This repository has been archived by the owner on Sep 23, 2024. It is now read-only.
DEVOPS-2546 syntax fix #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Build pipeline for agglayer-dev" | |
on: | |
push: | |
branches: | |
- DEVOPS-2546/dev-deploy | |
env: | |
PROJECT_ID: "prj-polygonlabs-shared-dev" | |
GAR_LOCATION: "europe-west2" | |
WIF_PROVIDER: "projects/595403903631/locations/global/workloadIdentityPools/build-pipeline-pool/providers/buildpipeline" | |
WIF_SERVICE_ACCOUNT: "gcp-apps-build-pipeline-sa@prj-polygonlabs-shared-dev.iam.gserviceaccount.com" | |
CRITICAL_COUNT: 5 | |
IMAGE_NAME: "europe-west2-docker.pkg.dev/prj-polygonlabs-shared-dev/polygonlabs-docker-dev/agglayer" | |
DOCKERFILE_NAME: "Dockerfile" | |
DOCKERFILE_PATH: "docker/" | |
HELM_VALUES_PATH: "helm-values/dev-values.yaml" | |
ATTESTOR_PROJECT_ID: "prj-polygonlabs-shared-dev" | |
KEY_RING: "gcp-apps-build-pipeline-ring" | |
KEY: "gcp-apps-build-pipeline-key" | |
ATTESTOR: "gcp-apps-build-pipeline-attestor" | |
jobs: | |
build-pipeline: | |
name: "Build pipeline for agglayer-dev" | |
permissions: | |
contents: "write" | |
id-token: "write" | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: google-github-actions/setup-gcloud@v1 | |
- id: auth | |
uses: google-github-actions/auth@v1 | |
with: | |
token_format: "access_token" | |
workload_identity_provider: ${{ env.WIF_PROVIDER }} | |
service_account: ${{ env.WIF_SERVICE_ACCOUNT }} | |
- id: docker-auth | |
uses: docker/login-action@v1 | |
with: | |
username: "oauth2accesstoken" | |
password: ${{ steps.auth.outputs.access_token }} | |
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev | |
- id: build-docker-image | |
run: |- | |
docker build -t "${{ env.IMAGE_NAME }}:${{ github.sha }}" -f ${{ env.DOCKERFILE_NAME }} ${{ env.DOCKERFILE_PATH }} | |
shell: bash | |
- id: push-docker-image | |
run: |- | |
docker push "${{ env.IMAGE_NAME }}:${{ github.sha }}" | |
shell: bash | |
- id: scan-vulnerabilities | |
run: |- | |
(gcloud artifacts docker images scan "${{ env.IMAGE_NAME }}:${{ github.sha }}" --format="value(response.scan)" --remote --quiet) > ./scan_id.txt | |
shell: bash | |
- id: check-critical-vulnerabilities | |
run: |- | |
#!/bin/bash | |
# Check if the scan_id.txt file exists | |
if [ ! -f ./scan_id.txt ]; then | |
echo "Error: scan_id.txt not found." | |
exit 1 | |
fi | |
# Use gcloud to list vulnerabilities and check for CRITICAL severity | |
severity=$(gcloud artifacts docker images list-vulnerabilities \ | |
"$(cat ./scan_id.txt)" \ | |
--format="value(vulnerability.effectiveSeverity)") | |
# Check if CRITICAL vulnerability is found | |
chk=$(echo "$severity" | grep -c "CRITICAL") | |
if [ "$chk" -gt ${{ env.CRITICAL_COUNT }} ]; then | |
echo "Failed vulnerability check for CRITICAL level" | |
exit 1 | |
else | |
echo "No CRITICAL vulnerability found. Congratulations!" | |
exit 0 | |
fi | |
shell: bash | |
- id: sign-docker-image | |
run: |- | |
export CLOUDSDK_CORE_DISABLE_PROMPTS=1 | |
gcloud components install beta --quiet | |
DIGEST=$(gcloud container images describe ${{ env.IMAGE_NAME }}:${{ github.sha }} --format='get(image_summary.digest)') | |
gcloud beta container binauthz attestations sign-and-create \ | |
--artifact-url="${{ env.IMAGE_NAME }}@${DIGEST}" \ | |
--attestor="${{ env.ATTESTOR }}" \ | |
--attestor-project="${{ env.ATTESTOR_PROJECT_ID }}" \ | |
--keyversion-project="${{ env.ATTESTOR_PROJECT_ID }}" \ | |
--keyversion-location="${{ env.GAR_LOCATION }}" \ | |
--keyversion-keyring="${{ env.KEY_RING }}" \ | |
--keyversion-key="${{ env.KEY }}" \ | |
--keyversion="1" | |
shell: bash | |
- id: update-helm-values | |
run: |- | |
DIGEST=$(gcloud container images describe ${{ env.IMAGE_NAME }}:${{ github.sha }} \ | |
--format='get(image_summary.digest)') | |
sed -i "s|image:.*|image: ${{ env.IMAGE_NAME }}@${DIGEST}|" ${{ env.HELM_VALUES_PATH }} | |
shell: bash | |
- id: push-back | |
uses: stefanzweifel/git-auto-commit-action@v5 | |
with: | |
commit_message: Apply automatic changes to Update image repository in Helm values | |
file_pattern: ${{ env.HELM_VALUES_PATH }} |