Build Image #53
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Image | |
| permissions: | |
| contents: write | |
| id-token: write | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: 'Which account the ECR repository is in' | |
| type: environment | |
| fail_on_trivy_scan: | |
| type: boolean | |
| description: fail the build if vulnerabilities are found | |
| required: true | |
| default: false | |
| jobs: | |
| build: | |
| name: Build Image | |
| runs-on: ubuntu-latest | |
| env: | |
| ECR_REPOSITORY: bento-frontend | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| AWS_REGION: ${{ secrets.AWS_REGION }} | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 | |
| - name: Set Image Tag | |
| env: | |
| BRANCH_NAME: ${{ github.head_ref || github.ref_name }} | |
| run: | | |
| # Get all tags for the repo and find the latest tag for the branch being built | |
| git fetch --tags --force --quiet | |
| tag=$(git tag -l $BRANCH_NAME* | tail -1) | |
| if [ ! -z "$tag" ]; | |
| then | |
| # Increment the build number if a tag is found | |
| build_num=$(echo "${tag##*.}") | |
| build_num=$((build_num+1)) | |
| echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV | |
| else | |
| # If no tag is found create a new tag name | |
| build_num=1 | |
| echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV | |
| fi | |
| - name: Build | |
| id: build-image | |
| run: | | |
| docker build -t $ECR_REPOSITORY:$IMAGE_TAG . | |
| - name: Set Trivy exit code | |
| run: | | |
| if [[ ${{ inputs.fail_on_trivy_scan }} == true ]]; | |
| then | |
| echo 'TRIVY_EXIT_CODE=1' >> $GITHUB_ENV | |
| else | |
| echo 'TRIVY_EXIT_CODE=0' >> $GITHUB_ENV | |
| fi | |
| - name: Run Trivy vulnerability scanner | |
| id: trivy-scan | |
| uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 | |
| with: | |
| image-ref: '${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}' | |
| format: 'table' | |
| exit-code: '${{ env.TRIVY_EXIT_CODE }}' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| - name: Create Git tag for Image | |
| run: | | |
| git config user.name "GitHub Actions" | |
| git config user.email "[email protected]" | |
| git tag ${{ env.IMAGE_TAG }} | |
| git push origin ${{ env.IMAGE_TAG }} | |
| - name: AWS OIDC Authentication | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 | |
| with: | |
| role-to-assume: ${{ env.AWS_ROLE_TO_ASSUME }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-session-name: ${{ github.actor }} | |
| - name: Login to Amazon ECR | |
| id: login-aws-ecr | |
| uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 | |
| - name: Push to Amazon ECR | |
| id: push-image | |
| env: | |
| ECR_REGISTRY: ${{ steps.login-aws-ecr.outputs.registry }} | |
| run: | | |
| docker tag $ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | |
| docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | |
| - name: Slack Notification | |
| uses: act10ns/slack@87c73aef9f8838eb6feae81589a6b1487a4a9e08 | |
| with: | |
| status: ${{ job.status }} | |
| steps: ${{ toJson(steps) }} | |
| if: always() |