Test, lint and build PHP base Image on Shared Core ECR #25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test, lint and build PHP base Image on Shared Core ECR | |
| run-name: Test, lint and build PHP base Image on Shared Core ECR | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| php-base-image-build: | |
| runs-on: ubuntu-latest | |
| env: | |
| AWS_REGION : ${{ secrets.DEV_AWS_REGION }} #Change to reflect your Region | |
| AWS_ACCOUNT_ID: ${{ secrets.DEV_AWS_ACCOUNT }} | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Lint check on dockerfile | |
| run: | | |
| jq -c '.[]' build.json | while read -r results; do | |
| build=$(echo "$results" | jq -r '.build') | |
| repoName=$(echo "$results" | jq -r '.repoName') | |
| dockerFile=$(echo "$results" | jq -r '.dockerFile') | |
| if [ "$build" == "true" ]; then | |
| docker run --rm --privileged -v `pwd`:/root/ projectatomic/dockerfile-lint dockerfile_lint -f build/$repoName/$dockerFile | |
| else | |
| echo "Not linting - $repoName, build parameter equal to false" | |
| fi | |
| done | |
| - name: Set IMAGE_TAG | |
| run: | | |
| IMAGE_SHA=$(echo $GITHUB_SHA | cut -c 1-6) | |
| echo "IMAGE_TAG=vol-php-fpm-7.4.0-alpine-fpm-$IMAGE_SHA" >> $GITHUB_ENV | |
| - name: setup Notation CLI | |
| uses: notaryproject/notation-action/setup@v1 | |
| with: | |
| version: "1.0.0" | |
| - name: Configure AWS credentials from Test account | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.DEV_AWS_ROLE }} | |
| aws-region: ${{secrets.DEV_AWS_REGION}} | |
| role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
| - name: Login to Shared Core ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| with: | |
| mask-password: 'true' | |
| - name: Install snyk cli | |
| run: | | |
| npm install -g snyk | |
| - name: Build the Docker image | |
| run: | | |
| bash scripts/docker-build.sh | |
| #docker build -t ${{ secrets.ECR_BASE_URL }}:$IMAGE_TAG -f dockerfile . | |
| - name: snyk scan api image | |
| run: | | |
| SHA=$(git rev-parse --short HEAD) | |
| # Iterate over JSON objects in build.json | |
| jq -c '.[]' build.json | while read -r results; do | |
| repoName=$(echo "$results" | jq -r '.repoName') | |
| dockerFile=$(echo "$results" | jq -r '.dockerFile') | |
| tag=$(echo "$results" | jq -r '.tag') | |
| build=$(echo "$results" | jq -r '.build') | |
| registry=$(echo "$results" | jq -r '.registry') | |
| if [ "$build" == "true" ]; then | |
| snyk container test $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$registry/$repoName:$tag-$SHA" | |
| else | |
| echo "Not building - $repoName, build parameter equal to false" | |
| fi | |
| done | |