Skip to content
Ghost V4 alpine

Ghost V4 alpine #19

Sign in to view logs

Ghost V4 alpine

Ghost V4 alpine #19

Workflow file for this run

.github/workflows/ghostv4.yml at 909508f
# The beauty of our CI setup is that it will build Dockerfile and set variables from the Dockerfile.
# by https://pascalandy.com at https://firepress.org
# GNU v3 https://github.com/firepress-org/ghostfire/blob/master/LICENSE
# Difference between v4 and v5 ci
# pull_request branch = lts_v4
# not push for standalone tags: edge or stable
name: Ghost V4 alpine
on:
schedule:
- cron: "0 0 1 * *" # once a month
pull_request:
branches: [lts_v4]
push:
tags:
- "4.*.*"
# branches: [master, main]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
env:
# needed to define path within 'uses'
SUB_DIR: "v4"
defaults:
run:
shell: "bash -Eeuo pipefail -x {0}"
# works within 'run' but not with 'uses'
working-directory: "v4"
jobs:
# ----------------------------------------------
# SET VARIABLES
# More context about the way we set variables https://github.com/firepress-org/ghostfire/issues/46
# ----------------------------------------------
myvars:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: "0"
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Github Actions system status
uses: crazy-max/ghaction-github-status@v4.0.0
with:
overall_threshold: minor
git_threshold: degraded_performance
actions_threshold: operational
# Commits from a PR use docker image tag: edge
# When a PR is merge/rebase into master, the docker image tag: stable
- name: Create dir for our varz
run: mkdir -pv ~/varz
- name: edge | Set BRANCH_NAME
if: github.ref_type != 'tag'
run: echo "edge" > ~/varz/BRANCH_NAME
- name: stable | Set BRANCH_NAME
if: github.ref_type == 'tag'
run: echo "stable" > ~/varz/BRANCH_NAME
- name: Define and save variables to disk
run: |
cat Dockerfile | grep APP_NAME= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/APP_NAME
cat Dockerfile | grep VERSION= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/VERSION
cat Dockerfile | grep DOCKERHUB_USER= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/DOCKERHUB_USER
cat Dockerfile | grep GITHUB_ORG= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/GITHUB_ORG
cat Dockerfile | grep GITHUB_REGISTRY= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/GITHUB_REGISTRY
echo "$(cat ~/varz/DOCKERHUB_USER)/$(cat ~/varz/APP_NAME)" > ~/varz/DKR_PREFIX
echo "ghcr.io/$(cat ~/varz/GITHUB_ORG)/$(cat ~/varz/GITHUB_REGISTRY)/$(cat ~/varz/APP_NAME)" > ~/varz/GPR_PREFIX
git rev-parse --short HEAD > ~/varz/SHORT_HASH_COMMIT
date "+%Y-%m-%d_%HH%M" > ~/varz/DATE
echo "$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)" > ~/varz/VERSION_HASH_ONLY
echo "$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)_$(cat ~/varz/DATE)" > ~/varz/VERSION_HASH_DATE
echo "$(cat ~/varz/APP_NAME):$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)" > ~/varz/_NOTI_MESSAGE
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION)" > ~/varz/TAG_DKR_VERSION
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/BRANCH_NAME)" > ~/varz/TAG_DKR_BRANCH_NAME
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION_HASH_ONLY)" > ~/varz/TAG_DKR_VERSION_HASH_ONLY
echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION_HASH_DATE)" > ~/varz/TAG_DKR_VERSION_HASH_DATE
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION)" > ~/varz/TAG_GPR_VERSION
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/BRANCH_NAME)" > ~/varz/TAG_GPR_BRANCH_NAME
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION_HASH_ONLY)" > ~/varz/TAG_GPR_VERSION_HASH_ONLY
echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION_HASH_DATE)" > ~/varz/TAG_GPR_VERSION_HASH_DATE
- name: Upload variables as artifact
