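# Resolves the digest that mitre/heimdall-lite:latest currently points at on
# Docker Hub and opens an Iron Bank (repo1.dso.mil) issue + merge request that
# bumps hardening_manifest.yaml to that digest. The Docker Hub build/push steps
# are still commented out, so today this is only the Iron Bank half.
#
# Security notes for maintainers:
# - `pull_request` (marked "remove" below) runs for same-repo branches WITH the
#   repository secrets, so any PR against master exercises the REPO1 token and
#   creates real issues/MRs on Iron Bank. Remove it before the token is anything
#   other than a throwaway test credential.
# - The digest is whatever `:latest` resolves to on Docker Hub at run time, not
#   an image built from this commit, so the manifest can be bumped to an image
#   that does not correspond to `github.sha` (TOCTOU with the push workflow).
# - REPO1_PAT_AMANN_MAXIMAL is a personal token; prefer a project/group access
#   token limited to the `api` + `write_repository` scopes on the Iron Bank
#   project so the automation cannot act as a person.
# - Secrets and event data are handed to the shell through `env:` instead of
#   being expanded inline with `${{ }}`, so they never become script text.
name: Push Heimdall Lite to Docker Hub on every merge to master and tag as latest
on:
  push:
    branches: [master]
  pull_request: # remove
    branches: [master]
# Nothing here writes to the GitHub repository; all mutations go to Iron Bank
# with the REPO1 token, so GITHUB_TOKEN only needs read access for checkout.
permissions:
  contents: read
env:
  IRONBANK_HEIMDALL_PROJECT_ID: "5450" # this is for heimdall, not heimdall-lite (mainline) - I think these can be in-line envs instead of supplied by github repo/org level secrets/values since each push/release workflow will have a unique ironbank id due to the mainline vs release + heimdalllite vs heimdall matrix
jobs:
  docker:
    runs-on: ubuntu-22.04
    env:
      # On `push` events github.event.pull_request is empty, which previously
      # produced an empty branch name and commit message. Fall back to the
      # pushed commit there; on `pull_request` events github.sha would be the
      # synthetic merge commit, which is why head.sha is preferred.
      RELEASE_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
    steps:
      - name: Checkout the Heimdall Repository
        # Consider pinning to a full commit SHA (actions/checkout@<sha> # vX.Y.Z)
        # so a moved tag cannot change what runs in this job.
        uses: actions/checkout@v4
      # - name: Set up Docker Buildx
      #   uses: docker/setup-buildx-action@v3
      # - name: Login to DockerHub
      #   uses: docker/login-action@v3
      #   with:
      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
      # - name: Build and push
      #   id: docker_build
      #   uses: docker/build-push-action@v6
      #   with:
      #     context: .
      #     file: Dockerfile.lite
      #     push: false # revert
      #     platforms: linux/amd64
      #     tags: mitre/heimdall-lite:latest # ,mitre/heimdall-lite:${{ github.event.pull_request.head.sha }} # should be ${{ github.sha }} but pull requests are weird
      - name: Get Docker SHA
        shell: bash
        id: get-docker-sha
        # Previously a failed pull silently exported an empty DOCKER_SHA, which
        # would have been written into the hardening manifest as "...heimdall2@".
        run: |
          set -euo pipefail
          docker pull mitre/heimdall-lite:latest > /dev/null
          DOCKER_SHA="$(docker inspect --format='{{index .RepoDigests 0}}' mitre/heimdall-lite:latest | cut -d '@' -f 2)"
          # Only a well-formed sha256 digest may reach the manifest.
          if [[ ! "${DOCKER_SHA}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "::error::could not resolve a sha256 digest for mitre/heimdall-lite:latest (got '${DOCKER_SHA}')"
            exit 1
          fi
          echo "DOCKER_SHA=${DOCKER_SHA}" >> "$GITHUB_ENV"
      - name: Make working directory for Iron Bank changes
        run: mkdir ../ironbank_heimdall
      - name: Clone Iron Bank repo
        working-directory: ../ironbank_heimdall
        run: |
          git clone https://repo1.dso.mil/dsop/mitre/security-automation-framework/heimdall2.git . # need to swap to right repo
      - name: Update local copy of Iron Bank repo to have the latest digest
        working-directory: ../ironbank_heimdall
        run: |
          set -euo pipefail
          git switch -c "${RELEASE_SHA}" # swap to sha
          # Refuse to run if the manifest does not already have resources[1].url:
          # `yq -i` would otherwise silently create the entry at the wrong index.
          yq e -e '.resources[1].url' hardening_manifest.yaml > /dev/null
          # NOTE: the digest comes from heimdall-lite but the reference written
          # is heimdall2 (testing only); Iron Bank will not be able to pull a
          # digest that does not exist under that repository.
          yq e -i '.resources[1].url = "docker://docker.io/mitre/heimdall2@" + strenv(DOCKER_SHA)' hardening_manifest.yaml # need to swap to right image
          git diff
          git add hardening_manifest.yaml
          # `commit -s` adds a Signed-off-by for the shared mailbox below, i.e. a
          # DCO attestation made on behalf of whoever triggered the workflow.
          git -c "user.name=Automated Heimdall Release" -c "[email protected]" commit -s -m "updating Heimdall to ${RELEASE_SHA}" # swap to sha, wonder if it's possible to grab the email address of the person who is actually doing the release instead of using mine
      - name: Create issue, branch, and merge request for Iron Bank repo
        working-directory: ../ironbank_heimdall
        env:
          REPO1_TOKEN: ${{ secrets.REPO1_PAT_AMANN_MAXIMAL }}
          REPO1_PROJECT_API: https://repo1.dso.mil/api/v4/projects/${{ env.IRONBANK_HEIMDALL_PROJECT_ID }}
        run: |
          set -euo pipefail
          # ISSUE=$(glab issue create -t "Update Heimdall to $1" -d="" --no-editor -y | cut -d/ -f10)
          # MR_NUMBER=$(glab mr create --allow-collaboration --fill --copy-issue-labels -i $ISSUE --push -y --squash-before-merge | awk -F '/' 'NR==2 {print $NF}')
          TITLE="DRAFT: TESTING ONLY DO NOT MERGE Update Heimdall to ${RELEASE_SHA}" # need to fix the title here and also swap out the commit hash
          # JSON bodies are built with jq so the values are always escaped
          # correctly, and --fail-with-body turns HTTP errors into step failures
          # instead of an empty/null iid.
          ISSUE="$(curl --fail-with-body -sS -X POST \
            --header "PRIVATE-TOKEN: ${REPO1_TOKEN}" \
            --header "Content-Type: application/json" \
            --data "$(jq -nc --arg title "${TITLE}" '{title: $title}')" \
            "${REPO1_PROJECT_API}/issues" | jq -r '.iid')"
          if [[ ! "${ISSUE}" =~ ^[0-9]+$ ]]; then
            echo "::error::issue creation did not return a numeric iid (got '${ISSUE}')"
            exit 1
          fi
          BRANCH="${ISSUE}-update-heimdall-to-${RELEASE_SHA}"
          # Push the commit just made (HEAD) rather than the branch named after
          # the SHA: a 40-hex refspec source is ambiguous between a ref and an
          # object id, and the Heimdall commit does not exist in this repo.
          git push "https://amann:${REPO1_TOKEN}@repo1.dso.mil/dsop/mitre/security-automation-framework/heimdall2.git" "HEAD:${BRANCH}"
          curl --fail-with-body -sS -X POST \
            --header "PRIVATE-TOKEN: ${REPO1_TOKEN}" \
            --header "Content-Type: application/json" \
            --data "$(jq -nc \
              --arg src "${BRANCH}" \
              --arg title "Resolve \"${TITLE}\"" \
              --arg desc "Closes #${ISSUE}" \
              '{allow_collaboration: true, squash: true, source_branch: $src, target_branch: "development", title: $title, description: $desc}')" \
            "${REPO1_PROJECT_API}/merge_requests" # gitsha doesn't need changing but when we want to convert a semver to replace periods with hyphens will probably need to replace the sha variable with this command `$(echo "$however_we_get_the_semver" | sed 's/[\. ]/-/g')`
          # need to 1) manually push local branch to upstream so that branch exists there, 2) make source_branch equal to that thing - maybe will require making the branch after making the issue so that i can grab the issue number?, 3) make the target branch exactly equal to 'development' but maybe i can use the api to get the default branch name which might be development?, 4) figure out how to do the substitution properly so that it'll put the actual issue number in there instead of the word ISSUE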