From 30ae907f88e8004f010c4af27ecb4947564b4120 Mon Sep 17 00:00:00 2001
From: Aaqib Mujtaba <117231666+aaqib-m@users.noreply.github.com>
Date: Mon, 26 Feb 2024 10:21:22 -0800
Subject: [PATCH] update ci/cd workflows
---
 .github/workflows/build.yml | 42 ++++++++++++++++
 .github/workflows/docker-image.yml | 31 ------------
 .github/workflows/go.yml | 44 -----------------
 .github/workflows/release.yml | 77 ++++++++++++++++++++++++++++++
 .github/workflows/trivy-scan.yml | 24 ++++++++++
 5 files changed, 143 insertions(+), 75 deletions(-)
 create mode 100644 .github/workflows/build.yml
 delete mode 100644 .github/workflows/docker-image.yml
 delete mode 100644 .github/workflows/go.yml
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/trivy-scan.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..b42f595
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,42 @@
+name: Build and Test
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+ cache: true
+
+ - name: Linter
+ uses: golangci/golangci-lint-action@v4
+ with:
+ version: v1.54
+ continue-on-error: true
+
+ - name: Build
+ run: make all
+
+ - name: Test
+ run: make test
+
+ - name: Upload code coverage
+ uses: codecov/codecov-action@v1
+ with:
+ file: ./cover.out
+ flags: unittests
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
deleted file mode 100644
index fa1c649..0000000
--- a/.github/workflows/docker-image.yml
+++ /dev/null
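Review bot: `codecov/codecov-action@v1` in the last step of the hunk is the first-generation uploader, which has since been rewritten (current majors upload through the Codecov CLI and expect a repository token), so the pin should move to a current major, e.g. `uses: codecov/codecov-action@v4` with `token: ${{ secrets.CODECOV_TOKEN }}`. Both third-party actions in this job (`golangci/golangci-lint-action@v4`, `codecov/codecov-action@v1`) are pinned to mutable major tags; for a workflow that runs on every pull request, pinning to a full commit SHA with the tag name in a trailing comment is the usual supply-chain hardening and complements the `permissions: contents: read` already declared here. The indentation is lost in this rendering, but if `continue-on-error: true` is a step-level key on the Linter step rather than an action input, lint failures never fail the job — either drop it or add a comment such as `# lint is advisory until the baseline is clean` so the intent is recorded.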
@@ -1,31 +0,0 @@ -name: Docker Image CI - -on: - push: - branches: [ main ] - pull_request: - branches: [ main ] - -env: - IMG: acrpullci.azurecr.io/msi-acrpull:latest - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - name: Build the Docker image - run: make docker-build - - - name: Azure Container Registry Login - if: github.event_name == 'push' - uses: Azure/docker-login@v1 - with: - login-server: acrpullci.azurecr.io - username: ${{ secrets.ACR_USERNAME }} - password: ${{ secrets.ACR_PASSWORD }} - - - name: Push to CI ACR - if: github.event_name == 'push' - run: make docker-push diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml deleted file mode 100644 index aac1340..0000000 --- a/.github/workflows/go.yml +++ /dev/null @@ -1,44 +0,0 @@ -name: Go - -on: - push: - branches: [ main ] - pull_request: - branches: [ main ] - -jobs: - - build: - name: Build - runs-on: ubuntu-latest - steps: - - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Set up Go 1.x - uses: actions/setup-go@v4 - with: - go-version: '1.20' - id: go - - - name: Check out code into the Go module directory - uses: actions/checkout@v4 - - - name: Get dependencies - run: go mod download - - - name: Build - run: make all - - - name: Test - run: make test - - - name: Upload Code Coverage - uses: codecov/codecov-action@v1 - with: - file: ./cover.out - flags: unittests # optional diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..0644caf --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,77 @@
+name: Release and Publish
+
+on:
+ push:
+ tags:
+ - "v*"
+ workflow_dispatch:
+ inputs:
+ releaseTag:
+ description: "Release tag to publish"
+ type: string
+ required: true
+
+jobs:
+ setup:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Get image metadata
+ id: get_metadata
+ run: |
+ if [ "${{ github.event_name }}" == "push" ]; then
+ IMG_TAG="${{ github.ref }}"
+ else
+ IMG_TAG=${{ github.event.inputs.releaseTag }}
+ fi
+ IMG="${{ secrets.AZURE_CONTAINER_REGISTRY }}/public/aks/msi-acrpull:${IMG_TAG}"
+ echo "IMG_TAG=${IMG_TAG}" >> ${GITHUB_OUTPUT}
+ echo "IMG=${IMG}" >> ${GITHUB_OUTPUT}
+ outputs:
+ IMG_TAG: ${{ steps.get_metadata.outputs.IMG_TAG }}
+ IMG: ${{ steps.get_metadata.outputs.IMG }}
+
+ release:
+ runs-on: ubuntu-latest
+ needs: setup
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Create release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: ${{ needs.setup.outputs.IMG_TAG }}
+ release_name: Release ${{ needs.setup.outputs.IMG_TAG }}
+ draft: true
+
+ publish:
+ runs-on:
+ labels: ["self-hosted", "1ES.Pool=${{ vars.RUNNER_BASE_NAME}}-ubuntu"]
+ needs: setup
+ env:
+ IMG: ${{ needs.setup.outputs.IMG }}
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Build the Docker image
+ run: make docker-build
+
+ - name: Run vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ env.IMG }}
+ format: table
+
+ - name: Azure Container Registry Login
+ run: |
+ az login --identity -o none
+ az acr login -n ${{ secrets.AZURE_CONTAINER_REGISTRY }}
+
+ - name: Push to CI ACR
+ run: make docker-push
\ No newline at end of file
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
new file mode 100644
index 0000000..ff3acd5
--- /dev/null
+++ b/.github/workflows/trivy-scan.yml
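Review bot: In the `Get image metadata` step, `IMG_TAG="${{ github.ref }}"` yields `refs/tags/v1.2.3` on a tag push, so `IMG` ends in `msi-acrpull:refs/tags/v1.2.3` — not a valid image tag — and the `workflow_dispatch` branch splices `github.event.inputs.releaseTag` straight into the shell script, which is the script-injection pattern even when the input comes from a maintainer; the rewrite below uses `GITHUB_REF_NAME`, passes the input through `env:` quoted, and rejects anything outside the `v*` shape the push trigger already restricts to. Separately, `IMG` is assembled from `secrets.AZURE_CONTAINER_REGISTRY` and, as far as I know, the runner refuses to set a job output whose value contains a secret, so `needs.setup.outputs.IMG` may arrive empty in `publish` — exporting only `IMG_TAG` and composing `IMG` inside `publish` avoids that. The Trivy step runs with the default `exit-code` (0), so findings never block the `make docker-push` that follows, and `aquasecurity/trivy-action@master` (here and in `.github/workflows/trivy-scan.yml`) tracks a mutable branch; pin it to a release commit and set `exit-code: "1"` with a `severity` list. The file also declares no `permissions:` block (unlike `build.yml`), so `release` runs with the repository's default token scope rather than an explicit `contents: write`, and `actions/create-release@v1` is an archived action.
```yaml
      - name: Get image metadata
        id: get_metadata
        env:
          RELEASE_TAG: ${{ github.event.inputs.releaseTag }}
        run: |
          if [ "${GITHUB_EVENT_NAME}" = "push" ]; then
            IMG_TAG="${GITHUB_REF_NAME}"
          else
            IMG_TAG="${RELEASE_TAG}"
          fi
          case "${IMG_TAG}" in
            v*) ;;
            *) echo "unexpected release tag: ${IMG_TAG}" >&2; exit 1 ;;
          esac
          # … unchanged: IMG assembly and the two $GITHUB_OUTPUT writes …
```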
@@ -0,0 +1,24 @@
+name: Image Vulnerabilities Scan
+
+on:
+ schedule:
+ - cron: "0 12 * * 1"
+
+jobs:
+ scan:
+ name: Check image vulnerabilities
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Build Docker image
+ env:
+ IMG: "msi-acrpull:${{ github.sha }}"
+ run: make docker-build
+
+ - name: Run vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "msi-acrpull:${{ github.sha }}"
+ format: "table"
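Review bot: The Trivy step at the end of the hunk runs with `format: "table"` and no `exit-code`, `severity` or `output`, so this weekly scan can never fail and its findings exist only in the log of a scheduled run that nobody is notified about; add `exit-code: "1"`, `severity: "CRITICAL,HIGH"` and `ignore-unfixed: true` so the run goes red on actionable findings, or switch to `format: "sarif"` with an `output:` file and upload it with `github/codeql-action/upload-sarif` (which needs `security-events: write`) so they appear as code-scanning alerts. Note that what gets scanned is an image built from `github.sha` of the default branch at cron time, not the tags actually pushed by `release.yml`, so a vulnerability in a shipped image is only caught while `main` still carries the same base layers. The value `"msi-acrpull:${{ github.sha }}"` is spelled twice (the build step's `env` and `image-ref`); hoisting it to a job-level `env:` and referencing `${{ env.IMG }}` keeps the two from drifting.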