From 8db4338937976c8c6979ea3df0787d86f0f7c076 Mon Sep 17 00:00:00 2001
From: mpanne
Date: Wed, 8 May 2024 14:21:05 +0200
Subject: [PATCH] WIP: Use separate workflow and forward deploy key

---
 .github/workflows/build-and-deploy.yml | 5 +-
 .github/workflows/pipeline.yml | 228 ++++++++++++-------------
 2 files changed, 118 insertions(+), 115 deletions(-)

diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index d33cad76..2aa29fe4 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
@@ -9,6 +9,9 @@ on:
 directory:
 required: true
 type: string
+ deploy_key:
+ required: true
+ type: string

 env:
 IMAGE_NAME: digitalservicebund/${{ inputs.name }}
@@ -87,7 +90,7 @@ jobs:
 version: ${{ github.sha }}
 deploying_repo: ${{ inputs.name }}
 infra_repo: ${{ github.event.repository.name }}-infra
- deploy_key: ${{ secrets.DEPLOY_KEY }}
+ deploy_key: ${{ inputs.deploy_key }}
 app: ${{ inputs.name }}-production
 argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
 argocd_server: ${{ secrets.ARGOCD_SERVER }}
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index a60f3169..3543f90f 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
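Review bot: `deploy_key` is declared under `on.workflow_call.inputs` with `type: string`, so the deploy key arrives in the called workflow as an ordinary input rather than a secret, and the callee's job will neither mask it in logs nor treat it as a secret; the same value is then handed over through `with:` in the pipeline.yml hunk. Reusable workflows have a dedicated `secrets:` section under `workflow_call` for exactly this: declare the key there, reference it as `${{ secrets.deploy_key }}` at the `argocd-deploy` step, and have the caller pass it under `secrets:` instead of `with:` (`secrets:` / `deploy_key: ${{ secrets.DEPLOY_KEY }}` in place of the added `with:` line). Both hunks sit inside definitions that continue outside the diff (the `on.workflow_call` block and the job holding the `argocd-deploy` step), so the exact placement needs checking against the full file.
```yaml
on:
  workflow_call:
    # … unchanged: inputs (name, directory) …
    secrets:
      deploy_key:
        required: true
# … unchanged: env, build steps …
          deploy_key: ${{ secrets.deploy_key }}
```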
@@ -167,117 +167,117 @@ jobs: with: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - # build-and-deploy: - # needs: - # - test - # - audit-licenses - # - vulnerability-scan - # if: ${{ github.ref == 'refs/heads/main' }} - # uses: ./.github/workflows/build-and-deploy.yml - # strategy: - # fail-fast: false - # matrix: - # packages: - # - name: digitalcheck-dito - # directory: packages/dito - # - name: digitalcheck-tool-finder - # directory: packages/tool-finder - # with: - # name: ${{ matrix.packages.name }} - # directory: ${{ matrix.packages.directory }} - - build-and-push-image: - runs-on: ubuntu-latest - if: ${{ github.ref == 'refs/heads/main' }} - needs: - - test - - audit-licenses - - vulnerability-scan - permissions: - contents: read - id-token: write # This is used to complete the identity challenge with sigstore/fulcio. - packages: write - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: validate github workflow files to have pinned versions - uses: digitalservicebund/github-actions-linter@dccac3ada437947aada4bc901daff08ceb87c3f1 - - - name: Build image from Dockerfile - run: | - docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . -f packages/tool-finder/Dockerfile --build-arg COMMIT_SHA=${{ github.sha }} - - - name: Generate cosign vulnerability scan record - # Third-party action, pin to commit SHA! - # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0 - with: - image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }} - format: "cosign-vuln" - output: "vulnerabilities.json" - - - name: Upload cosign vulnerability scan record - uses: actions/upload-artifact@v4 - with: - name: "vulnerabilities.json" - path: "vulnerabilities.json" - if-no-files-found: error - - - name: Install cosign - # Third-party action, pin to commit SHA! 
- # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - - - name: Login to container registry - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 - with: - registry: "ghcr.io" - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push image - run: | - docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }} - docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }} - docker push --all-tags ghcr.io/${{ env.IMAGE_NAME }} - - - name: Sign the published Docker image - run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }} - - - name: Attest the vulnerability scan - run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }} - - - name: Create SBOM - uses: digitalservicebund/create-sbom@095884614dac5ea922dfcb09cce2e22f3d6391a3 - with: - image_name: ${{ github.repository }}:${{ github.sha }} - - deploy: - needs: [build-and-push-image] - runs-on: ubuntu-latest - if: ${{ github.ref == 'refs/heads/main' }} - timeout-minutes: 10 - permissions: - packages: read - environment: production - steps: - - name: Deploy latest container image - uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 - with: - environment: production - version: ${{ github.sha }} - deploying_repo: digitalcheck-tool-finder - infra_repo: ${{ github.event.repository.name }}-infra - deploy_key: ${{ secrets.DEPLOY_KEY }} - app: digitalcheck-tool-finder-production - argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} - argocd_server: ${{ secrets.ARGOCD_SERVER }} - - - name: Report Deployment - uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88 # v1.0.0 - with: - project: ${{ 
github.event.repository.name }} - environment: production - metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} - metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }} + build-and-deploy: + needs: + - test + - audit-licenses + - vulnerability-scan + if: ${{ github.ref == 'refs/heads/main' }} + uses: ./.github/workflows/build-and-deploy.yml + # strategy: + # fail-fast: false + # matrix: + # packages: + # - name: digitalcheck-dito + # directory: packages/dito + # - name: digitalcheck-tool-finder + # directory: packages/tool-finder + with: + name: digitalcheck-tool-finder + directory: packages/tool-finder + deploy_key: ${{ secrets.DEPLOY_KEY }} +# build-and-push-image: +# runs-on: ubuntu-latest +# if: ${{ github.ref == 'refs/heads/main' }} +# needs: +# - test +# - audit-licenses +# - vulnerability-scan +# permissions: +# contents: read +# id-token: write # This is used to complete the identity challenge with sigstore/fulcio. +# packages: write +# steps: +# - name: Checkout code +# uses: actions/checkout@v4 +# +# - name: validate github workflow files to have pinned versions +# uses: digitalservicebund/github-actions-linter@dccac3ada437947aada4bc901daff08ceb87c3f1 +# +# - name: Build image from Dockerfile +# run: | +# docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . -f packages/tool-finder/Dockerfile --build-arg COMMIT_SHA=${{ github.sha }} +# +# - name: Generate cosign vulnerability scan record +# # Third-party action, pin to commit SHA! 
+# # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions +# uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0 +# with: +# image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }} +# format: "cosign-vuln" +# output: "vulnerabilities.json" +# +# - name: Upload cosign vulnerability scan record +# uses: actions/upload-artifact@v4 +# with: +# name: "vulnerabilities.json" +# path: "vulnerabilities.json" +# if-no-files-found: error +# +# - name: Install cosign +# # Third-party action, pin to commit SHA! +# # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions +# uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 +# +# - name: Login to container registry +# uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 +# with: +# registry: "ghcr.io" +# username: ${{ github.actor }} +# password: ${{ secrets.GITHUB_TOKEN }} +# +# - name: Push image +# run: | +# docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }} +# docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }} +# docker push --all-tags ghcr.io/${{ env.IMAGE_NAME }} +# +# - name: Sign the published Docker image +# run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }} +# +# - name: Attest the vulnerability scan +# run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }} +# +# - name: Create SBOM +# uses: digitalservicebund/create-sbom@095884614dac5ea922dfcb09cce2e22f3d6391a3 +# with: +# image_name: ${{ github.repository }}:${{ github.sha }} +# +# deploy: +# needs: [build-and-push-image] +# runs-on: ubuntu-latest +# if: ${{ github.ref == 'refs/heads/main' }} +# timeout-minutes: 10 +# permissions: +# packages: read +# environment: production +# steps: +# - name: Deploy latest container image +# uses: 
digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 +# with: +# environment: production +# version: ${{ github.sha }} +# deploying_repo: digitalcheck-tool-finder +# infra_repo: ${{ github.event.repository.name }}-infra +# deploy_key: ${{ secrets.DEPLOY_KEY }} +# app: digitalcheck-tool-finder-production +# argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} +# argocd_server: ${{ secrets.ARGOCD_SERVER }} +# +# - name: Report Deployment +# uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88 # v1.0.0 +# with: +# project: ${{ github.event.repository.name }} +# environment: production +# metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }} +# metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
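Review bot: Roughly a hundred lines of the former `build-and-push-image` and `deploy` jobs survive on the new side as `#`-prefixed lines (from `# build-and-push-image:` through the final `# metrics_webhook_token:` line), alongside the commented-out `strategy`/`matrix` block inside the new `build-and-deploy` job; git history already keeps them, so deleting them leaves one readable definition instead of two that will drift apart, and the `WIP` in the subject suggests this is intended before merge. Separately, the removed `deploy` job carried `environment: production`, `timeout-minutes: 10` and a `permissions: packages: read` scope, and a job that calls a reusable workflow via `uses:` cannot set `environment` or `timeout-minutes` itself, so those have to live on the callee's job, whose header is outside this diff; worth confirming it declares them before the production environment's protection rules are relied on. The new caller job also sets no `permissions:` block, and since the called workflow's jobs can only use what the caller job grants, an explicit minimal block here (for example `permissions:` with `contents: read`, `id-token: write`, `packages: write` as the old job had) makes the effective scope visible at the call site.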