets.BC_API_KEY }} | |
| docker_image: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }} | |
| dockerfile_path: Dockerfile | |
| output_format: cyclonedx_json | |
| output_file_path: cyclonedx.json, | |
| - name: Sign and attest image | |
| run: | | |
| # sign image | |
| cosign sign ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }} | |
| cosign sign -f ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }} | |
| # attest SBOM | |
| cosign attest \ | |
| --type cyclonedx \ | |
| --predicate cyclonedx.json \ | |
| ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }} | |
| cosign attest -f \ | |
| --type cyclonedx \ | |
| --predicate cyclonedx.json \ | |
| ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }} | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 # needed for keyless signing | |
| - name: Update deployment | |
| uses: jacobtomlinson/gha-find-replace@a51bbcd94d000df9ca0fcb54ec8be69aad8374b0 # v3 | |
| with: | |
| find: "image: bridgecrew/whorf@sha256:[a-f0-9]{64}" | |
| replace: "image: ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}" | |
| include: "k8s/deployment.yaml" | |
| - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4 | |
| with: | |
| commit_message: update k8s deployment [skip ci] | |
| file_pattern: k8s/*.yaml |