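# Continuous delivery workflow: on every published GitHub release, validate the
# release tag, build and push the container image, then notify the deployment
# repository so it can roll out the new version.
name: CD

on:
  release:
    # trigger only on new release
    types: [published]

# Least privilege for the default GITHUB_TOKEN: the jobs below only check out
# code; Docker Hub and the deployment repo are reached with dedicated secrets.
permissions:
  contents: read

jobs:
  verify_version:
    runs-on: ubuntu-latest
    outputs:
      # export to be used in other jobs
      version: ${{ steps.get_version_tag.outputs.version }}
    steps:
      - uses: actions/checkout@v3
        name: Check out code

      # NOTE(review): no step in this workflow runs Python; this setup step
      # looks unused — confirm before removing it.
      - uses: actions/setup-python@v4
        name: Set up Python 3.9
        with:
          python-version: "3.9"

      - id: get_version_tag
        name: Get version tag
        run: |
          # GITHUB_REF is refs/tags/<tag> for a release event; keep the tag only.
          TAG_VER="${GITHUB_REF##*/}"
          # set as output:
          echo "version: ${TAG_VER}"
          echo "version=${TAG_VER}" >> "$GITHUB_OUTPUT"

      - id: verify_semantic_tag_format
        name: Verify tag format
        # format must be compatible with semantic versioning
        # The tag is handed to the script through the environment instead of
        # being interpolated with ${{ }}, so it is always a plain string to bash.
        env:
          TAG_VER: ${{ steps.get_version_tag.outputs.version }}
        run: |
          # grep -E is POSIX ERE, which has no (?:...) non-capturing groups;
          # GNU grep appears to treat the '?' as a no-op and the ':' as a literal,
          # so pre-release/build tags like 1.2.3-rc.1 would not match. Plain
          # groups express the same semver grammar portably.
          SEMVER_REGEX='^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(\+([0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*))?$'
          if printf '%s\n' "$TAG_VER" | grep -Eq "$SEMVER_REGEX"; then
            echo "Tag format is valid"
          else
            echo "Invalid tag format: ${TAG_VER}"
            exit 1
          fi

      - id: verify_package_version
        name: Verify package version vs tag version
        # package version must be same with tag version
        env:
          TAG_VER: ${{ steps.get_version_tag.outputs.version }}
        run: |
          PKG_VER="$(jq -r .version package.json)"
          echo "Package version is $PKG_VER" >&2
          echo "Tag version is ${TAG_VER}" >&2
          if [ "$PKG_VER" != "$TAG_VER" ]; then
            echo "Package version and tag name mismatch." >&2
            exit 1
          fi

  push_to_docker_hub:
    runs-on: ubuntu-latest
    needs: verify_version
    steps:
      - uses: actions/checkout@v3
        name: Check out code

      - uses: docker/setup-qemu-action@v2
        name: Set up QEMU

      - uses: docker/setup-buildx-action@v2
        name: Set up Docker Buildx

      - uses: docker/login-action@v2
        name: Login to DockerHub
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - uses: docker/build-push-action@v4
        name: Build and push
        id: docker_build
        with:
          push: true
          platforms: linux/amd64,linux/arm64
          tags: "ghga/${{ github.event.repository.name }}:${{ needs.verify_version.outputs.version }}"

      - name: Run Trivy vulnerability scanner
        # NOTE(review): '@master' is a mutable ref running in a job that holds
        # registry credentials; pin to a release tag or commit SHA so the
        # scanner cannot change under the workflow. The scan runs after the push
        # and exit-code "0" makes it informational only: findings are printed
        # but never block the release.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "docker.io/ghga/${{ github.event.repository.name }}:${{ needs.verify_version.outputs.version }}"
          format: "table"
          exit-code: "0"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"

      - name: Image digest
        env:
          IMAGE_DIGEST: ${{ steps.docker_build.outputs.digest }}
        run: echo "$IMAGE_DIGEST"

  # Please uncomment and adapt the DEPLOYMENT_CONFIG_REPO to trigger automatic
  # updates of helm charts:
  update_deployment_repo:
    runs-on: ubuntu-latest
    needs:
      - verify_version
      - push_to_docker_hub
    env:
      DEPLOYMENT_CONFIG_REPO: ghga-de/helm
    steps:
      - name: trigger update in deployment repo
        env:
          # access token needs to be of format: <username>:<personal_access_token>
          # Read from the environment so the secret is never written into the
          # script text (and a quote character in it cannot break the command).
          DEPLOYMENT_UPDATE_TOKEN: ${{ secrets.DEPLOYMENT_UPDATE_TOKEN }}
          APP_NAME: ${{ github.event.repository.name }}
          APP_VERSION: ${{ needs.verify_version.outputs.version }}
        run: |
          # Build the payload with jq so every value is JSON-escaped instead of
          # being spliced into a hand-written JSON literal.
          PAYLOAD="$(jq -n \
            --arg app "$APP_NAME" \
            --arg ver "$APP_VERSION" \
            '{event_type: "new_app_version",
              client_payload: {deploy_filename: $app, app_name: $app,
                               context: $ver, new_image_tag: $ver}}')"
          # --fail turns an HTTP error status into a failed step; without it
          # curl exits 0 on 4xx/5xx and a rejected dispatch would go unnoticed.
          curl --fail --silent --show-error -X POST \
            "https://api.github.com/repos/${DEPLOYMENT_CONFIG_REPO}/dispatches" \
            -H 'Accept: application/vnd.github.everest-preview+json' \
            -u "${DEPLOYMENT_UPDATE_TOKEN}" \
            --data "$PAYLOAD"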