Skip to content

Merge pull request #130 from wallarm/NODE-5847 #87

Merge pull request #130 from wallarm/NODE-5847

Merge pull request #130 from wallarm/NODE-5847 #87

Workflow file for this run

name: Build release
on:
push:
tags:
- '[0-9]+.[0-9]+.[0-9]+\-[0-9]+'
- '[0-9]+.[0-9]+.[0-9]+\-rc[0-9]+'
permissions:
contents: read
security-events: write
jobs:
build:
name: Build and push
runs-on: self-hosted-amd64-1cpu
outputs:
release_type: ${{ steps.check_release.outputs.type }}
env:
CONTAINER_VERSION: ${{ github.ref_name }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3.0.2
- name: Import secrets
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
id: secrets
with:
exportEnv: false
url: ${{ secrets.VAULT_URL }}
role: ${{ secrets.VAULT_ROLE }}
method: kubernetes
path: kubernetes-ci
secrets: |
kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
- name: Login
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446
with:
username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}
- name: Check release type
id: check_release
run: |
TYPE="production"
if [[ ${CONTAINER_VERSION} =~ "rc" ]]; then
TYPE="release-candidate"
fi
echo "Release type: ${TYPE}"
echo "type=${TYPE}" >> $GITHUB_OUTPUT
- name: Build and push
run: make BUILDX_ARGS=--push build
- name: Push latest
if: steps.check_release.outputs.type == 'production'
run: make push-latest
sign:
name: Sign images
runs-on: self-hosted-amd64-1cpu
needs:
- build
if: needs.build.outputs.release_type == 'production'
steps:
- name: Import secrets
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
id: secrets
with:
exportEnv: false
url: ${{ secrets.VAULT_URL }}
role: ${{ secrets.VAULT_ROLE }}
method: kubernetes
path: kubernetes-ci
secrets: |
kv-gitlab-ci/data/node/build/cosign password | COSIGN_PASSWORD ;
kv-gitlab-ci/data/node/build/cosign private_key | COSIGN_PRIVATE_KEY ;
kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
- name: Docker login
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446
with:
username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}
- name: Sign image
id: sign
env:
IMAGE_NAME: docker.io/wallarm/node:${{ github.ref_name }}
COSIGN_PRIVATE_KEY: ${{ steps.secrets.outputs.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ steps.secrets.outputs.COSIGN_PASSWORD }}
run: |
docker pull -q ${IMAGE_NAME}
IMAGE_TAG=$(echo ${IMAGE_NAME} | awk -F':' '{print $2}')
IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME})
IMAGE_URI=$(echo $IMAGE_DIGEST | sed -e 's/\@sha256:/:sha256-/')
SBOM_SPDX="node_${IMAGE_TAG}_spdx.json"
syft -o spdx-json ${IMAGE_NAME} > ${SBOM_SPDX}
cosign attach sbom --sbom ${SBOM_SPDX} ${IMAGE_DIGEST}
cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_URI}.sbom"
cosign sign --recursive --yes --key env://COSIGN_PRIVATE_KEY ${IMAGE_DIGEST}
echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT
- name: Upload SBOM
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b
with:
retention-days: 30
name: ${{ steps.sign.outputs.sbom }}
path: ${{ steps.sign.outputs.sbom }}
update_version:
name: Update package version
if: needs.build.outputs.release_type == 'production'
runs-on: self-hosted-amd64-1cpu
needs: build
steps:
- name: Import secrets
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
id: secrets
with:
exportEnv: true
url: ${{ secrets.VAULT_URL }}
role: ${{ secrets.VAULT_ROLE }}
method: kubernetes
path: kubernetes-ci
secrets: |
kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN ;
kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN_NAME ;
kv-gitlab-ci/data/github/shared/versions-repo-creds host | GITLAB_HOST ;
kv-gitlab-ci/data/github/shared/versions-repo-creds repo | GITLAB_REPO ;
- name: Update package version
env:
COMPONENT_NAME: wallarm-nginx-docker
COMPONENT_VERSION: ${{ github.ref_name }}
run: |
PR_BRANCH="update/${COMPONENT_NAME}/${COMPONENT_VERSION}"
COMMIT_MESSAGE="Bump ${COMPONENT_NAME} version to ${COMPONENT_VERSION}"
GITLAB_REPO_URL="https://${GITLAB_TOKEN_NAME}:${GITLAB_TOKEN}@${GITLAB_HOST}/${GITLAB_REPO}"
git clone ${GITLAB_REPO_URL}
cd packages_versions
git checkout -b ${PR_BRANCH}
git config --local user.name 'project_808_bot'
git config --local user.email 'project808_bot@noreply.${GITLAB_HOST}'
cd packages_versions
cat latest.json | jq -r '.body."'"$COMPONENT_NAME"'" += ["'"$COMPONENT_VERSION"'"]' > latest.new.json
mv latest.new.json latest.json
git add latest.json
git commit -m "${COMMIT_MESSAGE}"
git push ${GITLAB_REPO_URL} ${PR_BRANCH}
glab auth login --hostname ${GITLAB_HOST} --token ${GITLAB_TOKEN}
echo "Creating merge request ..."
glab mr create \
--fill \
--yes \
--label ${COMPONENT_NAME} \
--source-branch ${PR_BRANCH} \
--repo https://${GITLAB_HOST}/${GITLAB_REPO}
echo "Approving merge request ..."
glab mr approve \
${PR_BRANCH} \
--repo https://${GITLAB_HOST}/${GITLAB_REPO}
# Sometimes merging is failed without delay
echo "Sleep ..."
sleep 20
echo "Merging ..."
glab mr merge \
${PR_BRANCH} \
--yes \
--remove-source-branch \
--when-pipeline-succeeds=false \
--repo https://${GITLAB_HOST}/${GITLAB_REPO}
scan:
name: Vulnerability scanner
runs-on: self-hosted-amd64-1cpu
needs: build
steps:
- name: Import secrets
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
id: secrets
with:
exportEnv: false
url: ${{ secrets.VAULT_URL }}
role: ${{ secrets.VAULT_ROLE }}
method: kubernetes
path: kubernetes-ci
secrets: |
kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
- name: Docker Scout
uses: docker/scout-action@v1
with:
command: cves
image: docker.io/wallarm/node:${{ github.ref_name }}
to: docker.io/wallarm/node:latest
only-severities: critical,high
sarif-file: sarif.output.json
dockerhub-user: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
dockerhub-password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}
- name: Upload scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: needs.build.outputs.release_type == 'production'
with:
sarif_file: sarif.output.json
token: ${{ github.token }}