Add files via upload #37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and update app | |
permissions: | |
contents: write | |
pull-requests: write | |
env: | |
#docker env | |
DOCKER_IMAGE_REPOSITORY: mintproject | |
DOCKER_IMAGE_NAME: model-catalog-endpoint | |
DOCKER_FILE: "Dockerfile" | |
#security level | |
VULNERABILITY_SCAN_LEVEL: "CRITICAL" | |
on: | |
push: | |
branches: | |
- "*" | |
tags: | |
- v* | |
pull_request: | |
jobs: | |
# This job build the app and the image. Then, push it | |
build: | |
runs-on: ubuntu-latest | |
name: "Build and push the Docker Image" | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
lfs: true | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Create value as an environment variable | |
run: | | |
echo "DOCKER_TAG=${GITHUB_SHA}" >> $GITHUB_ENV | |
- name: Expose value | |
id: exposeValue | |
run: | | |
echo "::set-output name=docker_tag::${{ env.DOCKER_TAG }}" | |
- name: Login to DockerHub | |
uses: docker/login-action@v1 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Build and push Docker image | |
uses: docker/[email protected] | |
with: | |
push: true | |
context: . | |
tags: mintproject/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_TAG }} | |
platforms: linux/amd64,linux/arm64 | |
outputs: | |
docker_tag: ${{ steps.exposeValue.outputs.docker_tag }} | |
security: | |
permissions: | |
contents: read | |
security-events: write | |
packages: write | |
name: "Scan vulnerabilities in the image" | |
needs: [build] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 | |
with: | |
image-ref: ${{ env.DOCKER_IMAGE_REPOSITORY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }} | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "trivy-results.sarif" | |
severity: ${{ env.VULNERABILITY_SCAN_LEVEL }} | |
exit-code: "0" | |
ignore-unfixed: "true" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v1 | |
if: always() | |
with: | |
sarif_file: "trivy-results.sarif" | |
update: | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Create environment variable with the commit id | |
run: | | |
echo "DOCKER_TAG=${GITHUB_SHA}" >> $GITHUB_ENV | |
- name: Expose the commit id | |
id: exposeValue | |
run: | | |
echo "::set-output name=docker_tag::${{ env.DOCKER_TAG }}" | |
- name: Checkout MINT Instances Repository | |
uses: actions/checkout@v3 | |
with: | |
repository: mintproject/mint-instances | |
path: infrastructure | |
token: ${{ secrets.MINT_INSTANCES }} | |
ref: master | |
- name: Checkout MINT Chart Repository | |
uses: actions/checkout@v3 | |
if: github.ref == 'refs/heads/master' | |
with: | |
repository: mintproject/mint | |
path: mint-chart | |
token: ${{ secrets.MINT_INSTANCES }} | |
ref: main | |
- name: Update MINT ISI master | |
uses: fjogeleit/yaml-update-action@main | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
with: | |
valueFile: isi/values.yaml | |
propertyPath: "MINT.components.model_catalog_endpoint.image.tag" | |
value: ${{ env.DOCKER_TAG }} | |
message: "Update model catalog endpoint" | |
repository: mintproject/mint-instances | |
workDir: infrastructure | |
branch: master | |
token: ${{ secrets.MINT_INSTANCES }} | |
- name: Update MINT ISI WIFIRE | |
uses: fjogeleit/yaml-update-action@main | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
with: | |
valueFile: wifire/values.yaml | |
propertyPath: "MINT.components.model_catalog_endpoint.image.tag" | |
value: ${{ env.DOCKER_TAG }} | |
message: "Update model catalog endpoint" | |
repository: mintproject/mint-instances | |
workDir: infrastructure | |
branch: master | |
token: ${{ secrets.MINT_INSTANCES }} | |
- name: Update MINT ISI tacc | |
uses: fjogeleit/yaml-update-action@main | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
with: | |
valueFile: tacc/values.yaml | |
propertyPath: "MINT.components.model_catalog_endpoint.image.tag" | |
value: ${{ env.DOCKER_TAG }} | |
message: "Update model catalog endpoint" | |
repository: mintproject/mint-instances | |
workDir: infrastructure | |
branch: master | |
token: ${{ secrets.MINT_INSTANCES }} | |
- name: Update MINT ISI dev | |
uses: fjogeleit/yaml-update-action@main | |
if: github.event_name == 'push' && github.ref == 'refs/heads/dev' | |
with: | |
valueFile: isi-dev/values.yaml | |
propertyPath: "MINT.components.model_catalog_endpoint.image.tag" | |
value: ${{ env.DOCKER_TAG }} | |
message: "Update model catalog endpoint" | |
repository: mintproject/mint-instances | |
workDir: infrastructure | |
branch: master | |
token: ${{ secrets.MINT_INSTANCES }} | |
# - name: Update helm charts | |
# uses: fjogeleit/yaml-update-action@main | |
# if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
# with: | |
# valueFile: helm/values.yaml | |
# propertyPath: "components.model_catalog_endpoint.image.tag" | |
# value: ${{ env.DOCKER_TAG }} | |
# message: "Update model catalog endpoint" | |
# repository: mintproject/mint | |
# workDir: mint-chart/ | |
# branch: main | |
# token: ${{ secrets.MINT_INSTANCES }} |