Skip to content

Consistent labeling for resources managed by the Application contro… #130

Consistent labeling for resources managed by the Application contro…

Consistent labeling for resources managed by the Application contro… #130

Workflow file for this run

name: Main
## This Github Action workflow is triggered, if code is pushed to the main branch or a Pull Request
## (PR) is opened / edited from the dev branch.
## In real world scenario, pushing directly to the main branch should be blocked.
on:
push:
branches: [main]
## Adding this allows us to trigger this workflow manually (Just for debugging purposes).
workflow_dispatch: {}
jobs:
scan_sourcecode:
name: Scanning sourcecode to find vulberabilities, misconfigurations and exposed secrets
runs-on: ubuntu-latest
permissions:
contents: write
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Create outputs directory
run: mkdir -p ./outputs/trivy
- name: Run Trivy vulnerability and secret scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: .
trivy-config: trivy.yaml
format: sarif
output: ./outputs/trivy/fs-scan-result.sarif
- name: Upload the scan result as Github artifact
uses: actions/upload-artifact@v3
with:
name: trivy.fs-scan-result.sarif
path: ./outputs/trivy/fs-scan-result.sarif
- name: Detect IaC vulnerabilities and misconfigurations using Trivy
uses: aquasecurity/trivy-action@master
with:
scan-type: config
scan-ref: .
trivy-config: trivy.yaml
format: sarif
output: ./outputs/trivy/config-scan-result.sarif
- name: Upload the scan result as Github artifact
uses: actions/upload-artifact@v3
with:
name: trivy.config-scan-result.sarif
path: ./outputs/trivy/config-scan-result.sarif
## The Trivy scan results will be uploaded to Github CodeQL only when code is being pushed to
## the main branch.
- name: Upload the scan results to Github CodeQL
if: github.ref == 'refs/heads/main'
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./outputs/trivy
build_push_sign_and_scan_container_images:
name: Build, push, sign and scan container images
runs-on: ubuntu-latest
permissions:
packages: write
contents: write
security-events: write
strategy:
matrix:
microservice:
- name: users-microservice
path: backend/microservices/users
manifest: kubernetes/manifests/microservices/users/application.yaml
path_filters: |
changed:
- backend/microservices/users/**
- backend/lib.rs
- backend/sql/mod.rs
- name: profiles-microservice
path: backend/microservices/profiles
manifest: kubernetes/manifests/microservices/profiles/application.yaml
path_filters: |
changed:
- backend/microservices/profiles/**
- backend/lib.rs
- backend/sql/mod.rs
- name: followships-microservice
path: backend/microservices/followships
manifest: kubernetes/manifests/microservices/followships/application.yaml
path_filters: |
changed:
- backend/microservices/followships/**
- backend/lib.rs
- backend/sql/mod.rs
- name: posts-microservice
path: backend/microservices/posts
manifest: kubernetes/manifests/microservices/posts/application.yaml
path_filters: |
changed:
- backend/microservices/posts/**
- backend/lib.rs
- backend/sql/mod.rs
- name: feeds-microservice
path: backend/microservices/feeds
manifest: kubernetes/manifests/microservices/feeds/application.yaml
path_filters: |
changed:
- backend/microservices/feeds/**
- backend/lib.rs
- backend/sql/mod.rs
- name: gateway
path: backend/gateway
manifest: kubernetes/manifests/microservices/gateway/application.yaml
path_filters: |
changed:
- backend/gateway/**
- go.work.sum
- name: application-controller
path: kubernetes/operators/application
manifest: kubernetes/manifests/application-controller/deployment.yaml
path_filters: |
changed:
- kubernetes/operators/application/**
- go.work.sum
steps:
- name: Checkout code
uses: actions/checkout@v3
## If sourcecode of the microservice has changed, only then we will rebuild, push, sign
## and scan the container image.
- name: Detect sourcecode change
