generated from digitalservicebund/remix-application-template
-
Notifications
You must be signed in to change notification settings - Fork 0
126 lines (108 loc) · 4.69 KB
/
pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
name: Pipeline
on:
push:
branches: [main]
pull_request:
branches: [main]
# Allow to run this workflow manually
workflow_dispatch:
env:
PACKAGE_NAME: digitalcheck-dito
IMAGE_NAME: digitalservicebund/digitalcheck-dito
ENVIRONMENT: production
jobs:
vulnerability-scan:
uses: ./.github/workflows/scan.yml
secrets: inherit
check-and-test:
uses: ./.github/workflows/check-and-test.yml
secrets: inherit
build-and-push-image:
needs: [vulnerability-scan, check-and-test]
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build image from Dockerfile
run: |
docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
- name: Generate cosign vulnerability scan record
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
format: "cosign-vuln"
output: "${{ env.PACKAGE_NAME }}-vulnerabilities.json"
- name: Upload cosign vulnerability scan record
uses: actions/upload-artifact@v4
with:
name: "${{ env.PACKAGE_NAME }}-vulnerabilities.json"
path: "${{ env.PACKAGE_NAME }}-vulnerabilities.json"
if-no-files-found: error
- name: Install cosign
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
- name: Login to container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: "ghcr.io"
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image
run: |
docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}
docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
docker push --all-tags ghcr.io/${{ env.IMAGE_NAME }}
- name: Create SBOM
uses: digitalservicebund/create-sbom@9535ef832c2895b44b7266f84e16ad7598d1ead9 # v1.2.1
with:
image_name: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
artifact_name: SBOM-${{ env.PACKAGE_NAME }}
- name: Sign the published Docker image
run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: Attest the vulnerability scan
run: cosign attest --yes --replace --predicate ${{ env.PACKAGE_NAME }}-vulnerabilities.json --type vuln ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: Send failure to Slack
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
deploy:
needs: [build-and-push-image]
if: ${{ github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
packages: read
environment: production
steps:
- name: Deploy latest container image
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0
with:
environment: "${{ env.ENVIRONMENT }}"
version: ${{ github.sha }}
deploying_repo: ${{ env.PACKAGE_NAME }}
infra_repo: ${{ github.event.repository.name }}-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: "${{ env.PACKAGE_NAME }}-${{ env.ENVIRONMENT }}"
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 240
- name: Report Deployment
uses: digitalservicebund/track-deployment@5a2815e150e1268983aac5ca04c8c046ed1b614a # v1.1.0
with:
project: ${{ env.PACKAGE_NAME }}
environment: ${{ env.ENVIRONMENT }}
metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
- name: Send failure to Slack
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}