From 355897c054c0637c2848a4e9ebfdcf5a8d8393f5 Mon Sep 17 00:00:00 2001
From: Rob Geada
Date: Mon, 28 Apr 2025 15:04:47 +0100
Subject: [PATCH 1/2] Add GH action for PRs and tags
---
 .../build-and-push-guardrails-gateway.yaml | 124 ++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 .github/workflow/build-and-push-guardrails-gateway.yaml
diff --git a/.github/workflow/build-and-push-guardrails-gateway.yaml b/.github/workflow/build-and-push-guardrails-gateway.yaml
new file mode 100644
index 0000000..25b6ce5
--- /dev/null
+++ b/.github/workflow/build-and-push-guardrails-gateway.yaml
@@ -0,0 +1,124 @@
+name: Build and Push - Regex Detector
+on:
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - "README.md"
+ - "LICENCE"
+ - "curl.sh"
+ tags:
+ - v*
+ pull_request_target:
+ paths-ignore:
+ - "README.md"
+ - "LICENCE"
+ - "curl.sh"
+ types: [labeled, opened, synchronize, reopened]
+jobs:
+ # Ensure that tests pass before publishing a new image.
+ build-and-push-ci:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ security-events: write
+ steps: # Assign context variable for various action contexts (tag, main, CI)
+ - name: Assigning CI context
+ if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v')
+ run: echo "BUILD_CONTEXT=ci" >> $GITHUB_ENV
+ - name: Assigning tag context
+ if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
+ run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV
+ - name: Assigning main context
+ if: github.head_ref == '' && github.ref == 'refs/heads/main'
+ run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV
+ #
+ # Run checkouts
+ - uses: mheap/github-action-required-labels@v4
+ if: env.BUILD_CONTEXT == 'ci'
+ with:
+ mode: minimum
+ count: 1
+ labels: "ok-to-test, lgtm, approved"
+ - uses: actions/checkout@v3
+ if: env.BUILD_CONTEXT == 'ci'
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/checkout@v3
+ if: env.BUILD_CONTEXT == 'main' || env.BUILD_CONTEXT == 'tag'
+ #
+ # Print variables for debugging
+ - name: Log reference variables
+ run: |
+ echo "CONTEXT: ${{ env.BUILD_CONTEXT }}"
+ echo "GITHUB.REF: ${{ github.ref }}"
+ echo "GITHUB.HEAD_REF: ${{ github.head_ref }}"
+ echo "SHA: ${{ github.event.pull_request.head.sha }}"
+ echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest"
+ echo "CI IMAGE AT: quay.io/trustyai/regex-detector-ci:${{ github.event.pull_request.head.sha }}"
+
+ # Set environments depending on context
+ - name: Set CI environment
+ if: env.BUILD_CONTEXT == 'ci'
+ run: |
+ echo "TAG=${{ 
github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+ echo "IMAGE_NAME=quay.io/trustyai/regex-detector-ci" >> $GITHUB_ENV
+ - name: Set main-branch environment
+ if: env.BUILD_CONTEXT == 'main'
+ run: |
+ echo "TAG=latest" >> $GITHUB_ENV
+ echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+ - name: Set tag environment
+ if: env.BUILD_CONTEXT == 'tag'
+ run: |
+ echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV
+ echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+ #
+ # Run docker commands
+ - name: Put expiry date on CI-tagged image
+ if: env.BUILD_CONTEXT == 'ci'
+ run: echo 'LABEL quay.expires-after=7d#' >> Dockerfile
+ - name: Build image
+ run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f Dockerfile .
+ - name: Log in to Quay
+ run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io
+ - name: Push to Quay CI repo
+ run: docker push ${{ env.IMAGE_NAME }}:$TAG
+
+ # Leave comment
+ - uses: peter-evans/find-comment@v3
+ name: Find Comment
+ if: env.BUILD_CONTEXT == 'ci'
+ id: fc
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ comment-author: 'github-actions[bot]'
+ body-includes: PR image build completed successfully
+ - uses: peter-evans/create-or-update-comment@v4
+ if: env.BUILD_CONTEXT == 'ci'
+ name: Generate/update success message comment
+ with:
+ comment-id: ${{ steps.fc.outputs.comment-id }}
+ issue-number: ${{ github.event.pull_request.number }}
+ edit-mode: replace
+ body: |
+ PR image build completed successfully! 
+
+ 📦 [PR image](https://quay.io/trustyai/regex-detector-ci?tab=tags): `quay.io/trustyai/regex-detector-ci:${{ github.event.pull_request.head.sha }}`
+ - name: Trivy scan
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'image'
+ image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}"
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'MEDIUM,HIGH,CRITICAL'
+ exit-code: '0'
+ ignore-unfixed: false
+ vuln-type: 'os,library'
+
+ - name: Update Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
From b3634d7e9471dd8b2f3cbdbff2c02d1a81034443 Mon Sep 17 00:00:00 2001
From: Rob Geada
Date: Mon, 28 Apr 2025 15:08:00 +0100
Subject: [PATCH 2/2] Update directory name
---
 .../build-and-push-guardrails-gateway.yaml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/{workflow => workflows}/build-and-push-guardrails-gateway.yaml (100%)
diff --git a/.github/workflow/build-and-push-guardrails-gateway.yaml b/.github/workflows/build-and-push-guardrails-gateway.yaml
similarity index 100%
rename from .github/workflow/build-and-push-guardrails-gateway.yaml
rename to .github/workflows/build-and-push-guardrails-gateway.yaml
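Review bot: The `Log reference variables` step interpolates `${{ github.head_ref }}` directly into a `run:` shell script, and since the job is triggered by `pull_request_target` with the base repository's secrets plus `pull-requests: write` and `security-events: write`, a PR-author-controlled branch name is a script-injection vector here; pass it through `env:` with `HEAD_REF: ${{ github.head_ref }}` on the step and write `echo "GITHUB.HEAD_REF: $HEAD_REF"` instead. The `mheap/github-action-required-labels@v4` gate only protects the first run: `types` includes `synchronize`, so once a maintainer has applied `ok-to-test`/`lgtm`/`approved`, every later push to the same PR re-runs `docker build` on the PR's Dockerfile and `docker push` with `QUAY_ROBOT_SECRET` while the label is still present — consider dropping `synchronize` from `types` or removing the label on each new push. `docker login -u … -p ${{ secrets.QUAY_ROBOT_SECRET }}` puts the secret on the command line (prefer `--password-stdin` fed from an `env:` variable), and every third-party action is referenced by a mutable tag (`actions/checkout@v3`, `peter-evans/find-comment@v3`, `aquasecurity/trivy-action@0.28.0`, …) where a full commit SHA would limit supply-chain exposure for a job holding registry credentials. The Trivy step runs after `docker push` with `exit-code: '0'`, so on `main`/tag contexts an image with CRITICAL findings is already published to `${{ vars.QUAY_RELEASE_REPO }}` before any result exists; moving the scan ahead of the push (or gating the push on it) would make the scan actionable. The workflow name and CI image (`Build and Push - Regex Detector`, `quay.io/trustyai/regex-detector-ci`) do not match the file name `build-and-push-guardrails-gateway.yaml`, which looks like a copy-paste leftover worth confirming.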