
fix: docker build gha provenance to false #119


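# Deploy workflow: on a push to the `terraform` branch, select the environment
# matrix for the branch, build and push the service images to ECR, then run
# terraform plan/apply wrapped in a standard change (RFC).
name: Deploy
on:
  push:
    branches: [terraform]
    paths-ignore:
      - LICENSE
      - README.md
# One in-progress run per ref; cancel-in-progress is not set, so newer runs queue.
concurrency: ${{ github.ref }}
env:
  tf_version: "1.4.5" # must match value in terraform-iac/*/app/main.tf
  node_version: "16.x" # must match value in log-analyzer/sorter-lambda/package.json
jobs:
  env:
    name: Set Env Vars
    runs-on: ubuntu-latest
    steps:
      # Each branch writes a one-element `env` matrix that build_and_deploy consumes.
      # The JSON is run through `jq` before it is exported so a malformed literal
      # fails this job (bash -e) instead of surfacing as a fromJson() error downstream.
      - name: Set up DEV Environment Variables
        if: github.ref == 'refs/heads/terraform'
        run: |
          matrix='{
            "env":[
              {
                "aws_account":"863362256468",
                "aws_gha_role":"web-cdn-dev-gha",
                "rfc_key_name":"standard_change_sandbox_client_key",
                "rfc_secret_name":"standard_change_sandbox_client_secret",
                "rfc_template_id":"Codepipeline-Standard-Change",
                "assembler_ecr_repo_name" : "cdn-terraform-assembler-dev",
                "eager_redirect_ecr_repo_name" : "cdn-terraform-eager-redirect-dev",
                "webhooks_ecr_repo_name" : "cdn-terraform-webhooks-dev",
                "enhanced_headers_ecr_repo_name" : "cdn-terraform-enhanced-headers-dev",
                "log_sorter_ecr_repo_name" : "cdn-terraform-log-sorter-dev",
                "tf_working_dir":"./iac/dev/app"
              }
            ]
          }'
          matrix_json=$(printf '%s' "$matrix" | jq -c .)
          echo "matrix=$matrix_json" >> "$GITHUB_ENV"
      # TODO: Update for prd
      # NOTE(review): the PRD literal was missing the comma after
      # log_sorter_ecr_repo_name, which made the JSON invalid; it is restored here.
      # webhooks_ecr_repo_name still ends in "-dev" while every other PRD repo ends
      # in "-prd" — confirm whether that is the real repository name or a leftover.
      - name: Set up PRD Environment Variables
        if: github.ref == 'refs/heads/master'
        run: |
          matrix='{
            "env":[
              {
                "aws_account":"204581410681",
                "aws_gha_role":"web-cdn-prd-gha",
                "rfc_key_name":"standard_change_production_client_key",
                "rfc_secret_name":"standard_change_production_client_secret",
                "rfc_template_id":"Codepipeline-Standard-Change",
                "assembler_ecr_repo_name" : "cdn-terraform-assembler-prd",
                "eager_redirect_ecr_repo_name" : "cdn-terraform-eager-redirect-prd",
                "webhooks_ecr_repo_name" : "cdn-terraform-webhooks-dev",
                "enhanced_headers_ecr_repo_name" : "cdn-terraform-enhanced-headers-prd",
                "log_sorter_ecr_repo_name" : "cdn-terraform-log-sorter-prd",
                "tf_working_dir":"./iac/prd/app"
              }
            ]
          }'
          matrix_json=$(printf '%s' "$matrix" | jq -c .)
          echo "matrix=$matrix_json" >> "$GITHUB_ENV"
    outputs:
      matrix: ${{ env.matrix }}
  build_and_deploy:
    name: Build CDN pipeline
    runs-on: ubuntu-latest
    needs: env
    strategy:
      matrix: ${{ fromJson(needs.env.outputs.matrix) }}
    # NOTE(review): write-all grants every scope to this job's GITHUB_TOKEN. Of the
    # steps below, the OIDC exchange in configure-aws-credentials needs
    # `id-token: write`, checkout needs `contents: read`, and
    # disallow-concurrent-runs is handed the token; an explicit permissions map
    # limited to what those actions document is the least-privilege form —
    # verify each action's requirements before narrowing.
    permissions: write-all
    steps:
      # Actions are pinned to floating major tags (v1/v2/v3). Pinning to a full
      # commit SHA is the tamper-resistant form if the project wants it.
      - name: Check out
        uses: actions/checkout@v3
      - name: Disallow Concurrent Runs
        uses: byu-oit/github-action-disallow-concurrent-runs@v2
        with:
          token: ${{ github.token }}
      # Credentials come from an OIDC role assumption, not long-lived keys; the
      # account and role are taken from the per-environment matrix.
      - name: Configure AWS Credentials
        id: awscreds
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: "arn:aws:iam::${{ matrix.env.aws_account }}:role/${{ matrix.env.aws_gha_role }}"
          role-session-name: ${{ github.sha }}
          aws-region: us-east-1
      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: ${{ env.node_version }}
      - name: Copy main-config.yml to /webhooks and /assembler
        run: cp ./main-config.yml ./assembler/main-config.yml && cp ./main-config.yml ./webhooks/main-config.yml
      - name: Log into Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      # A single timestamp is used as the image tag for every build below and as
      # the image_tag variable passed to terraform, so all images of one run share it.
      - name: Get Current Timestamp
        id: date
        run: echo "timestamp=$(date +'%Y-%m-%d_%H-%M-%S')" >> $GITHUB_OUTPUT
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v2
      # NOTE(review): this is the only build step without `provenance: false`
      # (see the four builds below); confirm whether the asymmetry is intended.
      - name: Build and push the Assembler Docker image
        env:
          ASSEMBLER_ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ASSEMBLER_ECR_REPO: ${{ matrix.env.assembler_ecr_repo_name }}
          ASSEMBLER_IMAGE_TAG: ${{ steps.date.outputs.timestamp }}
        uses: docker/build-push-action@v3
        with:
          context: assembler
          push: true
          tags: ${{ env.ASSEMBLER_ECR_REGISTRY }}/${{ env.ASSEMBLER_ECR_REPO }}:${{ env.ASSEMBLER_IMAGE_TAG }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # `provenance: false` stops buildx from attaching a provenance attestation
      # manifest to the pushed image. Presumably added because the consumer of
      # these images cannot use the resulting manifest list — confirm. The trade-off
      # is that no build provenance is recorded for them.
      - name: Build and push the Log Sorter Docker image
        env:
          ANALYZER_ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ANALYZER_ECR_REPO: ${{ matrix.env.log_sorter_ecr_repo_name }}
          ANALYZER_IMAGE_TAG: ${{ steps.date.outputs.timestamp }}
        uses: docker/build-push-action@v3
        with:
          context: log-analyzer/sorter-lambda
          provenance: false
          push: true
          tags: ${{ env.ANALYZER_ECR_REGISTRY }}/${{ env.ANALYZER_ECR_REPO }}:${{ env.ANALYZER_IMAGE_TAG }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Build and push the Eager Redirect Docker image
        env:
          EAGER_REDIRECT_ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          EAGER_REDIRECT_ECR_REPO: ${{ matrix.env.eager_redirect_ecr_repo_name }}
          EAGER_REDIRECT_IMAGE_TAG: ${{ steps.date.outputs.timestamp }}
        uses: docker/build-push-action@v3
        with:
          context: edge-lambdas/eager-redirect
          provenance: false
          push: true
          tags: ${{ env.EAGER_REDIRECT_ECR_REGISTRY }}/${{ env.EAGER_REDIRECT_ECR_REPO }}:${{ env.EAGER_REDIRECT_IMAGE_TAG }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # NOTE(review): the build context below is edge-lambdas/eager-redirect, the
      # same directory as the Eager Redirect step, yet the result is pushed to the
      # enhanced-headers repository. Looks like a copy-paste leftover — confirm the
      # intended context directory for enhanced headers.
      - name: Build and push the Enhanced Headers Docker image
        env:
          ENHANCED_HEADERS_ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ENHANCED_HEADERS_ECR_REPO: ${{ matrix.env.enhanced_headers_ecr_repo_name }}
          ENHANCED_HEADERS_IMAGE_TAG: ${{ steps.date.outputs.timestamp }}
        uses: docker/build-push-action@v3
        with:
          context: edge-lambdas/eager-redirect
          provenance: false
          push: true
          tags: ${{ env.ENHANCED_HEADERS_ECR_REGISTRY }}/${{ env.ENHANCED_HEADERS_ECR_REPO }}:${{ env.ENHANCED_HEADERS_IMAGE_TAG }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Build and push the Webhook Docker image
        env:
          WEBHOOKS_ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          WEBHOOKS_ECR_REPO: ${{ matrix.env.webhooks_ecr_repo_name }}
          WEBHOOKS_IMAGE_TAG: ${{ steps.date.outputs.timestamp }}
        uses: docker/build-push-action@v3
        with:
          context: webhooks
          provenance: false
          push: true
          tags: ${{ env.WEBHOOKS_ECR_REGISTRY }}/${{ env.WEBHOOKS_ECR_REPO }}:${{ env.WEBHOOKS_IMAGE_TAG }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # terraform_wrapper is disabled, presumably so the `run` steps below call the
      # real binary and see its exit codes directly — confirm.
      - name: Terraform Setup
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: ${{ env.tf_version }}
          terraform_wrapper: false
      - name: Terraform Init
        working-directory: ${{ matrix.env.tf_working_dir }}
        run: terraform init
      - name: Terraform Format
        working-directory: "./"
        run: terraform fmt -check -recursive
      # The plan is written to a file so that the apply step below applies exactly
      # what was analyzed, not a fresh plan.
      - name: Terraform Plan
        working-directory: ${{ matrix.env.tf_working_dir }}
        run: terraform plan -var 'image_tag=${{ steps.date.outputs.timestamp }}' -input=false -out=plan
      - name: Analyze Terraform Plan
        uses: byu-oit/github-action-tf-plan-analyzer@v2
        with:
          working-directory: ${{ matrix.env.tf_working_dir }}
          terraform-plan-file: plan
          divvycloud-username: ${{ secrets.DIVVYCLOUD_USERNAME }}
          divvycloud-password: ${{ secrets.DIVVYCLOUD_PASSWORD }}
      # The RFC credentials are looked up by the secret *names* carried in the
      # matrix, so dev and prd each resolve to their own secrets.
      - name: Start Standard Change
        uses: byu-oit/github-action-start-standard-change@v1
        id: start-standard-change
        with:
          client-key: ${{ secrets[matrix.env.rfc_key_name] }}
          client-secret: ${{ secrets[matrix.env.rfc_secret_name] }}
          template-id: ${{ matrix.env.rfc_template_id }}
      - name: Terraform Apply
        working-directory: ${{ matrix.env.tf_working_dir }}
        run: terraform apply plan
      - name: End Standard Change
        uses: byu-oit/github-action-end-standard-change@v1
        if: always() && steps.start-standard-change.outcome == 'success' # Run if RFC started, even if the deploy failed
        with:
          client-key: ${{ secrets[matrix.env.rfc_key_name] }}
          client-secret: ${{ secrets[matrix.env.rfc_secret_name] }}
          change-sys-id: ${{ steps.start-standard-change.outputs.change-sys-id }}
          work-start: ${{ steps.start-standard-change.outputs.work-start }}
          success: ${{ job.status == 'success' }}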