[Snyk] Security upgrade alpine from 3.15 to 3.16 #303
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| setup: | |
| name: Set up | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image-tag: ${{ steps.image-tag.outputs.tag }} | |
| build-date: ${{ steps.build-date.outputs.builddate }} | |
| ci-url: ${{ steps.ci-url.outputs.ciurl }} | |
| isledc-commit: ${{ steps.establish-isledc-head.outputs.isledc-commit }} | |
| buildkit-commit: ${{ steps.establish-buildkit-head.outputs.buildkit-commit }} | |
| steps: | |
| - name: Checkout idc-isle-dc | |
| uses: actions/checkout@v2 | |
| with: | |
| repository: jhu-idc/idc-isle-dc | |
| path: idc-isle-dc | |
| - name: Establish idc-isle-dc HEAD ref | |
| id: establish-isledc-head | |
| working-directory: idc-isle-dc | |
| run: echo "::set-output name=isledc-commit::$(git log -1 --format='%H')" | |
| - run: echo "Using idc-isle-dc ref ${{ steps.establish-isledc-head.outputs.isledc-commit }} for tests" | |
| - name: Checkout idc-isle-buildkit | |
| uses: actions/checkout@v2 | |
| with: | |
| # Required for generating the Docker image tag | |
| fetch-depth: 0 | |
| path: buildkit | |
| - name: Establish idc-buildkit HEAD ref | |
| id: establish-buildkit-head | |
| working-directory: buildkit | |
| run: echo "::set-output name=buildkit-commit::$(git log -1 --format='%H')" | |
| - run: echo "Using idc-buildkit ref ${{ steps.establish-buildkit-head.outputs.buildkit-commit }} for images" | |
| - name: Generate Docker image tag | |
| working-directory: buildkit | |
| id: image-tag | |
| run: echo "::set-output name=tag::$(git describe --tags --always --first-parent)" | |
| - run: echo "Using buildkit image tag ${{ steps.image-tag.outputs.tag }}" | |
| - name: Generate build datetime | |
| id: build-date | |
| run: echo "::set-output name=builddate::$(jq -rn 'now|todateiso8601')" | |
| - name: Generate CI url | |
| id: ci-url | |
| run: echo "::set-output name=ciurl::$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | |
| build: | |
| name: Build and Push Docker Images | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 120 | |
| needs: setup | |
| strategy: | |
| matrix: | |
| image-name: | |
| - activemq | |
| - alpaca | |
| - cantaloupe | |
| - crayfish | |
| - crayfits | |
| - dlq | |
| - drupal | |
| - drupal-dev | |
| - fits | |
| - homarus | |
| - houdini | |
| - hypercube | |
| - idp | |
| - ldap | |
| - mariadb | |
| - solr | |
| steps: | |
| - name: Checkout idc-isle-buildkit | |
| uses: actions/checkout@v2 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ needs.setup.outputs.buildkit-commit }} | |
| - name: Setup Java | |
| uses: actions/setup-java@v1 | |
| with: | |
| java-version: 8 | |
| - name: Enable buildkit | |
| shell: bash | |
| run: | | |
| echo '{"experimental": "enabled"}' > ~/.docker/config.json | |
| - name: Build & Push Image | |
| run: ./gradlew --console plain -PregistryUrl=${{ secrets.REGISTRY_URL }} -PregistryUsername=${{ secrets.REGISTRY_USER }} -PregistryPassword=${{ secrets.REGISTRY_PASS }} -Prepository=${{ secrets.REPOSITORY }} ${{ matrix.image-name }}:push | |
| - name: Label Image | |
| run: | | |
| if [ "${{github.event_name}}" == "pull_request" ] ; then | |
| export IMAGE_DESC="IDC ${{matrix.image-name}} image (via idc-isle-buildkit PR head ${{ github.event.pull_request.head.sha }}, base ${{ github.event.pull_request.base.sha }}, merge ${{ github.sha }})" | |
| else | |
| export IMAGE_DESC="IDC ${{matrix.image-name}} image (via idc-isle-buildkit commit ${{ github.sha }})" | |
| fi | |
| echo "FROM ${{ secrets.REPOSITORY }}/${{matrix.image-name}}:${{needs.setup.outputs.image-tag}}" | \ | |
| docker build -t ${{ secrets.REPOSITORY }}/${{matrix.image-name}}:${{needs.setup.outputs.image-tag}} \ | |
| --label org.opencontainers.image.title="idc-isle-buildkit ${{matrix.image-name}}"\ | |
| --label org.opencontainers.image.description="${IMAGE_DESC}" \ | |