uses: actions/upload-artifact@master
with:
name: variables_on_disk
path: ~/varz
- name: Expose variables to all jobs
id: myvars
run: |
echo "::set-output name=APP_NAME::$(cat ~/varz/APP_NAME)"
echo "::set-output name=VERSION::$(cat ~/varz/VERSION)"
echo "::set-output name=DOCKERHUB_USER::$(cat ~/varz/DOCKERHUB_USER)"
echo "::set-output name=GITHUB_ORG::$(cat ~/varz/GITHUB_ORG)"
echo "::set-output name=GITHUB_REGISTRY::$(cat ~/varz/GITHUB_REGISTRY)"
echo "::set-output name=DKR_PREFIX::$(cat ~/varz/DKR_PREFIX)"
echo "::set-output name=GPR_PREFIX::$(cat ~/varz/GPR_PREFIX)"
echo "::set-output name=SUB_DIR::$(cat ~/varz/SUB_DIR)"
echo "::set-output name=SHORT_HASH_COMMIT::$(cat ~/varz/SHORT_HASH_COMMIT)"
echo "::set-output name=DATE::$(cat ~/varz/DATE)"
echo "::set-output name=BRANCH_NAME::$(cat ~/varz/BRANCH_NAME)"
echo "::set-output name=VERSION_HASH_ONLY::$(cat ~/varz/VERSION_HASH_ONLY)"
echo "::set-output name=VERSION_HASH_DATE::$(cat ~/varz/VERSION_HASH_DATE)"
echo "::set-output name=_NOTI_MESSAGE::$(cat ~/varz/_NOTI_MESSAGE)"
echo "::set-output name=TAG_DKR_VERSION::$(cat ~/varz/TAG_DKR_VERSION)"
echo "::set-output name=TAG_DKR_BRANCH_NAME::$(cat ~/varz/TAG_DKR_BRANCH_NAME)"
echo "::set-output name=TAG_DKR_VERSION_HASH_ONLY::$(cat ~/varz/TAG_DKR_VERSION_HASH_ONLY)"
echo "::set-output name=TAG_DKR_VERSION_HASH_DATE::$(cat ~/varz/TAG_DKR_VERSION_HASH_DATE)"
echo "::set-output name=TAG_GPR_VERSION::$(cat ~/varz/TAG_GPR_VERSION)"
echo "::set-output name=TAG_GPR_BRANCH_NAME::$(cat ~/varz/TAG_GPR_BRANCH_NAME)"
echo "::set-output name=TAG_GPR_VERSION_HASH_ONLY::$(cat ~/varz/TAG_GPR_VERSION_HASH_ONLY)"
echo "::set-output name=TAG_GPR_VERSION_HASH_DATE::$(cat ~/varz/TAG_GPR_VERSION_HASH_DATE)"
outputs:
APP_NAME: ${{ steps.myvars.outputs.APP_NAME }}
VERSION: ${{ steps.myvars.outputs.VERSION }}
SUB_DIR: ${{ steps.myvars.outputs.SUB_DIR }}
DOCKERHUB_USER: ${{ steps.myvars.outputs.DOCKERHUB_USER }}
GITHUB_ORG: ${{ steps.myvars.outputs.GITHUB_ORG }}
GITHUB_REGISTRY: ${{ steps.myvars.outputs.GITHUB_REGISTRY }}
DKR_PREFIX: ${{ steps.myvars.outputs.DKR_PREFIX }}
GPR_PREFIX: ${{ steps.myvars.outputs.GPR_PREFIX }}
SHORT_HASH_COMMIT: ${{ steps.myvars.outputs.SHORT_HASH_COMMIT }}
DATE: ${{ steps.myvars.outputs.DATE }}
BRANCH_NAME: ${{ steps.myvars.outputs.BRANCH_NAME }}
VERSION_HASH_ONLY: ${{ steps.myvars.outputs.VERSION_HASH_ONLY }}
VERSION_HASH_DATE: ${{ steps.myvars.outputs.VERSION_HASH_DATE }}
_NOTI_MESSAGE: ${{ steps.myvars.outputs._NOTI_MESSAGE }}
TAG_DKR_VERSION: ${{ steps.myvars.outputs.TAG_DKR_VERSION }}
TAG_DKR_BRANCH_NAME: ${{ steps.myvars.outputs.TAG_DKR_BRANCH_NAME }}
TAG_DKR_VERSION_HASH_ONLY: ${{ steps.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }}
TAG_DKR_VERSION_HASH_DATE: ${{ steps.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
TAG_GPR_VERSION: ${{ steps.myvars.outputs.TAG_GPR_VERSION }}
TAG_GPR_BRANCH_NAME: ${{ steps.myvars.outputs.TAG_GPR_BRANCH_NAME }}
TAG_GPR_VERSION_HASH_ONLY: ${{ steps.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }}
TAG_GPR_VERSION_HASH_DATE: ${{ steps.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }}
# ----------------------------------------------
# build / edge OR stable
# tags are not the same between edge or stable
# ----------------------------------------------
build_edge:
needs: [myvars]
if: github.ref_type != 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
with:
version: v0.6.0
- uses: docker/login-action@v3.0.0
with:
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- uses: docker/login-action@v3.0.0
with:
registry: ghcr.io
username: ${{ needs.myvars.outputs.GITHUB_ORG }}
password: ${{ secrets.TOKEN_GPR }}
- name: Build and push image (edge)
uses: docker/build-push-action@v5
with:
context: .
