Prepare workflows for Kosli trails (#18)

cyber-dojo · Dec 13, 2023 · 0d7e454 · 0d7e454
1 parent 2beff54
commit 0d7e454
Show file tree

Hide file tree

Showing 6 changed files with 304 additions and 48 deletions.
diff --git a/.github/workflows/main_staging.yml b/.github/workflows/main_staging.yml
@@ -55,9 +55,9 @@ jobs:
       - name: Report image to Kosli flow
         run: |
           IMAGE_TAG="$(echo $GITHUB_SHA | head -c7)"
-          IMAGE_NAME=cyberdojo/${{ env.KOSLI_FLOW }}:${IMAGE_TAG}
-          docker pull ${IMAGE_NAME}     
-          kosli report artifact ${IMAGE_NAME} \
+          IMAGE_NAME="cyberdojo/${{ env.KOSLI_FLOW }}:${IMAGE_TAG}"
+          docker pull "${IMAGE_NAME}"     
+          kosli report artifact "${IMAGE_NAME}" \
             --artifact-type=docker
 
   test:

diff --git a/.github/workflows/main_staging_trails.yml.ready b/.github/workflows/main_staging_trails.yml.ready
@@ -0,0 +1,116 @@
+name: Main - reports Trails to https://staging.app.kosli.com
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }}
+  KOSLI_HOST: https://staging.app.kosli.com
+  KOSLI_ORG: cyber-dojo-trails
+  KOSLI_FLOW: ${{ vars.KOSLI_FLOW }}
+  KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+
+jobs:
+
+  variables:
+    runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ steps.vars.outputs.image_tag }}
+      kosli_host: ${{ steps.vars.outputs.kosli_host }}
+      kosli_org: ${{ steps.vars.outputs.kosli_org }}
+    steps:
+    - name: Prepare
+      id: vars
+      run: |
+        echo "image_tag=$(echo $GITHUB_SHA | head -c7)" >> ${GITHUB_OUTPUT}
+        echo "kosli_host=${{ env.KOSLI_HOST }}"         >> ${GITHUB_OUTPUT}
+        echo "kosli_org=${{ env.KOSLI_ORG }}"           >> ${GITHUB_OUTPUT}        
+
+  create-kosli-flow:
+    needs: [variables]
+    uses: ./.github/workflows/trails/sub_create_kosli_flow.yml
+    secrets:
+      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+    with:
+      KOSLI_HOST: ${{ needs.variables.outputs.kosli_host }}
+      KOSLI_ORG: ${{ needs.variables.outputs.kosli_org }}
+
+  wait-for-image:
+    needs: [create-kosli-flow]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Wait for image to be built in main.yml
+        run:
+          ./sh/wait_for_image.sh
+
+      - name: Setup Kosli CLI
+        uses: kosli-dev/setup-cli-action@v2
+        with:
+          version: ${{ vars.KOSLI_CLI_VERSION }}
+
+      - name: Report image to Kosli flow
+        run: |
+          IMAGE_TAG="$(echo $GITHUB_SHA | head -c7)"
+          IMAGE_NAME="cyberdojo/${{ env.KOSLI_FLOW }}:${IMAGE_TAG}"
+          docker pull "${IMAGE_NAME}"     
+          kosli attest artifact "${IMAGE_NAME}" \
+            --artifact-type=docker \
+            --name=dashboard \
+            --trail="${GITHUB_SHA}"
+
+  test:
+    needs: [variables, wait-for-image]
+    uses: ./.github/workflows/trails/sub_test.yml
+    secrets:
+      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+    with:
+      KOSLI_HOST: ${{ needs.variables.outputs.kosli_host }}
+      KOSLI_ORG: ${{ needs.variables.outputs.kosli_org }}
+      IMAGE_TAG: ${{ needs.variables.outputs.image_tag }}
+
+  sdlc-gate:
+    needs: [variables, test]
+    uses: ./.github/workflows/sub_sdlc_gate.yml
+    secrets:
+      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+    with:
+      KOSLI_HOST: ${{ needs.variables.outputs.kosli_host }}
+      KOSLI_ORG: ${{ needs.variables.outputs.kosli_org }}
+      IMAGE_TAG: ${{ needs.variables.outputs.image_tag }}
+
+  approve-deployment-to-beta:
+    needs: [variables, sdlc-gate]
+    uses: ./.github/workflows/sub_approve_deployment.yml
+    secrets:
+      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+    with:
+      KOSLI_HOST: ${{ needs.variables.outputs.kosli_host }}
+      KOSLI_ORG: ${{ needs.variables.outputs.kosli_org }}
+      KOSLI_ENVIRONMENT: aws-beta
+      IMAGE_TAG: ${{ needs.variables.outputs.image_tag }}
+
+  approve-deployment-to-prod:
+    needs: [variables, approve-deployment-to-beta]
+    uses: ./.github/workflows/sub_approve_deployment.yml
+    secrets:
+      KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+    with:
+      KOSLI_HOST: ${{ needs.variables.outputs.kosli_host }}
+      KOSLI_ORG: ${{ needs.variables.outputs.kosli_org }}
+      KOSLI_ENVIRONMENT: aws-prod
+      IMAGE_TAG: ${{ needs.variables.outputs.image_tag }}
+
+  push-latest:
+    needs: [variables, approve-deployment-to-prod]
+    uses: ./.github/workflows/sub_push_latest.yml
+    secrets:
+      DOCKER_PASS: ${{ secrets.DOCKER_PASS }}
+      DOCKER_USER: ${{ secrets.DOCKER_USER }}
+    with:
+      IMAGE_TAG: ${{ needs.variables.outputs.image_tag }}
+
diff --git a/.github/workflows/sub_create_kosli_flow.yml b/.github/workflows/sub_create_kosli_flow.yml
@@ -37,8 +37,3 @@ jobs:
             --description="UX for a group practice dashboard" 
             --template=artifact,snyk-scan,lint,pull-request
 
