vapor-ware · AdamIsrael · Jul 13, 2023 · Jul 13, 2023 · Jul 13, 2023 · Jul 13, 2023
diff --git a/.github/actions/build-pr-image/README.md b/.github/actions/build-pr-image/README.md
@@ -0,0 +1,47 @@
+## Build PR Image Action
+
+This Action provides automation for a Docker builder for a PR. An image is then pushed to a given registry.
+
+## Parameters
+
+### Inputs
+
+ * `REGISTRY`: The image registry where the action is pulling from. Images can be found in https://hub.docker.com/?namespace=vaporio
+ * `BUILDERIMAGE`: A base image containing the build tool chain
+ * `SLIMIMAGE`: A smaller image for deploys
+ * `DOCKERFILE`: Name of the Dockerfile. Usually just `Dockerfile`
+ * `USERNAME`: Login user for the image registry
+ * `PASSWORD`: Password for image registry
+ * `IMAGENAME`: Name of the image to push into the registry
+
+### Usage
+
+Since this Action is located in a private repo, a step will checkout this repo with a token so then it can be used
+in the next step.
+
+```
+# .github/workflows/deploy.yml
+name: build
+on: ['build']
+
+jobs:
+  image_build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          repository: vapor-ware/workflows
+          token: ${{ secrets.VIO_REPO_READ }}
+          ref: main
+          path: vapor-ware-workflows # Checkouts directory path name for the next step
+
+      - uses: ./vapor-ware-workflows/.github/actions/build-pr-image
+        with:
+          REGISTRY: docker.io
+          BUILDERIMAGE: ubuntu:22.04
+          SLIMIMAGE: ubuntu:22.04
+          DOCKERFILE: Dockerfile
+          USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
+          IMAGENAME: my_image
+```
diff --git a/.github/actions/build-pr-image/action.yml b/.github/actions/build-pr-image/action.yml
@@ -0,0 +1,99 @@
+name: build pr image
+description: build an image for current pr
+inputs:
+  REGISTRY:
+    required: true
+    default: "docker.io"
+    description: registry to use, defaults to docker.io
+  ORGANIZATION:
+    required: true
+    default: "vaporio"
+    description: organization name used in image
+  USERNAME:
+    required: true
+  PASSWORD:
+    required: true
+  BUILDERIMAGE:
+    required: true
+  SLIMIMAGE:
+    required: false
+  DOCKERFILE:
+    required: true
+  IMAGENAME:
+    required: true
+  IMAGETAG:
+    required: false
+
+outputs:
+  timestamp:
+    value: ${{ steps.generate-timestamp.outputs.current-timestamp }}
+    description: timestamp for use in other actions
+  tag:
+    value: ${{ steps.generate-tag.outputs.tag }}
+    description: image tag for use in other actions, defaults to github.event.number
+  image-archive:
+    value: ${{ steps.image-archive.outputs.image-archive }}
+    description: docker image archive of built image
+  image:
+    value: ${{ steps.generate-image.outputs.image }}
+    description: full base image name
+
+runs:
+  using: composite
+  steps:
+    - name: Log in to docker.io
+      uses: redhat-actions/podman-login@v1.5
+      with:
+        registry: ${{ inputs.REGISTRY }}
+        username: ${{ inputs.USERNAME }}
+        password: ${{ inputs.PASSWORD }}
+
+    - id: generate-image
+      run: echo "image=$(echo ${{ inputs.REGISTRY }}/${{ inputs.ORGANIZATION }}/${{ inputs.IMAGENAME }})" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - id: generate-timestamp
+      run: echo "current-timestamp=$(date +%Y-%m-%dT%H:%M:%S)" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - id: generate-tag
+      run: echo "tag=$(echo pr.${{ inputs.IMAGETAG || github.event.number }})" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Pull builder image
+      run: podman pull ${{ inputs.BUILDERIMAGE }}
+      shell: bash
+
+    - name: Pull slim image
+      run: podman pull ${{ inputs.SLIMIMAGE }}
+      if: ${{ inputs.SLIMIMAGE }}
+      shell: bash
+
+    - name: build image
+      run: |
+        podman build . \
+          -f ${{ inputs.DOCKERFILE }} \
+          --format docker \
+          --label org.opencontainers.image.created=${{ steps.generate-timestamp.outputs.timestamp }} \
+          --label org.opencontainers.image.revision=${{ github.sha }} \
+          --label org.opencontainers.image.version=${{ github.ref_name }} \
+          --label io.vapor.image.build.number=${{ github.run_id }} \
+          --label io.vapor.image.build.ref=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} \
+          --label io.vapor.image.build.id=${{ github.base_ref }} \
+          --label io.vapor.image.build.branch=${{ github.event.pull_request.head.ref }} \
+          -t ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
+      shell: bash
+
+    - name: save image
+      run: |
+        podman save --quiet -o ${{ inputs.IMAGENAME }}.tar ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
+      shell: bash
+
+    - id: image-archive
+      run: echo "image-archive=$(echo docker-archive:${{ inputs.IMAGENAME }}.tar)" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: push image
+      run: |
+        podman push ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
+      shell: bash
diff --git a/.github/actions/scan-image/README.md b/.github/actions/scan-image/README.md
diff --git a/.github/actions/scan-image/action.yml b/.github/actions/scan-image/action.yml
@@ -0,0 +1,37 @@
+name: scan image
+description: scan a container image for vulnerabilities
+inputs:
+  image:
+    required: true
+    description: container image to scan
+
+outputs:
+  sarif:
+    value: ${{ steps.output-sarif.outputs.sarif }}
+    description: results of the container scan in SARIF format
+
+runs:
+  using: composite
+  steps:
+    - name: scan container image
+      uses: anchore/scan-action@v3
+      id: scan
+      with:
+        image: ${{ inputs.image }}
+        acs-report-enable: true
+        fail-build: false
+        severity-cutoff: high
+
+    - id: output-sarif
+      run: echo "sarif=${{ steps.scan.outputs.sarif }}" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: inspect action SARIF report
+      run: cat ${{ steps.scan.outputs.sarif }}
+      shell: bash
+
+    # TODO: submit sarif report to an API endpoint
+    # PAT auth to an API that stores sarif reports.
+    - name: submit SARIF report
+      run: echo "submitting SARIF report"
+      shell: bash
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,30 @@
+name: build
+on:
+  pull_request:
+    branches:
+      - develop
+  workflow_dispatch:
+
+jobs:
+  image_build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/build-pr-image
+        id: build-env
+        with:
+          REGISTRY: docker.io
+          BUILDERIMAGE: docker.io/library/python:3.9
+          SLIMIMAGE: docker.io/library/python:3.9-slim
+          DOCKERFILE: Dockerfile
+          USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
+          IMAGENAME: synse-server
+
+      - uses: ./.github/actions/scan-image
+        id: scan-image
+        with:
+          image: ${{ steps.build-env.outputs.image-archive }}
+          fail-build: false
+          severity-cutoff: high
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,24 @@
+name: release
+on:
+  workflow_run:
+    workflows: [build]
+    types:
+      - completed
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      -
+        name: Update Helm Chart
+        uses: vapor-ware/chart-releaser-action@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.VIO_PUBLIC_REPO }}
+        with:
+          args: update --diff --debug
diff --git a/.jenkins b/.jenkins