| --label org.opencontainers.image.url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/tree/${{github.event.repository.default_branch}}/${{matrix.image-name}} \ | |
| --label org.opencontainers.image.source=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY \ | |
| --label org.opencontainers.image.version=${{needs.setup.outputs.image-tag}} \ | |
| --label org.opencontainers.image.created=${{needs.setup.outputs.build-date}} \ | |
| --label org.opencontainers.image.revision=${{github.sha}} \ | |
| --label org.opencontainers.image.licenses=MIT \ | |
| --label org.opencontainers.image.ref.name=${{ secrets.REPOSITORY }}/${{matrix.image-name}}:${{needs.setup.outputs.image-tag}} \ | |
| --label ci.url=${{needs.setup.outputs.ci-url}} \ | |
| - | |
| docker inspect -f "{{json .Config.Labels }}" ${{ secrets.REPOSITORY }}/${{matrix.image-name}}:${{needs.setup.outputs.image-tag}} | |
| docker history ${{ secrets.REPOSITORY }}/${{matrix.image-name}}:${{needs.setup.outputs.image-tag}} | |
| docker login -u '${{ secrets.REGISTRY_USER }}' -p '${{ secrets.REGISTRY_PASS }}' '${{ secrets.REGISTRY_URL }}' | |
| docker push ${{ secrets.REPOSITORY }}/${{matrix.image-name}}:${{needs.setup.outputs.image-tag}} | |
| static: | |
| name: Create and Push Drupal Static Image | |
| needs: [ setup, build ] | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 120 | |
| defaults: | |
| run: | |
| working-directory: isle-dc | |
| steps: | |
| - name: Checkout idc-isle-dc | |
| uses: actions/checkout@v2 | |
| with: | |
| repository: jhu-idc/idc-isle-dc | |
| ref: ${{ needs.setup.outputs.isledc-commit }} | |
| path: isle-dc | |
| - name: Set image tag | |
| run: | | |
| echo "Using image tag ${{needs.setup.outputs.image-tag}}" | |
| sed -i.bak -e 's@^TAG.*$@TAG=${{needs.setup.outputs.image-tag}}@' .env | |
| grep TAG .env | |
| - name: Make static image | |
| run: make static-docker-compose.yml up || { docker-compose logs drupal && exit 1; } | |
| - name: Drush test | |
| run: docker-compose exec -T drupal drush -d status | |
| - name: Label static image | |
| run: | | |
| if [ "${{github.event_name}}" == "pull_request" ] ; then | |
| export IMAGE_DESC="IDC drupal-static image (via idc-isle-buildkit PR head ${{ github.event.pull_request.head.sha }}, base ${{ github.event.pull_request.base.sha }}, merge ${{ github.sha }})" | |
| else | |
| export IMAGE_DESC="IDC drupal-static image (via idc-isle-buildkit commit ${{ github.sha }})" | |
| fi | |
| export STATIC_TAG=$(docker images | grep ${{ secrets.REPOSITORY }}/drupal-static | awk '{print $2}') | |
| echo "FROM ${{ secrets.REPOSITORY }}/drupal-static:${STATIC_TAG}" | \ | |
| docker build -t ${{ secrets.REPOSITORY }}/drupal-static:${{needs.setup.outputs.image-tag}} \ | |
| --label org.opencontainers.image.title="idc-isle-buildkit drupal-static" \ | |
| --label org.opencontainers.image.description="${IMAGE_DESC}" \ | |
| --label org.opencontainers.image.url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/tree/${{github.event.repository.default_branch}}/drupal \ | |
| --label org.opencontainers.image.source="$(git remote get-url origin)" \ | |
| --label org.opencontainers.image.version=${{needs.setup.outputs.image-tag}} \ | |
| --label org.opencontainers.image.created="$(date)" \ | |
| --label org.opencontainers.image.revision="$(git log -1 --format='%h')" \ | |
| --label org.opencontainers.image.licenses=MIT \ | |
| --label org.opencontainers.image.ref.name=${{ secrets.REPOSITORY }}/drupal-static:${{needs.setup.outputs.image-tag}} \ | |
| --label ci.url="${{needs.setup.outputs.ci-url}}" \ | |
| - | |
| - name: Push static image | |
| run: | | |
| docker login -u '${{ secrets.REGISTRY_USER }}' -p '${{ secrets.REGISTRY_PASS }}' '${{ secrets.REGISTRY_URL }}' | |
| docker push ${{ secrets.REPOSITORY }}/drupal-static:${{needs.setup.outputs.image-tag}} | |
| test-matrix: | |
| name: Generate idc-isle-dc test matrix | |
| needs: setup | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.excludes-matrix.outputs.matrix }} | |
