Cleanup github action yaml file
ukanga committed Jun 24, 2024
1 parent 8f728de commit 18b00dc
Showing 2 changed files with 68 additions and 33 deletions.
75 changes: 55 additions & 20 deletions .github/workflows/ecr-image-build-w-arm-runner.yml
@@ -1,13 +1,15 @@
---
name: AWS ECR Build Image with ARM Runner

on:
on: # yamllint disable-line rule:truthy
release:
types:
- "released"
types:
- "released"
push:
branches:
- "main"
- "*-rc"
- "fix-arm-build"
tags:
- "v*"

Expand Down Expand Up @@ -68,34 +70,49 @@ jobs:

- name: Get the branch name
id: get-branch-name
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
if: >
github.event_name == 'push'
|| github.event_name == 'workflow_dispatch'
run: echo "version=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV

- name: Get docker repository URL
id: get-repo-url
run: |
echo "docker_repo=${{ steps.login-ecr.outputs.registry }}\
"/onaio/onadata:${{ env.version || github.ref_name }}"\
>> $GITHUB_ENV
- name: (Ubuntu) Build and push
id: docker-build-ubuntu
uses: docker/build-push-action@v5
with:
context: .
file: ./docker/onadata-uwsgi/Dockerfile.ubuntu
platforms: ${{ matrix.platforms[0] }}
cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ env.version || github.ref_name }}
cache-from: type=registry,ref=${{ env.docker_repo }}
cache-to: type=inline
ssh: |
default=/tmp/ssh-agent.sock
build-args: |
optional_packages=PyYAML django-redis ${{ secrets.ECR_OPTIONAL_PACKAGES }}
build-args: >
optional_packages=PyYAML
django-redis
${{ secrets.ECR_OPTIONAL_PACKAGES }}
push: true
labels: ${{ steps.meta.outputs.labels }}
provenance: false
outputs: type=image,name=${{ steps.login-ecr.outputs.registry }}/onaio/onadata,push-by-digest=true,name-canonical=true,push=true
-
name: Export digest
outputs: >
type=image,
name=${{ steps.login-ecr.outputs.registry }}/onaio/onadata,
push-by-digest=true,
name-canonical=true,
push=true
- name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.docker-build-ubuntu.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
-
name: Upload digest
- name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digests-${{ env.PLATFORM_PAIR }}
Expand Down Expand Up @@ -141,17 +158,24 @@ jobs:
- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ steps.login-ecr.outputs.registry }}/onaio/onadata@sha256:%s ' *)
docker buildx imagetools create \
$(jq -cr '.tags | map("-t " + .) | join(" ")' \
<<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ steps.login-ecr.outputs.registry }}\
/onaio/onadata@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect \
${{ steps.login-ecr.outputs.registry }}/onaio/onadata\
:${{ steps.meta.outputs.version }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }}
image-ref: |
${{ steps.login-ecr.outputs.registry }}\
/onaio/onadata:${{ steps.meta.outputs.version }}
format: 'sarif'
output: 'trivy-results.sarif'

Expand All @@ -164,13 +188,19 @@ jobs:
- name: Run Trivy vulnerability scanner for Slack
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }}
image-ref: |
${{ steps.login-ecr.outputs.registry }}\
/onaio/onadata:${{ steps.meta.outputs.version }}
format: json
output: 'trivy-results.json'

- name: Create summary of trivy issues
run: |
summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
summary=$(jq -r '.Results[] | select(.Vulnerabilities) \
| .Vulnerabilities | group_by(.Severity) \
| map({Severity: .[0].Severity, Count: length}) \
| .[] | [.Severity, .Count] | join(": ")' trivy-results.json \
| awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
if [ -z $summary ]
then
summary="0 Issues"
Expand All @@ -182,7 +212,8 @@ jobs:
with:
payload: |
{
"text": "Trivy scan results for ${{ steps.meta.outputs.version }}",
"text":
"Trivy scan results for ${{ steps.meta.outputs.version }}",
"blocks": [
{
"type": "section",
Expand All @@ -195,7 +226,11 @@ jobs:
"type": "section",
"text": {
"type": "mrkdwn",
"text": "View scan results: https://github.com/${{ github.repository }}/security/code-scanning?query=branch:${{ env.version || github.ref_name }}+is:open++"
"text": "View scan results: \
https://github.com/${{ github.repository }}\
/security/code-scanning\
?query=branch:${{ env.version || github.ref_name }}\
+is:open++"
}
}
]
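Review bot: Most of the backslash line continuations added in this section sit where a backslash is not a continuation — inside the single-quoted printf format of the `Create manifest list and push` step, inside the single-quoted jq filter of the `Create summary of trivy issues` step, inside the `image-ref: |` literal blocks of both Trivy steps, and inside a JSON string of the Slack `payload` — so the `\` and the newline are passed through as data (a YAML `|` block does no escape processing, bash keeps both characters inside single quotes, and `\` followed by a raw newline is not a valid JSON escape). The jq case matters most: the filter no longer parses, but `summary=$(… | awk …)` takes awk's exit status, so the step still succeeds and the Slack message reports `0 Issues` regardless of what Trivy found. The `Get docker repository URL` echo also contains three double quotes as printed, leaving the last string unterminated, and the folded `outputs: >` scalar now inserts a space after every comma, which I would confirm buildx's CSV parsing tolerates before relying on it. Keep each of these values on one physical line, and where a line is long only because of `${{ }}` interpolation, pass the expression through a step-level `env:` entry rather than splicing it into the script, which also keeps branch and tag names from being evaluated as shell text.
```yaml
- name: Get docker repository URL
  id: get-repo-url
  env:
    REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    IMAGE_TAG: ${{ env.version || github.ref_name }}
  run: |
    echo "docker_repo=${REGISTRY}/onaio/onadata:${IMAGE_TAG}" >> "$GITHUB_ENV"
# … unchanged: build-and-push, digest export/upload, manifest and inspect steps …
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }}
    # … unchanged: format, output …
```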
26 changes: 13 additions & 13 deletions docker/onadata-uwsgi/Dockerfile.ubuntu
@@ -1,13 +1,13 @@
FROM onaio/python-deps:3.10.14 as base
FROM onaio/python-deps:3.10.14 AS base

ARG optional_packages

# Silence configuration prompts
ENV DEBIAN_FRONTEND noninteractive
ENV DEBIAN_FRONTEND=noninteractive

ENV PYTHONUNBUFFERED 1
ENV PYTHONUNBUFFERED=1

ENV DJANGO_SETTINGS_MODULE onadata.settings.docker
ENV DJANGO_SETTINGS_MODULE=onadata.settings.docker

USER root

Expand Down Expand Up @@ -35,10 +35,10 @@ RUN python -m pip install --no-cache-dir -U pip && \
python -m pip install --no-cache-dir -r requirements/azure.pip && \
python -m pip install --no-cache-dir pyyaml==6.0.1 uwsgitop==0.12 supervisor==4.2.5

FROM base as docs
FROM base AS docs

ENV PYENV_ROOT="$HOME/.pyenv"
ENV PATH $PYENV_ROOT/versions/3.10.14/bin:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PATH
ENV PATH=$PYENV_ROOT/versions/3.10.14/bin:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PATH
COPY --from=base /home/appuser/.pyenv/ /home/appuser/.pyenv/
COPY --from=base /srv/onadata/ /srv/onadata/

Expand All @@ -53,18 +53,18 @@ RUN python -m pip install --no-cache-dir -r requirements/docs.pip && \
make -C docs html


FROM ubuntu:jammy-20240405 as runtime
FROM ubuntu:jammy-20240405 AS runtime

ENV DEBIAN_FRONTEND noninteractive
ENV DEBIAN_FRONTEND=noninteractive

# Install prerequisite packages
RUN apt-get update -q && \
apt-get install -y --no-install-recommends locales netcat

# # Generate and set en_US.UTF-8 locale
RUN locale-gen en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV LC_CTYPE en_US.UTF-8
ENV LC_ALL=en_US.UTF-8
ENV LC_CTYPE=en_US.UTF-8
RUN dpkg-reconfigure locales


Expand Down Expand Up @@ -93,9 +93,9 @@ RUN chown -R appuser:appuser /srv/onadata /home/appuser/.pyenv
USER appuser
WORKDIR /srv/onadata

ENV HOME /home/appuser
ENV PYTHON_VERSION 3.10.14
ENV HOME=/home/appuser
ENV PYTHON_VERSION=3.10.14
ENV PYENV_ROOT="$HOME/.pyenv"
ENV PATH $PYENV_ROOT/versions/3.10.14/bin:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PATH
ENV PATH=$PYENV_ROOT/versions/3.10.14/bin:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PATH

CMD ["uwsgi", "--ini", "uwsgi.ini"]
