
Core key vault firewall should not be set to "Allow public access from all networks" #9044


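---
name: Docker build

on: # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
      - 'feature/**'
  workflow_dispatch:

# Least-privilege GITHUB_TOKEN: this workflow only reads the repository and,
# for dorny/paths-filter on pull_request events, the PR's changed-file list.
# No step pushes images or writes back to the repository, so nothing else is
# granted. Adjust here if a step is added that needs more.
permissions:
  contents: read
  pull-requests: read

# for each ref (branch/pr) run just the most recent, cancel
# other pending/running ones. github.head_ref is empty on
# workflow_dispatch, so fall back to github.ref there; otherwise every
# manual run would share one group and cancel the others.
concurrency:
  group: "${{ github.workflow }}-${{ github.head_ref || github.ref }}"
  cancel-in-progress: true

# NOTE(review): third-party actions below are referenced by mutable tags
# (vN). Pin each to a full commit SHA
# (`owner/action@<full-commit-sha> # vN`) so a re-tagged release cannot
# silently change what runs in this job.
jobs:
  docker_build:
    name: Build images
    runs-on: ubuntu-latest
    steps:
      - name: Upload Event File
        # this step is required to publish test results from forks
        uses: actions/upload-artifact@v4
        with:
          name: Event File
          path: ${{ github.event_path }}

      - name: Checkout
        uses: actions/checkout@v4
        with:
          # do not leave the token in .git/config for later steps
          persist-credentials: false

      # Each component has a "code changed" filter and a "version file
      # changed" filter; the "Stale version" steps below fail the job when
      # the first is true and the second is false.
      - name: Filter changes
        uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            api:
              - 'api_app/**/*'
            api_version:
              - 'api_app/_version.py'
            resource_processor:
              - 'resource_processor/**/*'
            resource_processor_version:
              - 'resource_processor/_version.py'
            guacamole_server:
              - 'templates/workspace_services/guacamole/guacamole-server/**/*'
            guacamole_server_version:
              - 'templates/workspace_services/guacamole/guacamole-server/docker/version.txt'
            gitea:
              - 'templates/shared_services/gitea/docker/**/*'
            gitea_version:
              - 'templates/shared_services/gitea/docker/version.txt'
            airlock_processor:
              - 'airlock_processor/**/*'
            airlock_processor_version:
              - 'airlock_processor/_version.py'
            ui_app:
              - 'ui/app/**/*'
            ui_app_version:
              - 'ui/app/package.json'

      - name: "Stale version: api"
        if: ${{ steps.filter.outputs.api == 'true' &&
          steps.filter.outputs.api_version == 'false' }}
        run: echo "::error::Code update without version change" && exit 1

      - name: "Stale version: resource_processor"
        if: ${{ steps.filter.outputs.resource_processor == 'true' &&
          steps.filter.outputs.resource_processor_version == 'false' }}
        run: echo "::error::Code update without version change" && exit 1

      - name: "Stale version: guacamole_server"
        if: ${{ steps.filter.outputs.guacamole_server == 'true' &&
          steps.filter.outputs.guacamole_server_version == 'false' }}
        run: echo "::error::Code update without version change" && exit 1

      - name: "Stale version: gitea"
        if: ${{ steps.filter.outputs.gitea == 'true' &&
          steps.filter.outputs.gitea_version == 'false' }}
        run: echo "::error::Code update without version change" && exit 1

      - name: "Stale version: airlock_processor"
        if: ${{ steps.filter.outputs.airlock_processor == 'true' &&
          steps.filter.outputs.airlock_processor_version == 'false' }}
        run: echo "::error::Code update without version change" && exit 1

      - name: "Stale version: ui_app"
        if: ${{ steps.filter.outputs.ui_app == 'true' &&
          steps.filter.outputs.ui_app_version == 'false' }}
        run: echo "::error::Code update without version change" && exit 1

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3

      # Unit Tests are executed by calling the 'test-results' target in the
      # Dockerfile's. Test runner exit codes must be swallowed (and kept) so we
      # can output the test results. This means we have to check for failure
      # trigger files in later steps.
      - name: "Test image: api"
        # test should be before build since its docker target
        # is prior to runtime
        if: |
          (steps.filter.outputs.api == 'true'
          || github.event_name == 'workflow_dispatch')
        uses: docker/build-push-action@v5
        with:
          context: ./api_app/
          file: ./api_app/Dockerfile
          outputs: type=local,dest=test-results
          target: test-results
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: "Check pytest failure file existence: api"
        id: check_api_test_result
        uses: andstor/file-existence-action@v3
        with:
          files: "test-results/pytest_api_unit_failed"

      - name: "Build image: api"
        if: |
          (steps.filter.outputs.api == 'true'
          || github.event_name == 'workflow_dispatch')
          && steps.check_api_test_result.outputs.files_exists == 'false'
        uses: docker/build-push-action@v5
        with:
          context: ./api_app/
          file: ./api_app/Dockerfile
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: "Build image: resource_processor"
        if: |
          (steps.filter.outputs.resource_processor == 'true'
          || github.event_name == 'workflow_dispatch')
        uses: docker/build-push-action@v5
        with:
          context: ./resource_processor
          file: ./resource_processor/vmss_porter/Dockerfile
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: "Test image: guacamole_server"
        if: |
          (steps.filter.outputs.guacamole_server == 'true'
          || github.event_name == 'workflow_dispatch')
        uses: docker/build-push-action@v5
        with:
          context: ./templates/workspace_services/guacamole/guacamole-server
          file: ./templates/workspace_services/guacamole/guacamole-server/docker/Dockerfile
          outputs: type=local,dest=test-results
          target: test-results
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: "Check maven failure file existence"
        id: check_maven_test_result
        uses: andstor/file-existence-action@v3
        with:
          files: "test-results/guacamole_package_failed"

      - name: "Build image: guacamole_server"
        if: |
          (steps.filter.outputs.guacamole_server == 'true'
          || github.event_name == 'workflow_dispatch')
          && steps.check_maven_test_result.outputs.files_exists == 'false'
        uses: docker/build-push-action@v5
        with:
          context: ./templates/workspace_services/guacamole/guacamole-server
          file: ./templates/workspace_services/guacamole/guacamole-server/docker/Dockerfile
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: "Build image: gitea"
        if: |
          (steps.filter.outputs.gitea == 'true'
          || github.event_name == 'workflow_dispatch')
        uses: docker/build-push-action@v5
        with:
          context: ./templates/shared_services/gitea/docker
          file: ./templates/shared_services/gitea/docker/Dockerfile
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Same test-then-build pattern as the api image: the 'test-results'
      # target swallows the test runner exit code, and the failure trigger
      # file is checked in the following step.
      - name: "Test image: airlock_processor"
        # test should be before build since its docker target
        # is prior to runtime
        if: |
          (steps.filter.outputs.airlock_processor == 'true'
          || github.event_name == 'workflow_dispatch')
        uses: docker/build-push-action@v5
        with:
          context: ./airlock_processor/
          file: ./airlock_processor/Dockerfile
          outputs: type=local,dest=test-results
          target: test-results
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: "Check pytest failure file existence: airlock_processor"
        id: check_airlock_processor_test_result
        uses: andstor/file-existence-action@v3
        with:
          files: "test-results/pytest_airlock_processor_unit_failed"

      - name: "Build image: airlock_processor"
        if: |
          (steps.filter.outputs.airlock_processor == 'true'
          || github.event_name == 'workflow_dispatch')
          && steps.check_airlock_processor_test_result.outputs.files_exists == 'false'
        uses: docker/build-push-action@v5
        with:
          context: ./airlock_processor/
          file: ./airlock_processor/Dockerfile
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # always() so results are published even when a test image failed
      - name: Upload Unit Test Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: test-results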