Skip to content

[Dispatch] Dev build #16

[Dispatch] Dev build

[Dispatch] Dev build #16

name: "[Dispatch] Dev build"
on:
workflow_dispatch:
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
jobs:
docker:
runs-on: ubuntu-latest
outputs:
TIME: ${{ steps.get_date.outputs.TIME }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.ref }}
token: ${{ secrets.PAT_TOKEN }}
submodules: recursive
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.CLOUDFORET_DEV_DOCKER_USERNAME }}
password: ${{ secrets.CLOUDFORET_DEV_DOCKER_PASSWORD }}
- name: Get Date
run: |
sudo ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime
CURRENT_TIME=$(date +'%Y%m%d.%H%M%S')
echo "TIME=$CURRENT_TIME" >> $GITHUB_ENV
echo "TIME=$CURRENT_TIME" >> $GITHUB_OUTPUT
- name: Build and push to dockerhub
uses: docker/build-push-action@v4
with:
context: .
file: ./apps/web/Dockerfile
push: true
tags: |
cloudforetdev/${{ github.event.repository.name }}:latest
cloudforetdev/${{ github.event.repository.name }}:${{ env.TIME }}
cache-from: cloudforetdev/${{ env.SERVICE }}:latest
cache-to: type=inline
provenance: false
- name: Notice when job fails
if: failure()
uses: 8398a7/[email protected]
with:
status: ${{job.status}}
fields: repo,workflow,job
author_name: Github Action Slack
scan:
needs: docker
runs-on: ubuntu-20.04
steps:
- name: Run Trivy vulnerability scanner
id: trivy-scan
uses: aquasecurity/trivy-action@master
with:
image-ref: cloudforetdev/${{ github.event.repository.name }}:${{ needs.docker.outputs.TIME }}
format: 'sarif'
output: 'trivy-results.sarif'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Count vulnerabilities
id: vulnerabilities
run: |
count=$(jq '.runs[].results[].ruleId' ./trivy-results.sarif | wc -c)
echo "result_count=$count" >> $GITHUB_OUTPUT
echo "$count"
- name: slack
if: ${{ steps.vulnerabilities.outputs.result_count != 0 }}
uses: 8398a7/action-slack@v3
with:
status: custom
fields: workflowRun
custom_payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":warning: Image vulnerability detected"
}
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*Image:*\ncloudforetdev/${{ github.event.repository.name }}:${{ needs.docker.outputs.TIME }}
},
{
"type": "mrkdwn",
"text": "*Repo name:*\n${{ github.repository }}"
}
]
},
{
"type": "actions",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"emoji": true,
"text": "View Detail"
},
"style": "danger",
"url": "https://github.com/${{ github.repository }}/security/code-scanning"
}
]
}
]
}
env:
SLACK_WEBHOOK_URL: ${{secrets.VULNERABILITY_SLACK_WEBHOOK_URL}}
notification:
needs: docker
runs-on: ubuntu-latest
steps:
- name: Slack
if: always()
uses: 8398a7/[email protected]
with:
status: ${{job.status}}
fields: repo,message,commit,author,action,ref,workflow,job
author_name: Github Action Slack