mirror of
https://github.com/sartography/spiff-arena.git
synced 2025-01-31 03:35:39 +00:00
189 lines
8.1 KiB
YAML
189 lines
8.1 KiB
YAML
name: Build Docker Images
|
|
# we want to be able to sort by tag name to find the newest and trace back to source control
|
|
# on every commit to main:
|
|
# frontend:main-20230223164322-b8becd1-45
|
|
# frontend:main-latest
|
|
# we settled on:
|
|
# main-2023-02-24_16-16-40
|
|
# because the labels on the docker image itself have the git sha and everything else :)
|
|
# on every tag:
|
|
# frontend:latest
|
|
#
|
|
# Example docker image labels:
|
|
# "Labels": {
|
|
# "description": "Software development platform for building, running, and monitoring executable diagrams",
|
|
# "org.opencontainers.image.created": "2023-02-24T16:43:00.844Z",
|
|
# "org.opencontainers.image.description": "",
|
|
# "org.opencontainers.image.licenses": "LGPL-2.1",
|
|
# "org.opencontainers.image.revision": "54064a050fbf9f366648f0f2e2c60ce244fcc421",
|
|
# "org.opencontainers.image.source": "https://github.com/sartography/spiff-arena",
|
|
# "org.opencontainers.image.title": "spiff-arena",
|
|
# "org.opencontainers.image.url": "https://github.com/sartography/spiff-arena",
|
|
# "org.opencontainers.image.version": "main-latest",
|
|
# "source": "https://github.com/sartography/spiff-arena"
|
|
# }
|
|
#
|
|
# Git tags for an image:
|
|
# curl -H "Authorization: Bearer $(echo -n $TOKEN | base64 -w0)" https://ghcr.io/v2/sartography/spiffworkflow-backend/tags/list | jq -r '.tags | sort_by(.)'
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- keycloak-realm-with-groups
|
|
- fail-fast-off
|
|
tags: [v*]
|
|
|
|
jobs:
|
|
create_docker_images:
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- image_name: sartography/spiffworkflow-frontend
|
|
context: spiffworkflow-frontend
|
|
description: "Frontend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams"
|
|
- image_name: sartography/spiffworkflow-backend
|
|
context: spiffworkflow-backend
|
|
description: "Backend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams"
|
|
- image_name: sartography/connector-proxy-demo
|
|
context: connector-proxy-demo
|
|
description: "Connector proxy component of SpiffWorkflow, providing integration capabilities for external services"
|
|
|
|
env:
|
|
REGISTRY: ghcr.io
|
|
IMAGE_NAME: ${{ matrix.image_name }}
|
|
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
security-events: write # Required for uploading Trivy scan results to GitHub Security
|
|
steps:
|
|
- name: Check out the repository
|
|
uses: actions/checkout@v4
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Log in to the Container registry
|
|
uses: docker/login-action@v3.3.0
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Get current date
|
|
id: date
|
|
run: echo "date=$(date -u +'%Y-%m-%d_%H-%M-%S')" >> "$GITHUB_OUTPUT"
|
|
- name: Get short commit sha
|
|
id: commit_sha
|
|
run: echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
|
|
- name: Extract metadata (tags, labels) for Docker
|
|
id: meta
|
|
uses: docker/metadata-action@v5.6.1
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
labels: |
|
|
org.opencontainers.image.description=${{ matrix.description }}
|
|
org.opencontainers.image.version=${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}
|
|
tags: |
|
|
type=ref,event=branch,branch=main,suffix=-latest
|
|
type=ref,event=branch,suffix=-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}
|
|
type=ref,event=tag,enable=true,format={{version}}
|
|
type=ref,event=tag,enable=true,format=latest
|
|
|
|
- name: Write app version info
|
|
working-directory: ${{ matrix.context }}
|
|
run: echo "$DOCKER_METADATA_OUTPUT_JSON" | jq '.labels' > version_info.json
|
|
- name: Generate full image tag
|
|
id: full_tag
|
|
run: echo "full_tag=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}" >> "$GITHUB_OUTPUT"
|
|
- name: Build Docker image
|
|
uses: docker/build-push-action@v6.10.0
|
|
with:
|
|
context: ${{ matrix.context }}
|
|
push: false # Don't push yet
|
|
load: true # Load image to local Docker daemon
|
|
tags: ${{ steps.full_tag.outputs.full_tag }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
# While we ultimately push multi-arch images (amd64/arm64) to registries, we don't want to do that before we scan for vulns.
