-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Software supply chain security feature cosign added and splitting of …
…workflows
- Loading branch information
1 parent
b7d5f32
commit b684c16
Showing
3 changed files
with
245 additions
and
81 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,128 @@ | ||
| name: NPM Build and Push Docker Image On PR | ||
|
|
||
| on: | ||
| pull_request_target: | ||
| types: | ||
| - closed | ||
| branches: | ||
| - 'development' | ||
| - 'rc/**' | ||
| - 'hotfix/**' | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| GITHUB_REGISTRY: ghcr.io | ||
| DOCKER_IMAGE_NAME: <docker_image_name> | ||
| GITHUB_NAMESPACE: valtimo-cloud | ||
|
|
||
| jobs: | ||
| if_merged: | ||
| if: github.event.pull_request.merged == true | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: | | ||
| echo "The PR was merged" | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| needs: [ if_merged ] | ||
| outputs: | ||
| tagToDeploy: ${{ steps.prep.outputs.image_tag }} | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Set up Node.js version | ||
| uses: actions/setup-node@v2 | ||
| with: | ||
| node-version: "16.x" | ||
|
|
||
| - name: 'Generate unique docker tag to deploy' | ||
| id: prep | ||
| run: | | ||
| branch=${GITHUB_REF##*/} | ||
| sha=${GITHUB_SHA::8} | ||
| ts=$(date +'%Y%m%d%H%M') | ||
| echo "image_tag=${branch}-${ts}-${sha}" >> "$GITHUB_OUTPUT" | ||
| - name: NPM install and build | ||
| run: | | ||
| npm install | ||
| npm run build | ||
| - name: Build artifacts | ||
| run: ./gradlew build | ||
|
|
||
| - name: Archive dist folder | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: valtimo-frontend-dist | ||
| path: deployment/ | ||
|
|
||
| deploy: | ||
| runs-on: ubuntu-latest | ||
| needs: [build] | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/[email protected] | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Install Cosign | ||
| uses: sigstore/[email protected] | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/[email protected] | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/[email protected] | ||
|
|
||
| - name: Download dist artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: valtimo-frontend-dist | ||
|
|
||
| - name: 'Login to github packages' | ||
| uses: docker/login-action@v1 | ||
| with: | ||
| registry: ${{ env.GITHUB_REGISTRY }} | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - id: docker_meta | ||
| uses: docker/[email protected] | ||
| with: | ||
| images: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }} | ||
| tags: type=raw,value=${{ needs.build.outputs.tagToDeploy }} | ||
|
|
||
| - name: Build and push Docker image | ||
| uses: docker/[email protected] | ||
| id: build-and-push | ||
| with: | ||
| file: Dockerfile | ||
| context: . | ||
| push: true | ||
| tags: ${{ steps.docker_meta.outputs.tags }} | ||
|
|
||
| - name: Sign the images with GitHub OIDC Token | ||
| env: | ||
| DIGEST: ${{ steps.build-and-push.outputs.digest }} | ||
| TAGS: ${{ steps.docker_meta.outputs.tags }} | ||
| run: | | ||
| images="" | ||
| for tag in ${TAGS}; do | ||
| images+="${tag}@${DIGEST} " | ||
| done | ||
| cosign sign --yes ${images} | ||
| - name: Verify the images | ||
| run: | | ||
| branch=${GITHUB_REF##*/} | ||
| cosign verify ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.tagToDeploy }} \ | ||
| --certificate-identity https://github.com/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}/.github/workflows/cicd.yaml@refs/heads/${branch} \ | ||
| --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| name: NPM Build and Push Docker Image On Push | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - 'feature/**' | ||
| - 'bugfix/**' | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| GITHUB_REGISTRY: ghcr.io | ||
| DOCKER_IMAGE_NAME: <docker_image_name> | ||
| GITHUB_NAMESPACE: valtimo-cloud | ||
|
|
||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| tagToDeploy: ${{ steps.prep.outputs.image_tag }} | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Set up Node.js version | ||
| uses: actions/setup-node@v2 | ||
| with: | ||
| node-version: "16.x" | ||
|
|
||
| - name: 'Generate unique docker tag to deploy' | ||
| id: prep | ||
| run: | | ||
| branch=${GITHUB_REF##*/} | ||
| sha=${GITHUB_SHA::8} | ||
| ts=$(date +'%Y%m%d%H%M') | ||
| echo "image_tag=${branch}-${ts}-${sha}" >> "$GITHUB_OUTPUT" | ||
| - name: NPM install and build | ||
| run: | | ||
| npm install | ||
| npm run build | ||
| - name: Build artifacts | ||
| run: ./gradlew build | ||
|
|
||
| - name: Archive dist folder | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: valtimo-frontend-dist | ||
| path: deployment/ | ||
|
|
||
| deploy: | ||
| runs-on: ubuntu-latest | ||
| needs: [build] | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/[email protected] | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Install Cosign | ||
| uses: sigstore/[email protected] | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/[email protected] | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/[email protected] | ||
|
|
||
| - name: Download dist artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: valtimo-frontend-dist | ||
|
|
||
| - name: 'Login to github packages' | ||
| uses: docker/login-action@v1 | ||
| with: | ||
| registry: ${{ env.GITHUB_REGISTRY }} | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - id: docker_meta | ||
| uses: docker/[email protected] | ||
| with: | ||
| images: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }} | ||
| tags: type=raw,value=${{ needs.build.outputs.tagToDeploy }} | ||
|
|
||
| - name: Build and push Docker image | ||
| uses: docker/[email protected] | ||
| id: build-and-push | ||
| with: | ||
| file: Dockerfile | ||
| context: . | ||
| push: true | ||
| tags: ${{ steps.docker_meta.outputs.tags }} | ||
|
|
||
| - name: Sign the images with GitHub OIDC Token | ||
| env: | ||
| DIGEST: ${{ steps.build-and-push.outputs.digest }} | ||
| TAGS: ${{ steps.docker_meta.outputs.tags }} | ||
| run: | | ||
| images="" | ||
| for tag in ${TAGS}; do | ||
| images+="${tag}@${DIGEST} " | ||
| done | ||
| cosign sign --yes ${images} | ||
| - name: Verify the images | ||
| run: | | ||
| branch=${GITHUB_REF##*/} | ||
| cosign verify ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.tagToDeploy }} \ | ||
| --certificate-identity https://github.com/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}/.github/workflows/cicd.yaml@refs/heads/${branch} \ | ||
| --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq | ||