
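# Builds the Java backend, packages it into a Docker image, scans the image and
# rolls the new image tag out to the Kubernetes manifest repository.
name: Build and update app

# Default GITHUB_TOKEN scopes for jobs without their own `permissions` block
# (java, update). Nothing below writes to this repository with GITHUB_TOKEN
# (the manifest push uses a deploy key), so the default is read-only.
# NOTE(review): if the Maven step resolves dependencies from GitHub Packages
# it additionally needs `packages: read` here — confirm against pom.xml.
permissions:
  contents: read

env:
  # Variables related to the repository
  REPOSITORY_MAIN_BRANCH: "master"
  # Variables related to the Docker image registry
  DOCKER_IMAGE_REPOSITORY: ikcap
  DOCKER_IMAGE_NAME: disk_backend
  DOCKER_FILE: "docker/backend/Dockerfile"
  # Variables related to continuous delivery
  MANIFEST_REPOSITORY: KnowledgeCaptureAndDiscovery/k8s
  MANIFEST_REPOSITORY_BRANCH: master
  KUSTOMIZE_IMAGE_NAME: backend-image-prod
  MANIFEST_REPOSITORY_PATH: disk-server/disk/bikes
  NEURO_MANIFEST_REPOSITORY_PATH: disk-server/disk/neuro
  CLIMATE_MANIFEST_REPOSITORY_PATH: disk-server/disk/climate
  DEV_MANIFEST_REPOSITORY_PATH: disk-server/disk/dev
  # Minimum severity the image scan reports
  VULNERABILITY_SCAN_LEVEL: "CRITICAL"

# Every branch push and every tag starting with "v" builds and pushes an image.
# NOTE(review): pull_request runs from forks receive no repository secrets, so
# the Docker Hub login in `build` fails for them; only same-repository PRs
# (which the `push` trigger already covers) can complete the build.
on:
  push:
    branches:
      - "*"
    tags:
      - "v*"
  pull_request:

jobs:
  # Compile the WAR with Maven and hand it to `build` as an artifact.
  java:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up JDK 8
        uses: actions/setup-java@v2
        with:
          java-version: "8"
          distribution: "temurin"
          cache: maven
      - name: Build with Maven
        run: mvn -B package --file pom.xml
        env:
          # Repository secrets cannot be named with a GITHUB_ prefix, so
          # `secrets.GITHUB_USERNAME` could never be defined and always expanded
          # to an empty string. The triggering actor is the account that
          # GITHUB_TOKEN is issued for, so any settings.xml reading this
          # variable now gets a non-empty user name.
          GITHUB_USERNAME: ${{ github.actor }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - run: mkdir staging && cp server/target/*.war staging
      - uses: actions/upload-artifact@v3
        with:
          name: Package
          path: staging

  # Build the image from the WAR produced by `java` and push it to Docker Hub.
  build:
    name: "Build and push the Docker Image"
    runs-on: ubuntu-latest
    needs: [java]
    permissions:
      contents: read
    outputs:
      docker_tag: ${{ steps.exposeValue.outputs.docker_tag }}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/download-artifact@v3
        with:
          name: Package
          path: build/
      # The image tag is the commit SHA, so every image is traceable to the
      # exact source revision. It is written to GITHUB_ENV for the push step
      # in this job and to GITHUB_OUTPUT for the downstream jobs; the former
      # `::set-output` workflow command is deprecated.
      - name: Expose the image tag
        id: exposeValue
        run: |
          echo "DOCKER_TAG=${GITHUB_SHA}" >> "$GITHUB_ENV"
          echo "docker_tag=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push Docker image
        # NOTE(review): the action reference was garbled to "[email protected]"
        # in the page this was taken from; v2 is the major version contemporary
        # with login-action@v1. Restore the exact pin (ideally a commit SHA)
        # from the repository.
        uses: docker/build-push-action@v2
        with:
          push: true
          context: .
          tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_TAG }}
          file: ${{ env.DOCKER_FILE }}

  # Scan the image that `build` pushed and publish the findings to the
  # repository's Security tab. The image is already public on Docker Hub when
  # this runs; scanning a locally loaded image before `push: true` would keep
  # vulnerable images off the registry, but that is a larger restructuring.
  security:
    name: "Scan vulnerabilities in the image"
    runs-on: ubuntu-latest
    needs: [build]
    permissions:
      contents: read
      # Required by upload-sarif. The previous `packages: write` grant was
      # unused: nothing in this job touches GitHub Packages.
      security-events: write
    steps:
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
        with:
          # Scan exactly the tag `build` pushed (same owner and name as the
          # push step). Using DOCKER_IMAGE_REPOSITORY here would scan a
          # different repository whenever it differs from DOCKERHUB_USERNAME.
          image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "trivy-results.sarif"
          severity: ${{ env.VULNERABILITY_SCAN_LEVEL }}
          # "0" makes the scan advisory: this job succeeds whatever Trivy finds,
          # so `update` (which needs this job) is not blocked by CRITICAL
          # findings. Set to "1" to turn the scan into a deployment gate.
          exit-code: "0"
          ignore-unfixed: "true"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: "trivy-results.sarif"

  # Point the four kustomize overlays at the new image tag and push the change
  # to the manifest repository. Runs only for pushes to the default branch; the
  # job-level `if` already covers every step, so the per-step
  # `github.event_name != 'pull_request'` guards are not repeated.
  update:
    name: "Deploy the app"
    runs-on: ubuntu-latest
    needs: [build, security]
    if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
    steps:
      - name: Check out k8s manifests
        uses: actions/checkout@v3
        with:
          repository: ${{ env.MANIFEST_REPOSITORY }}
          ref: ${{ env.MANIFEST_REPOSITORY_BRANCH }}
          # The deploy key stays in the checkout's git config, so the plain
          # `git push` below authenticates with it and no third-party push
          # action tracking a mutable branch is needed.
          ssh-key: ${{ secrets.BOT_SSH }}
          persist-credentials: true
      - name: Setup Kustomize
        uses: imranismail/setup-kustomize@v1
        with:
          kustomize-version: "3.6.1"
      - name: Update Kubernetes resources
        env:
          # Passed as an environment variable instead of being interpolated
          # into the script text, so the secret never appears in the command.
          NEW_IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
        run: |
          for overlay in \
            "${{ env.MANIFEST_REPOSITORY_PATH }}" \
            "${{ env.NEURO_MANIFEST_REPOSITORY_PATH }}" \
            "${{ env.CLIMATE_MANIFEST_REPOSITORY_PATH }}" \
            "${{ env.DEV_MANIFEST_REPOSITORY_PATH }}"; do
            # Subshell so each overlay is edited relative to the checkout root.
            ( cd "$overlay" && kustomize edit set image "${{ env.KUSTOMIZE_IMAGE_NAME }}=${NEW_IMAGE}" && cat kustomization.yaml )
          done
      - name: Commit and push changes
        run: |
          # NOTE(review): the committer address below was replaced by
          # "[email protected]" when this page was extracted; restore the
          # intended bot address from the repository.
          git config --local user.email "[email protected]"
          git config --local user.name "GitHub Action"
          # Re-running for a tag that is already deployed leaves nothing to
          # commit; treat that as success instead of failing on `git commit`.
          if git diff --quiet; then
            echo "Manifests already reference this image tag; nothing to push"
            exit 0
          fi
          git commit -am "Disk backend updated"
          git push origin "HEAD:${{ env.MANIFEST_REPOSITORY_BRANCH }}"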