|
|
# The Action can only load a single arch image into the local dockerd at a time, so we only build and test one arch here.
|
|
# It's pretty likely that any vuln in amd64 is also in arm64, and vice-versa, so the trade-off seems reasonable.
|
|
platforms: linux/amd64
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@0.29.0
|
|
with:
|
|
image-ref: "${{ steps.full_tag.outputs.full_tag }}"
|
|
scan-type: "image"
|
|
hide-progress: false
|
|
limit-severities-for-sarif: true
|
|
format: "sarif"
|
|
output: "trivy-results.sarif"
|
|
severity: "CRITICAL"
|
|
exit-code: 1 # Fail the workflow if critical vulnerabilities are found
|
|
timeout: 15m0s
|
|
ignore-unfixed: true
|
|
- name: Check if Trivy results exist
|
|
if: always()
|
|
# trivy will fail if vulnerabilities are found but we need to upload them anyway
|
|
run: |
|
|
if [ -f "trivy-results.sarif" ]; then
|
|
echo "UPLOAD_TRIVY_RESULTS=true" >> "$GITHUB_ENV"
|
|
else
|
|
echo "Trivy results file not found. Skipping upload."
|
|
echo "UPLOAD_TRIVY_RESULTS=false" >> "$GITHUB_ENV"
|
|
fi
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
if: always() && env.UPLOAD_TRIVY_RESULTS == 'true'
|
|
with:
|
|
sarif_file: "trivy-results.sarif"
|
|
|
|
- name: Push Docker image
|
|
uses: docker/build-push-action@v6.10.0
|
|
with:
|
|
context: ${{ matrix.context }}
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
platforms: linux/amd64,linux/arm64
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
- name: Adding markdown
|
|
run: echo 'TAGS ${{ steps.meta.outputs.tags }}' >> "$GITHUB_STEP_SUMMARY"
|
|
|
|
quickstart-guide-test:
|
|
runs-on: ubuntu-latest
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
needs: [create_docker_images]
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
- name: Setup Apps
|
|
run: ./bin/run_arena_with_docker_compose
|
|
- name: wait_for_backend
|
|
working-directory: ./spiffworkflow-backend
|
|
run: ./bin/wait_for_backend_to_be_up 5 8000
|
|
- name: wait_for_frontend
|
|
working-directory: ./spiffworkflow-frontend
|
|
run: ./bin/wait_for_frontend_to_be_up 5 8001
|
|
- name: wait_for_connector
|
|
working-directory: ./connector-proxy-demo
|
|
run: ./bin/wait_for_connector_to_be_up 5 8004
|
|
- name: Cypress run
|
|
uses: cypress-io/github-action@v6
|
|
with:
|
|
working-directory: ./spiffworkflow-frontend
|
|
browser: chromium
|
|
# just run one test to make sure we didn't completely break it
|
|
spec: cypress/e2e/process_groups.cy.js
|
|
env:
|
|
# pass GitHub token to allow accurately detecting a build vs a re-run build
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
CYPRESS_SPIFFWORKFLOW_FRONTEND_AUTH_WITH_KEYCLOAK: "false"
|
|
CYPRESS_SPIFFWORKFLOW_FRONTEND_USERNAME: "admin"
|
|
CYPRESS_SPIFFWORKFLOW_FRONTEND_PASSWORD: "admin"
|
|
SPIFFWORKFLOW_FRONTEND_PORT: 8001
|