file: ./${{ env.SUB_DIR }}/Dockerfile
platforms: |
linux/amd64
# linux/arm64/v8
# linux/arm/v8
# linux/arm/v7
push: false
tags: |
${{ github.run_id }}
# The order for <docker push -tag> matters for our CD down the line
cache-from: type=gha, scope=${{ github.workflow }}
cache-to: type=gha, scope=${{ github.workflow }}, mode=max
- name: UAT run edge | Wait for container to run
timeout-minutes: 2
# These two VAR are here to force SQLite over Mysql
# database__client=s
# database__connection__filename=
run: |
docker run -d --name ghostUAT -p 2368:2368 -e WEB_URL=http://localhost:2368 -e NODE_ENV=production -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db ${{ github.run_id }}
echo "--- Wait for ghostUAT --->"
until $(curl --output /dev/null --silent --head --fail http://localhost:2368); do
echo "--- ghostUAT is starting..."
sleep 1
done;
echo "--- ghostUAT is running! --->"
- name: UAT docker test edge | docker-library tests
# Ghost V5 grep "0o0o"
# Ghost V4 grep "Thoughts, stories and ideas"
# Ghost V3 grep "The professional publishing platform"
run: |
curl http://localhost:2368 | grep "Thoughts, stories and ideas"
git clone --depth 1 https://github.com/docker-library/official-images.git official-images
cp ./test/config.sh official-images/test/config.sh
official-images/test/run.sh ${{ github.run_id }}
- name: Checkpoint | image ls
run: docker image ls
build_stable:
needs: [myvars]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
with:
version: v0.6.0
- uses: docker/login-action@v3.0.0
with:
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- uses: docker/login-action@v3.0.0
with:
registry: ghcr.io
username: ${{ needs.myvars.outputs.GITHUB_ORG }}
password: ${{ secrets.TOKEN_GPR }}
- name: Build and push image (stable)
uses: docker/build-push-action@v5
with:
context: .
file: ./${{ env.SUB_DIR }}/Dockerfile
platforms: |
linux/amd64
# linux/arm64/v8
# linux/arm/v8
# linux/arm/v7
push: true
tags: |
${{ needs.myvars.outputs.TAG_DKR_VERSION }}
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }}
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
${{ needs.myvars.outputs.TAG_GPR_VERSION }}
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }}
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }}
# The order for <docker push -tag> matters for our CD down the line
cache-from: type=gha, scope=${{ github.workflow }}
cache-to: type=gha, scope=${{ github.workflow }}, mode=max
- name: UAT run stable | Wait for container to run
timeout-minutes: 2
# These two VAR are here to force SQLite over Mysql
# database__client=s
# database__connection__filename=
run: |
docker run -d --name ghostUAT -p 2368:2368 -e WEB_URL=http://localhost:2368 -e NODE_ENV=production -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
echo "--- Wait for ghostUAT --->"
until $(curl --output /dev/null --silent --head --fail http://localhost:2368); do
echo "--- ghostUAT is starting..."
