
# Reusable workflow (invoked via `workflow_call`) that builds, scans and pushes
# a Docker image and/or lints and deploys a Helm chart through the
# clouddrove/smurf action. The `secrets:` and `inputs:` maps below are the
# caller-facing contract; renaming or removing an entry breaks callers.
name: Smurf
on:
  workflow_call:
    secrets:
      # NOTE(review): docker-username, docker-password, ecr-registry, the GCP
      # entries (WORKLOAD_IDENTITY_PROVIDER, SERVICE_ACCOUNT), DOCKERHUB_* and
      # env-vars are declared here but not referenced by any job in this file.
      # Presumably forwarded to the smurf action or reserved for later use;
      # confirm before callers depend on them being honoured.
      docker-username:
        description: 'Docker Hub username'
        required: false
      docker-password:
        description: 'Docker Hub token'
        required: false
      ecr-registry:
        description: 'ECR registry URL'
        required: false
      # Static AWS credentials; only read when `aws_auth_method` is 'keys'.
      # Prefer the OIDC path ('oidc' + `aws-role`) so no long-lived key has to
      # be stored as a repository secret.
      AWS_ACCESS_KEY_ID:
        required: false
        description: 'AWS Access Key ID for direct authentication'
      AWS_SECRET_ACCESS_KEY:
        required: false
        description: 'AWS Secret Access Key for direct authentication'
      AWS_SESSION_TOKEN:
        required: false
        description: 'AWS Session Token for direct authentication'
      WORKLOAD_IDENTITY_PROVIDER:
        required: false
        description: 'GCP Workload Identity Provider identifier'
      SERVICE_ACCOUNT:
        required: false
        description: 'GCP Service Account to use'
      DOCKERHUB_USERNAME:
        required: false
        description: 'Dockerhub Username'
      DOCKERHUB_PASSWORD:
        required: false
        description: 'Dockerhub Password'
      env-vars:
        required: false
        description: 'Additional environment variables in JSON format'
    inputs:
      # Feature switches are typed `string` and compared against the literal
      # 'true' in job-level `if:` conditions; any other value disables the job.
      docker_enable:
        description: 'Set to true to run docker commands'
        type: string
        required: false
        default: 'false'
      helm_enable:
        description: 'Set to true to run helm commands'
        type: string
        required: false
        default: 'false'
      command:
        description: 'Command to run with tool'
        type: string
        required: false
      # Ref passed to actions/checkout. Note the default is 'master', not the
      # repository's configured default branch.
      branch:
        description: 'Branch to checkout'
        type: string
        default: 'master'
      aws-role:
        description: 'AWS IAM role ARN to assume'
        type: string
        required: false
      aws-region:
        description: 'AWS region'
        type: string
        default: 'us-east-1'
      # 'oidc' or 'keys'. Has no default: if unset, neither AWS credential step
      # runs and later AWS/EKS calls will fail unauthenticated.
      aws_auth_method:
        description: 'AWS Auth method to use'
        type: string
        required: false
      docker_scan:
        description: 'Set true for docker scan'
        type: string
        required: false
      # NOTE(review): not referenced by any job in this file; the scan step
      # invokes trivy directly rather than a smurf command.
      docker_scan_command:
        description: 'Command for docker scan'
        type: string
        required: false
      docker_push:
        description: 'Set true for docker push'
        type: string
        required: false
      # The *_command inputs are handed verbatim to the smurf action's
      # `command` input, i.e. callers effectively supply command lines.
      docker_push_command:
        description: 'Command for docker push'
        type: string
        required: false
      docker_build_command:
        description: 'Command for docker build'
        type: string
        required: false
      docker_tag_command:
        description: 'Command for docker tag'
        type: string
        required: false
      # Passed to trivy. Combined with `exit-code: '1'` in the scan step, the
      # default makes ANY finding -- including UNKNOWN/LOW -- block the push.
      severity:
        description: 'severities of vulnerabilities to be displayed'
        required: false
        type: string
        default: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
      # Helm-specific inputs
      eks-cluster:
        description: 'EKS cluster name'
        type: string
        required: false
      ecr-repository:
        description: 'ECR repository URL'
        type: string
        required: false
      dockerfile-path:
        description: 'Path to Dockerfile'
        type: string
        required: false
      helm-values-path:
        description: 'Path to Helm values file'
        type: string
        required: false
      helm-chart-path:
        description: 'Path to Helm chart'
        type: string
        required: false
      namespace:
        description: 'Kubernetes namespace'
        type: string
        required: false
        default: 'testing-smurf'
      # NOTE(review): declared but not used by any job in this file.
      timeout:
        description: 'Timeout in seconds'
        type: number
        default: 30
      helm_scan_command:
        description: 'Command for helm scan (lint+template)'
        type: string
        required: false
      helm_deploy_command:
        description: 'Command for helm deploy'
        type: string
        required: false
      # Docker-specific inputs
      # image-name doubles as the artifact name that carries the built image
      # between the docker-build and docker-scan-push jobs.
      image-name:
        description: 'Docker image name'
        type: string
        required: false
      image-tag:
        description: 'Docker image tag'
        type: string
        required: false
      # Path of the `docker save` output that is uploaded/downloaded as the artifact.
      image-tar:
        description: 'Docker image tar'
        type: string
        required: false
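jobs:
  # Builds the image with smurf (sdkr) and hands it to docker-scan-push as an
  # artifact, so the image that gets scanned and pushed is exactly the one
  # built here.
  docker-build:
    if: inputs.docker_enable == 'true'
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # only needed for the OIDC path (aws_auth_method == 'oidc')
      contents: read
    env:
      # Set at job level instead of `echo ... >> $GITHUB_ENV` from a shell step:
      # a caller-supplied value containing a newline could otherwise append
      # arbitrary extra variables (e.g. LD_PRELOAD) to the runner environment.
      AWS_DEFAULT_REGION: ${{ inputs.aws-region }}
      EKS_CLUSTER_NAME: ${{ inputs.eks-cluster }}
    steps:
      - name: Checkout code
        uses: actions/[email protected]
        with:
          # Same ref as the other jobs; without this the build job checked out
          # the default branch while scan/deploy used `inputs.branch`.
          ref: ${{ inputs.branch }}
      - name: Configure AWS credentials with OIDC
        if: inputs.aws_auth_method == 'oidc'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ inputs.aws-role }}
          aws-region: ${{ inputs.aws-region }}
      - name: Configure AWS credentials with access keys
        # Writes long-lived keys to ~/.aws on the runner; prefer OIDC where
        # possible. Secrets reach the shell only via `env:` and are quoted.
        if: inputs.aws_auth_method == 'keys'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
          AWS_REGION: ${{ inputs.aws-region }}
        run: |
          aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
          aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
          if [[ -n "$AWS_SESSION_TOKEN" ]]; then
            aws configure set aws_session_token "$AWS_SESSION_TOKEN"
          fi
          aws configure set region "$AWS_REGION"
      - name: Docker Image Build
        # `command` is executed by the smurf action as supplied by the caller.
        # TODO(review): pin smurf to a full commit SHA; this file mixes
        # v1.0.2 / v1.0.3 / v1.0.4 across jobs.
        uses: clouddrove/[email protected]
        with:
          tool: sdkr
          command: ${{ inputs.docker_build_command }}
      - name: Save Docker Image as Artifact
        # Inputs go through `env:` and are quoted so a name/tag/path containing
        # shell metacharacters cannot be interpreted by bash.
        env:
          IMAGE_NAME: ${{ inputs.image-name }}
          IMAGE_TAG: ${{ inputs.image-tag }}
          IMAGE_TAR: ${{ inputs.image-tar }}
        run: |
          docker save "${IMAGE_NAME}:${IMAGE_TAG}" -o "$IMAGE_TAR"
      - name: Upload Docker Image Artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ inputs.image-name }}
          path: ${{ inputs.image-tar }}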
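docker-scan-push:
  # Loads the artifact produced by docker-build, gates it on a trivy scan and
  # only then tags and pushes it. The job runs only when scan AND push are both
  # requested, so an image can never be pushed unscanned through this workflow.
  if: inputs.docker_enable == 'true' && inputs.docker_scan == 'true' && inputs.docker_push == 'true'
  runs-on: ubuntu-latest
  needs: docker-build
  permissions:
    id-token: write  # only needed for the OIDC path (aws_auth_method == 'oidc')
    contents: read
  env:
    # Job-level env instead of `echo ... >> $GITHUB_ENV`: a caller-supplied
    # value containing a newline could otherwise inject extra variables.
    AWS_DEFAULT_REGION: ${{ inputs.aws-region }}
    EKS_CLUSTER_NAME: ${{ inputs.eks-cluster }}
  steps:
    - name: Checkout code
      uses: actions/[email protected]
      with:
        ref: ${{ inputs.branch }}
    - name: Download Docker Image Artifact
      uses: actions/download-artifact@v4
      with:
        name: ${{ inputs.image-name }}
    - name: Load Docker Image
      # Path passed via `env:` and quoted rather than interpolated into the script.
      env:
        IMAGE_TAR: ${{ inputs.image-tar }}
      run: |
        docker load -i "$IMAGE_TAR"
    - name: Configure AWS credentials with OIDC
      if: inputs.aws_auth_method == 'oidc'
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ inputs.aws-role }}
        aws-region: ${{ inputs.aws-region }}
    - name: Configure AWS credentials with access keys
      # Writes long-lived keys to ~/.aws on the runner; prefer OIDC where
      # possible. Secrets reach the shell only via `env:` and are quoted.
      if: inputs.aws_auth_method == 'keys'
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
        AWS_REGION: ${{ inputs.aws-region }}
      run: |
        aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
        aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
        if [[ -n "$AWS_SESSION_TOKEN" ]]; then
          aws configure set aws_session_token "$AWS_SESSION_TOKEN"
        fi
        aws configure set region "$AWS_REGION"
    - name: Docker Scan with trivy
      # Pinned to a release tag instead of `@master`: a mutable branch ref lets
      # whoever controls that branch run code in a job that holds AWS
      # credentials. TODO(review): pin to the full commit SHA of this tag.
      # `exit-code: '1'` makes any finding at the listed severities fail the
      # job and therefore block the tag/push steps below.
      uses: aquasecurity/trivy-action@0.28.0
      with:
        image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
        exit-code: '1'
        format: 'table'
        severity: ${{ inputs.severity }}
    - name: Docker Image Tag
      # The job-level `if` already requires docker_push == 'true'; the step
      # condition is kept as an explicit guard and is redundant, not wrong.
      if: inputs.docker_push == 'true'
      uses: clouddrove/[email protected]
      with:
        tool: sdkr
        command: ${{ inputs.docker_tag_command }}
    - name: Docker Image Push
      if: inputs.docker_push == 'true'
      # TODO(review): pin smurf to a full commit SHA; this file mixes
      # v1.0.2 / v1.0.3 / v1.0.4 across jobs.
      uses: clouddrove/[email protected]
      with:
        tool: sdkr
        command: ${{ inputs.docker_push_command }}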
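helm-scan:
  # Runs the caller-supplied smurf "selm" command (lint + template per the
  # input description). helm-deploy requires this job to succeed.
  if: inputs.helm_enable == 'true'
  runs-on: ubuntu-latest
  permissions:
    id-token: write  # only needed for the OIDC path (aws_auth_method == 'oidc')
    contents: read
  env:
    # Job-level env instead of `echo ... >> $GITHUB_ENV`: a caller-supplied
    # value containing a newline could otherwise inject extra variables.
    AWS_DEFAULT_REGION: ${{ inputs.aws-region }}
    EKS_CLUSTER_NAME: ${{ inputs.eks-cluster }}
  steps:
    - name: Check out code
      uses: actions/[email protected]
      with:
        ref: ${{ inputs.branch }}
    - name: Configure AWS credentials with OIDC
      if: inputs.aws_auth_method == 'oidc'
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ inputs.aws-role }}
        aws-region: ${{ inputs.aws-region }}
    - name: Configure AWS credentials with access keys
      # Writes long-lived keys to ~/.aws on the runner; prefer OIDC where
      # possible. Secrets reach the shell only via `env:` and are quoted.
      if: inputs.aws_auth_method == 'keys'
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
        AWS_REGION: ${{ inputs.aws-region }}
      run: |
        aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
        aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
        if [[ -n "$AWS_SESSION_TOKEN" ]]; then
          aws configure set aws_session_token "$AWS_SESSION_TOKEN"
        fi
        aws configure set region "$AWS_REGION"
    - name: Helm Scan (Lint + Template)
      # NOTE(review): lint/template should not need cloud credentials; the AWS
      # steps above are kept for parity with the other jobs -- confirm whether
      # they can be dropped here to shrink the credentialed surface.
      # TODO(review): pin smurf to a full commit SHA.
      uses: clouddrove/[email protected]
      with:
        tool: selm
        command: ${{ inputs.helm_scan_command }}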
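helm-deploy:
  # Deploys the chart once helm-scan has passed and, when the Docker pipeline
  # is enabled, once the image has been scanned and pushed.
  runs-on: ubuntu-latest
  needs: [helm-scan, docker-scan-push]
  # A single `if:` -- the previous revision declared the key twice, which is a
  # YAML duplicate-key error (the "Invalid workflow file" failure on this run).
  # `always()` is required because docker-scan-push is *skipped* (not failed)
  # when docker_enable != 'true', and a skipped dependency would otherwise
  # skip this job too. The helm_enable check from the dropped key is folded in.
  # NOTE(review): when docker_enable == 'true' but docker_scan/docker_push are
  # not both 'true', docker-scan-push is skipped and this job never runs --
  # looks like an intentional "no deploy without a scanned, pushed image"
  # gate; confirm.
  if: |
    always() &&
    inputs.helm_enable == 'true' &&
    needs.helm-scan.result == 'success' &&
    (inputs.docker_enable != 'true' || needs.docker-scan-push.result == 'success')
  permissions:
    id-token: write  # only needed for the OIDC path (aws_auth_method == 'oidc')
    contents: read
  env:
    # Job-level env instead of `echo ... >> $GITHUB_ENV`: a caller-supplied
    # value containing a newline could otherwise inject extra variables.
    AWS_DEFAULT_REGION: ${{ inputs.aws-region }}
    EKS_CLUSTER_NAME: ${{ inputs.eks-cluster }}
  steps:
    - name: Check out code
      uses: actions/[email protected]
      with:
        ref: ${{ inputs.branch }}
    - name: Configure AWS credentials with OIDC
      if: inputs.aws_auth_method == 'oidc'
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ inputs.aws-role }}
        aws-region: ${{ inputs.aws-region }}
    - name: Configure AWS credentials with access keys
      # Writes long-lived keys to ~/.aws on the runner; prefer OIDC where
      # possible. Secrets reach the shell only via `env:` and are quoted.
      if: inputs.aws_auth_method == 'keys'
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
        AWS_REGION: ${{ inputs.aws-region }}
      run: |
        aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
        aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
        if [[ -n "$AWS_SESSION_TOKEN" ]]; then
          aws configure set aws_session_token "$AWS_SESSION_TOKEN"
        fi
        aws configure set region "$AWS_REGION"
    - name: Configure kubectl
      # Quoted so a cluster name or region with spaces/metacharacters is passed
      # as a single argument; fails fast if the cluster name is empty.
      run: |
        if [[ -z "$EKS_CLUSTER_NAME" ]]; then
          echo "eks-cluster input is required for helm deploy" >&2
          exit 1
        fi
        aws eks update-kubeconfig --name "$EKS_CLUSTER_NAME" --region "$AWS_DEFAULT_REGION"
    - name: Helm Deploy
      # `command` is executed by the smurf action as supplied by the caller and
      # runs with cluster credentials. TODO(review): pin smurf to a commit SHA.
      uses: clouddrove/[email protected]
      with:
        tool: selm
        command: ${{ inputs.helm_deploy_command }}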