---
# Release pipeline: bump the pinned checkov version, then build, publish, sign
# and attest the whorf image and roll the new digest into the k8s manifest.
name: Release

on: # yamllint disable-line rule:truthy
  repository_dispatch:
  workflow_dispatch:
  push:
    branches:
      - main
    # documentation- and tooling-only changes do not warrant a release build
    paths-ignore:
      - "CONTRIBUTING.md"
      - "README.md"
      - ".github/**"
      - ".gitignore"
      - ".pre-commit-config.yaml"

# least privilege by default: each job raises only the scopes it needs
permissions: read-all

env:
  PYTHON_VERSION: "3.11" # quoted so it stays a string, not the float 3.11
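jobs:
  # Job 1: look up the newest checkov tag, pin it in the Pipfile and push the
  # bump (plus a git tag named after the version) back to main. The version is
  # exposed to the second job through the job outputs below.
  update-checkov:
    runs-on: [self-hosted, public, linux, x64]
    permissions:
      contents: write # push the Pipfile bump commit and the version tag
    outputs:
      version: ${{ steps.version.outputs.version }}
      major_version: ${{ steps.version.outputs.major_version }}
    steps:
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3
      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "pipenv"
          cache-dependency-path: "Pipfile.lock"
      - name: Get latest checkov version tag
        id: version
        run: |
          set -o pipefail
          # The tag list is unauthenticated third-party data. Fail on HTTP
          # errors (-f) instead of letting a rate-limit response turn into the
          # string "null" further down. (The original had "curl -s curl -s".)
          version=$(curl -fsS https://api.github.com/repos/bridgecrewio/checkov/tags | jq -r '.[0].name')
          # Only accept a tag made of docker-tag characters and starting with a
          # digit before it is interpolated into shell commands, commit/tag
          # messages and image tags; this also rejects an empty or "null" value.
          if ! [[ "$version" =~ ^[0-9][0-9A-Za-z._-]*$ ]]; then
            echo "unexpected checkov tag: '$version'" >&2
            exit 1
          fi
          echo "version=$version" >> "$GITHUB_OUTPUT"
          # grab major version for later image tag usage; cut at the first dot
          # rather than taking one character so a two-digit major works too
          major_version="${version%%.*}"
          echo "major_version=$major_version" >> "$GITHUB_OUTPUT"
      - name: Update checkov dependency
        env:
          # passed through the environment instead of an inline ${{ }} expression
          # so the value can never be interpreted as shell syntax
          CHECKOV_VERSION: ${{ steps.version.outputs.version }}
        run: |
          # install needed tools
          python -m pip install --no-cache-dir --upgrade pipenv
          # update Pipfile (PYTHON_VERSION comes from the workflow-level env)
          pipenv --python "${PYTHON_VERSION}"
          pipenv install "checkov==${CHECKOV_VERSION}"
          pipenv lock
      - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4
        with:
          commit_message: Bump checkov version to ${{ steps.version.outputs.version }} [skip ci]
          tagging_message: ${{ steps.version.outputs.version }}

  # Job 2: build the image from the bumped main, push it to Docker Hub and GHCR,
  # sign and attest it keylessly, and point the k8s manifest at the new digest.
  publish-image:
    needs: update-checkov
    runs-on: [self-hosted, public, linux, x64]
    environment: release
    permissions:
      contents: write # push the deployment manifest update
      packages: write # push to ghcr.io
      id-token: write # Enable OIDC (keyless cosign signing)
    env:
      DH_IMAGE_NAME: bridgecrew/whorf
      GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
      FULL_IMAGE_TAG: ${{ needs.update-checkov.outputs.version }}
      SHORT_IMAGE_TAG: ${{ needs.update-checkov.outputs.major_version }}
    steps:
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3
        with:
          ref: main # the bump commit from update-checkov, not the triggering SHA
      - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2
      - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2 # needed for self-hosted builds
      - name: Login to Docker Hub
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and export image to Docker
        # buildx changes the driver to 'docker-container' which doesn't expose the image to the host,
        # so it is built and loaded to Docker and in the next step pushed to the registry
        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3
        with:
          context: .
          no-cache: true
          load: true
          tags: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
      - name: Push Docker image
        id: docker_push
        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3
        with:
          context: .
          push: true
          tags: |
            ${{ env.DH_IMAGE_NAME }}:latest
            ${{ env.DH_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }}
            ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
            ${{ env.GHCR_IMAGE_NAME }}:latest
            ${{ env.GHCR_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }}
            ${{ env.GHCR_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
      - name: Generate SBOM
        continue-on-error: true
        # TODO(security): pin to a commit SHA like every other action in this
        # file. A mutable branch ref runs unreviewed code in a job that holds
        # id-token/packages/contents write and has the registry credentials.
        uses: bridgecrewio/checkov-action@master # use latest and greatest
        with:
          api-key: ${{ secrets.BC_API_KEY }}
          docker_image: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
          dockerfile_path: Dockerfile
          output_format: cyclonedx_json
          # NOTE(review): the trailing comma looks unintended — confirm the
          # attest step below really finds cyclonedx.json. Because of
          # continue-on-error above, a failed SBOM step is only noticed when
          # cosign attest cannot read its predicate.
          output_file_path: cyclonedx.json,
      - name: Sign and attest image
        env:
          COSIGN_EXPERIMENTAL: 1 # needed for keyless signing
          IMAGE_DIGEST: ${{ steps.docker_push.outputs.digest }}
        run: |
          # refuse to sign/attest an unresolved reference
          : "${IMAGE_DIGEST:?docker_push produced no image digest}"
          # sign image (by digest, not by tag, so the signature cannot be re-pointed)
          cosign sign "${DH_IMAGE_NAME}@${IMAGE_DIGEST}"
          cosign sign -f "${GHCR_IMAGE_NAME}@${IMAGE_DIGEST}"
          # attest SBOM
          cosign attest \
            --type cyclonedx \
            --predicate cyclonedx.json \
            "${DH_IMAGE_NAME}@${IMAGE_DIGEST}"
          cosign attest -f \
            --type cyclonedx \
            --predicate cyclonedx.json \
            "${GHCR_IMAGE_NAME}@${IMAGE_DIGEST}"
      - name: Update deployment
        # the manifest pins the image by digest; swap the old digest for the new one
        uses: jacobtomlinson/gha-find-replace@a51bbcd94d000df9ca0fcb54ec8be69aad8374b0 # v3
        with:
          find: "image: bridgecrew/whorf@sha256:[a-f0-9]{64}"
          replace: "image: ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}"
          include: "k8s/deployment.yaml"
      - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4
        with:
          commit_message: update k8s deployment [skip ci]
          file_pattern: k8s/*.yaml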