diff --git a/.github/workflows/base-build-image.yml b/.github/workflows/base-build-image.yml new file mode 100644 index 0000000..5b165c6 --- /dev/null +++ b/.github/workflows/base-build-image.yml @@ -0,0 +1,58 @@ +name: Build base images (Generally from basin repo) + +on: + workflow_call: + inputs: + image_tag: + required: true + type: string + +jobs: + docker-build-and-push: + + runs-on: ubuntu-22.04 #ubuntu-latest + + steps: + - id: get-id + name: Get a unique tag for this build + run: | + echo "DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; + + - name: Print image name + run: | + echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + + - uses: actions/checkout@v4 + + - name: Login to Docker Container Registry + # if: ${{ github.event_name == 'push' }} + uses: docker/login-action@v3 + with: + registry: ${{ vars.docker_repo2_registry }} + username: ${{ vars.docker_repo2_username }} + password: ${{ vars.docker_repo2_password }} + + - name: Build and push the Docker image + run: | + docker build \ + --file context/Dockerfile \ + --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ + ./context; + + - name: Container details + run: | + IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; + echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + + - name: Scan Docker Image for vulnerabilities with Grype + uses: anchore/scan-action@v6 + with: + image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} + cache-db: true #Cache Grype DB in Github Actions + output-format: table + only-fixed: true + severity-cutoff: critical + fail-build: true + + - name: Push the container image + run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} diff --git a/.github/workflows/pr-lint-and-check.yml b/.github/workflows/pr-lint-and-check.yml index 64443b8..daa0b32 100644 --- a/.github/workflows/pr-lint-and-check.yml +++ b/.github/workflows/pr-lint-and-check.yml 
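Review bot: The login step of the new base-build-image.yml reads the registry password from `vars.docker_repo2_password`, a repository/organization variable, while the container-push.yml and pr-image-scan.yml hunks of this same commit move the identical three values to `secrets.docker_repo2_*`; variables are not masked in job logs and are readable by anyone with read access to the repository, so a password must not live there. Change the line to `password: ${{ secrets.docker_repo2_password }}` (and the username likewise if that is where the other workflows now keep it). Separately, `${{ inputs.image_tag }}` is interpolated straight into the `run:` script of the get-id step; routing it through an `env:` entry such as `IMAGE_TAG: ${{ inputs.image_tag }}` and writing `"$IMAGE_TAG"` in the script keeps any shell metacharacters in a caller-supplied tag from being interpreted by the shell. Pinning `actions/checkout@v4`, `docker/login-action@v3` and `anchore/scan-action@v6` to full commit SHAs would also make the build reproducible against a tag being moved.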
@@ -13,8 +13,6 @@ jobs: - uses: actions/setup-node@v4 with: node-version: 22 - registry-url: ${{ vars.NPM_REGISTRY }} - token: ${{ secrets.NPM_TOKEN }} - name: Install npm dependencies run: | diff --git a/.github/workflows/container-push.yml b/.github/workflows/push-container.yml similarity index 88% rename from .github/workflows/container-push.yml rename to .github/workflows/push-container.yml index a9f7221..2fbdcf5 100644 --- a/.github/workflows/container-push.yml +++ b/.github/workflows/push-container.yml @@ -7,7 +7,8 @@ env: REPO: ${{ github.repository }} jobs: - container-push: + + container-build-and-push: runs-on: ubuntu-22.04 steps: - id: get-id @@ -29,9 +30,9 @@ jobs: - name: Login to docker container registry uses: docker/login-action@v3 with: - registry: ${{ vars.docker_repo2_registry }} - username: ${{ vars.docker_repo2_username }} - password: ${{ vars.docker_repo2_password }} + registry: ${{ secrets.docker_repo2_registry }} + username: ${{ secrets.docker_repo2_username }} + password: ${{ secrets.docker_repo2_password }} - name: Build the container image run: | diff --git a/.github/workflows/pr-image-scan.yml b/.github/workflows/push-image-scan.yml similarity index 88% rename from .github/workflows/pr-image-scan.yml rename to .github/workflows/push-image-scan.yml index 7a28969..326a84d 100644 --- a/.github/workflows/pr-image-scan.yml +++ b/.github/workflows/push-image-scan.yml @@ -4,7 +4,7 @@ on: workflow_call: env: - REPO: ${{ github.repository }}/temp #Add /temp for PR workflow + REPO: ${{ github.repository }}/temp #Add /temp for temporary images jobs: 
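Review bot: Moving `docker_repo2_registry` from `vars` to `secrets` in the container-push.yml login hunk has a side effect the commit does not mention: GitHub masks every occurrence of a secret's value in job logs, so the registry host embedded in `DOCKER_IMAGE` will print as `***` in the "Print build id and image name" step and in any docker push error, which makes failures harder to diagnose while protecting nothing (the hostname is part of every pushed image reference). Keep the host as `registry: ${{ vars.docker_repo2_registry }}` and reserve secrets for the username and password; the same change appears in the push-image-scan.yml hunk on the next line and in the new push-s3.yml, where the image name is still built from `vars.docker_repo2_registry` while the login uses `secrets.docker_repo2_registry`, so the two must at least agree on which source is authoritative. The job id rename `container-push` → `container-build-and-push` also changes the job's check name, so any branch-protection required check or caller `needs:` that references the old id would need updating — callers are not visible in this diff. The enclosing `jobs:` mapping continues past both hunks.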
@@ -31,9 +31,9 @@ jobs: - name: Login to docker container registry uses: docker/login-action@v3 with: - registry: ${{ vars.docker_repo2_registry }} - username: ${{ vars.docker_repo2_username }} - password: ${{ vars.docker_repo2_password }} + registry: ${{ secrets.docker_repo2_registry }} + username: ${{ secrets.docker_repo2_username }} + password: ${{ secrets.docker_repo2_password }} - name: Build the container image (quick, without PUBLIC_BUILD_VERSION) # Commenting this from docker build for speed: --build-arg PUBLIC_BUILD_VERSION=$BUILD_ID \ diff --git a/.github/workflows/push-npm.yml b/.github/workflows/push-npm.yml new file mode 100644 index 0000000..5b67bc6 --- /dev/null +++ b/.github/workflows/push-npm.yml @@ -0,0 +1,47 @@ +name: Reusable container push workflow + +on: + workflow_call: + +env: + REPO: ${{ github.repository }} + +jobs: + + npm-push: + runs-on: ubuntu-22.04 + permissions: + # Give the default GITHUB_TOKEN write permission to commit and push the + # added or changed files to the repository. + contents: write + + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: 22 + registry-url: ${{ vars.NPM_REGISTRY }} + token: ${{ secrets.NPM_TOKEN }} + + - name: Install npm dependencies + run: | + npm install -g pnpm + pnpm install + + - run: pnpm build + + - name: Increment package version and push + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + git config --global user.name 'bot-build' + git config --global user.email 'techbots+build@gmetri.com' + + export N=`node -p require\(\'./package.json\'\).name` && echo $N + pnpm version patch --message "v%s: $N [CI SKIP]" + + npm publish + + git push origin + git push --tags origin diff --git a/.github/workflows/push-s3.yml b/.github/workflows/push-s3.yml new file mode 100644 index 0000000..5b4b9ca --- /dev/null +++ b/.github/workflows/push-s3.yml 
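Review bot: In the new push-npm.yml the `actions/setup-node@v4` step passes `token: ${{ secrets.NPM_TOKEN }}`, but setup-node's `token` input is the GitHub token it uses to download Node distributions, not the npm registry credential — the npm publish token is therefore sent to the GitHub API instead of the registry, and `npm publish` later in the job has no registry auth unless `NODE_AUTH_TOKEN` is set somewhere not visible here. Drop the `token:` line and add `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` under the `env:` of the "Increment package version and push" step, which is how the `.npmrc` that `registry-url:` writes picks up the credential. The workflow `name: Reusable container push workflow` does not match a job that builds and publishes an npm package; `name: Reusable npm publish workflow` would avoid confusion in the Actions UI. The `export N=\`node -p require\(\'./package.json\'\).name\`` line relies on shell unescaping to reconstruct the JavaScript; `N=$(node -p "require('./package.json').name")` is the same command written plainly. The `REPO` env value does not appear to be used by any step in this file.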
@@ -0,0 +1,73 @@ +name: Docker Image CI + +on: + workflow_call: + +# Org Secrets are available on push event. Not pull_request event. + +env: + REPO: ${{ github.repository }} + REPO_SHORT_NAME: ${{ github.event.repository.name }} + +jobs: + + s3-push: + runs-on: ubuntu-22.04 + steps: + - id: get-id + name: Get a unique tag for this build + run: | + SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }}; + BUILD_ID=$BRANCH_NAME-${SHA:0:8}; + DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID; + echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"; + echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"; + + - name: Print build id and image name + run: | + echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}"; + echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; + + - uses: actions/checkout@v4 + + - name: Login to docker container registry + uses: docker/login-action@v3 + with: + registry: ${{ secrets.docker_repo2_registry }} + username: ${{ secrets.docker_repo2_username }} + password: ${{ secrets.docker_repo2_password }} + + - name: Build the container image + run: | + docker build \ + --build-arg PUBLIC_BUILD_VERSION=${{ steps.get-id.outputs.BUILD_ID }} \ + --file fab/d/actions-build.Dockerfile \ + --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \ + .; + + - name: Extract cloud files + run: | + image=${{ steps.get-id.outputs.DOCKER_IMAGE }} + source_path=/cloud + destination_path=cloud + + container_id=$(docker create "$image") + docker cp "$container_id:$source_path" "$destination_path" + docker rm "$container_id" + + echo "Running: ls $destination_path" + ls $destination_path + + - name: Upload cloud files + uses: sahil87/aws-cli-action@v1.3 + env: + AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }} + AWS_DEFAULT_REGION: ${{ vars.aws_default_region }} + with: + args: > + s3 cp \ + --recursive \ + --cache-control max-age=31536000\ + --storage-class 'STANDARD_IA' \ 
+ cloud/ s3://${{ vars.aws_upload_bucket }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }}
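Review bot: In push-s3.yml's get-id step, `${{ github.base_ref || github.ref_name }}` and `${{ vars.docker_repo2_registry }}` are expanded by the Actions runner directly into the shell script before it runs, so a branch name containing shell metacharacters is executed rather than treated as data; GitHub's hardening guidance is to pass such values through `env:` and reference them as quoted shell variables, and the rewritten step below does that while producing the same `BUILD_ID` and `DOCKER_IMAGE` outputs. In the upload step the `args: >` folded scalar turns each line break into a space, so the trailing backslashes are not line continuations but literal characters handed to the action, and `--cache-control max-age=31536000\` lacks the space the other lines have; unless sahil87/aws-cli-action is known to strip them, write the arguments as one folded line without backslashes, e.g. `args: >- s3 cp --recursive --cache-control max-age=31536000 --storage-class STANDARD_IA cloud/ s3://...`. That action is a third-party step receiving the AWS keys, so pinning it to a full commit SHA rather than `@v1.3` would limit exposure to a moved tag. The registry host is read from `vars` when building the image name but from `secrets` in the login step; the two should use the same source (see the container-push.yml note).

```yaml
- id: get-id
  name: Get a unique tag for this build
  env:
    SHA: ${{ github.sha }}
    BRANCH_NAME: ${{ github.base_ref || github.ref_name }}
    REGISTRY: ${{ vars.docker_repo2_registry }}
  run: |
    BUILD_ID="$BRANCH_NAME-${SHA:0:8}"
    DOCKER_IMAGE="$REGISTRY/$REPO:$BUILD_ID"
    echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"
    echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"
# … unchanged: print, checkout, login, build, extract and upload steps …
```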