Merge pull request #865 from project-primera/develop #50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'push: master' | |
| on: | |
| push: | |
| branches: | |
| - master | |
| jobs: | |
| skip: | |
| name: Check release skip | |
| runs-on: ubuntu-latest | |
| if: "! contains(github.event.head_commit.message, '[release skip]')" | |
| steps: | |
| - run: echo "${{ github.event.head_commit.message }}" | |
| dockle: | |
| name: Dockle scan | |
| runs-on: ubuntu-latest | |
| needs: [skip] | |
| steps: | |
| - uses: actions/checkout@master | |
| - run: docker login --username ${{ secrets.DOCKER_HUB_USER }} --password ${{ secrets.DOCKER_HUB_TOKEN }} | |
| - name: Build docker image | |
| run: docker build ./ -t ${IMAGE_NAME} --file Dockerfile | |
| - name: Install dockle | |
| run: | | |
| VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \ | |
| grep '"tag_name":' | \ | |
| sed -E 's/.*"v([^"]+)".*/\1/' \ | |
| ) | |
| curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb | |
| sudo dpkg -i dockle.deb | |
| rm dockle.deb | |
| - name: Check image with dockle | |
| # CIS-DI-0001: Create a user for the container | |
| # DKL-DI-0006: Avoid latest tag | |
| run: dockle -i CIS-DI-0001 -i DKL-DI-0006 ${IMAGE_NAME} | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@v2 | |
| if: cancelled() || failure() | |
| with: | |
| status: ${{ job.status }} | |
| author_name: ProjectPrimera/ongeki-score | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TEST }} | |
| env: | |
| IMAGE_NAME: projectprimera/ongeki-score | |
| trivy: | |
| name: Trivy scan | |
| runs-on: ubuntu-latest | |
| needs: [skip] | |
| steps: | |
| - uses: actions/checkout@master | |
| - run: docker login --username ${{ secrets.DOCKER_HUB_USER }} --password ${{ secrets.DOCKER_HUB_TOKEN }} | |
| - name: Build docker image | |
| run: docker build ./ -t ${IMAGE_NAME} --file Dockerfile | |
| - name: Install trivy | |
| run: | | |
| sudo apt-get install apt-transport-https gnupg | |
| wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - | |
| echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
| sudo apt-get update | |
| sudo apt-get install trivy | |
| - name: Vulnerability scan with trivy | |
| run: trivy -q image ${IMAGE_NAME} | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@v2 | |
| if: cancelled() || failure() | |
| with: | |
| status: ${{ job.status }} | |
| author_name: ProjectPrimera/ongeki-score | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TEST }} | |
| env: | |
| IMAGE_NAME: projectprimera/ongeki-score | |
| publish: | |
| name: Publish to Docker Hub | |
| runs-on: ubuntu-latest | |
| needs: [skip, dockle, trivy] | |
| steps: | |
| - uses: actions/checkout@master | |
| - run: echo ${{ secrets.DOCKER_HUB_TOKEN }} | docker login --username ${{ secrets.DOCKER_HUB_USER }} --password-stdin | |
| - run: echo ${{ secrets.GH_AUTH_TOKEN }} | docker login docker.pkg.github.com --username ${{ secrets.GH_AUTH_USER }} --password-stdin | |
| - shell: bash | |
| id: validate | |
| run: | | |
| VERSION='${{github.event.head_commit.message}}' | |
| if [[ $VERSION =~ ([0-9]+\.[0-9]+\.[0-9]+) ]]; then | |
| echo "::set-output name=version::${BASH_REMATCH[1]}" | |
| else | |
| exit 1 | |
| fi | |
| - name: Get commit commit | |
| id: hash | |
| run: echo "::set-output name=hash::"$(git rev-parse --short HEAD) | |
| - name: Build docker image | |
| run: docker build ./ -t ${IMAGE_NAME} --file Dockerfile --build-arg application_version=${{steps.validate.outputs.version}} --build-arg commit_hash=${{steps.hash.outputs.hash}} | |
| - run: | | |
| docker tag ${IMAGE_NAME} ${IMAGE_NAME}:latest | |
| docker tag ${IMAGE_NAME} ${IMAGE_NAME_GITHUB}:latest | |
| TAG=${{steps.validate.outputs.version}} | |
| docker tag ${IMAGE_NAME} ${IMAGE_NAME}:${TAG} | |
| docker tag ${IMAGE_NAME} ${IMAGE_NAME_GITHUB}:${TAG} | |
| - name: Publish | |
| run: | | |
| TAG=${{steps.validate.outputs.version}} | |
| docker push ${IMAGE_NAME}:${TAG} | |
| docker push ${IMAGE_NAME}:latest | |
| # docker push ${IMAGE_NAME_GITHUB}:${TAG} | |
| # docker push ${IMAGE_NAME_GITHUB}:latest | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@v2 | |
| if: always() | |
| with: | |
| status: ${{ job.status }} | |
| author_name: ProjectPrimera/ongeki-score | |
| text: <!channel> | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} | |
| env: | |
| IMAGE_NAME: projectprimera/ongeki-score | |
| IMAGE_NAME_GITHUB: docker.pkg.github.com/project-primera/ongeki-score/ongeki-score | |
| # release: | |
| # name: Create Release | |
| # runs-on: ubuntu-latest | |
| # needs: [skip, dockle, trivy, publish] | |
| # steps: | |
| # - uses: actions/checkout@v2 | |
| # - shell: bash | |
| # id: validate | |
| # run: | | |
| # VERSION='${{github.event.head_commit.message}}' | |
| # if [[ $VERSION =~ ([0-9]+\.[0-9]+\.[0-9]+) ]]; then | |
| # echo "::set-output name=version::${BASH_REMATCH[1]}" | |
| # else | |
| # exit 1 | |
| # fi | |
| # - shell: bash | |
| # name: Make tag test. | |
| # run: | | |
| # git tag ${{steps.validate.outputs.version}} | |
| # git tag -d ${{steps.validate.outputs.version}} | |
| # - shell: bash | |
| # id: changelog | |
| # run: | | |
| # git fetch --prune --unshallow | |
| # yarn install --production=false | |
| # description=$(yarn run --silent changelog | sed -e 's/^## .*$//' | sed -e 's/^####/##/') | |
| # description="${description//'%'/'%25'}" | |
| # description="${description//$'\n'/'%0A'}" | |
| # description="${description//$'\r'/'%0D'}" | |
| # echo "::set-output name=body::${description}" | |
| # env: | |
| # GITHUB_AUTH: ${{ secrets.LERNA_CHANGELOG_GITHUB_AUTH }} | |
| # - uses: actions/create-release@v1 | |
| # env: | |
| # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # with: | |
| # tag_name: ${{steps.validate.outputs.version}} | |
| # release_name: Version ${{steps.validate.outputs.version}} | |
| # body: ${{steps.changelog.outputs.body}} | |
| # draft: false | |
| # prerelease: false | |
| slack: | |
| name: Slack Notification | |
| runs-on: ubuntu-latest | |
| needs: [skip, dockle, trivy, publish] | |
| steps: | |
| - name: Slack Notification | |
| uses: 8398a7/action-slack@v2 | |
| if: always() | |
| with: | |
| status: ${{ job.status }} | |
| author_name: ProjectPrimera/ongeki-score | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_TEST }} |