v0.3.70 #84
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update Strelka Docker Images | |
on: | |
release: | |
types: [published] | |
jobs: | |
push_to_registry: | |
name: Build & Push to Registries | |
strategy: | |
matrix: | |
arch: [arm64, amd64] | |
include: | |
- arch: arm64 | |
runner: arm-8vcpu-ubuntu-22-public | |
- arch: amd64 | |
runner: ubuntu-latest-4-cores-public | |
runs-on: ${{ matrix.runner }} | |
environment: production | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v2 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
id: login-aws | |
continue-on-error: true | |
with: | |
output-credentials: true | |
role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
role-duration-seconds: 7200 # 2 hours | |
aws-region: us-east-1 | |
- name: 2nd Attempt Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
if: ${{ steps.login-aws.outputs.aws-access-key-id == '' }} | |
with: | |
role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
role-duration-seconds: 7200 # 2 hours | |
aws-region: us-east-1 | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Configure AWS credentials (Gov Cloud) | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
continue-on-error: true | |
id: login-aws-gov-cloud | |
with: | |
output-credentials: true | |
unset-current-credentials: true | |
role-to-assume: ${{ secrets.ECR_GOV_CLOUD_REPO_ROLE }} | |
role-duration-seconds: 7200 # 2 hours | |
aws-region: us-gov-west-1 | |
- name: 2nd Attempt Configure AWS credentials (Gov Cloud) | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
if: ${{ steps.login-aws-gov-cloud.outputs.aws-access-key-id == '' }} | |
with: | |
unset-current-credentials: true | |
role-to-assume: ${{ secrets.ECR_GOV_CLOUD_REPO_ROLE }} | |
role-duration-seconds: 7200 # 2 hours | |
aws-region: us-gov-west-1 | |
- name: Login to Amazon ECR (GovCloud) | |
id: login-ecr-gov-cloud | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Validate ECR Repos | |
run: | | |
# If something is wrong with the GovCloud login the GovCloud ECR login will succeed using the standard creds | |
# Make sure we have two different ECR repos to make this clear. | |
if [[ ${{ steps.login-ecr.outputs.registry }} = ${{ steps.login-ecr-gov-cloud.outputs.registry }} ]]; then | |
exit 1 | |
fi | |
- name: Determine the version from the tag | |
id: get_ver | |
run: | | |
SEM_VER=$(echo "${{ github.ref }}" | grep -E -o "[0-9]+\.[0-9]+\.[0-9]*") | |
test -n "$SEM_VER" | |
echo "::set-output name=SEM_VER::$SEM_VER" | |
- name: Login to DockerHub | |
uses: docker/login-action@v1 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v1 | |
with: | |
driver: docker | |
- name: Build FrontEnd | |
uses: docker/build-push-action@v2 | |
with: | |
file: build/go/frontend/Dockerfile | |
context: . | |
platforms: linux/${{ matrix.arch }} | |
load: true | |
tags: | | |
sublimesec/strelka-frontend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
${{ steps.login-ecr.outputs.registry }}/strelka-frontend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
${{ steps.login-ecr-gov-cloud.outputs.registry }}/strelka-frontend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
- name: Build BackEnd | |
uses: docker/build-push-action@v2 | |
with: | |
file: build/python/backend/Dockerfile | |
context: . | |
platforms: linux/${{ matrix.arch }} | |
load: true | |
tags: | | |
sublimesec/strelka-backend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
${{ steps.login-ecr.outputs.registry }}/strelka-backend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
