feat: Add new action #3

Merged
merged 3 commits into from
Dec 23, 2022
23 changes: 23 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -34,3 +34,26 @@ jobs:
@semantic-release/git@10.0.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Log in to the Container registry
id: docker_login
if: steps.release.outputs.new_release_published == 'true'
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push Docker image
id: docker_build_push
if: steps.release.outputs.new_release_published == 'true'
uses: docker/build-push-action@v3
with:
context: .
push: true
tags: |
ghcr.io/${{ github.repository }}:latest
ghcr.io/${{ github.repository }}:v${{ steps.release.outputs.new_release_version }}
labels: |
maintainer=https://pagopa.it
org.opencontainers.image.source=https://github.com/${{ github.repository }}
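Review bot: `docker/login-action@v2` and `docker/build-push-action@v3` are pinned to mutable major tags, while every other action this PR touches (trivy.yml, action.yml) is pinned to a full commit SHA with a `# from https://github.com/...` comment; pin these two the same way so the release job's supply-chain posture matches the rest of the repository. The job's `permissions` block lies outside the hunk, so it cannot be checked here, but pushing to ghcr.io with `GITHUB_TOKEN` needs `packages: write` on the job — worth confirming before merging. The enclosing job starts before the hunk.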
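--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Docker security scan
+
+on:
+push:
+branches: [ "main", "master" ]
+pull_request:
+# The branches below must be a subset of the branches above
+branches: [ "main", "master" ]
+schedule:
+- cron: '00 07 * * *'
+
+permissions:
+contents: read
+
+jobs:
+trivy:
+permissions:
+contents: read # for actions/checkout to fetch code
+security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+name: Build
+runs-on: "ubuntu-22.04"
+steps:
+- name: Checkout code
+# from https://github.com/actions/checkout/commits/main
+uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+
+- name: Build an image from Dockerfile
+run: |
+docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+- name: Run Trivy vulnerability scanner
+# from https://github.com/aquasecurity/trivy-action/commits/master
+uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac
+with:
+image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+format: 'template'
+template: '@/contrib/sarif.tpl'
+output: 'trivy-results.sarif'
+severity: 'CRITICAL,HIGH'
+timeout: '10m0s'
+
+- name: Upload Trivy scan results to GitHub Security tab
+# from https://github.com/github/codeql-action/commits/main
+uses: github/codeql-action/upload-sarif@f0a12816612c7306b485a22cb164feb43c6df818
+with:
+sarif_file: 'trivy-results.sarif'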
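Review bot: The image name `docker.io/my-organization/my-app` in the build step and in `image-ref` is the placeholder left by GitHub's starter workflow, not this project's image; both should use the same reference release.yml publishes, e.g. `ghcr.io/${{ github.repository }}:${{ github.sha }}`, so the scan result describes the artifact that is actually shipped. The scanner step sets no `exit-code`, so CRITICAL/HIGH findings only appear in the Security tab and never fail the run — if the pull_request trigger is meant to gate merges, add `exit-code: '1'` under `with:`. As a point of style, the job is named `Build` although its purpose is the vulnerability scan, and the `[ "main", "master" ]` flow lists would read more consistently in block style like the rest of the file.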
84 changes: 73 additions & 11 deletions action.yml
Expand Up @@ -2,20 +2,82 @@ name: "OpEx Dashboard"
description: "Automate OpEx Dashboard generation process"

inputs:
client-id:
description: "Azure client-id"
required: true
tenant-id:
description: "Azure tenant-id"
required: true
subscription-id:
description: "Azure subscription-id"
required: true
subscription-name:
description: "Azure subscription-name"
required: true
config:
description: "A yaml file with all params to create the template"
required: true
template:
description: "Name of the template"
api-name:
description: "Api name"
required: true
environment:
description: "Environment"
required: true
version:
description: "docker version"
required: true
template-dir:
description: "Temp directory"
required: true
default: azure-dashboard

runs:
using: "docker"
image: "Dockerfile"
args:
- ${{ inputs.template }}
- ${{ inputs.config }}

branding:
icon: "git-commit"
color: "green"
using: "composite"

steps:

# this action create a folder named /azure-dashboard
- name: Run opex dashbaord
shell: bash
run: |
docker run test ${{ inputs.template-dir }} ${{ inputs.config }}

# we need to set env variables in the folder /azure-dashboard
- name: Copy Environments
shell: bash
run: |
cp -R .opex/${{ inputs.api-name }}/env ./${{ inputs.template-dir }}

- name: Read terraform version
id: read-version
shell: bash
run: |
echo "TERRAFORM_VERSION=`cat .terraform-version`" >> $GITHUB_ENV

- name: Setup Terraform
id: setup_terraform
# from https://github.com/hashicorp/setup-terraform/commits/main
uses: hashicorp/setup-terraform@8feba2b913ea459066180f9cb177f58a881cf146
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}

- name: Login
id: login
# from https://github.com/Azure/login/commits/master
uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
with:
client-id: ${{ inputs.client-id }}
tenant-id: ${{ inputs.tenant-id }}
subscription-id: ${{ inputs.subscription-id }}

# now is possible to launch the command: terraform apply
- name: Terraform Apply
shell: bash
run: |
cd ./${{ inputs.template-dir }}
export ARM_CLIENT_ID="${{ inputs.client-id }}"
export ARM_TENANT_ID="${{ inputs.tenant-id }}"
export ARM_SUBSCRIPTION_ID="${{ inputs.subscription-id }}"
export ARM_USE_OIDC=true

bash ./terraform.sh apply ${{ matrix.environment }} -auto-approve
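Review bot: The last line of the Terraform Apply step references `${{ matrix.environment }}`, but a composite action's metadata file has no `matrix` context (it belongs to the calling workflow's job), so this expands to an empty string; the declared `environment` input is otherwise unused and is almost certainly what was intended: `bash ./terraform.sh apply "${{ inputs.environment }}" -auto-approve`. More broadly, every `run:` block splices caller-controlled inputs (`template-dir`, `config`, `api-name`, `client-id`, …) straight into the shell script text; passing them through `env:` and quoting the variables keeps input values as data rather than script, and the rewritten Apply step below shows the pattern to apply to the other three steps as well. The `docker run test …` image name in the first step looks like a placeholder, and `version` and `subscription-name` are declared `required: true` but never used in the visible steps — either wire them in or drop them; also `dashbaord` in the first step name is a typo.
```yaml
# … unchanged: earlier steps (dashboard run, env copy, terraform version/setup, azure login) …
- name: Terraform Apply
  shell: bash
  env:
    TEMPLATE_DIR: ${{ inputs.template-dir }}
    TARGET_ENV: ${{ inputs.environment }}
    ARM_CLIENT_ID: ${{ inputs.client-id }}
    ARM_TENANT_ID: ${{ inputs.tenant-id }}
    ARM_SUBSCRIPTION_ID: ${{ inputs.subscription-id }}
    ARM_USE_OIDC: "true"
  run: |
    cd "./${TEMPLATE_DIR}"
    bash ./terraform.sh apply "${TARGET_ENV}" -auto-approve
```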