Update base image to fix snyk vulnerability (#60) #302
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Main | |
| on: | |
| push: | |
| branches: | |
| - main | |
| env: | |
| KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }} # False | |
| KOSLI_HOST: ${{ vars.KOSLI_HOST }} # https://app.kosli.com | |
| KOSLI_ORG: ${{ vars.KOSLI_ORG }} # cyber-dojo | |
| KOSLI_FLOW: ${{ vars.KOSLI_FLOW }} # differ | |
| KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }} | |
| jobs: | |
| variables: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image_name: ${{ steps.vars.outputs.image_name }} | |
| image_tag: ${{ steps.vars.outputs.image_tag }} | |
| steps: | |
| - name: Prepare | |
| id: vars | |
| run: | | |
| TAG=$(echo $GITHUB_SHA | head -c7) | |
| echo "image_name=cyberdojo/${{ env.KOSLI_FLOW }}:${TAG}" >> ${GITHUB_OUTPUT} | |
| echo "image_tag=${TAG}" >> ${GITHUB_OUTPUT} | |
| create-kosli-flow: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Create Kosli flow | |
| run: | |
| kosli create flow ${{ env.KOSLI_FLOW }} | |
| --description="Diff files from two traffic-lights" | |
| --template=artifact,lint,pull-request,unit-test,branch-coverage,snyk-scan | |
| lint: | |
| needs: [variables, create-kosli-flow] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: 3.2.0 | |
| bundler-cache: true | |
| - name: Run Rubocop linter on source | |
| run: | | |
| LINT_EVIDENCE_DIR=/tmp/evidence/lint | |
| mkdir -p "${LINT_EVIDENCE_DIR}" | |
| gem install rubocop | |
| set +e | |
| rubocop --raise-cop-error . > "${LINT_EVIDENCE_DIR}"/rubocop.log | |
| STATUS=$? | |
| set -e | |
| cp .rubocop.yml "${LINT_EVIDENCE_DIR}" | |
| echo "LINT_EVIDENCE_DIR=${LINT_EVIDENCE_DIR}" >> ${GITHUB_ENV} | |
| KOSLI_LINT_COMPLIANT=$([ ${STATUS} = 0 ] && echo true || echo false) | |
| echo "KOSLI_LINT_COMPLIANT=${KOSLI_LINT_COMPLIANT}" >> ${GITHUB_ENV} | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Report Rubocop results to Kosli | |
| env: | |
| LINT_EVIDENCE_DIR: ${{ env.LINT_EVIDENCE_DIR }} | |
| KOSLI_LINT_COMPLIANT: ${{ env.KOSLI_LINT_COMPLIANT }} | |
| run: | |
| kosli report evidence commit generic | |
| --compliant="${KOSLI_LINT_COMPLIANT}" | |
| --evidence-paths="${LINT_EVIDENCE_DIR}" | |
| --name=lint | |
| pull-request: | |
| needs: [variables, create-kosli-flow] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| pull-requests: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Report pull-request evidence to Kosli | |
| run: | |
| kosli report evidence commit pullrequest github | |
| --flows="${{ env.KOSLI_FLOW }}" | |
| --github-token ${{ secrets.GITHUB_TOKEN }} | |
| --name=pull-request | |
| build-image: | |
| needs: [variables, create-kosli-flow] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USER }} | |
| password: ${{ secrets.DOCKER_PASS }} | |
| - name: Build and push image to Dockerhub Registry | |
| id: docker_build | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ needs.variables.outputs.image_name }} | |
| build-args: | |
| COMMIT_SHA=${{ github.sha }} | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Report image to Kosli flow | |
| run: | | |
| IMAGE_NAME=${{ needs.variables.outputs.image_name }} | |
| docker pull "${IMAGE_NAME}" | |
| kosli report artifact "${IMAGE_NAME}" \ | |
| --artifact-type=docker | |
| unit-tests: | |
| needs: [variables, build-image] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run tests, save results to evidence.json file | |
| run: | | |
| source ./sh/run_tests_with_coverage.sh | |
| if run_tests_with_coverage; then | |
| echo "KOSLI_COMPLIANT=true" >> ${GITHUB_ENV} | |
| else | |
| echo "KOSLI_COMPLIANT=false" >> ${GITHUB_ENV} | |
| fi | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Report test and coverage results to Kosli | |
