Ansible: AWS Image Build #79
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Ansible: AWS Image Build" | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - docker/delius-ansible-aws/** | |
| - .github/workflows/ansible-aws-image-build.yml | |
| # Commented out while spiking this work out | |
| # pull_request: | |
| # branches: | |
| # - main | |
| # types: [opened, edited, reopened, synchronize] | |
| # paths: | |
| # - docker/delius-ansible-aws/** | |
| # - .github/workflows/ansible-aws-image-build.yml | |
| permissions: | |
| packages: write | |
| contents: read | |
| jobs: | |
| build-image: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Docker Buildx | |
| id: setup_buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push to ghcr | |
| id: build_publish | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ./docker/delius-ansible-aws | |
| file: ./docker/delius-ansible-aws/Dockerfile | |
| platforms: linux/amd64 | |
| push: false | |
| tags: hmpps-delius-operational-automation:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| outputs: type=docker,dest=/tmp/ansible-aws-image.tar | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ansible-aws-image | |
| path: /tmp/ansible-aws-image.tar | |
| retention-days: 1 | |
| scan-image: | |
| name: Scan Image | |
| needs: build-image | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # only required for workflows in private repositories | |
| actions: read | |
| contents: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ansible-aws-image | |
| path: /tmp | |
| - name: Load image | |
| run: | | |
| docker load --input /tmp/ansible-aws-image.tar | |
| - name: Trivy scan | |
| uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 | |
| with: | |
| format: 'sarif' | |
| severity: 'CRITICAL,HIGH' | |
| limit-severities-for-sarif: 'true' | |
| image-ref: 'hmpps-delius-operational-automation:${{ github.sha }}' | |
| exit-code: '1' | |
| scan-type: 'image' | |
| trivyignores: 'docker/delius-ansible-aws/.trivyignore.yaml' | |
| ignore-unfixed: 'true' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: failure() # If Trivy found vulnerabilities | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| publish-image: | |
| name: Publish image | |
| needs: [build-image, scan-image] | |
| permissions: | |
| contents: write | |
| packages: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| new_tag: ${{ steps.bump-version.outputs.new_tag }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Bump version and push tag | |
| id: bump-version | |
| uses: anothrNick/github-tag-action@1.67.0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| WITH_V: false | |
| DEFAULT_BUMP: minor # Making this default visible | |
| TAG_CONTEXT: repo # Making this default visible | |
| PRERELEASE: ${{ github.base_ref != 'refs/heads/main' }} | |
| PRERELEASE_SUFFIX: ${{ github.base_ref }} # Branch name | |
| - name: Create safe tag | |
| id: safe_tag | |
| run: | | |
| echo "SAFE_TAG=$(echo ${{ steps.bump-version.outputs.new_tag }} | sed 's/[^a-zA-Z0-9.]/-/g')" >> $GITHUB_OUTPUT | |
| - name: Download Artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ansible-aws-image | |
| path: /tmp | |
| - name: Load and retag image for publish | |
| run: | | |
| docker load --input /tmp/ansible-aws-image.tar | |
| docker tag hmpps-delius-operational-automation:${{ github.sha }} ghcr.io/ministryofjustice/hmpps-delius-operational-automation:${{ steps.safe_tag.outputs.SAFE_TAG }} | |
| - name: Log into ghcr | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Publish image | |
| run: docker push ghcr.io/ministryofjustice/hmpps-delius-operational-automation:${{ steps.safe_tag.outputs.SAFE_TAG }} | |