uses: dorny/paths-filter@v2
id: path-filter
with:
base: ${{ github.ref }}
filters: ${{ matrix.microservice.path_filters }}
- name: Set up QEMU
if: steps.path-filter.outputs.changed == 'true'
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
if: steps.path-filter.outputs.changed == 'true'
uses: docker/setup-buildx-action@v2
- name: Login to GitHub Container Registry
if: steps.path-filter.outputs.changed == 'true'
uses: docker/[email protected]
with:
registry: ghcr.io
username: archisman-mridha
password: ${{ secrets.GITHUB_TOKEN }}
- name: Restore cached Cargo dependencies (if exists)
if: steps.path-filter.outputs.changed == 'true'
uses: actions/cache/restore@v3
with:
path: |
/usr/local/cargo/registry/
target/
key: ${{ runner.os }}-cargo-${{ matrix.microservice.name }}-${{ hashFiles('**/Cargo.lock') }}
- name: Build and push AMD64 container image
if: steps.path-filter.outputs.changed == 'true'
uses: docker/build-push-action@v4
with:
context: .
file: ${{ matrix.microservice.path }}/Dockerfile
## It takes pretty long to build container images for the ARM64 platform (even when using
## QEMU). So skipping it !
platforms: linux/amd64
push: true
tags: ghcr.io/archisman-mridha/instagram-clone-${{ matrix.microservice.name }}:${{ github.sha }}
## Experimental cache exporter for GitHub Actions provided by buildx and BuildKit.
## It uses the GitHub Cache API to fetch and load the Docker layer cache blobs across
## builds.
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Cache Cargo dependencies
if: steps.path-filter.outputs.changed == 'true'
uses: actions/cache@v3
with:
path: |
/usr/local/cargo/registry/
target/
key: ${{ runner.os }}-cargo-${{ matrix.microservice.name }}-${{ hashFiles('**/Cargo.lock') }}
- name: Remove cached folders from local machine
if: steps.path-filter.outputs.changed == 'true'
run: |
rm -rf /usr/local/cargo/registry/ target/
## Cosign is a command line utility that can sign and verify software artifact, such as
## container images and blobs.
- name: Install Cosign
if: steps.path-filter.outputs.changed == 'true'
uses: sigstore/[email protected]
with:
cosign-release: v2.2.1
- name: Sign the published container image
if: steps.path-filter.outputs.changed == 'true'
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: |
mkdir -p ~/.temp
echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > ~/.temp/cosign.key
cosign sign --key ~/.temp/cosign.key \
-a "repo=instagram-clone" \
-a "owner=Archisman-Mridha" \
ghcr.io/archisman-mridha/instagram-clone-${{ matrix.microservice.name }}:${{ github.sha }} -y
- name: Create outputs directory
if: steps.path-filter.outputs.changed == 'true'
run: mkdir -p ./outputs/trivy
- name: Scan container image for vulnerabilities
if: steps.path-filter.outputs.changed == 'true'
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/archisman-mridha/instagram-clone-${{ matrix.microservice.name }}:${{ github.sha }}
ignore-unfixed: true
vuln-type: os,library
trivy-config: trivy.yaml
format: sarif
output: ./outputs/trivy/${{ matrix.microservice.name }}.container-image-scan-result.sarif
- name: Upload the scan result as Github artifact
if: steps.path-filter.outputs.changed == 'true'
uses: actions/upload-artifact@v3
with:
name: trivy.${{ matrix.microservice.name }}-microservice.container-image-scan-result.sarif
path: ./outputs/trivy/${{ matrix.microservice.name }}.container-image-scan-result.sarif
- name: Update container image tag in Kubernetes manifests
if: steps.path-filter.outputs.changed == 'true'
run: |
git config --global user.name "Archisman-Mridha"
git config --global user.email "[email protected]"
git config --global pull.rebase false
git pull origin main -f
sed -i 's/instagram-clone-\(.*\):[[:alnum:]]\+/instagram-clone-\1:${{ github.sha }}/g' ${{ matrix.microservice.manifest }}
git add .
git commit -m "🤖 Update container image tag for ${{ matrix.microservice.name }} to ${{ github.sha }}"
git push --set-upstream origin main