| env: | |
| KOSLI_COMPLIANT: ${{ env.KOSLI_COMPLIANT }} | |
| run: | | |
| IMAGE_NAME=${{ needs.variables.outputs.image_name }} | |
| kosli report evidence artifact junit "${IMAGE_NAME}" \ | |
| --artifact-type=docker \ | |
| --name=unit-test \ | |
| --results-dir=test/reports/junit | |
| kosli report evidence artifact generic "${IMAGE_NAME}" \ | |
| --artifact-type=docker \ | |
| --compliant=${KOSLI_COMPLIANT} \ | |
| --description="server & client branch-coverage reports" \ | |
| --name=branch-coverage \ | |
| --user-data=./test/reports/evidence.json | |
| snyk-scan: | |
| needs: [variables, build-image] | |
| runs-on: ubuntu-latest | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Snyk | |
| uses: snyk/actions/setup@master | |
| - name: Run Snyk to check Docker image for vulnerabilities | |
| continue-on-error: true | |
| run: | | |
| IMAGE_NAME=${{ needs.variables.outputs.image_name }} | |
| snyk container test ${IMAGE_NAME} \ | |
| --file=Dockerfile \ | |
| --json-file-output=snyk.json \ | |
| --policy-path=.snyk | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Report Snyk results to Kosli | |
| run: | | |
| IMAGE_NAME=${{ needs.variables.outputs.image_name }} | |
| docker pull ${IMAGE_NAME} | |
| kosli report evidence artifact snyk ${IMAGE_NAME} \ | |
| --artifact-type=docker \ | |
| --name=snyk-scan \ | |
| --scan-results=snyk.json | |
| sdlc-control-gate: | |
| needs: [variables, lint, pull-request, unit-tests, snyk-scan] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Kosli SDLC gate to short-circuit-the-flow | |
| run: | | |
| IMAGE_NAME=${{ needs.variables.outputs.image_name }} | |
| docker pull ${IMAGE_NAME} | |
| kosli assert artifact ${IMAGE_NAME} \ | |
| --artifact-type=docker | |
| approve-deployment-to-beta: | |
| needs: [variables, sdlc-control-gate] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Report approval of deployment to Kosli | |
| run: | | |
| IMAGE_NAME=${{ needs.variables.outputs.image_name }} | |
| docker pull ${IMAGE_NAME} | |
| kosli report approval ${IMAGE_NAME} \ | |
| --artifact-type=docker \ | |
| --environment=aws-beta \ | |
| --approver="${{ github.actor }}" | |
| - name: Report expected deployment to Kosli | |
| run: | | |
| IMAGE_NAME=${{ needs.variables.outputs.image_name }} | |
| docker pull ${IMAGE_NAME} | |
| kosli expect deployment ${IMAGE_NAME} \ | |
| --artifact-type=docker \ | |
| --description="Deployed to aws-beta in Github Actions pipeline" \ | |
| --environment=aws-beta | |
| deploy-to-beta: | |
| needs: [variables, approve-deployment-to-beta] | |
| uses: ./.github/workflows/sub_deploy_to_beta.yml | |
| with: | |
| IMAGE_TAG: ${{ needs.variables.outputs.image_tag }} | |
| approve-deployment-to-prod: | |
| needs: [variables, deploy-to-beta] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Kosli CLI | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Report approval of deployment to Kosli | |
| run: | | |
| IMAGE_NAME=${{ needs.variables.outputs.image_name }} | |
| docker pull ${IMAGE_NAME} | |
| kosli report approval ${IMAGE_NAME} \ | |
| --artifact-type=docker \ | |
| --environment=aws-prod \ | |
| --approver="${{ github.actor }}" | |
| - name: Report expected deployment to Kosli | |
| run: | | |
| IMAGE_NAME=${{ needs.variables.outputs.image_name }} | |
| docker pull ${IMAGE_NAME} | |
| kosli expect deployment ${IMAGE_NAME} \ | |
| --artifact-type=docker \ | |
| --description="Deployed to aws-prod in Github Actions pipeline" \ | |
| --environment=aws-prod | |
| deploy-to-prod: | |
| needs: [variables, approve-deployment-to-prod] | |
| uses: ./.github/workflows/sub_deploy_to_prod.yml | |
| with: | |
| IMAGE_TAG: ${{ needs.variables.outputs.image_tag }} |