Rename Docker images in kubernetes #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Webserver Service Build" | |
| on: | |
| push: | |
| tags: | |
| - "[0-9]+.[0-9]+.[0-9]+" | |
| - "[0-9]+.[0-9]+.[0-9]+-rc[0-9]+" | |
| branches: [main] | |
| # Path filters aren't evaluated for tags - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore | |
| paths: | |
| - ".nvmrc" | |
| - "package.json" | |
| - "package-lock.json" | |
| - "src/*/static/**" | |
| - ".github/workflows/**" | |
| - ".github/scripts/**" | |
| - "docker/webserver/**" | |
| pull_request: | |
| paths: | |
| - ".nvmrc" | |
| - "package.json" | |
| - "package-lock.json" | |
| - "src/*/static/**" | |
| - ".github/workflows/**" | |
| - ".github/scripts/**" | |
| - "docker/webserver/**" | |
| workflow_dispatch: # Manually | |
| env: | |
| REGISTRY: ghcr.io/noaa-gsl/unified-graphics/webserver | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: ".nvmrc" | |
| cache: "npm" | |
| cache-dependency-path: "package-lock.json" | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Lint | |
| run: npm run lint:code | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: [lint] | |
| permissions: | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Extract branch/tag name | |
| run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
| - name: Build & tag image | |
| run: | | |
| docker build -t ${{ env.REGISTRY }}:${{ env.BRANCH }} -f docker/webserver/Dockerfile . | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push image | |
| run: | | |
| docker push ${{ env.REGISTRY }}:${{ env.BRANCH }} | |
| scan: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Extract branch/tag name | |
| run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
| - name: Scan image with Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "${{ env.REGISTRY }}:${{ env.BRANCH }}" | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| ignore-unfixed: true | |
| severity: "CRITICAL,HIGH" | |
| exit-code: "1" | |
| env: | |
| TRIVY_USERNAME: ${{ github.actor }} | |
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| deploy: | |
| if: ${{ github.actor != 'dependabot[bot]' }} # Don't deploy Dependabot changes | |
| runs-on: ubuntu-latest | |
| environment: vlab | |
| concurrency: vlab | |
| needs: scan | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Extract branch/tag name | |
| run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-1 | |
| - name: Login to ECR | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| - name: retag image and push | |
| run: | | |
| docker pull ${{ env.REGISTRY }}:${{ env.BRANCH }} | |
| docker tag ${{ env.REGISTRY }}:${{ env.BRANCH }} ${{ secrets.AWS_REGISTRY }}/webserver:${{ env.BRANCH }} | |
| docker push ${{ secrets.AWS_REGISTRY }}/webserver:${{ env.BRANCH }} |