${{ steps.login-ecr-gov-cloud.outputs.registry }}/strelka-backend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
- name: Build Manager | |
uses: docker/build-push-action@v2 | |
with: | |
file: build/go/manager/Dockerfile | |
context: . | |
platforms: linux/${{ matrix.arch }} | |
load: true | |
tags: | | |
sublimesec/strelka-manager:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
${{ steps.login-ecr.outputs.registry }}/strelka-manager:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
${{ steps.login-ecr-gov-cloud.outputs.registry }}/strelka-manager:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
- name: Push FrontEnd | |
env: | |
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
ECR_GC_REGISTRY: ${{ steps.login-ecr-gov-cloud.outputs.registry }} | |
run: | | |
docker push --all-tags $ECR_REGISTRY/strelka-frontend | |
docker push --all-tags $ECR_GC_REGISTRY/strelka-frontend | |
docker push --all-tags sublimesec/strelka-frontend | |
- name: Push BackEnd | |
env: | |
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
ECR_GC_REGISTRY: ${{ steps.login-ecr-gov-cloud.outputs.registry }} | |
run: | | |
docker push --all-tags $ECR_REGISTRY/strelka-backend | |
docker push --all-tags $ECR_GC_REGISTRY/strelka-backend | |
docker push --all-tags sublimesec/strelka-backend | |
- name: Push Manager | |
env: | |
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
ECR_GC_REGISTRY: ${{ steps.login-ecr-gov-cloud.outputs.registry }} | |
run: | | |
docker push --all-tags $ECR_REGISTRY/strelka-manager | |
docker push --all-tags $ECR_GC_REGISTRY/strelka-manager | |
docker push --all-tags sublimesec/strelka-manager | |
manifest_image: | |
name: Build Manifest Image and Push | |
needs: push_to_registry | |
runs-on: ubuntu-20.04 | |
environment: production | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
continue-on-error: true | |
id: login-aws | |
with: | |
output-credentials: true | |
role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
role-duration-seconds: 7200 # 2 hours | |
aws-region: us-east-1 | |
- name: 2nd Attempt Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
if: ${{ steps.login-aws.outputs.aws-access-key-id == '' }} | |
with: | |
role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
role-duration-seconds: 7200 # 2 hours | |
aws-region: us-east-1 | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Configure AWS credentials (Gov Cloud) | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
continue-on-error: true | |
id: login-aws-gov-cloud | |
with: | |
output-credentials: true | |
unset-current-credentials: true | |
role-to-assume: ${{ secrets.ECR_GOV_CLOUD_REPO_ROLE }} | |
role-duration-seconds: 7200 # 2 hours | |
aws-region: us-gov-west-1 | |
- name: 2nd Attempt Configure AWS credentials (Gov Cloud) | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
if: ${{ steps.login-aws-gov-cloud.outputs.aws-access-key-id == '' }} | |
with: | |
unset-current-credentials: true | |
role-to-assume: ${{ secrets.ECR_GOV_CLOUD_REPO_ROLE }} | |
role-duration-seconds: 7200 # 2 hours | |
aws-region: us-gov-west-1 | |
- name: Login to Amazon ECR (GovCloud) | |
id: login-ecr-gov-cloud | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Validate ECR Repos | |
run: | | |
# If something is wrong with the GovCloud login the GovCloud ECR login will succeed using the standard creds | |
# Make sure we have two different ECR repos to make this clear. | |
if [[ ${{ steps.login-ecr.outputs.registry }} = ${{ steps.login-ecr-gov-cloud.outputs.registry }} ]]; then | |
exit 1 | |
fi | |
