[DDS-1576] Updated CI service to GHA (#194)

dpc-sdp · Oct 3, 2023 · 0dcdfc6 · 0dcdfc6
1 parent 78e50df
commit 0dcdfc6
Show file tree

Hide file tree

Showing 53 changed files with 337 additions and 754 deletions.
diff --git a/.circleci/scripts/custom-lints.sh b/.circleci/scripts/custom-lints.sh
diff --git a/.circleci/scripts/runclairscan.sh b/.circleci/scripts/runclairscan.sh
diff --git a/.circleci/scripts/tag.sh b/.circleci/scripts/tag.sh
diff --git a/.github/workflows/build-deploy.yml b/.github/workflows/build-deploy.yml
@@ -0,0 +1,59 @@
+name: build-deploy-bay-images
+run-name: Build and deploy Bay images
+on:
+  schedule:
+    - cron: '23 20 * * 0'
+  workflow_dispatch:
+  push:
+    branches:
+      - "build/**"
+
+env:
+  REGISTRY: ghcr.io
+jobs:
+  buildx:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        images: ${{ fromJson(vars.IMAGES) }}
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - uses: actions/checkout@v3
+
+      - name: Login to registry ${{ env.REGISTRY }}
+        uses: docker/[email protected]
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}
+          tags: |
+            type=ref,event=branch
+          labels: |
+            maintainer=Digital Victoria
+            repository=${{ github.repositoryUrl }}
+            org.opencontainers.image.authors=Digital Victoria
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}/tree/${{ github.ref_name }}/images/${{ matrix.images }}/Dockerfile
+            org.opencontainers.image.title=${{ matrix.images }}
+            org.opencontainers.image.description=${{ matrix.images }} image for Bay container platform
+
+      - name: Build and push the images
+        uses: docker/[email protected]
+        with:
+          push: true
+          files: |
+            ./gh-actions-bake.hcl
+            ${{ steps.meta.outputs.bake-file }}
+          # Target the default group - probably unnecessary.
+          targets: ${{ matrix.images }}
diff --git a/.github/workflows/goss-tests.yml b/.github/workflows/goss-tests.yml
@@ -0,0 +1,58 @@
+name: goss-tests
+run-name: Execute Goss tests
+env:
+  REGISTRY: ghcr.io
+on:
+  workflow_run:
+    workflows: ["Build and deploy Bay images"]
+    types: [completed]
+
+jobs:
+  goss-test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        images: ["bay-php_goss"]
+        type:
+          - php
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}
+          tags: |
+            type=ref,event=branch
+
+      - name: Clean ref_name
+        id: sanitise-ref-name
+        run: |
+          echo "SANITISED-REF-NAME=${{ github.ref_name }}" | tr  '/' '-' >> "$GITHUB_OUTPUT"
+
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          push: false
+          context: ./images/bay-php_goss
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+          build-args: |
+            BASE_IMAGE=${{ env.REGISTRY }}/${{ github.repository }}/php-cli:${{ steps.sanitise-ref-name.outputs.SANITISED-REF-NAME }}
+
+      - name: Install Goss
+        uses: e1himself/[email protected]
+
+      - name: Execute Goss tests
+        working-directory: ./tests
+        run: |
+          ls -al .
+          GOSS_FILES_STRATEGY=cp GOSS_FILE=goss.${{ matrix.type }}_goss.yaml bash -c 'dgoss run -i ${{ steps.meta.outputs.tags }}'
diff --git a/.github/workflows/vulnerability-scan-build.yml b/.github/workflows/vulnerability-scan-build.yml
@@ -0,0 +1,32 @@
+name: vulnerability-scan-build
+run-name: CVE vulnerability scan of in-development images.
+env:
+  REGISTRY: ghcr.io
+on:
+  workflow_run:
+    workflows: ["Build and deploy Bay images"]
+    types: [completed]
+
+jobs:
+  vulnerability-scan-build:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        images: ${{ fromJson(vars.IMAGES) }}
+    steps:
+      - name: Clean ref_name
+        id: sanitise-ref-name
+        run: |
+          echo "SANITISED-REF-NAME=${{ github.ref_name }}" | tr  '/' '-' >> "$GITHUB_OUTPUT"
+      - name: Scan for vulnerabilities
+        id: scan
+        uses: crazy-max/ghaction-container-scan@v2
+        with:
+          image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ steps.sanitise-ref-name.outputs.SANITISED-REF-NAME }}
+          dockerfile: ./images/${{ matrix.images }}
+      - name: Upload SARIF file
+        if: ${{ steps.scan.outputs.sarif != '' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/vulnerability-scan-schedule.yml b/.github/workflows/vulnerability-scan-schedule.yml
@@ -0,0 +1,46 @@
+name: vulnerability-scan-schedule
+run-name: Scheduled CVE vulnerability scan of published images.
+env:
+  REGISTRY: ghcr.io
+on:
+  schedule:
+    - cron: '14 0 * * 4'
+jobs:
+  vulnerability-scan-schedule:
+    if: github.event_name == 'schedule'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        images: ${{ fromJson(vars.IMAGES) }}
+        branches: ${{ fromJson(vars.BRANCHES) }}
+        exclude:
+          - images: ci-builder
+            branches: 4.x
+          - images: clamav
+            branches: 4.x
+          - images: elasticsearch
+            branches: 4.x
+          - images: mailhog
+            branches: 4.x
+          - images: mariadb
+            branches: 4.x
+          - images: nginx
+            branches: 4.x
+          - images: php-cli
+            branches: 4.x
+          - images: php-fpm
+            branches: 4.x
+          - images: ripple-static
+            branches: 4.x
+    steps:
+      - name: Scan for vulnerabilities
+        id: scan
+        uses: crazy-max/ghaction-container-scan@v2
+        with:
+          image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{matrix.branches}}
+          dockerfile: ./images/${{ matrix.images }}
+      - name: Upload SARIF file
+        if: ${{ steps.scan.outputs.sarif != '' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
-*/awx-ee/context
+.vscode
+*/awx-ee/context