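# Builds a vulnerable-service image with vuln_images/build_image.py and commits
# the updated image manifest (do_vulnimages.json) back to the repository.
# Manually triggered; the only input is the service directory name under services/.
name: Build and Deploy Service Image

on:
  workflow_dispatch:
    inputs:
      service_name:
        description: "Name of the service (directory name under services/)"
        required: true

# Least-privilege GITHUB_TOKEN: the only repository write this workflow performs
# is the commit of do_vulnimages.json in the last step; nothing else needs more
# than read access.
permissions:
  contents: write

jobs:
  build-image:
    # NOTE(review): a self-hosted runner persists between runs, so anything a
    # job executes (including attacker-controlled input) can outlive the job.
    runs-on: self-hosted
    steps:
      # service_name is used below to build a filesystem path and a shell
      # command, so reject anything that is not a plain directory name before
      # it reaches either. Character set is an assumption — confirm it covers
      # every directory present under services/.
      - name: Validate service_name input
        env:
          SERVICE_NAME: ${{ github.event.inputs.service_name }}
        shell: bash
        run: |
          if ! [[ "$SERVICE_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]]; then
            echo "::error::service_name must be a plain directory name, got: ${SERVICE_NAME}"
            exit 1
          fi

      # NOTE(review): actions are pinned to major tags only; pin each to a full
      # commit SHA (tag kept in a trailing comment) so a moved tag cannot change
      # what runs on this runner.
      - name: Check out repository code
        uses: actions/checkout@v3

      - name: Install python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      # Plain pip call instead of a third-party wrapper action: one fewer
      # unpinned dependency with code execution on the runner.
      - name: Install dependencies
        run: python3 -m pip install -r vuln_images/requirements.txt

      # The input is passed through the environment and quoted, never expanded
      # into the script text, so `${{ }}` cannot inject shell syntax.
      - name: Build the image
        working-directory: "${{ github.workspace }}/vuln_images/"
        env:
          SERVICE_NAME: ${{ github.event.inputs.service_name }}
          DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
        shell: bash
        run: python3 build_image.py "../services/${SERVICE_NAME}/deploy.yaml"

      # On a self-hosted runner the checkout may be owned by another user and
      # git then refuses to operate on it (CVE-2022-24765, "dubious ownership",
      # see https://nvd.nist.gov/vuln/detail/cve-2022-24765), so take ownership
      # before committing.
      - name: Set owners
        working-directory: "${{ github.workspace }}"
        run: chown -R "$(id -u):$(id -g)" .

      # service_name has already been validated by the first step; the action
      # receives it as an input, not as shell text.
      - name: Commit changes
        uses: EndBug/add-and-commit@v9
        with:
          add: ansible/cloud/cloud_master/files/api_srv/do_vulnimages.json
          message: "[${{ github.event.inputs.service_name }}] New image built on ${{ github.sha }}"
          committer_name: GitHub Actions
          committer_email: [email protected]
          pull: '--rebase --autostash'

## Disabled by @andgein
## NOTE(review): before re-enabling the jobs below, address: (a) the ssh/scp
## calls use "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null",
## which disables host-key verification and lets a man-in-the-middle capture
## the deploy key — pin the cloud host's key in known_hosts instead;
## (b) private keys and do_tokens.py are written in clear to ~ and the
## workspace of a self-hosted runner and never removed; (c) service_name is
## expanded unvalidated into a remote shell command (recreate_team_vms.sh) and
## into deploy_proxies.py's argument — validate and quote it as the active job
## does; (d) actions/checkout@v2 is outdated.
# deploy-image:
#   runs-on: self-hosted
#   needs: [build-image]
#   steps:
#     - name: Check out repository code
#       uses: actions/checkout@v2
#       with:
#         fetch-depth: 0
#         ref: main
#     - name: Save private keys
#       run: |-
#         echo "$SSH_KEY" > ~/cloud_ssh_private_key;
#         chmod 600 ~/cloud_ssh_private_key;
#         echo "$DO_DEPLOY_KEY" > "${{ github.workspace }}/ansible/cloud/cloud_master/files/api_srv/do_deploy_key";
#         echo "$DO_TOKENS_PY" > "${{ github.workspace }}/ansible/cloud/cloud_master/files/api_srv/do_tokens.py";
#       shell: bash
#       env:
#         SSH_KEY: ${{ secrets.CLOUD_SSH_PRIVATE_KEY }}
#         DO_DEPLOY_KEY: ${{ secrets.DO_DEPLOY_KEY }}
#         DO_TOKENS_PY: ${{ secrets.DO_TOKENS_PY }}
#     - name: Deploy new image to the cloud
#       run: ansible-playbook -vv --private-key=~/cloud_ssh_private_key cloud_master.yaml
#       working-directory: "${{ github.workspace }}/ansible/cloud/"
# recreate-team-vms:
#   runs-on: self-hosted
#   needs: [deploy-image]
#   steps:
#     - name: Check out repository code
#       uses: actions/checkout@v2
#     - name: Save private key
#       run: 'echo "$SSH_KEY" > ~/cloud_ssh_private_key; chmod 600 ~/cloud_ssh_private_key'
#       shell: bash
#       env:
#         SSH_KEY: ${{ secrets.CLOUD_SSH_PRIVATE_KEY }}
#     - name: Copy script
#       run: scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/cloud_ssh_private_key .github/scripts/recreate_team_vms.sh [email protected]:~/
#     - name: Recreate team VMs
#       run: ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/cloud_ssh_private_key [email protected] '~/recreate_team_vms.sh ${{ github.event.inputs.service_name }}'
# deploy-proxies:
#   runs-on: self-hosted
#   needs: [deploy-image]
#   steps:
#     - name: Check out repository code
#       uses: actions/checkout@v2
#     - name: Install python
#       uses: actions/setup-python@v4
#       with:
#         python-version: '3.10'
#     - name: Install dependencies
#       uses: BSFishy/pip-action@v1
#       with:
#         requirements: vuln_images/requirements.txt
#     - name: Save private key
#       run: |-
#         echo "$DO_DEPLOY_KEY" > "${{ github.workspace }}/ansible/cloud/cloud_master/files/api_srv/do_deploy_key";
#       shell: bash
#       env:
#         DO_DEPLOY_KEY: ${{ secrets.DO_DEPLOY_KEY }}
#     - name: Deploy proxies
#       run: python3 deploy_proxies.py --skip-preparation ../services/${{ github.event.inputs.service_name }}/deploy.yaml # --skip-dns
#       working-directory: "${{ github.workspace }}/vuln_images/"
#       env:
#         DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
#         CERTIFICATES_FOLDER: /etc/letsencrypt/live
#         PROXY_SSH_KEY: "${{ github.workspace }}/ansible/cloud/cloud_master/files/api_srv/do_deploy_key"
#         TEAMS_COUNT: 1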