Publish #186
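# Publish: build the fledge and fledge-gui container images from the
# fledgepower-deployment repository, scan the fledge image with Snyk, push
# both images to ghcr.io (on version-tag pushes, or on manual runs when the
# `publish` input is set), then produce the RTE Sonar report PDF as an artifact.
name: Publish

# Controls when the workflow will run
on:
  push:
    tags:
      - 'v*'  # publish only on version tags
  workflow_dispatch:
    inputs:
      tags:
        description: 'Define the tag (ex: v2.3.1)'
        required: true
        type: string
      publish:
        description: 'Check if you want to publish the image'
        required: true
        type: boolean

env:
  IMAGE_REGISTRY: ghcr.io
  REGISTRY_USER: ${{ github.actor }}
  # NOTE(review): secrets in the workflow-level env are exported to every step
  # of every job, including third-party actions. If only the login step needs
  # REGISTRY_PASSWORD, move it into that step; if only the build scripts read
  # TASE2_REPO_ACCESS_TOKEN (they get the environment via `sudo -E`), move it
  # into the "Build images" step's `env:`. Confirm against buildContainerfile.sh.
  REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
  FLEDGE_IMAGE_NAME: 'fledgepower/fledge'
  FLEDGE_GUI_IMAGE_NAME: 'fledgepower/fledge-gui'
  #IMAGE_TAG: '1.0.0-amd64'
  #IMAGE_TAG: 'latest'
  # NOTE(review): on workflow_dispatch, github.ref_name is the branch the run
  # was started from, not the `tags` input, whereas the pmc.yml version and the
  # report file name below do use the input. Confirm this difference is intended.
  IMAGE_TAG: ${{ github.ref_name }}
  #IMAGE_TAG: ${{ github.event.inputs.tags || github.ref_name }}
  TASE2_REPO_ACCESS_TOKEN: ${{ secrets.TASE2_REPO_ACCESS_TOKEN }}
  # Manual runs are tagged latest-dev so they never overwrite the release `latest`.
  LATEST_TAG: "${{ github.event_name == 'workflow_dispatch' && 'latest-dev' || 'latest' }}"

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write          # docker push to ghcr.io
      security-events: write   # upload-sarif to code scanning
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Download and install Docker from Docker's apt repository.
      # `-y` stops apt-get from waiting on a confirmation prompt that a
      # non-interactive runner can never answer; `--batch --yes` does the same
      # for gpg when the keyring file already exists.
      # NOTE(review): GitHub-hosted ubuntu runners already ship Docker, so this
      # step may be redundant — confirm before removing it.
      - name: Download and install Docker
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            ca-certificates \
            curl \
            gnupg \
            lsb-release
          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --batch --yes --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
          echo \
            "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
            $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y docker-ce docker-ce-cli containerd.io

      # Download and install yq yaml processor.
      # NOTE(review): `releases/latest` is a floating reference and the binary is
      # not checksum-verified; pinning a release and verifying its checksum would
      # make this step reproducible.
      - name: Download and install yq
        env:
          YQ_REPO: "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64"
        run: |
          sudo wget -qO /usr/local/bin/yq "$YQ_REPO"
          sudo chmod a+x /usr/local/bin/yq

      # Download fledgepower deployment at the same ref name as this run.
      # Ref names and inputs reach the shell through environment variables
      # ($GITHUB_REF_NAME, step env) rather than `${{ }}` interpolation, so
      # shell metacharacters in a tag name cannot change the command.
      - name: Download fledgepower deployment
        env:
          FP_DEPLOY_REPO: "https://github.com/fledge-power/fledgepower-deployment.git"
        run: |
          git clone "$FP_DEPLOY_REPO" --branch "$GITHUB_REF_NAME" --single-branch

      # Log in to the Container registry ghcr.io (action pinned to a commit SHA)
      - name: Log in to the Container registry
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          registry: ${{ env.IMAGE_REGISTRY }}
          username: ${{ env.REGISTRY_USER }}
          password: ${{ env.REGISTRY_PASSWORD }}

      # Build both images. Image references are assembled in the shell from the
      # exported env vars so no `${{ }}` value is spliced into the script.
      - name: Build images
        run: |
          FLEDGE_IMAGE="$IMAGE_REGISTRY/$GITHUB_REPOSITORY_OWNER/$FLEDGE_IMAGE_NAME:$IMAGE_TAG"
          FLEDGE_GUI_IMAGE="$IMAGE_REGISTRY/$GITHUB_REPOSITORY_OWNER/$FLEDGE_GUI_IMAGE_NAME:$IMAGE_TAG"
          cd ./fledgepower-deployment/all-plugins-ubuntu2404/fledge/
          sudo chmod +x ./buildContainerfile.sh
          ./buildContainerfile.sh
          sudo -E docker build -f fledge.dockerfile -t "$FLEDGE_IMAGE" . --label "$GITHUB_REF"
          cd ../fledge-gui
          sudo -E docker build -f fledge-gui.dockerfile -t "$FLEDGE_GUI_IMAGE" . --label "$GITHUB_REF"

      # Update the version in pmc.yml with the release tag (the `tags` input on
      # manual runs, else the pushed ref name). strenv() reads the value from the
      # environment, so the tag is never quoted into the yq expression by hand.
      - name: Updated version on pmc.yml
        env:
          RELEASE_TAG: ${{ github.event.inputs.tags || github.ref_name }}
        run: |
          yq '.application.version = strenv(RELEASE_TAG)' -i fledgepower-deployment/all-plugins-ubuntu2404/fledge/pmc.yml

      # Archive configuration for sonar report, generated by previous bash script
      - name: Archive sonar report configuration files
        uses: actions/upload-artifact@v4
        with:
          name: yml-and-ini-files
          path: |
            fledgepower-deployment/all-plugins-ubuntu2404/fledge/sonarcloud.ini
            fledgepower-deployment/all-plugins-ubuntu2404/fledge/pmc.yml

      # Run Snyk to check Docker image for vulnerabilities.
      # continue-on-error: a failed scan does not block the push below, so the
      # scan is informational rather than a publishing gate.
      # NOTE(review): `master` is a mutable ref for a third-party action that
      # receives SNYK_TOKEN; pin it to a commit SHA (as docker/login-action is
      # above) so an upstream change cannot silently alter what runs here.
      - name: Snyk scan
        continue-on-error: true
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.IMAGE_REGISTRY }}/${{ github.repository_owner }}/${{ env.FLEDGE_IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          args: --file=fledgepower-deployment/all-plugins-ubuntu2404/fledge/fledge.dockerfile

      # Tag image with latest image
      - name: Tag image
        run: |
          FLEDGE_IMAGE="$IMAGE_REGISTRY/$GITHUB_REPOSITORY_OWNER/$FLEDGE_IMAGE_NAME"
          FLEDGE_GUI_IMAGE="$IMAGE_REGISTRY/$GITHUB_REPOSITORY_OWNER/$FLEDGE_GUI_IMAGE_NAME"
          sudo -E docker tag "$FLEDGE_IMAGE:$IMAGE_TAG" "$FLEDGE_IMAGE:$LATEST_TAG"
          sudo -E docker tag "$FLEDGE_GUI_IMAGE:$IMAGE_TAG" "$FLEDGE_GUI_IMAGE:$LATEST_TAG"

      # Replace security-severity undefined for license-related findings so the
      # SARIF is accepted by code scanning. `cat` prints the whole file to the log.
      - name: Replace security-severity undefined for license-related findings
        run: |
          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
          sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
          cat snyk.sarif

      # As of July 22nd 2025, Github does not support uploading Snyk SARIF with multiple runs
      # Upload result to GitHub Code Scanning
      - name: Snyk results upload
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif

      # Push to ghcr.io (Github Image Registry) only when it's required
      - name: Push images
        if: ${{ github.event_name == 'push' || inputs.publish }}
        run: |
          FLEDGE_IMAGE="$IMAGE_REGISTRY/$GITHUB_REPOSITORY_OWNER/$FLEDGE_IMAGE_NAME"
          FLEDGE_GUI_IMAGE="$IMAGE_REGISTRY/$GITHUB_REPOSITORY_OWNER/$FLEDGE_GUI_IMAGE_NAME"
          sudo -E docker push "$FLEDGE_IMAGE:$IMAGE_TAG"
          sudo -E docker push "$FLEDGE_IMAGE:$LATEST_TAG"
          sudo -E docker push "$FLEDGE_GUI_IMAGE:$IMAGE_TAG"
          sudo -E docker push "$FLEDGE_GUI_IMAGE:$LATEST_TAG"

  generate-sonar-report:
    runs-on: ubuntu-latest
    needs: build-and-push-image
    permissions:
      contents: read  # this job only clones a public repo and reads artifacts; no writes
    steps:
      # Download rte-sonar-report (pinned to a release tag)
      - name: Download rte-sonar-report
        env:
          RTE_SONAR_REPORT_REPO: "https://github.com/rte-france/rte-sonar-report.git"
        run: |
          git clone "$RTE_SONAR_REPORT_REPO" --branch 2025.3.0 --single-branch

      # Set up Python
      - name: Set up Python 3.9
        uses: actions/setup-python@v4
        with:
          python-version: "3.9"  # quoted: an unquoted 3.10 would parse as the float 3.1

      # Install dependencies (apt-get -y: no interactive prompt on the runner)
      - name: Install dependencies
        run: |
          sudo apt-get install -y build-essential
          sudo apt-get install -y libcairo2-dev pkg-config python3-dev
          python -m pip install --upgrade pip setuptools wheel

      # Install rte-sonar-report
      - name: Install rte-sonar-report
        run: |
          cd ./rte-sonar-report
          python -m pip install .

      # Download sonar configuration files from previous job
      - name: Download sonar configuration files
        uses: actions/download-artifact@v5
        with:
          name: yml-and-ini-files

      # Generate the Sonar report for RTE prescription enforcement; the tag
      # reaches the shell via the step env, not `${{ }}` interpolation.
      - name: Generate Sonar report
        env:
          RELEASE_TAG: ${{ github.event.inputs.tags || github.ref_name }}
        run: |
          python -m rte_sonar_reports -a pmc.yml -c sonarcloud.ini -o "pmc_${RELEASE_TAG}.pdf"

      # Archive sonar report file
      - name: Archive sonar report file
        uses: actions/upload-artifact@v4
        with:
          name: sonar-report-pdf
          path: |
            pmc_${{ github.event.inputs.tags || github.ref_name }}.pdf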