-#      - name: Report Kosli Trail
-#        run:
-#          kosli report trail ${GITHUB_SHA}
-#            --flow="${{ env.KOSLI_FLOW }}
-#            --attestation_file=.kosli.yml
diff --git a/.github/workflows/sub_test.yml b/.github/workflows/sub_test.yml
@@ -81,16 +81,6 @@ jobs:
             --name=snyk-scan  \
             --scan-results=snyk.json
 
-#      - name: Report Snyk results to Kosli Trail
-#        run: |
-#          IMAGE_NAME=cyberdojo/${{ env.KOSLI_FLOW }}:${{ inputs.IMAGE_TAG }}
-#          docker pull ${IMAGE_NAME}
-#          kosli attest snyk \
-#            --fingerprint-docker=${IMAGE_NAME} \
-#            --name=dashboard.snyk-scan \
-#            --scan-results=snyk.json \
-#            --trail-name="${GITHUB_SHA}"
-
   lint:
     runs-on: ubuntu-latest
     steps:
@@ -124,25 +114,6 @@ jobs:
             --evidence-paths="${LINT_EVIDENCE_DIR}" \
             --name=lint
 
-#      - name: Report Lint results to Kosli Trail
-#        run: |
-#          repo_root() { git rev-parse --show-toplevel; }
-#          export LINT_EVIDENCE_DIR=/tmp/evidence/lint
-#          mkdir -p "${LINT_EVIDENCE_DIR}"
-#          cp "$(repo_root)/.rubocop.yml" "${LINT_EVIDENCE_DIR}"
-#          gem install rubocop
-#          if [ rubocop "$(repo_root)" | tee "${LINT_EVIDENCE_DIR}"/rubocop.log ]; then
-#            export KOSLI_LINT_COMPLIANT=true
-#          else
-#            export KOSLI_LINT_COMPLIANT=false
-#          fi
-#
-#          kosli attest generic \
-#            --compliant="${KOSLI_LINT_COMPLIANT}" \
-#            --evidence-paths="${LINT_EVIDENCE_DIR}" \
-#            --name=dashboard.lint \
-#            --trail-name="${GITHUB_SHA}"
-
   pull-request:
     if: ${{ github.ref == 'refs/heads/main' }}
     runs-on: ubuntu-latest
@@ -166,14 +137,3 @@ jobs:
             --artifact-type=docker \
             --github-token ${{ secrets.GITHUB_TOKEN }} \
             --name=pull-request
-
-#      - name: Report pull-request evidence to Kosli
-#        run: |
-#          IMAGE_NAME=cyberdojo/${{ env.KOSLI_FLOW }}:${{ inputs.IMAGE_TAG }}
-#          docker pull ${IMAGE_NAME}
-#          kosli attest pullrequest github \
-#            --fingerprint-docker=${IMAGE_NAME} \
-#            --github-token ${{ secrets.GITHUB_TOKEN }} \
-#            --name=dashboard.pull-request \
-#            --trail-name="${GITHUB_SHA}"
-
diff --git a/.github/workflows/trails/sub_create_kosli_flow.yml b/.github/workflows/trails/sub_create_kosli_flow.yml
@@ -0,0 +1,42 @@
+name: Sub - create kosli flow
+
+on:
+  workflow_call:
+    secrets:
+      KOSLI_API_TOKEN:
+        required: true
+    inputs:
+      KOSLI_HOST:
+        default: https://app.kosli.com
+        required: false
+        type: string
+      KOSLI_ORG:
+        default: cyber-dojo
+        required: false
+        type: string
+
+env:
+  KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }}
+  KOSLI_HOST: ${{ inputs.KOSLI_HOST }}
+  KOSLI_ORG: ${{ inputs.KOSLI_ORG }}
+  KOSLI_FLOW: ${{ vars.KOSLI_FLOW }}
+  KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+
+jobs:
+  create-kosli-flow:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup Kosli CLI
+        uses: kosli-dev/setup-cli-action@v2
+        with:
+          version: ${{ vars.KOSLI_CLI_VERSION }}
+
+      - name: Create Kosli Flow
+        run:
+          kosli create flow2 ${{ env.KOSLI_FLOW }} 
+            --description="UX for a group practice dashboard" 
+            --template-file=.kosli.yml
+
+      - name: Begin Kosli Trail
+        run:
+          kosli begin trail "${GITHUB_SHA}"
diff --git a/.github/workflows/trails/sub_test.yml b/.github/workflows/trails/sub_test.yml
@@ -0,0 +1,143 @@
+name: Sub - test image
+
+on:
+  workflow_call:
+    secrets:
+      KOSLI_API_TOKEN:
+        required: true
+      SNYK_TOKEN:
+        required: true
+    inputs:
+      KOSLI_HOST:
+        default: https://app.kosli.com
+        required: false
