Add SNYK scan to build image

DFE-Digital · Jan 8, 2025 · 1b6257e · 1b6257e
1 parent 72406d7
commit 1b6257e
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 73 deletions.
diff --git a/.github/actions/build-image/action.yml b/.github/actions/build-image/action.yml
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -27,16 +27,19 @@ jobs:
     name: Image build and push
     runs-on: ubuntu-latest
     outputs:
-      image_name_tag: ${{ steps.build_image.outputs.ghcr_image_name_tag }}
+      docker-image-tag: ${{ steps.build-image.outputs.tag }}
     steps:
       - uses: actions/checkout@v4
 
-      - uses: ./.github/actions/build-image
-        id: build_image
+      - name: Build and push docker image
+        id: build-image
+        uses: DFE-Digital/github-actions/build-docker-image@master
         with:
-          github_username: ${{ github.actor }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          registry: ghcr.io
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          context: .
+          max-cache: true
+          reuse-cache: true
+          snyk-token: ${{ secrets.SNYK_TOKEN }}
 
   deploy_review_app:
     name: Deploy to review environment
@@ -58,7 +61,7 @@ jobs:
         id: deploy
         with:
           environment: review
-          image-tag: ${{ github.sha }}
+          image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
           pull-request-number: ${{ github.event.number }}
 
@@ -113,7 +116,7 @@ jobs:
         id: deploy
         with:
           environment: ${{ matrix.environment }}
-          image-tag: ${{ github.sha }}
+          image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
 
   deploy_production:
@@ -135,5 +138,5 @@ jobs:
         id: deploy
         with:
           environment: production
-          image-tag: ${{ github.sha }}
+          image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
diff --git a/.github/workflows/build-nocache.yml b/.github/workflows/build-nocache.yml
@@ -0,0 +1,37 @@
+name: Build No Cache
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 12 * * 0"
+    # Will run once a week on Sunday afternoon
+
+jobs:
+  build-no-cache:
+    outputs:
+      docker-image-tag: ${{ steps.build-image.outputs.tag }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout
+
+      - name: Build without cache and push docker image
+        id: build-image
+        uses: DFE-Digital/github-actions/build-docker-image@master
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          context: .
+          max-cache: true
+          reuse-cache: false
+          snyk-token: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Notify slack on failure
+        uses: rtCamp/action-slack-notify@master
+        if: ${{ failure() }}
+        with:
+          SLACK_USERNAME: CI Deployment
+          SLACK_COLOR: failure
+          SLACK_ICON_EMOJI: ":github-logo:"
+          SLACK_TITLE: "Build failure"
+          SLACK_MESSAGE: ":alert: Rebuild docker cache failure :sadparrot:"
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@
 # production: runs the actual app
 
 # Build builder image
-FROM ruby:3.3.0-alpine as builder
+FROM ruby:3.3.0-alpine AS builder
 
 # RUN apk -U upgrade && \
 #     apk add --update --no-cache gcc git libc6-compat libc-dev make nodejs \
@@ -62,18 +62,13 @@ RUN rm -rf node_modules log/* tmp/* /tmp && \
     find /usr/local/bundle/gems -name "*.html" -delete
 
 # Build runtime image
-FROM ruby:3.3.0-alpine as production
+FROM ruby:3.3.0-alpine AS production
 
 # The application runs from /app
 WORKDIR /app
 
 ENV RAILS_ENV=production
 
-# Add the commit sha to the env
-ARG GIT_SHA
-ENV GIT_SHA=$GIT_SHA
-ENV SHA=$GIT_SHA
-
 # Add the timezone (prod image) as it's not configured by default in Alpine
 RUN apk add --update --no-cache tzdata && \
     cp /usr/share/zoneinfo/Europe/London /etc/localtime && \
@@ -86,16 +81,10 @@ RUN apk add --no-cache libpq
 COPY --from=builder /app /app
 COPY --from=builder /usr/local/bundle/ /usr/local/bundle/
 
-# SSH access specific to Azure
-# Install OpenSSH and set the password for root to "Docker!".
-RUN apk add --no-cache openssh && echo "root:Docker!" | chpasswd
-
-# Copy the Azure specific sshd_config file to the /etc/ssh/ directory
-RUN ssh-keygen -A && mkdir -p /var/run/sshd
-COPY azure/.sshd_config /etc/ssh/sshd_config
-
-# Open port 2222 for Azure SSH access
-EXPOSE 2222
+# Add the commit sha to the env
+ARG COMMIT_SHA
+ENV GIT_SHA=$COMMIT_SHA
+ENV SHA=$GIT_SHA
 
 CMD bundle exec rails db:migrate:ignore_concurrent_migration_exceptions && \
     bundle exec rails data:migrate:ignore_concurrent_migration_exceptions && \