add reusable workflow
Arvind644 committed Jul 30, 2023
1 parent b6f7040 commit 8de3408
Showing 1 changed file with 59 additions and 168 deletions.
227 changes: 59 additions & 168 deletions .github/workflows/build-push-chart.yml
Expand Up @@ -17,187 +17,78 @@ permissions: read-all

jobs:
setenv:
runs-on: ubuntu-latest

outputs:
short_sha: ${{ steps.env.outputs.short_sha }}
chart_version: ${{ steps.env.outputs.chart_version }}
image_version: ${{ steps.env.outputs.image_version }}
image_tag: ${{ steps.env.outputs.image_tag }}
image_repo_tag: ${{ steps.env.outputs.image_repo_tag }}
image_repository: ${{ steps.env.outputs.image_repository }}
registry: ${{ steps.env.outputs.registry }}
branch: ${{ steps.env.outputs.branch }}
compname: ${{ steps.env.outputs.compname }}
dhurl: ${{ steps.env.outputs.dhurl }}
gh_handle: ${{ steps.env.outputs.gh_handle }}

steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
fetch-depth: 1

- name: Export env
id: env
env:
DHURL: https://console.deployhub.com
REGISTRY: quay.io
BRANCH: ${{ github.head_ref || github.ref_name }}
run: |
BRANCH=$(echo "${{ env.BRANCH }}" | cut -d'/' -f1)
BASE_VERSION=$(curl -s "https://ortelius.github.io/${{ github.event.repository.name }}/index.yaml" | grep version: | awk '{print $2}' | cut -f1-2 -d. | sort -u -r --version-sort | head -1)
SHORT_SHA=$(echo ${{ github.sha }} | cut -c 1-6)
{
echo "dhurl=${{ env.DHURL }}"
echo "branch=${BRANCH}"
echo "chart_version=${BASE_VERSION}.${{ github.run_number }}"
echo "compname=${{ github.event.repository.name }}"
echo "image_repo_tag=${{ env.REGISTRY }}/${{ github.repository }}:${BRANCH}-v${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}"
echo "image_repository=${{ env.REGISTRY }}/${{ github.repository }}"
echo "image_tag=${BRANCH}-v${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}"
echo "image_version=${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}"
echo "registry=${{ env.REGISTRY }}"
echo "short_sha=${SHORT_SHA}"
echo "gh_handle=$GITHUB_ACTOR"
} >> "$GITHUB_OUTPUT"
uses: ortelius/workflow-toolkit/.github/workflows/env-config-workflow.yml@cf5621d9d515b30f327262fcc356f36190ace596
with:
gh_head_ref: ${{ github.head_ref }}
gh_ref_name: ${{ github.ref_name }}
gh_event_repo_name: ${{ github.event.repository.name }}
gh_sha: ${{ github.sha }}
gh_repo: ${{ github.repository }}
gh_run_number: ${{ github.run_number }}

release:
runs-on: ubuntu-latest
uses: ortelius/workflow-toolkit/.github/workflows/container-release-workflow.yml@cf5621d9d515b30f327262fcc356f36190ace596
needs: setenv

outputs:
digest: ${{ steps.build.outputs.digest }}

steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

- name: Login to Quay
if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
id: login
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: ${{ needs.setenv.outputs.registry }}
username: ${{ secrets.QUAY_USERID }}
password: ${{ secrets.QUAY_PASSWORD }}

- name: Build and Push Docker Image
if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
id: build
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
with:
push: true
tags: ${{ needs.setenv.outputs.image_repo_tag }}

- name: Build Docker Image
if: ${{ !(github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main') }}
id: build_only
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
with:
tags: ${{ needs.setenv.outputs.image_repo_tag }}
with:
gh_repository_owner: ${{ github.repository_owner }}
gh_event_name: ${{ github.event_name }}
gh_ref: ${{ github.ref }}
registry: ${{ needs.setenv.outputs.registry }}
image_repo_tag: ${{ needs.setenv.outputs.image_repo_tag }}
secrets:
QUAY_USERID: ${{ secrets.QUAY_USERID }}
QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}

trivy:
runs-on: ubuntu-latest
needs: [setenv, release]

permissions:
security-events: write
statuses: write

if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # master
with:
image-ref: ${{ needs.setenv.outputs.image_repo_tag }}
format: "sarif"
output: "trivy-results.sarif"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
if: always()
with:
sarif_file: "trivy-results.sarif"

helm:
runs-on: ubuntu-latest
uses: ortelius/workflow-toolkit/.github/workflows/trivy-scan-workflow.yml@cf5621d9d515b30f327262fcc356f36190ace596
needs: [setenv, release]
with:
gh_repository_owner: ${{ github.repository_owner }}
gh_event_name: ${{ github.event_name }}
gh_ref: ${{ github.ref }}
image_repo_tag: ${{ needs.setenv.outputs.image_repo_tag }}

helm:
permissions:
contents: write
uses: ortelius/workflow-toolkit/.github/workflows/helm-release-workflow.yml@cf5621d9d515b30f327262fcc356f36190ace596
needs: [setenv, release]
with:
gh_repository_owner: ${{ github.repository_owner }}
gh_event_name: ${{ github.event_name }}
gh_ref: ${{ github.ref }}
gh_handle: ${{ needs.setenv.outputs.gh_handle }}
chart: chart/${{ needs.setenv.outputs.compname }}
chart_version: ${{ needs.setenv.outputs.chart_version }}
image_repository: ${{ needs.setenv.outputs.image_repository }}
image_tag: ${{ needs.setenv.outputs.image_tag }}
image_digest: ${{ needs.release.outputs.digest }}
secrets:
GPG_KEYRING_BASE64: ${{ secrets.GPG_KEYRING_BASE64 }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
GPG_KEY: ${{ secrets.GPG_KEY }}
gh_token: ${{ secrets.HELM_INDEXER_TOKEN }}

if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Helm Chart Releaser
uses: ortelius/ms-cr-action@d98a4163765db41dbc8159f3a31f30f77bbe23bd # v1.2
with:
gpg_keyring_base64: ${{ secrets.GPG_KEYRING_BASE64 }}
gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
gpg_key: ${{ secrets.GPG_KEY }}
gh_token: ${{ secrets.HELM_INDEXER_TOKEN }}
gh_handle: ${{ needs.setenv.outputs.gh_handle }}
chart: chart/${{ needs.setenv.outputs.compname }}
chart_version: ${{ needs.setenv.outputs.chart_version }}
image_repository: ${{ needs.setenv.outputs.image_repository }}
image_tag: ${{ needs.setenv.outputs.image_tag }}
image_digest: ${{ needs.release.outputs.digest }}

- name: Trigger Rebuild of Main Chart
uses: benc-uk/workflow-dispatch@798e70c97009500150087d30d9f11c5444830385 # v1.2.2
with:
workflow: generate-main-chart.yml
repo: ortelius/ortelius-charts
token: ${{ secrets.HELM_INDEXER_TOKEN }}

sbom:
runs-on: ubuntu-latest
uses: ortelius/workflow-toolkit/.github/workflows/sbom-generation-workflow.yml@cf5621d9d515b30f327262fcc356f36190ace596
needs: [setenv, release]

if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: SBOM
uses: ortelius/ms-sbom-action@78faa3aadef42708432a337fa2953a82ddfd2512 # v1.0.0
with:
dhpass: ${{ secrets.DHPASS }}
dhurl: ${{ needs.setenv.outputs.dhurl }}
dhuser: ${{ secrets.DHUSER }}
compname: ${{ needs.setenv.outputs.compname }}
chart_version: ${{ needs.setenv.outputs.chart_version }}
git_branch: ${{ needs.setenv.outputs.branch }}
image_digest: ${{ needs.release.outputs.digest }}
image_repo_tag: ${{ needs.setenv.outputs.image_repo_tag }}
image_repository: ${{ needs.setenv.outputs.image_repository }}
image_tag: ${{ needs.setenv.outputs.image_tag }}
image_version: ${{ needs.setenv.outputs.image_version }}
with:
gh_repository_owner: ${{ github.repository_owner }}
gh_event_name: ${{ github.event_name }}
gh_ref: ${{ github.ref }}
dhurl: ${{ needs.setenv.outputs.dhurl }}
compname: ${{ needs.setenv.outputs.compname }}
chart_version: ${{ needs.setenv.outputs.chart_version }}
branch: ${{ needs.setenv.outputs.branch }}
digest: ${{ needs.release.outputs.digest }}
image_repo_tag: ${{ needs.setenv.outputs.image_repo_tag }}
image_repository: ${{ needs.setenv.outputs.image_repository }}
image_tag: ${{ needs.setenv.outputs.image_tag }}
image_version: ${{ needs.setenv.outputs.image_version }}
secrets:
DHPASS: ${{ secrets.DHPASS }}
DHUSER: ${{ secrets.DHUSER }}
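Review bot: The new trivy job (the `uses: ortelius/workflow-toolkit/.github/workflows/trivy-scan-workflow.yml@…` call with its `needs`/`with` block) shows no `permissions:` of its own on this page, while the inline job it replaces granted `security-events: write` and `statuses: write` for the SARIF upload; with the file-level `permissions: read-all` in the hunk header, a called workflow that still uploads to the Security tab would be denied unless the caller job grants it, so add `permissions:` / `security-events: write` to the trivy job the same way the helm job already carries `contents: write` (if the reusable workflow no longer uploads SARIF, this does not apply). The `image_digest: ${{ needs.release.outputs.digest }}` input in helm and `digest:` in sbom also rely on container-release-workflow.yml declaring a workflow-level `digest` output, which cannot be confirmed from this page and is worth checking since the old `outputs: digest:` mapping on the release job is gone. The reusable workflows and secrets are pinned by full commit SHA and passed explicitly rather than via `secrets: inherit`, which is the right shape. Separately, the MegaLinter annotation reports the file has no trailing newline.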

Check failure on line 94 in .github/workflows/build-push-chart.yml


GitHub Actions / MegaLinter

94:36 [new-line-at-end-of-file] no new line character at the end of file
