From 0fcf0c01ab75b1a78594e4f799ebe727327a8b0d Mon Sep 17 00:00:00 2001 From: sulmo <50662170+sulmoJ@users.noreply.github.com> Date: Thu, 28 Dec 2023 17:27:41 +0900 Subject: [PATCH] feat: add dev_build action (#2693) * feat: add dev_build action Signed-off-by: sulmo * fix: fix minor thing Signed-off-by: sulmo --------- Signed-off-by: sulmo --- .github/workflows/dispatch_dev_build.yaml | 146 ++++++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 .github/workflows/dispatch_dev_build.yaml diff --git a/.github/workflows/dispatch_dev_build.yaml b/.github/workflows/dispatch_dev_build.yaml new file mode 100644 index 0000000000..f55c1dbcca --- /dev/null +++ b/.github/workflows/dispatch_dev_build.yaml @@ -0,0 +1,146 @@ +name: "[Dispatch] Dev build" + +on: + workflow_dispatch: + +env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + +jobs: + docker: + runs-on: ubuntu-latest + outputs: + TIME: ${{ steps.get_date.outputs.TIME }} + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + ref: ${{ github.ref }} + token: ${{ secrets.PAT_TOKEN }} + submodules: recursive + + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.CLOUDFORET_DOCKER_USERNAME }} + password: ${{ secrets.CLOUDFORET_DOCKER_PASSWORD }} + + - name: Get Date + run: | + sudo ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime + CURRENT_TIME=$(date +'%Y%m%d.%H%M%S') + + echo "TIME=$CURRENT_TIME" >> $GITHUB_ENV + echo "TIME=$CURRENT_TIME" >> $GITHUB_OUTPUT + + - name: Build and push to dockerhub + uses: docker/build-push-action@v4 + with: + context: . + file: ./apps/web/Dockerfile + push: true + tags: | + ${{ secrets.CLOUDFORET_DOCKER_USERNAME }}/${{ github.event.repository.name }}:latest + ${{ secrets.CLOUDFORET_DOCKER_USERNAME }}/${{ github.event.repository.name }}:${{ env.TIME }} + cache-from: cloudforetdev/${{ env.SERVICE }}:latest + cache-to: type=inline + provenance: false + + - name: Notice when job fails + if: failure() + uses: 8398a7/action-slack@v3.15.0 + with: + status: ${{job.status}} + fields: repo,workflow,job + author_name: Github Action Slack + + scan: + needs: docker + runs-on: ubuntu-20.04 + steps: + - name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + image-ref: cloudforetdev/${{ github.event.repository.name }}:${{ needs.docker.outputs.TIME }} + format: 'sarif' + output: 'trivy-results.sarif' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + - name: Count vulnerabilities + id: vulnerabilities + run: | + count=$(jq '.runs[].results[].ruleId' ./trivy-results.sarif | wc -c) + echo "result_count=$count" >> $GITHUB_OUTPUT + echo "$count" + + - name: slack + if: ${{ steps.vulnerabilities.outputs.result_count != 0 }} + uses: 8398a7/action-slack@v3 + with: + status: custom + fields: workflowRun + custom_payload: | + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": ":warning: Image vulnerability detected" + } + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Image:*\ncloudforetdev/${{ github.event.repository.name }}:${{ needs.docker.outputs.TIME }} + }, + { + "type": "mrkdwn", + "text": "*Repo name:*\n${{ github.repository }}" + } + ] + }, + { + "type": "actions", + "elements": [ + { + "type": "button", + "text": { + "type": "plain_text", + "emoji": true, + "text": "View Detail" + }, + "style": "danger", + "url": "https://github.com/${{ github.repository }}/security/code-scanning" + } + ] + } + ] + } + env: + SLACK_WEBHOOK_URL: ${{secrets.VULNERABILITY_SLACK_WEBHOOK_URL}} + + notification: + needs: docker + runs-on: ubuntu-latest + steps: + - name: Slack + if: always() + uses: 8398a7/action-slack@v3.15.0 + with: + status: ${{job.status}} + fields: repo,message,commit,author,action,ref,workflow,job + author_name: Github Action Slack