ballerine-io · codechirag123 · Dec 3, 2024 · Nov 25, 2024 · Nov 26, 2024 · Nov 26, 2024
diff --git a/.github/workflows/build-preview-environment.yml b/.github/workflows/build-preview-environment.yml
@@ -0,0 +1,108 @@
+# Deploys a temporary environment for testing a version of the code when a pull request is created / updated with a 'deploy-pr' label
+name: Deploy PR Environment
+concurrency:
+  group: "deploy-${{ github.event.pull_request.head.ref }}"
+  cancel-in-progress: false
+
+on:
+  pull_request:
+    types: [ labeled, synchronize ]
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
+env:
+  REF: ${{ github.event_name == 'workflow_dispatch' && github.ref_name || github.event_name == 'pull_request' && github.event.pull_request.head.sha }}
+
+jobs:
+  deploy-dev-pr-environment:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy-pr')
+    runs-on: ubuntu-latest
+    outputs:
+      env_name: ${{ steps.env-name.outputs.PR_ENV_NAME }}
+    steps:
+      - name: Checkout the Tool and actions
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.REF }}
+          fetch-depth: 1
+
+      - name: "Sanitize ENV name"
+        id: sanitize_env
+        shell: bash
+        run: |
+          SANITIZED_BRANCH_NAME=$(echo -n ${{ env.REF }} | tr "/" "-")
+          echo "Sanitized branch name: $SANITIZED_BRANCH_NAME"
+          TRIMMED_BRANCH_NAME=$(echo -n "$SANITIZED_BRANCH_NAME" | cut -c 1-8)
+          echo "sanitized_env_name=$SANITIZED_BRANCH_NAME" >> $GITHUB_OUTPUT;
+          echo "trimmed_env_name=$TRIMMED_BRANCH_NAME" >> $GITHUB_OUTPUT;
+
+      - name: Environment deployment
+        id: env-name
+        run: |
+          echo "deploying environment"
+          echo "PR_ENV_NAME=${{ steps.sanitize_env.outputs.trimmed_env_name }}" >> $GITHUB_ENV
+          echo "PR_ENV_NAME=${{ steps.sanitize_env.outputs.trimmed_env_name }}" >> $GITHUB_OUTPUT
+
+  build-wf-service:
+    needs: deploy-dev-pr-environment
+    uses: ./.github/workflows/build-push-docker-images.yml
+    with:
+      registry: ghcr.io/${{ github.repository_owner }}
+      context: services/workflows-service
+      image_name: workflows-service
+      ref: ${{ github.event.pull_request.head.sha }}
+      tag: ${{ needs.deploy-dev-pr-environment.outputs.env_name }}
+
+  build-backoffice:
+    needs: deploy-dev-pr-environment
+    uses: ./.github/workflows/build-push-docker-images.yml
+    with:
+      registry: ghcr.io/${{ github.repository_owner }}
+      context: apps/backoffice-v2
+      image_name: backoffice
+      ref: ${{ github.event.pull_request.head.sha }}
+      tag: ${{ needs.deploy-dev-pr-environment.outputs.env_name }}
+
+  build-kyb:
+    needs: deploy-dev-pr-environment
+    uses: ./.github/workflows/build-push-docker-images.yml
+    with:
+      registry: ghcr.io/${{ github.repository_owner }}
+      context: apps/kyb-app
+      image_name: kyb-app
+      ref: ${{ github.event.pull_request.head.sha }}
+      tag: ${{ needs.deploy-dev-pr-environment.outputs.env_name }}
+
+  build-dashboard:
+    needs: deploy-dev-pr-environment
+    uses: ./.github/workflows/build-push-docker-images.yml
+    with:
+      registry: ghcr.io/${{ github.repository_owner }}
+      context: apps/workflows-dashboard
+      image_name: workflows-dashboard
+      ref: ${{ github.event.pull_request.head.sha }}
+      tag: ${{ needs.deploy-dev-pr-environment.outputs.env_name }}
+
+  deploy-preview:
+    needs: [deploy-dev-pr-environment,build-wf-service,build-backoffice,build-kyb,build-dashboard]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger workflow in another repo
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GH_TOKEN }}
+          script: |
+            const refValue = ('${{ github.event_name }}' === 'workflow_dispatch') 
+            ? '${{ github.ref_name }}' 
+            : '${{ github.event.pull_request.head.sha }}';
+            await github.rest.repos.createDispatchEvent({
+              owner: 'ballerine-io',
+              repo: 'ballerine',
+              event_type: 'deploy-preview',
+              client_payload: {
