Skip to content

Merge pull request #73 from koenighotze/dependabot/github_actions/act… #50

Merge pull request #73 from koenighotze/dependabot/github_actions/act…

Merge pull request #73 from koenighotze/dependabot/github_actions/act… #50

name: Build main
on:
push:
branches: [main]
tags:
- "v*"
paths-ignore:
- '**.md'
workflow_dispatch:
permissions:
contents: read
env:
CONTAINER_REGISTRY: ${{ secrets.CONTAINER_REGISTRY }}
GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
jobs:
security-scan-code:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/golang@0.4.0
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Run vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.12.0
with:
scan-type: "fs"
ignore-unfixed: false
format: "table"
exit-code: "1"
severity: "CRITICAL"
qa:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v4
with:
go-version: "^1.17.0"
- name: Lint Go code
uses: golangci/golangci-lint-action@v3
- name: Vet Go code
run: go vet
- name: Check Dockerfile
uses: hadolint/hadolint-action@v3.1.0
with:
verbose: true
- name: Check shell scripts
uses: ludeeus/action-shellcheck@2.0.0
with:
severity: warning
scandir: './scripts'
test:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v4
with:
go-version: "^1.17.0"
- name: Install dependencies
run: go mod download
- name: Unit test with coverage
run: go test -coverprofile=coverage.out ./...
- name: Upload coverage
run: |
bash <(curl -Ls https://coverage.codacy.com/get.sh) report --force-coverage-parser go -r coverage.out
env:
CODACY_PROJECT_NAME: bodleian-service
CODACY_ORGANIZATION_PROVIDER: gh
CODACY_USERNAME: ${{ github.repository_owner }}
CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
build-container:
needs:
- qa
- test
- security-scan-code
permissions:
id-token: write
contents: read
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Authenticate
uses: google-github-actions/auth@v1
id: auth
with:
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.CICD_SA_EMAIL_ADDRESS }}
token_format: id_token
id_token_audience: ${{ secrets.CLOUD_RUN_BACKEND_URL }}
id_token_include_email: true
- name: Set up GCP environment
uses: google-github-actions/setup-gcloud@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Build image
run: ./scripts/containerize.sh
- name: Run vulnerability scanner
uses: aquasecurity/trivy-action@0.12.0
with:
image-ref: ${{ env.image-name }}
format: "table"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
- name: Push image
run: ./scripts/containerize.sh
env:
OUTPUT_MODE: push
- name: Deploy
id: deploy
uses: google-github-actions/deploy-cloudrun@v1.0.2
with:
image: ${{ env.image-name }}
service: ${{ secrets.CLOUD_RUN_SERVICE }}
region: ${{ secrets.CLOUD_RUN_REGION }}
timeout: 10 # allow enough time to startup container
no_traffic: true
flags: '--concurrency=1 --cpu=1 --max-instances=1'
# no_traffic: ${{ !startsWith(github.event.ref, 'refs/tags/v') }}
tag: ${{ env.git-tag }}
- name: Test if service is up
run: |
./scripts/is-service-up.sh
env:
BASE_URL: ${{ steps.deploy.outputs.url }}
BEARER_TOKEN: ${{ steps.auth.outputs.id_token }}
- name: Report failures to Slack
uses: ravsamhq/notify-slack-action@v2
if: always()
with:
status: ${{ job.status }}
token: ${{ secrets.GITHUB_TOKEN }}
notification_title: "{workflow} has {status_message}"
message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>"
footer: "Linked Repo <{repo_url}|{repo}> | <{workflow_url}|View Workflow>"
notify_when: "failure"
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Route traffic to new version
# TODO: check why using the deploy-action does not work with tags.
if: ${{ startsWith(github.event.ref, 'refs/tags/v') }}
run: |
echo "Routing full traffic to tag $git-tag"
gcloud run services update-traffic --region=${{ secrets.CLOUD_RUN_REGION }} ${{ secrets.CLOUD_RUN_SERVICE }} --to-tags="${{ env.git-tag }}=100"
# Cannot do this because url contains a 'secret'
# outputs:
# service_url: ${{ steps.deploy.outputs.url }}