sleep 1
done;
echo "--- ghostUAT is running! --->"
- name: UAT docker test stable | docker-library tests
# Ghost V5 grep "0o0o"
# Ghost V4 grep "Thoughts, stories and ideas"
# Ghost V3 grep "The professional publishing platform"
run: |
curl http://localhost:2368 | grep "Thoughts, stories and ideas"
git clone --depth 1 https://github.com/docker-library/official-images.git official-images
cp ./test/config.sh official-images/test/config.sh
official-images/test/run.sh ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
- name: Checkpoint | image ls
run: docker image ls
# ----------------------------------------------
# UAT / edge OR stable
# This job is bypassed: weird bug on the uat job. Ci complain about docker login. So the UAT is under the build job.
# ----------------------------------------------
# ----------------------------------------------
# Continuous Deployment / edge OR stable
# I duplicate this in two jobs to have a better visual representation
# ----------------------------------------------
cd_edge:
needs: [build_edge]
if: github.ref_type != 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: cd edge
uses: appleboy/ssh-action@v1.0.0
with:
host: ${{ secrets.NODE1 }}
port: ${{ secrets.SSH_PORT }}
username: ${{ secrets.SSH_USERNAME }}
key: ${{ secrets.SSH_KEY_ACTIONS }}
passphrase: ${{ secrets.SSH_KEY_ACTIONS_PASSPHRASE }}
script: |
${{ secrets.SSH_CMD__UPDATE_DKR_IMG_EDGE }}
hostname
#sync: true
#host: "${{ secrets.NODE1 }},${{ secrets.NODE2 }},${{ secrets.NODE3 }}"
# alt projet: fifsky/ssh-action@master https://github.com/appleboy/ssh-action/issues/80#issuecomment-759473472
- name: Add a comment (from a PR)
run: |
echo '## For reference' >> $GITHUB_STEP_SUMMARY
echo 'Docker image: ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}' >> $GITHUB_STEP_SUMMARY
echo 'Please use docker images that were build from a tag. More details: https://github.com/firepress-org/ghostfire/issues/265' >> $GITHUB_STEP_SUMMARY
cd_stable:
needs: [build_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: cd stable
uses: appleboy/ssh-action@v1.0.0
with:
host: ${{ secrets.NODE1 }}
port: ${{ secrets.SSH_PORT }}
username: ${{ secrets.SSH_USERNAME }}
key: ${{ secrets.SSH_KEY_ACTIONS }}
passphrase: ${{ secrets.SSH_KEY_ACTIONS_PASSPHRASE }}
script: |
${{ secrets.SSH_CMD__UPDATE_DKR_IMG_STABLE }}
hostname
- name: Add a comment (from a tag)
run: |
echo '## Offical Docker Image :rocket:' >> $GITHUB_STEP_SUMMARY
echo 'Docker image: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}' >> $GITHUB_STEP_SUMMARY
# ----------------------------------------------
# Reviews
# ----------------------------------------------
review_myvars:
needs: [myvars]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Show variables
run: |
echo "Final Docker image name:"
echo "= = = = = = = = = ="
echo ${{ needs.myvars.outputs.TAG_DKR_VERSION }}
echo ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}
echo ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }}
echo ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
echo ${{ needs.myvars.outputs.TAG_GPR_VERSION }}
echo ${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }}
echo ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }}
echo ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }}
echo "---"
echo "Core environment variables:"
echo "---"
echo "${{ env.SUB_DIR }} << SUB_DIR"
echo "${{ needs.myvars.outputs.APP_NAME }} << APP_NAME"
echo "${{ needs.myvars.outputs.DOCKERHUB_USER }} << DOCKERHUB_USER"
echo "${{ needs.myvars.outputs.GITHUB_ORG }} << GITHUB_ORG"