- name: Login to DockerHub | |
uses: docker/login-action@v1 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Determine the version from the tag | |
id: get_ver | |
run: | | |
SEM_VER=$(echo "${{ github.ref }}" | grep -E -o "[0-9]+\.[0-9]+\.[0-9]*") | |
test -n "$SEM_VER" | |
echo "::set-output name=SEM_VER::$SEM_VER" | |
- name: Build and Push Final Manifests to ECR & DockerHub | |
env: | |
SEM_VER: ${{ steps.get_ver.outputs.SEM_VER }} | |
MINOR_VERSION: ${{ steps.get_ver.outputs.MINOR_VERSION }} | |
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
ECR_GC_REGISTRY: ${{ steps.login-ecr-gov-cloud.outputs.registry }} | |
run: | | |
amd_tag=amd64-$SEM_VER | |
arm_tag=arm64-$SEM_VER | |
# Backend | |
docker_hub=sublimesec/strelka-backend | |
ecr=$ECR_REGISTRY/strelka-backend | |
ecr_gc=$ECR_GC_REGISTRY/strelka-backend | |
docker manifest create $docker_hub:$SEM_VER \ | |
$docker_hub:$amd_tag \ | |
$docker_hub:$arm_tag | |
docker manifest create $ecr:$SEM_VER \ | |
$ecr:$amd_tag \ | |
$ecr:$arm_tag | |
docker manifest create $ecr_gc:$SEM_VER \ | |
$ecr_gc:$amd_tag \ | |
$ecr_gc:$arm_tag | |
docker manifest push $docker_hub:$SEM_VER | |
docker manifest push $ecr:$SEM_VER | |
docker manifest push $ecr_gc:$SEM_VER | |
# Frontend | |
docker_hub=sublimesec/strelka-frontend | |
ecr=$ECR_REGISTRY/strelka-frontend | |
ecr_gc=$ECR_GC_REGISTRY/strelka-frontend | |
docker manifest create $docker_hub:$SEM_VER \ | |
$docker_hub:$amd_tag \ | |
$docker_hub:$arm_tag | |
docker manifest create $ecr:$SEM_VER \ | |
$ecr:$amd_tag \ | |
$ecr:$arm_tag | |
docker manifest create $ecr_gc:$SEM_VER \ | |
$ecr_gc:$amd_tag \ | |
$ecr_gc:$arm_tag | |
docker manifest push $docker_hub:$SEM_VER | |
docker manifest push $ecr:$SEM_VER | |
docker manifest push $ecr_gc:$SEM_VER | |
# Manager | |
docker_hub=sublimesec/strelka-manager | |
ecr=$ECR_REGISTRY/strelka-manager | |
ecr_gc=$ECR_GC_REGISTRY/strelka-manager | |
docker manifest create $docker_hub:$SEM_VER \ | |
$docker_hub:$amd_tag \ | |
$docker_hub:$arm_tag | |
docker manifest create $ecr:$SEM_VER \ | |
$ecr:$amd_tag \ | |
$ecr:$arm_tag | |
docker manifest create $ecr_gc:$SEM_VER \ | |
$ecr_gc:$amd_tag \ | |
$ecr_gc:$arm_tag | |
docker manifest push $docker_hub:$SEM_VER | |
docker manifest push $ecr:$SEM_VER | |
docker manifest push $ecr_gc:$SEM_VER | |
validate_x_region_replication: | |
name: Validate that ECR Images Have Propagated to All Regions | |
runs-on: ubuntu-latest | |
environment: production | |
permissions: | |
id-token: write | |
contents: read | |
needs: manifest_image | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v2 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
continue-on-error: true | |
id: login-aws | |
with: | |
output-credentials: true | |
role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
role-duration-seconds: 7200 # 2 hours | |
aws-region: us-east-1 | |
- name: 2nd Attempt Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
if: ${{ steps.login-aws.outputs.aws-access-key-id == '' }} | |
with: | |
role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
role-duration-seconds: 7200 # 2 hours | |
aws-region: us-east-1 | |
- name: Validate All X-Region Replication | |
run: | | |
SEM_VER=$(echo "${{ github.ref }}" | grep -E -o "[0-9]+\.[0-9]+.[0-9]*") | |
.github/workflows/check_images_x_region.sh $SEM_VER | |
if [ $? != 0 ]; then | |
exit 1 | |
fi | |
- name: Slack Notification | |
uses: rtCamp/action-slack-notify@v2 | |
env: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_Z_LOG_DOCKER_BUILDS }} | |
SLACK_TITLE: Strelka Images Updated |