Skip to content

test-release

test-release #73

Workflow file for this run

name: OasisUI Build
on:
push:
workflow_dispatch:
inputs:
docker_push:
description: 'Push the docker image to dockerhub and outout reference'
required: false
default: 'false'
cve_severity:
description: 'Severities of vulnerabilities to scanned for, fails build if any found'
required: false
default: 'CRITICAL,HIGH'
#app_image_repo:
# description: 'Docker hub image repository'
# required: false
# default: 'coreoasis/github-actions'
#app_image_tag:
# description: 'Docker tag for image'
# required: false
# default: ''
#proxy_image_repo:
# description: 'Docker hub image repository'
# required: false
# default: 'coreoasis/github-actions'
#proxy_image_tag:
# description: 'Docker tag for image'
# required: false
# default: ''
workflow_call:
inputs:
docker_push:
description: 'Push the docker image to dockerhub and outout reference'
required: false
default: 'false'
type: string
cve_severity:
description: 'Severities of vulnerabilities to scanned for, fails build if any found'
required: false
default: 'CRITICAL,HIGH'
type: string
app_image_repo:
description: 'Docker hub image repository'
required: false
default: 'coreoasis/github-actions'
type: string
app_image_tag:
description: 'Docker tag for image'
required: false
default: ''
type: string
proxy_image_repo:
description: 'Docker hub image repository'
required: false
default: 'coreoasis/github-actions'
type: string
proxy_image_tag:
description: 'Docker tag for image'
required: false
default: ''
type: string
outputs:
app_image:
description:
value: ${{ jobs.shiny_app.outputs.image }}
proxy_image:
description:
value: ${{ jobs.shiny_proxy.outputs.image }}
jobs:
shiny_app:
env:
IMAGE_TAG: 'oasisui_app-${{ github.sha }}'
IMAGE_REPO: 'coreoasis/github-actions'
DOCKERFILE: 'docker/Dockerfile.oasisui_app'
SEVERITY: 'CRITICAL,HIGH'
runs-on: ubuntu-latest
outputs:
image: ${{ steps.docker_push.outputs.image }}
steps:
- name: Set inputs
if: github.event_name != 'push'
run: |
echo "SEVERITY=${{ inputs.cve_severity }}" >> $GITHUB_ENV
[[ -z "${{ inputs.app_image_tag }}" ]] || echo "IMAGE_TAG=${{ inputs.app_image_tag }}" >> $GITHUB_ENV
[[ -z "${{ inputs.app_image_repo }}" ]] || echo "IMAGE_REPO=${{ inputs.app_image_repo }}" >> $GITHUB_ENV
- name: Github context
run: echo "$GITHUB_CONTEXT"
shell: bash
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
- uses: actions/checkout@v3
with:
ref: ${{ github.ref_name }}
- name: Docker Build
run: |
echo "Build from Branch ${{ github.ref_name }}"
docker build -f ${{ env.DOCKERFILE }} --pull --build-arg REF_BRANCH=${{ github.ref_name }} -t ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }} .
#Trivy Scan
- name: Trivy vulnerability scanner
if: env.SEVERITY != ''
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
format: 'table'
scan-type: 'image'
exit-code: '1'
ignore-unfixed: true
severity: ${{ env.SEVERITY }}
scanners: 'vuln'
output: 'app_image.txt'
- name: Store CVE report
if: always()
uses: actions/upload-artifact@v3
with:
name: app_image_scan
path: ./app_image.txt
retention-days: 3
- name: Login to Docker Hub
if: inputs.docker_push == 'true'
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Docker push
id: docker_push
if: inputs.docker_push == 'true'
run: |
docker push ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
echo "image=${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}" >> $GITHUB_OUTPUT
shiny_proxy:
runs-on: ubuntu-latest
env:
IMAGE_TAG: 'oasisui_proxy-${{ github.sha }}'
IMAGE_REPO: 'coreoasis/github-actions'
DOCKERFILE: 'docker/Dockerfile.oasisui_proxy'
SEVERITY: 'CRITICAL,HIGH'
outputs:
image: ${{ steps.docker_push.outputs.image }}
steps:
- name: Set inputs
if: github.event_name != 'push'
run: |
echo "SEVERITY=${{ inputs.cve_severity }}" >> $GITHUB_ENV
[[ -z "${{ inputs.proxy_image_tag }}" ]] || echo "IMAGE_TAG=${{ inputs.proxy_image_tag }}" >> $GITHUB_ENV
[[ -z "${{ inputs.proxy_image_repo }}" ]] || echo "IMAGE_REPO=${{ inputs.proxy_image_repo }}" >> $GITHUB_ENV
- name: Github context
run: echo "$GITHUB_CONTEXT"
shell: bash
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
- uses: actions/checkout@v3
with:
ref: ${{ github.ref_name }}
- name: Docker Build
run: |
docker build -f ${{ env.DOCKERFILE }} -t ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }} .
# NOTE: even the latest version of shiny proxy as CRITICAL CVE issues (warn but no fail)
- name: Trivy vulnerability scanner
if: env.SEVERITY != ''
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
format: 'table'
scan-type: 'image'
exit-code: '1'
ignore-unfixed: true
severity: ${{ env.SEVERITY }}
security-checks: 'vuln'
output: 'proxy_image.txt'
- name: Store CVE report
if: always()
uses: actions/upload-artifact@v3
with:
name: proxy_image_scan
path: ./proxy_image.txt
retention-days: 3
- name: Login to Docker Hub
if: inputs.docker_push == 'true'
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Docker push
id: docker_push
if: inputs.docker_push == 'true'
run: |
docker push ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
echo "image=${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}" >> $GITHUB_OUTPUT