chore(ci): notify via slack when a publishing workflow fails #9
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Run it locally with act | |
# 1. Install act: | |
# `brew install act` | |
# 2. Create a .secret file with the following content: | |
# `GITHUB_TOKEN=your_github_token` | |
# WORKFLOW_DISPATCH | |
# `act workflow_dispatch --container-architecture linux/amd64 -P default=catthehacker/ubuntu:act-latest -W .github/workflows/build-push-supernova-image.yaml` | |
name: Build Supernova ☀️ | |
on: | |
workflow_dispatch: {} | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
push: | |
branches: | |
- main | |
paths: | |
- apps/supernova/CHANGELOG.md | |
env: | |
REGISTRY: ghcr.io | |
IMAGE_NAME: "juno-app-supernova" | |
PACKAGE_PATH: "apps/supernova" | |
jobs: | |
build-and-push: | |
name: Build&Push | |
runs-on: [default] | |
permissions: | |
contents: read | |
packages: write | |
# This is used to complete the identity challenge | |
# with sigstore/fulcio when running outside of PRs. | |
id-token: write | |
steps: | |
# step that fails | |
- name: test failure | |
run: exit 1 | |
# - name: Checkout repository | |
# uses: actions/checkout@v4 | |
# - name: Read version from CHANGELOG.md | |
# id: read_version | |
# working-directory: ${{ env.PACKAGE_PATH }} | |
# run: | | |
# # Extract the first version number that appears after "## " | |
# LAST_VERSION=$(grep -m 1 -oP '(?<=## )\d+\.\d+\.\d+' CHANGELOG.md) | |
# echo "Latest version is $LAST_VERSION" | |
# echo "IMAGE_VERSION=$LAST_VERSION" >> $GITHUB_ENV | |
# # Login against a Docker registry except on PR | |
# # https://github.com/docker/login-action | |
# - name: Log into registry ${{ env.REGISTRY }} | |
# if: github.event_name != 'pull_request' | |
# uses: docker/login-action@v3 | |
# with: | |
# registry: ${{ env.REGISTRY }} | |
# username: ${{ github.actor }} | |
# password: ${{ secrets.GITHUB_TOKEN }} | |
# - name: Pull the latest image and set status | |
# id: check-image | |
# run: | | |
# if docker pull ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_VERSION }}; then | |
# echo "bump=true" >> $GITHUB_OUTPUT | |
# fi | |
# - name: Image needs version bump | |
# if: steps.check-image.outputs.bump == 'true' | |
# run: | | |
# echo "Image ${{ env.IMAGE_NAME }}:${{ env.IMAGE_VERSION }} already exists in the ${{ env.REGISTRY }} registry. Skipping workflow. Please increment the version." | |
# exit 1 | |
# # This action enables you to SIGN and VERIFY container images using cosign | |
# # https://github.com/sigstore/cosign-installer | |
# - name: Install cosign | |
# uses: sigstore/[email protected] | |
# with: | |
# cosign-release: "v2.4.0" | |
# # Add support for more platforms with QEMU (optional) | |
# # QEMU is a generic and open source machine & userspace emulator and virtualizer. | |
# - name: Set up QEMU | |
# uses: docker/setup-qemu-action@v3 | |
# # Set up BuildKit Docker container builder to be able to build MULTI-platform images and export cache | |
# # https://github.com/docker/setup-buildx-action | |
# - name: Set up Docker Buildx | |
# uses: docker/setup-buildx-action@v3 | |
# with: | |
# driver-opts: | | |
# image=moby/buildkit:latest | |
# # Extract metadata (tags, labels) for Docker | |
# # https://github.com/docker/metadata-action | |
# - name: Extract Docker metadata | |
# id: meta | |
# uses: docker/metadata-action@v5 | |
# with: | |
# images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} | |
# tags: | | |
# # Use the version from the VERSION file | |
# type=raw,value=${{ env.IMAGE_VERSION }},prefix= | |
# # Optionally include semver tags | |
# type=semver,pattern={{major}}.{{minor}},prefix= | |
# # Additional Useful Tags | |
# type=raw,value=${{ github.sha }} | |
# type=sha,enable=true,format=short,prefix= | |
# type=edge,branch=master | |
# labels: | | |
# org.opencontainers.image.title=Supernova UI | |
# org.opencontainers.image.description="This image contains a standalone runnable version of the Supernova alternative Alertmanager UI. For configuration options see the README here: https://github.com/cloudoperators/juno/tree/main/apps/supernova/docker" | |
# org.opencontainers.image.url=https://github.com/cloudoperators/juno/tree/main/apps/supernova | |
# org.opencontainers.image.source=https://github.com/cloudoperators/juno/tree/main/apps/supernova | |
# org.opencontainers.image.documentation=https://github.com/cloudoperators/juno/tree/main/apps/supernova | |
# annotations: | | |
# org.opencontainers.image.title=Supernova UI | |
# org.opencontainers.image.description="This image contains a standalone runnable version of the Supernova alternative Alertmanager UI. For configuration options see the README here: https://github.com/cloudoperators/juno/tree/main/apps/supernova/docker" | |
# org.opencontainers.image.url="https://github.com/cloudoperators/juno/tree/main/apps/supernova" | |
# org.opencontainers.image.source="https://github.com/cloudoperators/juno/tree/main/apps/supernova" | |
# org.opencontainers.image.documentation=https://github.com/cloudoperators/juno/tree/main/apps/supernova | |
# # Build and push Docker image with Buildx (don't push on PR) | |
# # https://github.com/docker/build-push-action | |
# - name: Build and push Docker image | |
# id: build-and-push | |
# uses: docker/build-push-action@v6 | |
# with: | |
# context: . | |
# file: ${{ env.PACKAGE_PATH }}/docker/Dockerfile | |
# push: true | |
# # remove untagged images produced for multi platform builds | |
# provenance: false | |
# tags: ${{ steps.meta.outputs.tags }} | |
# labels: ${{ steps.meta.outputs.labels }} | |
# platforms: | | |
# linux/amd64 | |
# linux/arm64 | |
# # This will only write to the public Rekor transparency log when the Docker | |
# # repository is public to avoid leaking data. If you would like to publish | |
# # transparency data even for private images, pass --force to cosign below. | |
# # https://github.com/sigstore/cosign | |
# - name: Sign the published Docker image | |
# env: | |
# # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
# TAGS: ${{ steps.meta.outputs.tags }} | |
# DIGEST: ${{ steps.build-and-push.outputs.digest }} | |
# # This step uses the identity token to provision an ephemeral certificate | |
# # against the sigstore community Fulcio instance. | |
# run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} | |
vulnerability-scan: | |
permissions: | |
contents: read | |
packages: read | |
security-events: write | |
name: Vulnerability Scan | |
needs: build-and-push | |
runs-on: [default] | |
steps: | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
if: success() | |
with: | |
image-ref: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.sha }} | |
ignore-unfixed: true | |
format: "sarif" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL,HIGH" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
if: always() | |
with: | |
sarif_file: trivy-results.sarif | |
notify-on-failure: | |
runs-on: [default] | |
if: failure() # This ensures the job runs only if a failure occurs | |
needs: build-and-push # This ensures the job runs after the 'build' job | |
steps: | |
- name: Send Slack notification on failure | |
uses: ./.github/workflows/shared-slack-notification.yaml | |
with: | |
title: "JUNO Workflow Build Supernova ☀️ Failed 🚨" | |
# add a link to the failed job | |
body: "PR ${GITHUB_HEAD_REF} failed to build the Supernova image. Please check the logs for more information. [Check the logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})" |