+                'ref': '${{ needs.deploy-dev-pr-environment.outputs.env_name }}'
+              }
+            });
diff --git a/.github/workflows/build-push-docker-images.yml b/.github/workflows/build-push-docker-images.yml
@@ -0,0 +1,140 @@
+name: Build and Push Docker Images
+
+on:
+  workflow_call:
+    inputs:
+      registry:
+        required: true
+        description: "The Docker registry URL"
+        type: string
+      context:
+        required: true
+        description: "The build context path for the Docker image"
+        type: string
+      image_name:
+        required: true
+        description: "The name of the Docker image"
+        type: string
+      ref:
+        required: true
+        description: "Branch name of the Preview"
+        type: string
+      tag:
+        required: true
+        description: "Tag name of the Preview Image"
+        type: string
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref }}
+          sparse-checkout: |
+            ${{ inputs.context }}
+          sparse-checkout-cone-mode: true
+
+      - name: Get tags
+        run: git fetch --tags origin
+
+      - name: Get version
+        if: ${{ inputs.image_name }} == 'workflows-service'
+        id: version
+        run: |
+          TAG=$(git tag -l "$(echo ${{ inputs.image_name }}@)*" | sort -V -r | head -n 1)
+          echo "tag=$TAG"
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+          echo "TAG=$TAG" >> "$GITHUB_ENV"
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          echo "sha_short=$SHORT_SHA" >> "$GITHUB_OUTPUT"
+          echo "SHORT_SHA=$SHORT_SHA" >> "$GITHUB_ENV"
+
+      - name: Bump version
+        id: bump-version
+        if: ${{ inputs.image_name }} == 'workflows-service'
+        uses: ./.github/actions/bump-version
+        with:
+          tag: ${{ steps.version.outputs.tag }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: 'arm64,arm'
+
+      - name: Cache Docker layers
+        id: cache
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-docker-${{ hashFiles('**/Dockerfile') }}
+          restore-keys: |
+            ${{ runner.os }}-docker-${{ hashFiles('**/Dockerfile') }}
+            ${{ runner.os }}-docker-
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ inputs.registry }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata for Docker images
+        id: docker_meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ inputs.registry }}/${{ inputs.image_name }}
+          tags: |
+            type=raw,value=${{ inputs.tag }}
+            type=sha,format=short
+
+      - name: Print docker version outputs
+        run: |
+          echo "Metadata: ${{ steps.docker_meta.outputs.tags }}"
+
+          echo "sha_short: ${{ steps.version.outputs.sha_short }}"
+          echo "docker_meta-tags: ${{ steps.docker_meta.outputs.tags }}"
+          echo "bump-version-version: ${{ steps.bump-version.outputs.version }}"
+          echo "bump-version-tag: ${{ steps.bump-version.outputs.tag }}"
+
+      - name: Build and push Docker image
+        if: ${{ inputs.image_name }} == 'workflows-service'
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ inputs.context }}
+          platforms: linux/amd64
+          push: true
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          build-args: |
+            "RELEASE=${{ steps.version.outputs.tag }}"
+            "SHORT_SHA=${{ steps.version.outputs.sha_short }}"
+
+
+      - name: Build and push Docker image
+        if: ${{ inputs.image_name }} != 'workflows-service'
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ inputs.context }}
+          platforms: linux/amd64
+          push: true
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+          tags: ${{ steps.docker_meta.outputs.tags }}
+
+      - name: Scan Docker Image
+        uses: aquasecurity/trivy-action@master
+        continue-on-error: true
+        with:
+          image-ref: ${{ steps.docker_meta.outputs.tags }}
+          format: 'table'
+          ignore-unfixed: true
+          exit-code: 1
+          vuln-type: 'os,library'
+          severity: 'CRITICAL'