Rename Docker images in kubernetes #1


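name: "Webserver Service Build"

on:
  push:
    tags:
      - "[0-9]+.[0-9]+.[0-9]+"
      - "[0-9]+.[0-9]+.[0-9]+-rc[0-9]+"
    branches: [main]
    # Path filters aren't evaluated for tags - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
    paths:
      - ".nvmrc"
      - "package.json"
      - "package-lock.json"
      - "src/*/static/**"
      - ".github/workflows/**"
      - ".github/scripts/**"
      - "docker/webserver/**"
  pull_request:
    paths:
      - ".nvmrc"
      - "package.json"
      - "package-lock.json"
      - "src/*/static/**"
      - ".github/workflows/**"
      - ".github/scripts/**"
      - "docker/webserver/**"
  workflow_dispatch: # Manually

# Default GITHUB_TOKEN scope for every job. Without this the token inherits the
# repository's default, which may be write-all; jobs that need more opt in below.
permissions:
  contents: read

env:
  REGISTRY: ghcr.io/noaa-gsl/unified-graphics/webserver

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: ".nvmrc"
          cache: "npm"
          cache-dependency-path: "package-lock.json"
      - name: Install dependencies
        run: npm ci
      - name: Lint
        run: npm run lint:code

  build:
    runs-on: ubuntu-latest
    needs: [lint]
    # Declaring `permissions` on a job sets every unlisted scope to none, so
    # `contents: read` must be listed explicitly for checkout.
    permissions:
      contents: read
      packages: write # push to GHCR (read-only on pull_request runs from forks, so the push step fails there)
    # Digest-pinned reference of the image that was actually pushed. `scan` and
    # `deploy` consume this instead of re-resolving the mutable `:BRANCH` tag,
    # so a concurrent run re-pushing the same tag cannot swap the image between
    # scanning and deployment.
    outputs:
      image: ${{ steps.push.outputs.image }}
    steps:
      - uses: actions/checkout@v4
      - name: Extract branch/tag name
        run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
      # BRANCH is derived from the git ref, which on pull_request events is
      # chosen by the PR author; it is read as a shell variable rather than
      # interpolated with `${{ }}` so it cannot alter the command line.
      # NOTE(review): extract_git_ref.py is assumed to produce a valid Docker
      # tag (no `/`, etc.) — confirm against the script.
      - name: Build & tag image
        run: |
          docker build -t "${REGISTRY}:${BRANCH}" -f docker/webserver/Dockerfile .
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push image
        id: push
        run: |
          docker push "${REGISTRY}:${BRANCH}"
          # RepoDigests is populated by the push; expose the digest-pinned
          # reference (registry/name@sha256:...) to downstream jobs.
          image="$(docker inspect --format '{{index .RepoDigests 0}}' "${REGISTRY}:${BRANCH}")"
          if [ -z "${image}" ]; then
            echo "could not determine pushed image digest" >&2
            exit 1
          fi
          echo "image=${image}" >> "$GITHUB_OUTPUT"

  scan:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read # checkout
      packages: read # pull the image from GHCR
      security-events: write # required by upload-sarif
    steps:
      - uses: actions/checkout@v4
      - name: Scan image with Trivy
        # TODO(review): pin to a release tag or commit SHA. `@master` is a
        # mutable ref, and this step receives a GITHUB_TOKEN with package access.
        uses: aquasecurity/trivy-action@master
        with:
          # Scan exactly the image `build` pushed, by digest.
          image-ref: "${{ needs.build.outputs.image }}"
          format: "sarif"
          output: "trivy-results.sarif"
          # Unfixed CRITICAL/HIGH findings are still written to the SARIF
          # report below, but they do not fail the job.
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"
          exit-code: "1"
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        # v2 of codeql-action is deprecated (Node 16); v3 is the supported line.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

  deploy:
    # Don't deploy Dependabot changes. `github.actor` is whoever triggered this
    # run, so a manual re-run of a Dependabot PR by a person is not excluded.
    if: ${{ github.actor != 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    # NOTE(review): this job also runs for pull_request events from this
    # repository (the scan job gates only on findings). Confirm the `vlab`
    # environment has required-reviewer protection, or restrict this job to
    # push/workflow_dispatch with `github.event_name != 'pull_request'`.
    environment: vlab
    concurrency: vlab
    # `build` is listed so `needs.build.outputs` is available here.
    needs: [build, scan]
    permissions:
      contents: read # checkout
      packages: read # pull from GHCR
    steps:
      - uses: actions/checkout@v4
      - name: Extract branch/tag name
        run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Configure AWS credentials
        # TODO(review): these are long-lived static keys stored as repository
        # secrets; prefer OIDC (`role-to-assume` plus `id-token: write`) so the
        # job receives short-lived credentials instead.
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Login to ECR
        uses: aws-actions/amazon-ecr-login@v2
      - name: retag image and push
        # Pull the scanned image by digest, then publish it to ECR under the
        # same branch/tag name as before. Secrets and job outputs are passed
        # through `env` so the shell, not the workflow expander, sees them.
        env:
          SOURCE_IMAGE: ${{ needs.build.outputs.image }}
          AWS_REGISTRY: ${{ secrets.AWS_REGISTRY }}
        run: |
          docker pull "${SOURCE_IMAGE}"
          docker tag "${SOURCE_IMAGE}" "${AWS_REGISTRY}/webserver:${BRANCH}"
          docker push "${AWS_REGISTRY}/webserver:${BRANCH}"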