Merge remote-tracking branch 'cloudforet-io/master' into feature-work…
…space-fundametals

Signed-off-by: sulmo <[email protected]>
sulmoJ committed Dec 28, 2023
2 parents 2416826 + 0fcf0c0 commit f2325c6
Showing 1 changed file with 146 additions and 0 deletions.
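--- a/.github/workflows/dispatch_dev_build.yaml
+++ b/.github/workflows/dispatch_dev_build.yaml
@@ -0,0 +1,146 @@
+name: "[Dispatch] Dev build"
+
+on:
+workflow_dispatch:
+
+env:
+SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+jobs:
+docker:
+runs-on: ubuntu-latest
+outputs:
+TIME: ${{ steps.get_date.outputs.TIME }}
+steps:
+- name: Checkout
+uses: actions/checkout@v3
+with:
+ref: ${{ github.ref }}
+token: ${{ secrets.PAT_TOKEN }}
+submodules: recursive
+
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v2
+
+- name: Login to Docker Hub
+uses: docker/login-action@v2
+with:
+username: ${{ secrets.CLOUDFORET_DOCKER_USERNAME }}
+password: ${{ secrets.CLOUDFORET_DOCKER_PASSWORD }}
+
+- name: Get Date
+run: |
+sudo ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime
+CURRENT_TIME=$(date +'%Y%m%d.%H%M%S')
+echo "TIME=$CURRENT_TIME" >> $GITHUB_ENV
+echo "TIME=$CURRENT_TIME" >> $GITHUB_OUTPUT
+- name: Build and push to dockerhub
+uses: docker/build-push-action@v4
+with:
+context: .
+file: ./apps/web/Dockerfile
+push: true
+tags: |
+${{ secrets.CLOUDFORET_DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest
+${{ secrets.CLOUDFORET_DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ env.TIME }}
+cache-from: cloudforetdev/${{ env.SERVICE }}:latest
+cache-to: type=inline
+provenance: false
+
+- name: Notice when job fails
+if: failure()
+uses: 8398a7/[email protected]
+with:
+status: ${{job.status}}
+fields: repo,workflow,job
+author_name: Github Action Slack
+
+scan:
+needs: docker
+runs-on: ubuntu-20.04
+steps:
+- name: Run Trivy vulnerability scanner
+id: trivy-scan
+uses: aquasecurity/trivy-action@master
+with:
+image-ref: cloudforetdev/${{ github.event.repository.name }}:${{ needs.docker.outputs.TIME }}
+format: 'sarif'
+output: 'trivy-results.sarif'
+ignore-unfixed: true
+vuln-type: 'os,library'
+severity: 'CRITICAL,HIGH'
+
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v2
+with:
+sarif_file: 'trivy-results.sarif'
+
+- name: Count vulnerabilities
+id: vulnerabilities
+run: |
+count=$(jq '.runs[].results[].ruleId' ./trivy-results.sarif | wc -c)
+echo "result_count=$count" >> $GITHUB_OUTPUT
+echo "$count"
+- name: slack
+if: ${{ steps.vulnerabilities.outputs.result_count != 0 }}
+uses: 8398a7/action-slack@v3
+with:
+status: custom
+fields: workflowRun
+custom_payload: |
+{
+"blocks": [
+{
+"type": "section",
+"text": {
+"type": "mrkdwn",
+"text": ":warning: Image vulnerability detected"
+}
+},
+{
+"type": "section",
+"fields": [
+{
+"type": "mrkdwn",
+"text": "*Image:*\ncloudforetdev/${{ github.event.repository.name }}:${{ needs.docker.outputs.TIME }}
+},
+{
+"type": "mrkdwn",
+"text": "*Repo name:*\n${{ github.repository }}"
+}
+]
+},
+{
+"type": "actions",
+"elements": [
+{
+"type": "button",
+"text": {
+"type": "plain_text",
+"emoji": true,
+"text": "View Detail"
+},
+"style": "danger",
+"url": "https://github.com/${{ github.repository }}/security/code-scanning"
+}
+]
+}
+]
+}
+env:
+SLACK_WEBHOOK_URL: ${{secrets.VULNERABILITY_SLACK_WEBHOOK_URL}}
+
+notification:
+needs: docker
+runs-on: ubuntu-latest
+steps:
+- name: Slack
+if: always()
+uses: 8398a7/[email protected]
+with:
+status: ${{job.status}}
+fields: repo,message,commit,author,action,ref,workflow,job
+author_name: Github Action Slack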
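Review bot: The `docker` job exports `TIME: ${{ steps.get_date.outputs.TIME }}`, but the "Get Date" step has no `id`, so that output is empty and the `scan` job's `image-ref` (and the Slack payload) resolve to `cloudforetdev/<repo>:` with no tag; the Trivy scan then does not cover the image this run just pushed. Adding `id: get_date` to the "Get Date" step fixes the wiring. Two related breakages in the same file: `cache-from` reads `env.SERVICE`, which this workflow never sets, and the `"*Image:*\n..."` string in `custom_payload` has no closing quote as rendered here, so the vulnerability alert would likely fail to send. The scanner is also referenced as `aquasecurity/trivy-action@master`, a mutable ref; pinning it to a reviewed full commit SHA keeps the security gate from changing underneath the pipeline.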

1 comment on commit f2325c6


@vercel vercel bot commented on f2325c6 Dec 28, 2023