| steps: | |
| - name: Checkout idc-isle-dc | |
| uses: actions/checkout@v2 | |
| with: | |
| repository: jhu-idc/idc-isle-dc | |
| ref: ${{ needs.setup.outputs.isledc-commit }} | |
| - name: Generate Test Matrix | |
| id: test-matrix | |
| uses: jhu-idc/[email protected] | |
| - name: Exclude nightly jobs | |
| id: excludes-matrix | |
| uses: jhu-idc/[email protected] | |
| with: | |
| glob: '*nightly*.sh' | |
| exclude: true | |
| matrix: ${{ steps.test-matrix.outputs.matrix }} | |
| - name: Dump Test Matrix | |
| env: | |
| MATRIX: ${{ steps.excludes-matrix.outputs.matrix }} | |
| run: echo ${MATRIX} | |
| test: | |
| name: Run idc-isle-dc tests | |
| runs-on: ubuntu-latest | |
| needs: [ build, static, test-matrix, setup ] | |
| strategy: | |
| matrix: ${{ fromJSON(needs.test-matrix.outputs.matrix) }} | |
| fail-fast: false | |
| steps: | |
| - name: Checkout idc-isle-dc | |
| uses: actions/checkout@v2 | |
| with: | |
| repository: jhu-idc/idc-isle-dc | |
| ref: ${{ needs.setup.outputs.isle-dccommit }} | |
| - name: Set image tag | |
| run: | | |
| echo "Using image tag ${{needs.setup.outputs.image-tag}}" | |
| sed -i.bak -e 's@^TAG.*$@TAG=${{needs.setup.outputs.image-tag}}@' .env | |
| grep TAG .env | |
| - name: Use Static Drupal Image | |
| run: | | |
| echo "Pulling static image ${{ secrets.REPOSITORY }}/drupal-static:${{needs.setup.outputs.image-tag}}" | |
| docker login -u '${{ secrets.REGISTRY_USER }}' -p '${{ secrets.REGISTRY_PASS }}' '${{ secrets.REGISTRY_URL }}' && \ | |
| docker pull ${{ secrets.REPOSITORY }}/drupal-static:${{needs.setup.outputs.image-tag}} && \ | |
| make static-docker-compose.yml | |
| - name: Run ${{ matrix.test }} | |
| run: make up test test=${{ matrix.test }} | |
| - name: Capture Logs | |
| if: failure() | |
| run: | | |
| mkdir -p end-to-end/reports/${{ matrix.test }} | |
| docker-compose logs drupal 2>&1 | tee end-to-end/reports/${{ matrix.test }}/docker-drupal.log | |
| docker-compose logs 2>&1 | tee end-to-end/reports/${{ matrix.test }}/docker-allcontainers.log | |
| - name: Upload Logs | |
| if: failure() | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: reports-${{matrix.test}} | |
| path: end-to-end/reports | |
| image-locations: | |
| name: Comment with image locations | |
| if: ${{github.event_name == 'pull_request'}} | |
| runs-on: ubuntu-latest | |
| needs: [ build, static, test-matrix, setup, test ] | |
| steps: | |
| - name: Generate idc-isle-dc commit url | |
| id: isledc-commit-url | |
| run: echo "::set-output name=isledc-commit-url::$GITHUB_SERVER_URL/jhu-idc/idc-isle-dc/tree/${{needs.setup.outputs.isledc-commit}}" | |
| - name: Create comment with image tags | |
| run: | | |
| cat << 'EOF' > image.md | |
| #### Images for idc-isle-buildkit commit `${{github.event.pull_request.head.sha}}` | |
| * Buildkit images were built from idc-isle-buildkit head `${{github.head_ref}}` (`${{github.event.pull_request.head.sha}}`) | |
| * Base ref: `${{github.base_ref}}` (`${{github.event.pull_request.base.sha}}`) | |
| * Merge ref: `${{github.sha}}` | |
| * All images have been pushed to `${{ secrets.REPOSITORY }}` with tag `${{needs.setup.outputs.image-tag}}` | |
| * `drupal-static` was built from [idc-isle-dc commit `${{needs.setup.outputs.isledc-commit}}`](${{steps.isledc-commit-url.outputs.isledc-commit-url}}) | |
| * Workflow logs for these images may be viewed [here](${{needs.setup.outputs.ci-url}}) | |
| Example docker pull command: | |
| ``` | |
| docker pull ${{ secrets.REPOSITORY }}/drupal-static:${{needs.setup.outputs.image-tag}} | |
| ``` | |
| EOF | |
| - name: Add failure warning | |
| if: failure() | |
| run: | | |
| echo -e "> **Warning**: idc-isle-dc [tests failed](${{needs.setup.outputs.ci-url}}), so the images may not be useful for testing.\n\n$(cat image.md)" > image.md | |
| - name: Post comment | |
| uses: machine-learning-apps/[email protected] | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| path: image.md |