Showing
13 changed files
with
493 additions
and
302 deletions.
|
@@ -4,6 +4,11 @@ on: | |
push: | ||
pull_request: | ||
|
||
env: | ||
# Set to true to push images to DockerHub | ||
# NB: images are public unless you configure DockerHub repo properly | ||
DOCKERHUB_PUSH: 1 | ||
|
||
jobs: | ||
setup: | ||
runs-on: ubuntu-latest | ||
|
@@ -70,12 +75,14 @@ jobs: | |
|
||
build-and-push: | ||
name: Build and push docker Image | ||
needs: setup | ||
needs: | ||
- setup | ||
|
||
strategy: | ||
matrix: | ||
service: | ||
- 'trellisfw/ainz' | ||
# Assume repo slug is the service slug? | ||
- ${{ github.repository }} | ||
context: | ||
- '.' | ||
|
||
|
@@ -86,7 +93,7 @@ jobs: | |
uses: actions/[email protected] | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v1.1.0 | ||
uses: docker/setup-qemu-action@v1.2.0 | ||
|
||
- name: Set up Docker Buildx | ||
id: buildx | ||
|
@@ -102,36 +109,52 @@ jobs: | |
|
||
- name: Cache docker layers | ||
if: ${{ !env.ACT }} # Awaiting ACT version after 0.2.17 for this feature | ||
uses: actions/[email protected].5 | ||
uses: actions/[email protected].6 | ||
id: cache | ||
with: | ||
path: /tmp/.buildx-cache | ||
#key: ${{ runner.os }}-buildx-${{ matrix.service }}-${{ github.sha }} | ||
# Don't separate cache by service etc. | ||
key: ${{ runner.os }}-buildx | ||
key: ${{ runner.os }}-buildx-${{ matrix.service }}-${{ github.sha }} | ||
restore-keys: | | ||
${{ runner.os }}-buildx-${{ matrix.service }} | ||
${{ runner.os }}-buildx-${{ matrix.service }}- | ||
${{ runner.os }}-buildx- | ||
- name: Prepare Tags | ||
id: prepare | ||
# TODO: Clean up this monstrosity... one day... | ||
run: | | ||
DOCKER_IMAGE=${{ matrix.service }} | ||
# Nameo on DockerHub (Doesn't like upper case) | ||
DOCKER_IMAGE=$(echo ${{ matrix.service }} | tr '[:upper:]' '[:lower:]') | ||
# Name on GHCR | ||
GHCR_IMAGE=ghcr.io/${DOCKER_IMAGE} | ||
# Allow overriding DockerHub repo if different from slug? | ||
if [[ "${{ secrets.DOCKER_REPO }}" ]]; then | ||
DOCKER_IMAGE=$(echo ${{ matrix.service }} | sed 's/${{ github.repository_owner }}/${{ secrets.DOCKER_REPO }}/g') | ||
fi | ||
TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.version }}" | ||
TAGS="${GHCR_IMAGE}:${{ needs.setup.outputs.version }}" | ||
DH_TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.version }}" | ||
if [[ "${{ needs.setup.outputs.release }}" ]]; then | ||
if [[ "${{ needs.setup.outputs.prerelease }}" ]]; then | ||
TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.patch }}-${{ needs.setup.outputs.prerelease }}" | ||
TAGS="${GHCR_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}.${{ needs.setup.outputs.patch }}-${{ needs.setup.outputs.prerelease }}" | ||
DH_TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}.${{ needs.setup.outputs.patch }}-${{ needs.setup.outputs.prerelease }}" | ||
# TODO: Keep old prerelease builds? | ||
else | ||
TAGS="$TAGS,${DOCKER_IMAGE}:latest" | ||
TAGS="$TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}" | ||
TAGS="$TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.major }}" | ||
TAGS="$TAGS,${GHCR_IMAGE}:latest" | ||
TAGS="$TAGS,${GHCR_IMAGE}:${{ needs.setup.outputs.major }}" | ||
TAGS="$TAGS,${GHCR_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}" | ||
DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:latest" | ||
DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}" | ||
DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}" | ||
fi | ||
fi | ||
if [ "${{ github.event_name }}" = "push" ]; then | ||
TAGS="$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}" | ||
TAGS="$TAGS,${GHCR_IMAGE}:sha-${GITHUB_SHA::8}" | ||
DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}" | ||
fi | ||
if [[ "${{ env.DOCKERHUB_PUSH }}" ]]; then | ||
TAGS="$TAGS,${DH_TAGS}" | ||
fi | ||
echo ::set-output name=tags::${TAGS} | ||
|
@@ -140,14 +163,22 @@ jobs: | |
echo ${{ github.event.repository.license }} | ||
- name: Login to DockerHub | ||
if: github.event_name != 'pull_request' | ||
if: ${{ env.DOCKERHUB_PUSH && github.event_name != 'pull_request' }} | ||
uses: docker/[email protected] | ||
with: | ||
username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
||
- name: Build and push | ||
uses: docker/[email protected] | ||
- name: Login to GitHub Container Registry | ||
if: github.event_name != 'pull_request' | ||
uses: docker/[email protected] | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.repository_owner }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Build and push images | ||
uses: docker/[email protected] | ||
with: | ||
context: ${{ matrix.context }} | ||
file: ${{ matrix.context }}/Dockerfile | ||
|
@@ -158,6 +189,7 @@ jobs: | |
VERSION=${{ steps.prepare.outputs.version }} | ||
BUILD_DATE=${{ steps.prepare.outputs.created }} | ||
GIT_REF=${{ github.sha }} | ||
SERVICE=${{ matrix.service }} | ||
labels: | | ||
org.opencontainers.image.title=${{ matrix.service }} | ||
org.opencontainers.image.url=${{ github.event.repository.html_url }} | ||
|
@@ -167,4 +199,98 @@ jobs: | |
org.opencontainers.image.revision=${{ github.sha }} | ||
org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }} | ||
cache-from: type=local,src=/tmp/.buildx-cache | ||
cache-to: type=local,dest=/tmp/.buildx-cache | ||
cache-to: type=local,dest=/tmp/.buildx-cache-new | ||
|
||
- | ||
# Temp fix | ||
# https://github.com/docker/build-push-action/issues/252 | ||
# https://github.com/moby/buildkit/issues/1896 | ||
name: Move cache | ||
run: | | ||
rm -rf /tmp/.buildx-cache | ||
mv /tmp/.buildx-cache-new /tmp/.buildx-cache | ||
# Use Snyk to check docker image | ||
snyk-image: | ||
name: Snyk Checks | ||
|
||
needs: | ||
- setup | ||
- build-and-push | ||
|
||
strategy: | ||
matrix: | ||
service: | ||
# Assume repo slug is the service slug? | ||
- ${{ github.repository }} | ||
context: | ||
- '.' | ||
|
||
runs-on: ubuntu-latest | ||
|
||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
|
||
# Only run if we have a Snyk token? | ||
#if: ${{ env.SNYK_TOKEN }} | ||
|
||
steps: | ||
- name: Checkout | ||
uses: actions/[email protected] | ||
|
||
- name: Find Docker tag for Snyk | ||
id: tag | ||
run: | | ||
# Doesn't like upper case | ||
OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') | ||
# Nameo on DockerHub (Doesn't like upper case) | ||
DOCKER_IMAGE=$(echo ${{ matrix.service }} | tr '[:upper:]' '[:lower:]') | ||
# Name on GHCR | ||
GHCR_IMAGE=ghcr.io/${DOCKER_IMAGE} | ||
# Allow overriding DockerHub repo if different from slug? | ||
if [[ "${{ secrets.DOCKER_REPO }}" ]]; then | ||
DOCKER_IMAGE=$(echo ${{ matrix.service }} | sed 's/${{ github.repository_owner }}/${{ secrets.DOCKER_REPO }}/g') | ||
fi | ||
TAG="${GHCR_IMAGE}:next" | ||
if [[ "${{ needs.setup.outputs.release }}" ]]; then | ||
if [[ "${{ needs.setup.outputs.prerelease }}" ]]; then | ||
TAG="${GHCR_IMAGE}:next" | ||
else | ||
TAG="${GHCR_IMAGE}:latest" | ||
fi | ||
fi | ||
echo ::set-output name=tag::${TAG} | ||
echo ::set-output name=org::${OWNER} | ||
echo ::set-output name=cur::${GHCR_IMAGE}:sha-${GITHUB_SHA::8} | ||
- name: Monitor Service image with Snyk | ||
uses: snyk/actions/docker@master | ||
# Don't break workflow on errros? | ||
continue-on-error: true | ||
with: | ||
command: container monitor | ||
image: ${{ steps.tag.outputs.tag }} | ||
args: --org=${{ steps.tag.outputs.org }} --file=${{ matrix.context }}/Dockerfile | ||
|
||
- name: Test current Service image with Snyk | ||
uses: snyk/actions/docker@master | ||
# Don't break workflow on errros? | ||
continue-on-error: true | ||
with: | ||
image: ${{ steps.tag.outputs.tag }} | ||
args: --org=${{ steps.tag.outputs.org }} --file=${{ matrix.context }}/Dockerfile | ||
|
||
- name: Secure Code Warrior | ||
uses: SecureCodeWarrior/github-action-add-sarif-contextual-training@v1 | ||
with: | ||
inputSarifFile: ./snyk.sarif | ||
outputSarifFile: ./securecodewarrior.sarif | ||
githubToken: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Upload SARIF file to GitHub Code Scanning | ||
uses: github/codeql-action/upload-sarif@v1 | ||
with: | ||
sarif_file: ./securecodewarrior.sarif | ||
#sarif_file: ./snyk.sarif |
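Review bot: The new snyk-image job runs `snyk/actions/docker@master` in both the "Monitor Service image with Snyk" and "Test current Service image with Snyk" steps, a mutable branch reference that receives `SNYK_TOKEN` through the job env, and the Secure Code Warrior and upload-sarif steps likewise float on `@v1` tags while the former is handed `secrets.GITHUB_TOKEN`. Pin each third-party action to a full commit SHA, e.g. `uses: snyk/actions/docker@<full-commit-sha>  # <released-version>`, so an upstream force-push or compromised tag cannot change what runs with those credentials. Separately, "Test current Service image with Snyk" scans `image: ${{ steps.tag.outputs.tag }}` (the `next`/`latest` tag) while the `cur` output written by `echo ::set-output name=cur::${GHCR_IMAGE}:sha-${GITHUB_SHA::8}` is never consumed; if the step is meant to scan the image built by this run it should use `image: ${{ steps.tag.outputs.cur }}`. In the Prepare Tags step, `if [[ "${{ env.DOCKERHUB_PUSH }}" ]]` is a non-empty test, so a value of `false` or `0` still appends the DockerHub tags even though the workflow `env` comment says "Set to true"; either compare the value explicitly or change the comment to say only an empty value disables the push. The GHCR login with `secrets.GITHUB_TOKEN` presumably also needs `packages: write` in the job or workflow `permissions`, which is outside these hunks.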
10 changes: 5 additions & 5 deletions
.yarn/releases/yarn-2.4.1.cjs → .yarn/releases/yarn-2.4.2.cjs
@@ -1,6 +1,6 @@ | ||
{ | ||
"name": "@trellisfw/ainz", | ||
"version": "2.0.0", | ||
"version": "2.1.0", | ||
"description": "uservice for automating moving resources via rules", | ||
"main": "dist/index.js", | ||
"bin": { | ||
|
@@ -13,29 +13,32 @@ | |
"author": "Alex Layton <[email protected]>", | ||
"license": "Apache-2.0", | ||
"dependencies": { | ||
"@oada/client": "^2.4.1", | ||
"@oada/client": "^2.4.2", | ||
"@oada/list-lib": "^2.1.6", | ||
"@oada/types": "^1.5.1", | ||
"ajv": "^7.2.4", | ||
"@tsconfig/node16": "^1.0.1", | ||
"ajv": "^8.6.0", | ||
"bluebird": "^3.7.2", | ||
"debug": "^4.3.2", | ||
"convict": "^6.1.0", | ||
"debug": "^4.3.1", | ||
"dotenv": "^10.0.0", | ||
"handlebars": "^4.7.7", | ||
"json-pointer": "^0.6.1", | ||
"luxon": "^1.26.0", | ||
"luxon": "^1.27.0", | ||
"minimist": "^1.2.5", | ||
"nconf": "^0.11.2", | ||
"p-queue": "^6.6.2" | ||
}, | ||
"devDependencies": { | ||
"@tsconfig/node14": "^1.0.0", | ||
"@types/bluebird": "^3.5.33", | ||
"@types/bluebird": "^3.5.35", | ||
"@types/convict": "^6", | ||
"@types/debug": "^4.1.5", | ||
"@types/json-pointer": "^1.0.30", | ||
"@types/luxon": "^1.26.5", | ||
"@types/json-pointer": "^1.0.31", | ||
"@types/luxon": "^1.27.0", | ||
"@types/minimist": "^1.2.1", | ||
"@types/node": "^14.14.43", | ||
"@yarnpkg/pnpify": "^3.0.0-rc.3", | ||
"prettier": "^2.2.1", | ||
"typescript": "^4.2.4" | ||
"@types/node": "^14.17.3", | ||
"@yarnpkg/pnpify": "^3.0.0-rc.6", | ||
"prettier": "^2.3.1", | ||
"typescript": "^4.3.2" | ||
} | ||
} |
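Review bot: `@tsconfig/node16` is added under `dependencies` in the second hunk, while the `@tsconfig/node14` it replaces was in `devDependencies`; a tsconfig base is only used at compile time, so it should sit in `devDependencies` (`"@tsconfig/node16": "^1.0.1"` moved into that block) to keep it out of the production install. The `ajv` bump from `^7.2.4` to `^8.6.0` is a major-version change, so any schema compilation or error-format handling in the service may need checking against it, which this hunk cannot show.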