New workflow variables selectors #273

Workflow file for this run

.github/workflows/docker-publish.yml at c67f782

	name: Build and update app

	permissions:
	contents: write
	pull-requests: write

	env:
	#variables related with the repository
	REPOSITORY_MAIN_BRANCH: "master"
	#variables related with the docker imager registry
	DOCKER_IMAGE_REPOSITORY: ikcap
	DOCKER_IMAGE_NAME: disk_frontend
	DOCKER_FILE: ".Dockerfile-actions"
	#variables related with the continuous delivery
	MANIFEST_REPOSITORY: KnowledgeCaptureAndDiscovery/k8s
	MANIFEST_REPOSITORY_BRANCH: master
	MANIFEST_REPOSITORY_PATH: disk-server/disk/bikes
	NEURO_MANIFEST_REPOSITORY_PATH: disk-server/disk/neuro
	CLIMATE_MANIFEST_REPOSITORY_PATH: disk-server/disk/climate
	DEV_MANIFEST_REPOSITORY_PATH: disk-server/disk/dev
	KUSTOMIZE_IMAGE_NAME: frontend-image-prod

	#security level
	VULNERABILITY_SCAN_LEVEL: "CRITICAL"

	on:
	push:
	branches:
	- "*"
	tags:
	- v*
	pull_request:

	jobs:
	yarn:
	runs-on: ubuntu-latest
	strategy:
	matrix:
	node-version: [14.x]
	steps:
	- uses: actions/checkout@v2
	- name: Use Node.js ${{ matrix.node-version }}
	uses: actions/setup-node@v2
	with:
	node-version: ${{ matrix.node-version }}

	- name: Get Yarn cache directory
	id: yarn-cache-dir-path
	run: echo "::set-output name=dir::$(yarn cache dir)"

	- name: Use Yarn cache
	uses: actions/cache@v2
	id: yarn-cache
	with:
	path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
	key: ${{ runner.os }}-yarn-${{ matrix.node-version }}-${{ hashFiles('**/yarn.lock') }}

	- name: Install dependencies
	run: yarn install --prefer-offline --frozen-lockfile

	- name: Build (webpack)
	run: CI=false; yarn build

	- uses: actions/upload-artifact@v2
	with:
	name: nextjs-build
	path: ./build/
	retention-days: 1

	build:
	needs: yarn
	name: Create Docker image
	runs-on: ubuntu-latest
	if: github.event_name == 'push'
	steps:
	- uses: actions/checkout@v2

	- uses: actions/download-artifact@v2
	with:
	name: nextjs-build
	path: build/

	- name: Create value as an environment variable
	run: \|
	echo "DOCKER_TAG=${GITHUB_SHA}" >> $GITHUB_ENV
	- name: Expose value
	id: exposeValue
	run: \|
	echo "::set-output name=docker_tag::${{ env.DOCKER_TAG }}"

	- name: Login to DockerHub
	uses: docker/login-action@v1
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Build and push Docker image
	uses: docker/[email protected]
	if: github.event_name != 'pull_request'
	with:
	push: true
	context: .
	tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_TAG }},${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:latest
	file: ${{ env.DOCKER_FILE}}
	outputs:
	docker_tag: ${{ steps.exposeValue.outputs.docker_tag }}

	security:
	permissions:
	contents: read
	security-events: write
	packages: write
	name: "Scan vulnerabilities in the image"
	needs: [build]
	runs-on: ubuntu-latest
	steps:
	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
	with:
	image-ref: ${{ env.DOCKER_IMAGE_REPOSITORY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
	format: "template"
	template: "@/contrib/sarif.tpl"
	output: "trivy-results.sarif"
	severity: ${{ env.VULNERABILITY_SCAN_LEVEL }}
	exit-code: "0"
	ignore-unfixed: "true"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v1
	if: always()
	with:
	sarif_file: "trivy-results.sarif"

	update:
	# This job the container running on k8s cluster
	needs: [build, security]
	name: "Deploy the app"
	if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
	runs-on: ubuntu-latest
	steps:
	- name: Check out k8s manifests
	uses: actions/checkout@v3
	if: github.event_name != 'pull_request'
	with:
	repository: ${{ env.MANIFEST_REPOSITORY }}
	ref: ${{ env.MANIFEST_REPOSITORY_BRANCH }}
	ssh-key: ${{ secrets.BOT_SSH }}
	persist-credentials: true

	- name: Setup Kustomize
	uses: imranismail/setup-kustomize@v1
	if: github.event_name != 'pull_request'
	with:
	kustomize-version: "3.6.1"

	- name: Update Kubernetes resources
	if: github.event_name != 'pull_request'
	run: \|
	cd ${{ env.MANIFEST_REPOSITORY_PATH }}
	kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
	cat kustomization.yaml

	- name: Update Kubernetes resources neuro
	if: github.event_name != 'pull_request'
	run: \|
	cd ${{ env.NEURO_MANIFEST_REPOSITORY_PATH }}
	kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
	cat kustomization.yaml

	- name: Update Kubernetes resources climate
	if: github.event_name != 'pull_request'
	run: \|
	cd ${{ env.CLIMATE_MANIFEST_REPOSITORY_PATH }}
	kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
	cat kustomization.yaml

	- name: Update Kubernetes resources dev
	if: github.event_name != 'pull_request'
	run: \|
	cd ${{ env.DEV_MANIFEST_REPOSITORY_PATH }}
	kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
	cat kustomization.yaml

	- name: Commit files
	if: github.event_name != 'pull_request'
	run: \|
	git config --local user.email "[email protected]"
	git config --local user.name "GitHub Action"
	git commit -am "Disk frontend updated"
	- name: Push changes
	if: github.event_name != 'pull_request'
	uses: ad-m/github-push-action@master
	with:
	ssh: true
	branch: ${{ env.MANIFEST_REPOSITORY_BRANCH }}
	repository: ${{ env.MANIFEST_REPOSITORY }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

New workflow variables selectors #273

Workflow file

New workflow variables selectors #273

Jobs

Run details

Workflow file for this run