Create LICENSE #288
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and update app | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| env: | |
| #variables related with the repository | |
| REPOSITORY_MAIN_BRANCH: "master" | |
| #variables related with the docker imager registry | |
| DOCKER_IMAGE_REPOSITORY: ikcap | |
| DOCKER_IMAGE_NAME: disk_frontend | |
| DOCKER_FILE: ".Dockerfile-actions" | |
| #variables related with the continuous delivery | |
| MANIFEST_REPOSITORY: KnowledgeCaptureAndDiscovery/k8s | |
| MANIFEST_REPOSITORY_BRANCH: master | |
| MANIFEST_REPOSITORY_PATH: disk-server/disk/bikes | |
| NEURO_MANIFEST_REPOSITORY_PATH: disk-server/disk/neuro | |
| CLIMATE_MANIFEST_REPOSITORY_PATH: disk-server/disk/climate | |
| DEV_MANIFEST_REPOSITORY_PATH: disk-server/disk/dev | |
| KUSTOMIZE_IMAGE_NAME: frontend-image-prod | |
| #security level | |
| VULNERABILITY_SCAN_LEVEL: "CRITICAL" | |
| on: | |
| push: | |
| branches: | |
| - "*" | |
| tags: | |
| - v* | |
| pull_request: | |
| jobs: | |
| yarn: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| node-version: [14.x] | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Use Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@v2 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - name: Get Yarn cache directory | |
| id: yarn-cache-dir-path | |
| run: echo "::set-output name=dir::$(yarn cache dir)" | |
| - name: Use Yarn cache | |
| uses: actions/cache@v2 | |
| id: yarn-cache | |
| with: | |
| path: ${{ steps.yarn-cache-dir-path.outputs.dir }} | |
| key: ${{ runner.os }}-yarn-${{ matrix.node-version }}-${{ hashFiles('**/yarn.lock') }} | |
| - name: Install dependencies | |
| run: yarn install --prefer-offline --frozen-lockfile | |
| - name: Build (webpack) | |
| run: CI=false; yarn build | |
| - uses: actions/upload-artifact@v2 | |
| with: | |
| name: nextjs-build | |
| path: ./build/ | |
| retention-days: 1 | |
| build: | |
| needs: yarn | |
| name: Create Docker image | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: actions/download-artifact@v2 | |
| with: | |
| name: nextjs-build | |
| path: build/ | |
| - name: Create value as an environment variable | |
| run: | | |
| echo "DOCKER_TAG=${GITHUB_SHA}" >> $GITHUB_ENV | |
| - name: Expose value | |
| id: exposeValue | |
| run: | | |
| echo "::set-output name=docker_tag::${{ env.DOCKER_TAG }}" | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v1 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Build and push Docker image | |
| uses: docker/[email protected] | |
| if: github.event_name != 'pull_request' | |
| with: | |
| push: true | |
| context: . | |
| tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_TAG }},${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:latest | |
| file: ${{ env.DOCKER_FILE}} | |
| outputs: | |
| docker_tag: ${{ steps.exposeValue.outputs.docker_tag }} | |
| security: | |
| permissions: | |
| contents: read | |
| security-events: write | |
| packages: write | |
| name: "Scan vulnerabilities in the image" | |
| needs: [build] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 | |
| with: | |
| image-ref: ${{ env.DOCKER_IMAGE_REPOSITORY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }} | |
| format: "template" | |
| template: "@/contrib/sarif.tpl" | |
| output: "trivy-results.sarif" | |
| severity: ${{ env.VULNERABILITY_SCAN_LEVEL }} | |
| exit-code: "0" | |
| ignore-unfixed: "true" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v1 | |
| if: always() | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| update: | |
| # This job the container running on k8s cluster | |
| needs: [build, security] | |
| name: "Deploy the app" | |
| if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out k8s manifests | |
| uses: actions/checkout@v3 | |
| if: github.event_name != 'pull_request' | |
| with: | |
| repository: ${{ env.MANIFEST_REPOSITORY }} | |
| ref: ${{ env.MANIFEST_REPOSITORY_BRANCH }} | |
| ssh-key: ${{ secrets.BOT_SSH }} | |
| persist-credentials: true | |
| - name: Setup Kustomize | |
| uses: imranismail/setup-kustomize@v1 | |
| if: github.event_name != 'pull_request' | |
| with: | |
| kustomize-version: "3.6.1" | |
| - name: Update Kubernetes resources | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| cd ${{ env.MANIFEST_REPOSITORY_PATH }} | |
| kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }} | |
| cat kustomization.yaml | |
| - name: Update Kubernetes resources neuro | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| cd ${{ env.NEURO_MANIFEST_REPOSITORY_PATH }} | |
| kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }} | |
| cat kustomization.yaml | |
| - name: Update Kubernetes resources climate | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| cd ${{ env.CLIMATE_MANIFEST_REPOSITORY_PATH }} | |
| kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }} | |
| cat kustomization.yaml | |
| - name: Update Kubernetes resources dev | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| cd ${{ env.DEV_MANIFEST_REPOSITORY_PATH }} | |
| kustomize edit set image ${{ env.KUSTOMIZE_IMAGE_NAME }}=${{ secrets.DOCKERHUB_USERNAME }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }} | |
| cat kustomization.yaml | |
| - name: Commit files | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| git config --local user.email "[email protected]" | |
| git config --local user.name "GitHub Action" | |
| git commit -am "Disk frontend updated" | |
| - name: Push changes | |
| if: github.event_name != 'pull_request' | |
| uses: ad-m/github-push-action@master | |
| with: | |
| ssh: true | |
| branch: ${{ env.MANIFEST_REPOSITORY_BRANCH }} | |
| repository: ${{ env.MANIFEST_REPOSITORY }} |