Create, Scan and Publish KAITO image #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Create, Scan and Publish KAITO image | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release_version: | |
| description: 'tag to be created for this image (i.e. vxx.xx.xx)' | |
| required: true | |
| pull_request: | |
| types: [ closed ] | |
| permissions: | |
| id-token: write | |
| contents: write | |
| packages: write | |
| env: | |
| GO_VERSION: '1.20' | |
| IMAGE_NAME: 'workspace' | |
| REGISTRY: ghcr.io | |
| jobs: | |
| check-tag: | |
| if: >- | |
| github.event_name == 'workflow_dispatch' || | |
| ( | |
| github.event_name == 'pull_request' && | |
| github.event.pull_request.merged == true && | |
| contains(github.event.pull_request.title, 'update manifest and helm charts') | |
| ) | |
| runs-on: ubuntu-latest | |
| environment: preset-env | |
| outputs: | |
| tag: ${{ steps.get-tag.outputs.tag }} | |
| steps: | |
| - name: validate version | |
| if: github.event_name == 'workflow_dispatch' | |
| run: | | |
| echo "${{ github.event.inputs.release_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+$' | |
| - id: get-tag | |
| name: Get tag | |
| run: | | |
| if [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then | |
| echo "tag=$(echo ${{ github.event.inputs.release_version }})" >> $GITHUB_OUTPUT | |
| else | |
| echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - id: check-tag | |
| name: Check for Tag | |
| run: | | |
| TAG="${{ steps.get-tag.outputs.tag }}" | |
| if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then | |
| echo "create_tag=$(echo 'false' )" >> $GITHUB_OUTPUT | |
| else | |
| echo "create_tag=$(echo 'true' )" >> $GITHUB_OUTPUT | |
| fi | |
| - name: 'Create tag' | |
| if: steps.check-tag.outputs.create_tag == 'true' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| github.rest.git.createRef({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| ref: 'refs/tags/${{ steps.get-tag.outputs.tag }}', | |
| sha: context.sha | |
| }) | |
| build-scan-publish-gh-images: | |
| runs-on: ubuntu-latest | |
| needs: [ check-tag ] | |
| environment: preset-env | |
| steps: | |
| - id: get-registry | |
| run: | | |
| # registry must be in lowercase | |
| echo "registry_repository=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT | |
| - id: get-tag | |
| name: Get tag | |
| run: | | |
| echo "IMG_TAG=$(echo ${{ needs.check-tag.outputs.tag }} | tr -d v)" >> $GITHUB_ENV | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| submodules: true | |
| fetch-depth: 0 | |
| ref: ${{ needs.check-tag.outputs.tag }} | |
| - name: Login to ${{ steps.get-registry.outputs.registry_repository }} | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build image | |
| run: | | |
| OUTPUT_TYPE=type=registry make docker-build-kaito | |
| env: | |
| VERSION: ${{ needs.check-tag.outputs.tag }} | |
| REGISTRY: ${{ steps.get-registry.outputs.registry_repository }} | |
| - name: Scan ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| timeout: '5m0s' | |
| env: | |
| TRIVY_USERNAME: ${{ github.actor }} | |
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| run-e2e-gh-image: | |
| needs: [ check-tag, build-scan-publish-gh-images ] | |
| uses: ./.github/workflows/e2e-workflow.yml | |
| with: | |
| git_sha: ${{ github.sha }} | |
| isRelease: true | |
| registry: ${{ needs.get-registry.outputs.registry_repository }} | |
| tag: ${{ needs.check-tag.outputs.tag }} | |
| secrets: | |
| E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
| E2E_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
| E2E_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| E2E_AMRT_SECRET_NAME: ${{ secrets.AMRT_SECRET_NAME }} | |
| E2E_ACR_AMRT_USERNAME: ${{ secrets.ACR_AMRT_USERNAME }} | |
| E2E_ACR_AMRT_PASSWORD: ${{ secrets.ACR_AMRT_PASSWORD }} | |
| publish-mcr-image: | |
| runs-on: ubuntu-latest | |
| environment: preset-env | |
| needs: [ check-tag, run-e2e-gh-image ] | |
| steps: | |
| - name: 'Dispatch release tag' | |
| uses: peter-evans/repository-dispatch@v3 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| event-type: publish-mcr-image | |
| client-payload: '{"tag": "${{ needs.check-tag.outputs.tag }}"}' |