ansible-aws-image-build.yml
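name: "Ansible: AWS Image Build"

on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - docker/delius-ansible-aws/**
      - .github/workflows/ansible-aws-image-build.yml
  # Commented out while spiking this work out
  # pull_request:
  #   branches:
  #     - main
  #   types: [opened, edited, reopened, synchronize]
  #   paths:
  #     - docker/delius-ansible-aws/**
  #     - .github/workflows/ansible-aws-image-build.yml

# Workflow-level default is read-only. Only the publish job pushes to ghcr
# and it declares `packages: write` itself, so the build job (which uses
# `push: false`) no longer runs with a token that can write packages.
permissions:
  contents: read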
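jobs:
  build-image:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Docker Buildx
        id: setup_buildx
        uses: docker/setup-buildx-action@v3
      # Build only (push: false). The image is exported to a tarball and
      # handed to the scan and publish jobs as an artifact, so nothing
      # reaches the registry before it has been scanned.
      - name: Build and push to ghcr
        id: build_publish
        uses: docker/build-push-action@v5
        with:
          context: ./docker/delius-ansible-aws
          file: ./docker/delius-ansible-aws/Dockerfile
          platforms: linux/amd64
          push: false
          tags: hmpps-delius-operational-automation:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          outputs: type=docker,dest=/tmp/ansible-aws-image.tar
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: ansible-aws-image
          path: /tmp/ansible-aws-image.tar
          retention-days: 1

  scan-image:
    name: Scan Image
    needs: build-image
    permissions:
      # required for all workflows
      security-events: write
      # only required for workflows in private repositories
      actions: read
      contents: read
    # Same pinned runner as build-image so the image tarball is loaded on
    # the same platform it was built on.
    runs-on: ubuntu-22.04
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: ansible-aws-image
          path: /tmp
      - name: Load image
        run: |
          docker load --input /tmp/ansible-aws-image.tar
      # exit-code '1' fails this job, and therefore blocks publish-image,
      # when any finding at MEDIUM or above is reported.
      - name: Trivy scan
        id: trivy_scan
        uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561
        with:
          format: 'sarif'
          severity: 'MEDIUM,HIGH,CRITICAL'
          image-ref: 'hmpps-delius-operational-automation:${{ github.sha }}'
          exit-code: '1'
          output: 'trivy-results.sarif'
      # Upload whenever the scan step actually ran, pass or fail, so the
      # Security tab stays current and a clean scan closes stale alerts.
      # `if: failure()` alone would also fire when an earlier step (e.g. the
      # artifact download) failed and no SARIF file exists.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: ${{ !cancelled() && steps.trivy_scan.conclusion != 'skipped' }}
        with:
          sarif_file: 'trivy-results.sarif'

  publish-image:
    name: Publish image
    needs: [build-image, scan-image]
    permissions:
      contents: write  # push the version tag
      packages: write  # push the image to ghcr
    runs-on: ubuntu-22.04
    outputs:
      new_tag: ${{ steps.bump-version.outputs.new_tag }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # TODO(review): pin this action to a full commit SHA (as trivy-action
      # above is); a release tag is mutable and can be moved.
      - name: Bump version and push tag
        id: bump-version
        uses: anothrNick/github-tag-action@1.67.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          WITH_V: false
          DEFAULT_BUMP: minor # Making this default visible
          TAG_CONTEXT: repo # Making this default visible
          # github.base_ref is only populated on pull_request events, and
          # then holds a bare branch name rather than a refs/heads/ path, so
          # comparing it with 'refs/heads/main' was always true and every
          # tag was marked prerelease. Use the ref that triggered the run:
          # a push to main is a release, anything else is a prerelease.
          PRERELEASE: ${{ github.ref != 'refs/heads/main' }}
          PRERELEASE_SUFFIX: ${{ github.ref_name }} # Branch name
      # Sanitise the new tag for use as a docker tag. The value is passed in
      # through env rather than interpolated into the script so the shell
      # never parses its contents.
      - name: Create safe tag
        id: safe_tag
        env:
          NEW_TAG: ${{ steps.bump-version.outputs.new_tag }}
        run: |
          echo "SAFE_TAG=$(echo "$NEW_TAG" | sed 's/[^a-zA-Z0-9.]/-/g')" >> "$GITHUB_OUTPUT"
      - name: Download Artifact
        uses: actions/download-artifact@v4
        with:
          name: ansible-aws-image
          path: /tmp
      - name: Load and retag image for publish
        env:
          SAFE_TAG: ${{ steps.safe_tag.outputs.SAFE_TAG }}
        run: |
          docker load --input /tmp/ansible-aws-image.tar
          docker tag "hmpps-delius-operational-automation:${{ github.sha }}" "ghcr.io/ministryofjustice/hmpps-delius-operational-automation:${SAFE_TAG}"
      - name: Log into ghcr
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish image
        env:
          SAFE_TAG: ${{ steps.safe_tag.outputs.SAFE_TAG }}
        run: docker push "ghcr.io/ministryofjustice/hmpps-delius-operational-automation:${SAFE_TAG}"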