echo "${{ needs.myvars.outputs.GITHUB_REGISTRY }} << GITHUB_REGISTRY"
echo "${{ needs.myvars.outputs.DKR_PREFIX }} << DKR_PREFIX"
echo "${{ needs.myvars.outputs.GPR_PREFIX }} << GPR_PREFIX"
echo "${{ needs.myvars.outputs.VERSION }} << VERSION"
echo "${{ needs.myvars.outputs.SHORT_HASH_COMMIT }} << SHORT_HASH_COMMIT"
echo "${{ needs.myvars.outputs.DATE }} << DATE"
echo "${{ needs.myvars.outputs.BRANCH_NAME }} << BRANCH_NAME"
echo "${{ needs.myvars.outputs.VERSION_HASH_ONLY }} << VERSION_HASH_ONLY"
echo "${{ needs.myvars.outputs.VERSION_HASH_DATE }} << VERSION_HASH_DATE"
echo "${{ needs.myvars.outputs._NOTI_MESSAGE }} << _NOTI_MESSAGE"
echo "---"
echo "Environment variables provided Github Actions :"
echo "---"
echo "${GITHUB_WORKFLOW} << GITHUB_WORKFLOW"
echo "${GITHUB_RUN_ID} << GITHUB_RUN_ID"
echo "${GITHUB_RUN_NUMBER} << GITHUB_RUN_NUMBER"
echo "${GITHUB_JOB} << GITHUB_JOB"
echo "${GITHUB_ACTION} << GITHUB_ACTION"
echo "${GITHUB_ACTOR} << GITHUB_ACTOR"
echo "${GITHUB_REPOSITORY} << GITHUB_REPOSITORY"
echo "${GITHUB_EVENT_NAME} << GITHUB_EVENT_NAME"
echo "${GITHUB_EVENT_PATH} << GITHUB_EVENT_PATH"
echo "${GITHUB_WORKSPACE} << GITHUB_WORKSPACE"
echo "${GITHUB_SHA} << GITHUB_SHA"
echo "${GITHUB_REF} << GITHUB_REF"
echo "${GITHUB_SERVER_URL} << GITHUB_SERVER_URL"
echo "${GITHUB_API_URL} << GITHUB_API_URL"
echo "${GITHUB_GRAPHQL_URL} << GITHUB_GRAPHQL_URL"
echo "${RUNNER_OS} << RUNNER_OS"
echo "${RUNNER_TEMP} << RUNNER_TEMP"
echo "${RUNNER_TOOL_CACHE} << RUNNER_TOOL_CACHE"
echo "${GITHUB_ACTIONS} << GITHUB_ACTIONS"
# https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#context-availability
# if: github.event_name != 'pull_request'
# if: ${{ github.ref == 'refs/heads/main' }}
# $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
review_snyk_opt:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Checkpoint | Scanner by Snyk
# https://github.com/snyk/actions/tree/master/docker
uses: snyk/actions/docker@0.4.0
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
SNYK_TOKEN: ${{ secrets.TOKEN_SNYK }}
with:
image: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
args: --file=./${{ env.SUB_DIR }}/Dockerfile --severity-threshold=high
- name: Checkpoint | Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
review_trivy_opt:
needs: [myvars, build_stable, cd_stable]
#permissions:
# contents: read # for actions/checkout to fetch code
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Checkpoint | Scanner Trivy for HIGH,CRITICAL CVEs and report (blocking)
continue-on-error: true
uses: aquasecurity/trivy-action@0.13.0
with:
image-ref: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
exit-code: 0
format: table
ignore-unfixed: true
vuln-type: "os,library"
severity: "HIGH,CRITICAL"
#output: "trivy-results.sarif"
#- name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# if: always()
# with:
# sarif_file: "trivy-results.sarif"
review_dockle:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Checkpoint | Scanner by Dockle
run: |
docker run --rm goodwithtech/dockle:latest ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
# review_superlinter_call:
# needs: [myvars, build]
# uses: firepress-org/reusable_workflows/.github/workflows/super-linter.yaml@master
review_linter_opt:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Checkpoint | Linter
continue-on-error: true
uses: docker://ghcr.io/github/super-linter:slim-v4
# github/super-linter@v4
# docker://ghcr.io/github/super-linter:slim-v4
env:
DISABLE_ERRORS: true # Flag to have the linter complete with exit code 0 even if errors were detected.
