From 1b6257e237b8ab89b85b96bcc8f9257be9ba7844 Mon Sep 17 00:00:00 2001
From: RMcVelia
Date: Mon, 6 Jan 2025 14:32:29 +0000
Subject: [PATCH] Add SNYK scan to build image
---
 .github/actions/build-image/action.yml | 47 --------------------------
 .github/workflows/build-and-deploy.yml | 21 +++++++-----
 .github/workflows/build-nocache.yml | 37 ++++++++++++++++++++
 Dockerfile | 23 ++++---------
 4 files changed, 55 insertions(+), 73 deletions(-)
 delete mode 100644 .github/actions/build-image/action.yml
 create mode 100644 .github/workflows/build-nocache.yml
diff --git a/.github/actions/build-image/action.yml b/.github/actions/build-image/action.yml
deleted file mode 100644
index a10f1009..00000000
--- a/.github/actions/build-image/action.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-name: Docker build and push - -inputs: - github_username: - description: GitHub Container Registry username - required: true - github_token: - description: GitHub Container Registry token - required: true - registry: - description: Registry to push the image to - required: true - -outputs: - ghcr_image_name_tag: - description: GHCR Image name and tag - value: ${{ steps.image.outputs.name_and_tag }} - -runs: - using: composite - - steps: - - uses: actions/checkout@v3 - - # Set image name and tag - - id: image - run: | - echo "name_and_tag=$CONTAINER_REGISTRY/$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]'):$GITHUB_SHA" >> $GITHUB_OUTPUT - env: - CONTAINER_REGISTRY: ${{ inputs.registry }} - shell: bash - - # Login to GitHub Container Registry - - uses: docker/login-action@v2 - with: - registry: ${{ inputs.registry }} - username: ${{ inputs.github_username }} - password: ${{ inputs.github_token }} - - # Docker build & push - - uses: docker/build-push-action@v3 - with: - context: . - push: true - tags: ${{ steps.image.outputs.name_and_tag }} - build-args: | - GIT_SHA=${{ github.sha }}
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index da77542d..80f20305 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
@@ -27,16 +27,19 @@ jobs: name: Image build and push runs-on: ubuntu-latest outputs: - image_name_tag: ${{ steps.build_image.outputs.ghcr_image_name_tag }} + docker-image-tag: ${{ steps.build-image.outputs.tag }} steps: - uses: actions/checkout@v4 - - uses: ./.github/actions/build-image - id: build_image + - name: Build and push docker image + id: build-image + uses: DFE-Digital/github-actions/build-docker-image@master with: - github_username: ${{ github.actor }} - github_token: ${{ secrets.GITHUB_TOKEN }} - registry: ghcr.io + github-token: ${{ secrets.GITHUB_TOKEN }} + context: . + max-cache: true + reuse-cache: true + snyk-token: ${{ secrets.SNYK_TOKEN }} deploy_review_app: name: Deploy to review environment
@@ -58,7 +61,7 @@ jobs: id: deploy with: environment: review - image-tag: ${{ github.sha }} + image-tag: ${{ needs.build_image.outputs.docker-image-tag }} azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} pull-request-number: ${{ github.event.number }}
@@ -113,7 +116,7 @@ jobs: id: deploy with: environment: ${{ matrix.environment }} - image-tag: ${{ github.sha }} + image-tag: ${{ needs.build_image.outputs.docker-image-tag }} azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} deploy_production:
@@ -135,5 +138,5 @@ jobs: id: deploy with: environment: production - image-tag: ${{ github.sha }} + image-tag: ${{ needs.build_image.outputs.docker-image-tag }} azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
diff --git a/.github/workflows/build-nocache.yml b/.github/workflows/build-nocache.yml
new file mode 100644
index 00000000..e19e05e6
--- /dev/null
+++ b/.github/workflows/build-nocache.yml
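Review bot: The new `uses: DFE-Digital/github-actions/build-docker-image@master` in the first hunk replaces an in-repo composite action with an external one tracked on a moving branch, and the step is handed `secrets.GITHUB_TOKEN` and `secrets.SNYK_TOKEN`, so whatever is on that branch at run time executes with those credentials; the workflow already pins `actions/checkout@v4` by tag, and the stricter form is a full-length commit SHA with the tag as a trailing comment, e.g. `uses: DFE-Digital/github-actions/build-docker-image@<commit-sha> # <tag>`. The same applies to both `@master` references in the new build-nocache.yml hunk (`DFE-Digital/github-actions/build-docker-image` and `rtCamp/action-slack-notify`). The three deploy hunks now read `needs.build_image.outputs.docker-image-tag` instead of `github.sha`; that expression is empty unless `build_image` appears in each deploy job's `needs`, which lies outside these hunks, and the format of the `tag` output is now defined by the external action rather than by this repository. A comment on the `outputs:` line such as `# tag emitted by build-docker-image; every deploy job must list build_image in needs` would make that dependency explicit.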
@@ -0,0 +1,37 @@
+name: Build No Cache
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "30 12 * * 0"
+ # Will run once a week on Sunday afternoon
+
+jobs:
+ build-no-cache:
+ outputs:
+ docker-image-tag: ${{ steps.build-image.outputs.tag }}
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ name: Checkout
+
+ - name: Build without cache and push docker image
+ id: build-image
+ uses: DFE-Digital/github-actions/build-docker-image@master
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ context: .
+ max-cache: true
+ reuse-cache: false
+ snyk-token: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Notify slack on failure
+ uses: rtCamp/action-slack-notify@master
+ if: ${{ failure() }}
+ with:
+ SLACK_USERNAME: CI Deployment
+ SLACK_COLOR: failure
+ SLACK_ICON_EMOJI: ":github-logo:"
+ SLACK_TITLE: "Build failure"
+ SLACK_MESSAGE: ":alert: Rebuild docker cache failure :sadparrot:"
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/Dockerfile b/Dockerfile
index 19542f88..624b9c20 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ # production: runs the actual app # Build builder image -FROM ruby:3.3.0-alpine as builder +FROM ruby:3.3.0-alpine AS builder # RUN apk -U upgrade && \ # apk add --update --no-cache gcc git libc6-compat libc-dev make nodejs \
@@ -62,18 +62,13 @@ RUN rm -rf node_modules log/* tmp/* /tmp && \ find /usr/local/bundle/gems -name "*.html" -delete # Build runtime image -FROM ruby:3.3.0-alpine as production +FROM ruby:3.3.0-alpine AS production # The application runs from /app WORKDIR /app ENV RAILS_ENV=production -# Add the commit sha to the env -ARG GIT_SHA -ENV GIT_SHA=$GIT_SHA -ENV SHA=$GIT_SHA - # Add the timezone (prod image) as it's not configured by default in Alpine RUN apk add --update --no-cache tzdata && \ cp /usr/share/zoneinfo/Europe/London /etc/localtime && \
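Review bot: The job-level `outputs: docker-image-tag` declared on `build-no-cache` has no consumer: this workflow contains a single job and its `on:` block lists only `workflow_dispatch` and `schedule`, not `workflow_call`, so nothing can read the value. Either drop the two `outputs:` lines or, if another workflow is meant to invoke this one, add the `workflow_call` trigger so the output is reachable. The comment under `schedule:` would also be clearer if it stated the time the cron expression encodes, e.g. `# 12:30 UTC every Sunday: weekly rebuild of the docker cache`, since "Sunday afternoon" depends on the reader's timezone.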
@@ -86,16 +81,10 @@ RUN apk add --no-cache libpq COPY --from=builder /app /app COPY --from=builder /usr/local/bundle/ /usr/local/bundle/ -# SSH access specific to Azure -# Install OpenSSH and set the password for root to "Docker!". -RUN apk add --no-cache openssh && echo "root:Docker!" | chpasswd - -# Copy the Azure specific sshd_config file to the /etc/ssh/ directory -RUN ssh-keygen -A && mkdir -p /var/run/sshd -COPY azure/.sshd_config /etc/ssh/sshd_config - -# Open port 2222 for Azure SSH access -EXPOSE 2222 +# Add the commit sha to the env +ARG COMMIT_SHA +ENV GIT_SHA=$COMMIT_SHA +ENV SHA=$GIT_SHA CMD bundle exec rails db:migrate:ignore_concurrent_migration_exceptions && \ bundle exec rails data:migrate:ignore_concurrent_migration_exceptions && \
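Review bot: The build argument the runtime stage now reads is `COMMIT_SHA`, whereas the deleted in-repo action passed `GIT_SHA=${{ github.sha }}` as its only build-arg; whether `DFE-Digital/github-actions/build-docker-image` supplies `COMMIT_SHA` is not visible in this patch, and if it does not, `GIT_SHA` and `SHA` will silently be empty in the image because an unset `ARG` produces no build error. A comment on the new `ARG` line naming the producer, e.g. `# COMMIT_SHA is supplied as a build-arg by the build-docker-image action used in .github/workflows`, would make the coupling explicit. Removing the sshd block also removes the `COPY azure/.sshd_config /etc/ssh/sshd_config` line, yet the diffstat lists no change to `azure/.sshd_config`, so that file appears to remain in the tree without anything in this Dockerfile using it unless another consumer exists. The `CMD` at the end of the hunk continues beyond it.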