+        type: string
+      KOSLI_ORG:
+        default: cyber-dojo
+        required: false
+        type: string
+      IMAGE_TAG:
+        required: true
+        type: string
+
+env: 
+  KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }}
+  KOSLI_HOST: ${{ inputs.KOSLI_HOST }}
+  KOSLI_ORG: ${{ inputs.KOSLI_ORG }}
+  KOSLI_FLOW: ${{ vars.KOSLI_FLOW }}
+  KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+jobs:
+
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run tests
+        run: |
+          # docker-compose.yml uses this:
+          #
+          # volumes:
+          #  - type: tmpfs
+          #    target: /tmp
+          #    tmpfs:
+          #      mode: 01777
+          #
+          # and the mode: option is not supported in the version of docker-compose
+          # currently installed in ubuntu-latest in the Github Action's main.yml
+          # https://stackoverflow.com/questions/49839028
+          sudo curl -L "https://github.com/docker/compose/releases/download/`curl -fsSLI -o /dev/null -w %{url_effective} https://github.com/docker/compose/releases/latest | sed 's#.*tag/##g' && echo`/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose && sudo chmod +x /usr/local/bin/docker-compose                    
+          ./sh/run_tests_with_coverage.sh          
+
+  snyk-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Kosli CLI
+        uses: kosli-dev/setup-cli-action@v2
+        with:
+          version: ${{ vars.KOSLI_CLI_VERSION }}
+
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+
+      - name: Run Snyk to check Docker image for vulnerabilities
+        continue-on-error: true
+        run:
+           snyk container test cyberdojo/${{ env.KOSLI_FLOW }}:${{ inputs.IMAGE_TAG }} 
+            --file=Dockerfile 
+            --json-file-output=snyk.json 
+            --policy-path=.snyk
+
+      - name: Report Snyk results to Kosli Trail
+        run: |
+          IMAGE_NAME=cyberdojo/${{ env.KOSLI_FLOW }}:${{ inputs.IMAGE_TAG }}
+          docker pull ${IMAGE_NAME}
+          kosli attest snyk ${IMAGE_NAME} \
+            --artifact-type=docker \
+            --name=dashboard.snyk-scan \
+            --scan-results=snyk.json \
+            --trail="${GITHUB_SHA}"
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Kosli CLI
+        uses: kosli-dev/setup-cli-action@v2
+        with:
+          version: ${{ vars.KOSLI_CLI_VERSION }}
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.2.0
+          bundler-cache: true
+
+      - name: Run Rubocop linter on source, report results to Kosli Trail
+        run: |
+          repo_root() { git rev-parse --show-toplevel; }
+          export LINT_EVIDENCE_DIR=/tmp/evidence/lint
+          mkdir -p "${LINT_EVIDENCE_DIR}"
+          cp "$(repo_root)/.rubocop.yml" "${LINT_EVIDENCE_DIR}"
+          gem install rubocop
+          if [ rubocop "$(repo_root)" | tee "${LINT_EVIDENCE_DIR}"/rubocop.log ]; then
+            export KOSLI_LINT_COMPLIANT=true
+          else
+            export KOSLI_LINT_COMPLIANT=false
+          fi
+
+          kosli attest generic \
+            --compliant="${KOSLI_LINT_COMPLIANT}" \
+            --evidence-paths="${LINT_EVIDENCE_DIR}" \
+            --name=dashboard.lint \
+            --trail="${GITHUB_SHA}"
+
+  pull-request:
+    if: ${{ github.ref == 'refs/heads/main' }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Kosli CLI
+        uses: kosli-dev/setup-cli-action@v2
+        with:
+          version: ${{ vars.KOSLI_CLI_VERSION }}
+
+      - name: Report pull-request evidence to Kosli
+        run: |
+          IMAGE_NAME=cyberdojo/${{ env.KOSLI_FLOW }}:${{ inputs.IMAGE_TAG }}
+          docker pull ${IMAGE_NAME}
+          kosli attest pullrequest github ${IMAGE_NAME} \
+            --artifact-type=docker \
+            --github-token=${{ secrets.GITHUB_TOKEN }} \
+            --name=dashboard.pull-request \
+            --trail="${GITHUB_SHA}"
+