VALIDATE_ALL_CODEBASE: false
VALIDATE_MARKDOWN: false
VALIDATE_DOCKERFILE: false
VALIDATE_JSCPD: false
DEFAULT_BRANCH: edge
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
review_inspect:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Login to DockerHub registry
uses: docker/login-action@v3.0.0
with:
username: ${{ needs.myvars.outputs.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Login to GitHub registry
uses: docker/login-action@v3.0.0
with:
registry: ghcr.io
username: ${{ needs.myvars.outputs.GITHUB_ORG }}
password: ${{ secrets.TOKEN_GPR }}
- name: Checkpoint | docker pull
run: |
docker pull ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
- name: Checkpoint | See platforms
run: |
docker run --rm mplatform/mquery ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
- name: Checkpoint | docker history
run: |
docker history --human ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
- name: Checkpoint | docker image inspect
run: |
docker image inspect ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
- name: Checkpoint | docker info
run: |
docker info
- name: Checkpoint | docker version
run: |
docker version
- name: Checkpoint | uname
run: |
uname -a && echo && echo
review_lighthouse:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Checkpoint | Lighthouse
uses: treosh/lighthouse-ci-action@10.1.0
with:
urls: |
https://trial.firepress.link/edge/welcome/
https://trial.firepress.link/edge/tag/getting-started/
#budgetPath: ./budget.json # test performance budgets
uploadArtifacts: true # save results as an action artifacts
temporaryPublicStorage: true # upload lighthouse report to the temporary storage
review_artillery:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Checkpoint | Artillery
id: load-test
uses: kenju/github-actions-artillery@master
with:
filepath: ./.github/load-test.yml
# https://trial.firepress.link/edge
review_slack:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Notify on Slack
run: |
docker run --rm \
--name noti \
-e NOTI_MESSAGE='${{ needs.myvars.outputs._NOTI_MESSAGE }}' \
-e SLACK_CHANNEL="github-actions" \
-e SLACK_TOKEN_CRON="${{ secrets.TOKEN_SLACK }}" \
devmtl/noti:stable sh -c \
' NOTI_SLACK_TOKEN="$SLACK_TOKEN_CRON" \
NOTI_SLACK_CHANNEL="$SLACK_CHANNEL" \
noti -k -m "$NOTI_MESSAGE" '
# ----------------------------------------------
# Actions after continuous_deployment
# ----------------------------------------------
update_readme:
needs: [myvars, build_stable, cd_stable]
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Update README on Dockerhub
run: |
docker run --rm \
-v $(pwd)/README.md:/data/README.md \
-e DOCKERHUB_USERNAME=${{ needs.myvars.outputs.DOCKERHUB_USER }} \
-e DOCKERHUB_PASSWORD=${{ secrets.DOCKERHUB_PASSWORD }} \
-e DOCKERHUB_REPO_PREFIX=${{ needs.myvars.outputs.DOCKERHUB_USER }} \
-e DOCKERHUB_REPO_NAME=${{ needs.myvars.outputs.APP_NAME }} \
devmtl/readme-to-dockerhub:stable
comment_within_pr:
needs: [myvars, build_stable, cd_stable]
permissions:
pull-requests: write # needed to create and update comments in PRs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: zcong1993/setup-timezone@v2.0.0
with:
timezone: America/Montreal
- name: Find comment for image tags
# If PR, put image tags in the PR comments
# from https://github.com/marketplace/actions/create-or-update-comment
uses: peter-evans/find-comment@v2
if: github.event_name == 'pull_request'
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: "github-actions[bot]"
body-includes: Docker image tag(s) pushed
# If PR, put image tags in the PR comments
- name: Create or update comment for image tags
uses: peter-evans/create-or-update-comment@v3
if: github.event_name == 'pull_request'
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
Docker image tag(s) pushed:
```text
${{ needs.myvars.outputs.TAG_DKR_VERSION }}
${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }}
${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}
${{ needs.myvars.outputs.TAG_GPR_VERSION }}
${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }}
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }}
${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }}
```
edit-mode: replace