diff --git a/.github/workflows/check-build.yml b/.github/workflows/check-build.yml
new file mode 100644
index 00000000..4cda9fc7
--- /dev/null
+++ b/.github/workflows/check-build.yml
@@ -0,0 +1,38 @@
+name: Confirm successful image build
+on:
+  pull_request:
+    branches-ignore:
+      - master
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v1
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: eu-west-1
+          role-to-assume: arn:aws:iam::486229364833:role/allow_ecr_push_pull_access
+          role-duration-seconds: 1200
+
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Build
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: ssosync
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}" -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest" .
+          docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
+          docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest"
+      - name: Logout of Amazon ECR
+        if: always()
+        run: docker logout ${{ steps.login-ecr.outputs.registry }}
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
new file mode 100644
index 00000000..a2fd1352
--- /dev/null
+++ b/.github/workflows/linter.yml
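Review bot: The Build step pushes both the `${IMAGE_TAG}` and `:latest` tags to the `ssosync` ECR repository from a `pull_request` trigger, so any same-repo branch PR overwrites the `:latest` that main.yml publishes from master before the change is reviewed; a build-confirmation check should stop after `docker build`, so the two `docker push` lines should be dropped (or at most push the sha tag to a separate scratch repository). Both here and in main.yml the role is assumed with long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` repository secrets; the v1 line of configure-aws-credentials supports GitHub OIDC federation, which replaces the static keys with a `permissions: id-token: write` grant and `role-to-assume` alone, and a `permissions: contents: read` block would also stop the job's `GITHUB_TOKEN` inheriting the repository's default write scopes. All four workflows reference actions by mutable tags (`actions/checkout@v1`, `aws-actions/amazon-ecr-login@v1`, `reviewdog/action-actionlint@v1.22.0`, `docker://ghcr.io/github/super-linter:slim-v4`); pinning to a commit SHA (or image digest) keeps an upstream tag move from changing what runs with these credentials. `actions/checkout@v1` is additionally a deprecated node12 release and should move to a current major alongside the pin.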
@@ -0,0 +1,53 @@
+---
+###########################
+###########################
+## Linter GitHub Actions ##
+###########################
+###########################
+name: Lint Code Base
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on:
+  push:
+    branches-ignore: [master]
+    # Remove the line above to run when pushing to master
+
+###############
+# Set the Job #
+###############
+jobs:
+  build:
+    # Name the Job
+    name: Lint Code Base
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    ##################
+    # Load all steps #
+    ##################
+    steps:
+      ##########################
+      # Checkout the code base #
+      ##########################
+      - name: Checkout Code
+        uses: actions/checkout@v2
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+
+      ################################
+      # Run Linter against code base #
+      ################################
+      - name: Lint Code Base
+        uses: docker://ghcr.io/github/super-linter:slim-v4
+        env:
+          VALIDATE_ALL_CODEBASE: false
+          DEFAULT_BRANCH: master
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..15e487e8
--- /dev/null
+++ b/.github/workflows/main.yml
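Review bot: The job hands `GITHUB_TOKEN` to super-linter but declares no `permissions:` block, so on every push the token carries whatever default scopes the repository grants rather than the minimum the linter uses (super-linter's README lists the scopes it needs; `contents: read` plus `statuses: write` for the commit status it sets is the usual set — confirm against the v4 documentation). The linter image is also resolved at run time through the floating `slim-v4` tag, so the code that lints every push can change underneath this workflow; pinning by digest, `uses: docker://ghcr.io/github/super-linter@sha256:<digest of the slim-v4 image, taken from the registry>`, fixes what is executed. Minor: this is the only one of the four workflows that starts with `---` and uses the flow-style `[master]` list — pick one convention across the directory.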
@@ -0,0 +1,40 @@
+name: Build and push SSOSync image to ECR
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v1
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: eu-west-1
+          role-to-assume: arn:aws:iam::486229364833:role/allow_ecr_push_pull_access
+          role-duration-seconds: 1200
+
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Build, tag, and push image to Amazon ECR
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: ssosync
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}" -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest" .
+          docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
+          docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest"
+      - name: Logout of Amazon ECR
+        if: always()
+        run: docker logout ${{ steps.login-ecr.outputs.registry }}
+
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
new file mode 100644
index 00000000..cc34363a
--- /dev/null
+++ b/.github/workflows/reviewdog.yml
@@ -0,0 +1,13 @@
+name: reviewdog
+on: [pull_request]
+jobs:
+  actionlint:
+    name: runner / actionlint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: actionlint
+        uses: reviewdog/action-actionlint@v1.22.0
+        with:
+          fail_on_error: true
+          reporter: github-pr-review
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..b053733d
--- /dev/null
+++ b/Dockerfile
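Review bot: `reporter: github-pr-review` posts review comments through the job token, but the workflow declares no `permissions:`, so the reporter depends on the repository's default token scopes, and on a pull request from a fork (where `on: [pull_request]` yields a read-only token) the write fails and `fail_on_error: true` turns every finding into a failed run with no inline feedback. Declaring `permissions:` with `contents: read` and `pull-requests: write` at the top of the file makes the requirement explicit for same-repo PRs; fork PRs would still need a reporter that does not write to the PR (e.g. `github-check` is also token-scoped, so confirm in reviewdog's documentation which reporter suits read-only tokens). This hunk is the whole file.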
@@ -0,0 +1,21 @@
+FROM alpine:3.17.2
+
+ARG SSOSYNC_VERSION=v2.0.2
+
+# Install awscli and jq
+RUN apk add --no-cache aws-cli=1.25.97-r0 jq=1.6-r2 && \
+    rm -rf /var/cache/apk/
+
+# Download SSOSync binary
+RUN mkdir -p downloads && \
+    wget -q https://github.com/awslabs/ssosync/releases/download/${SSOSYNC_VERSION}/ssosync_Linux_x86_64.tar.gz -P downloads/ && \
+    tar xzvf downloads/ssosync_Linux_x86_64.tar.gz -C downloads/ && \
+    mv downloads/ssosync /usr/local/bin/ && \
+    rm -rf downloads
+
+# Copy over custom scripts and ensure scripts are exectutable
+COPY bin/* /usr/local/bin/
+RUN chmod +x /usr/local/bin/*
+
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh
new file mode 100755
index 00000000..0de980b6
--- /dev/null
+++ b/bin/entrypoint.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+# shellcheck shell=sh
+# https://github.com/koalaman/shellcheck/wiki/SC1008
+set -e
+
+# Load Google secrets at runtime.
+# Stored with the command `aws secretsmanager create-secret --name "ops/ssosync/googlecredentials" --secret-binary $(base64 -i credentials.json)`
+aws secretsmanager get-secret-value --region "eu-west-1" --secret-id "ops/ssosync/googlecredentials" --output "json" | jq -r ".SecretBinary" | base64 -d > credentials.json
+
+# Run SSO Sync, the rest of the config is pulled in through environment variables.
+/usr/local/bin/ssosync
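Review bot: The ssosync tarball is fetched with `wget` and unpacked with no integrity check, so the image trusts whatever the release download returns for `${SSOSYNC_VERSION}`; record the expected digest in the Dockerfile and verify before the `tar` step, e.g. `echo "<sha256 of ssosync_Linux_x86_64.tar.gz for v2.0.2>  downloads/ssosync_Linux_x86_64.tar.gz" | sha256sum -c -` (obtain the value from the release's published checksum file, if one exists, rather than from a fresh download). The image also sets no `USER` and no `WORKDIR`, so entrypoint.sh runs as root and writes the decoded Google credentials to `/credentials.json`; add a dedicated unprivileged user and a `WORKDIR` that user owns. `rm -rf /var/cache/apk/` is redundant after `apk add --no-cache`, and the comment typo `exectutable` should read `executable`.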
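Review bot: `set -e` does not protect the secret fetch on the `aws secretsmanager get-secret-value` line: under `/bin/sh` only the exit status of the final `base64 -d` in the pipeline is checked, so if the AWS call fails (expired role, wrong region, missing secret) or `jq` yields `null`, the script continues and starts ssosync with an empty or bogus `credentials.json`. Splitting the pipeline into command substitutions lets `set -e` see each failure, and `jq -e` turns a `null` `.SecretBinary` into a non-zero exit. The decoded credentials are also written with the default umask into the working directory; a `umask 077` beforehand keeps the file owner-only. This hunk is the whole file.

```sh
set -e
umask 077

# Load Google secrets at runtime.
# … unchanged: create-secret comment …
secret_json="$(aws secretsmanager get-secret-value --region "eu-west-1" --secret-id "ops/ssosync/googlecredentials" --output "json")"
secret_b64="$(printf '%s' "$secret_json" | jq -er '.SecretBinary')"
printf '%s' "$secret_b64" | base64 -d > credentials.json

# … unchanged: ssosync invocation …
```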