name: Build Docker Images # we want to be able to sort by tag name to find the newest and trace back to source control # on every commit to main: # frontend:main-20230223164322-b8becd1-45 # frontend:main-latest # we settled on: # main-2023-02-24_16-16-40 # because the labels on the docker image itself have the git sha and everything else :) # on every tag: # frontend:latest # # Example docker image labels: # "Labels": { # "description": "Software development platform for building, running, and monitoring executable diagrams", # "org.opencontainers.image.created": "2023-02-24T16:43:00.844Z", # "org.opencontainers.image.description": "", # "org.opencontainers.image.licenses": "LGPL-2.1", # "org.opencontainers.image.revision": "54064a050fbf9f366648f0f2e2c60ce244fcc421", # "org.opencontainers.image.source": "https://github.com/sartography/spiff-arena", # "org.opencontainers.image.title": "spiff-arena", # "org.opencontainers.image.url": "https://github.com/sartography/spiff-arena", # "org.opencontainers.image.version": "main-latest", # "source": "https://github.com/sartography/spiff-arena" # } # # Git tags for an image: # curl -H "Authorization: Bearer $(echo -n $TOKEN | base64 -w0)" https://ghcr.io/v2/sartography/spiffworkflow-backend/tags/list | jq -r '.tags | sort_by(.)' on: push: branches: - main - keycloak-realm-with-groups - fail-fast-off tags: [v*] jobs: create_docker_images: runs-on: ubuntu-latest strategy: fail-fast: false matrix: include: - image_name: sartography/spiffworkflow-frontend context: spiffworkflow-frontend description: "Frontend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams" - image_name: sartography/spiffworkflow-backend context: spiffworkflow-backend description: "Backend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams" - image_name: sartography/connector-proxy-demo context: connector-proxy-demo description: "Connector proxy component of SpiffWorkflow, providing integration capabilities for external services" env: REGISTRY: ghcr.io IMAGE_NAME: ${{ matrix.image_name }} BRANCH_NAME: ${{ github.head_ref || github.ref_name }} permissions: contents: read packages: write security-events: write # Required for uploading Trivy scan results to GitHub Security steps: - name: Check out the repository uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to the Container registry uses: docker/login-action@v3.3.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Get current date id: date run: echo "date=$(date -u +'%Y-%m-%d_%H-%M-%S')" >> "$GITHUB_OUTPUT" - name: Get short commit sha id: commit_sha run: echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@v5.6.1 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} labels: | org.opencontainers.image.description=${{ matrix.description }} org.opencontainers.image.version=${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }} tags: | type=ref,event=branch,branch=main,suffix=-latest type=ref,event=branch,suffix=-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }} type=ref,event=tag,enable=true,format={{version}} type=ref,event=tag,enable=true,format=latest - name: Write app version info working-directory: ${{ matrix.context }} run: echo "$DOCKER_METADATA_OUTPUT_JSON" | jq '.labels' > version_info.json - name: Generate full image tag id: full_tag run: echo "full_tag=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}" >> "$GITHUB_OUTPUT" - name: Build Docker image uses: docker/build-push-action@v6.10.0 with: context: ${{ matrix.context }} push: false # Don't push yet load: true # Load image to local Docker daemon tags: ${{ steps.full_tag.outputs.full_tag }} labels: ${{ steps.meta.outputs.labels }} # While we ultimately push multi-arch images (amd64/arm64) to registries, we don't want to do that before we scan for vulns. # The Action can only load a single arch image into the local dockerd at a time, so we only build and test one arch here. # It's pretty likely that any vuln in amd64 is also in arm64, and vice-versa, so the trade-off seems reasonable. platforms: linux/amd64 cache-from: type=gha cache-to: type=gha,mode=max - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.29.0 with: image-ref: "${{ steps.full_tag.outputs.full_tag }}" scan-type: "image" hide-progress: false limit-severities-for-sarif: true format: "sarif" output: "trivy-results.sarif" severity: "CRITICAL" exit-code: 1 # Fail the workflow if critical vulnerabilities are found timeout: 15m0s ignore-unfixed: true - name: Check if Trivy results exist if: always() # trivy will fail if vulnerabilities are found but we need to upload them anyway run: | if [ -f "trivy-results.sarif" ]; then echo "UPLOAD_TRIVY_RESULTS=true" >> "$GITHUB_ENV" else echo "Trivy results file not found. Skipping upload." echo "UPLOAD_TRIVY_RESULTS=false" >> "$GITHUB_ENV" fi - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 if: always() && env.UPLOAD_TRIVY_RESULTS == 'true' with: sarif_file: "trivy-results.sarif" - name: Push Docker image uses: docker/build-push-action@v6.10.0 with: context: ${{ matrix.context }} push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} platforms: linux/amd64,linux/arm64 cache-from: type=gha cache-to: type=gha,mode=max - name: Adding markdown run: echo 'TAGS ${{ steps.meta.outputs.tags }}' >> "$GITHUB_STEP_SUMMARY" quickstart-guide-test: runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/tags/v') needs: [create_docker_images] steps: - name: Checkout uses: actions/checkout@v4 - name: Setup Apps run: ./bin/run_arena_with_docker_compose - name: wait_for_backend working-directory: ./spiffworkflow-backend run: ./bin/wait_for_backend_to_be_up 5 8000 - name: wait_for_frontend working-directory: ./spiffworkflow-frontend run: ./bin/wait_for_frontend_to_be_up 5 8001 - name: wait_for_connector working-directory: ./connector-proxy-demo run: ./bin/wait_for_connector_to_be_up 5 8004 - name: Cypress run uses: cypress-io/github-action@v6 with: working-directory: ./spiffworkflow-frontend browser: chromium # just run one test to make sure we didn't completely break it spec: cypress/e2e/process_groups.cy.js env: # pass GitHub token to allow accurately detecting a build vs a re-run build GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CYPRESS_SPIFFWORKFLOW_FRONTEND_AUTH_WITH_KEYCLOAK: "false" CYPRESS_SPIFFWORKFLOW_FRONTEND_USERNAME: "admin" CYPRESS_SPIFFWORKFLOW_FRONTEND_PASSWORD: "admin" SPIFFWORKFLOW_FRONTEND_PORT: 8001