Add SNYK scan to build image #926

Open. Wants to merge 1 commit into base: main.
47 changes: 0 additions & 47 deletions .github/actions/build-image/action.yml

This file was deleted.

21 changes: 12 additions & 9 deletions .github/workflows/build-and-deploy.yml
@@ -27,16 +27,19 @@ jobs:
name: Image build and push
runs-on: ubuntu-latest
outputs:
image_name_tag: ${{ steps.build_image.outputs.ghcr_image_name_tag }}
docker-image-tag: ${{ steps.build-image.outputs.tag }}
steps:
- uses: actions/checkout@v4

- uses: ./.github/actions/build-image
id: build_image
- name: Build and push docker image
id: build-image
uses: DFE-Digital/github-actions/build-docker-image@master
with:
github_username: ${{ github.actor }}
github_token: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
github-token: ${{ secrets.GITHUB_TOKEN }}
context: .
max-cache: true
reuse-cache: true
snyk-token: ${{ secrets.SNYK_TOKEN }}

deploy_review_app:
name: Deploy to review environment
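Review bot: `uses: DFE-Digital/github-actions/build-docker-image@master` pins the build to a mutable branch, so each run executes whatever `master` holds at that moment, with `secrets.GITHUB_TOKEN` and `secrets.SNYK_TOKEN` in hand; pin the action to a full commit SHA (tag in a trailing comment) and let Dependabot bump it. Since the deleted local `build-image` action is replaced by this external one, the Snyk scan the PR title promises now lives entirely in that repository, which is another reason to pin. Two consistency checks on the renamed identifiers: the output changed from `image_name_tag` to `docker-image-tag` and the step id from `build_image` to `build-image`, so every `needs.<job>.outputs.*` reference downstream must use the new output name; and the `registry: ghcr.io` input was dropped, so the action's default registry must be ghcr.io for the deploy jobs to keep pulling from the same place.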
@@ -58,7 +61,7 @@ jobs:
id: deploy
with:
environment: review
image-tag: ${{ github.sha }}
image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
pull-request-number: ${{ github.event.number }}
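Review bot: `image-tag: ${{ needs.build_image.outputs.docker-image-tag }}` only resolves if this job lists `build_image` under `needs:`; that key is outside the visible context, so please confirm it is there, because a missing dependency makes the expression evaluate to an empty string and the deploy action would be handed an empty tag rather than failing early. Deploying the tag the build step actually emitted instead of `github.sha` is the right direction: it removes the unstated assumption that the action tags images with the commit SHA, and the same substitution in the staging and production hunks below keeps all three environments on one source of truth.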

@@ -113,7 +116,7 @@ jobs:
id: deploy
with:
environment: ${{ matrix.environment }}
image-tag: ${{ github.sha }}
image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}

deploy_production:
@@ -135,5 +138,5 @@ jobs:
id: deploy
with:
environment: production
image-tag: ${{ github.sha }}
image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
37 changes: 37 additions & 0 deletions .github/workflows/build-nocache.yml
@@ -0,0 +1,37 @@
name: Build No Cache

on:
workflow_dispatch:
schedule:
- cron: "30 12 * * 0"
# Will run once a week on Sunday afternoon

jobs:
build-no-cache:
outputs:
docker-image-tag: ${{ steps.build-image.outputs.tag }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
name: Checkout

- name: Build without cache and push docker image
id: build-image
uses: DFE-Digital/github-actions/build-docker-image@master
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
context: .
max-cache: true
reuse-cache: false
snyk-token: ${{ secrets.SNYK_TOKEN }}

- name: Notify slack on failure
uses: rtCamp/action-slack-notify@master
if: ${{ failure() }}
with:
SLACK_USERNAME: CI Deployment
SLACK_COLOR: failure
SLACK_ICON_EMOJI: ":github-logo:"
SLACK_TITLE: "Build failure"
SLACK_MESSAGE: ":alert: Rebuild docker cache failure :sadparrot:"
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
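Review bot: both `DFE-Digital/github-actions/build-docker-image@master` and `rtCamp/action-slack-notify@master` are floating branch references; pin both to commit SHAs, the Slack action especially since it receives `secrets.SLACK_WEBHOOK`. The job declares `outputs: docker-image-tag` but nothing in this workflow consumes it, so either drop the output or add a comment saying what it is for. `reuse-cache: false` with `max-cache: true` reads as intended, a from-scratch rebuild that repopulates the cache so the weekly image picks up upstream base-image and package fixes instead of stale layers, and the cron comment is accurate (`"30 12 * * 0"` is 12:30 UTC every Sunday); a one-line comment stating that purpose would help the next reader. Consider also adding a `permissions:` block to the job limited to `contents: read` and `packages: write` so the `GITHUB_TOKEN` passed to the build action carries only what a build and push needs.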
23 changes: 6 additions & 17 deletions Dockerfile
@@ -3,7 +3,7 @@
# production: runs the actual app

# Build builder image
FROM ruby:3.3.0-alpine as builder
FROM ruby:3.3.0-alpine AS builder

# RUN apk -U upgrade && \
# apk add --update --no-cache gcc git libc6-compat libc-dev make nodejs \
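Review bot: `FROM ruby:3.3.0-alpine AS builder` is a casing-only change that silences the FromAsCasing lint warning; no behaviour change. While here, the commented-out `RUN apk -U upgrade && \` block in the context below is dead text and should either be removed or reinstated, since an upgraded base layer is exactly what the new weekly no-cache rebuild is meant to pick up.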
@@ -62,18 +62,13 @@
find /usr/local/bundle/gems -name "*.html" -delete

# Build runtime image
FROM ruby:3.3.0-alpine as production
FROM ruby:3.3.0-alpine AS production

# The application runs from /app
WORKDIR /app

ENV RAILS_ENV=production

# Add the commit sha to the env
ARG GIT_SHA
ENV GIT_SHA=$GIT_SHA
ENV SHA=$GIT_SHA

# Add the timezone (prod image) as it's not configured by default in Alpine
RUN apk add --update --no-cache tzdata && \
cp /usr/share/zoneinfo/Europe/London /etc/localtime && \
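Review bot: removing `ARG GIT_SHA` / `ENV GIT_SHA=$GIT_SHA` / `ENV SHA=$GIT_SHA` from this position (they reappear under the name `COMMIT_SHA` further down the file) means the `tzdata` install layer no longer sits below a per-commit ARG and stays cacheable between builds, which is a good move. Please confirm nothing between this point and the new location reads `$GIT_SHA` or `$SHA`, because both are now unset in those intermediate layers.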
@@ -86,17 +81,11 @@
COPY --from=builder /app /app
COPY --from=builder /usr/local/bundle/ /usr/local/bundle/

# SSH access specific to Azure
# Install OpenSSH and set the password for root to "Docker!".
RUN apk add --no-cache openssh && echo "root:Docker!" | chpasswd

# Copy the Azure specific sshd_config file to the /etc/ssh/ directory
RUN ssh-keygen -A && mkdir -p /var/run/sshd
COPY azure/.sshd_config /etc/ssh/sshd_config

# Open port 2222 for Azure SSH access
EXPOSE 2222
# Add the commit sha to the env
ARG COMMIT_SHA
ENV GIT_SHA=$COMMIT_SHA
ENV SHA=$GIT_SHA

CMD bundle exec rails db:migrate:ignore_concurrent_migration_exceptions && \

Check warning on line 89 in Dockerfile (GitHub Actions / Image build and push): JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals. More info: https://docs.docker.com/go/dockerfile/rule/json-args-recommended/
bundle exec rails data:migrate:ignore_concurrent_migration_exceptions && \
bundle exec rails server -b 0.0.0.0
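Review bot: deleting the Azure SSH block is the most significant change in this PR and deserves a sentence in the description: `echo "root:Docker!" | chpasswd` baked a hard-coded root password into every published image and `EXPOSE 2222` advertised an sshd for it, so images built before this merge should be considered as carrying that credential and rotated out, and `azure/.sshd_config` can presumably be deleted along with the `COPY` line. Two follow-ups on the visible lines: the build argument was renamed from `GIT_SHA` to `COMMIT_SHA`, so the `build-docker-image` action must pass `--build-arg COMMIT_SHA=...` or `ENV GIT_SHA` and `ENV SHA` end up empty at runtime; and the linter warning on the `CMD` still stands, because the shell form makes `/bin/sh` PID 1 and SIGTERM from the platform never reaches the Rails server, so move the migrate-then-serve chain into a small entrypoint script that ends with `exec bundle exec rails server -b 0.0.0.0` and invoke it with the JSON form.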