-
Notifications
You must be signed in to change notification settings - Fork 29
celery worker github workflow #304
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,107 @@ | ||||||||||||||||
| name: (Develop) Build and Push Wavefront Celery Worker app to AWS, GCP and Azure | ||||||||||||||||
|
|
||||||||||||||||
| on: | ||||||||||||||||
| workflow_dispatch: | ||||||||||||||||
|
|
||||||||||||||||
| env: | ||||||||||||||||
| PROJECT_ID: aesy-330511 | ||||||||||||||||
| GCP_REGION: asia-south1 | ||||||||||||||||
| GAR_LOCATION: asia-south1-docker.pkg.dev/aesy-330511/root-hub | ||||||||||||||||
| IMAGE_NAME: wavefront-celery_worker | ||||||||||||||||
|
|
||||||||||||||||
| AWS_REGION: ap-south-1 | ||||||||||||||||
| ECR_REGISTRY: 025066241490.dkr.ecr.ap-south-1.amazonaws.com | ||||||||||||||||
| ECR_REPOSITORY: rootflo/wavefront-celery_worker | ||||||||||||||||
|
|
||||||||||||||||
| ACR_REGISTRY_NAME: rootflo | ||||||||||||||||
| ACR_REGISTRY: rootflo.azurecr.io | ||||||||||||||||
| ACR_REPOSITORY: wavefront-celery_worker | ||||||||||||||||
|
|
||||||||||||||||
| jobs: | ||||||||||||||||
| build-push-artifact: | ||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||
|
Comment on lines
+20
to
+22
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win Gate this develop publish job to the develop ref. This workflow is named/scoped as a develop build, but a manual dispatch can otherwise publish an image from a non-develop ref into the same registries. Suggested guard jobs:
build-push-artifact:
+ if: github.ref == 'refs/heads/develop'
runs-on: ubuntu-latest📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||||||||||||
|
|
||||||||||||||||
| steps: | ||||||||||||||||
| - name: "Checkout" | ||||||||||||||||
| uses: "actions/checkout@v3" | ||||||||||||||||
|
Comment on lines
+25
to
+26
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
workflow="$(fd -p 'build-wavefront-celery_worker-develop.yaml' .github/workflows | head -n1)"
rg -n 'actions/checkout@v3|google-github-actions/(auth|setup-gcloud)`@v1`|persist-credentials' "$workflow"
if command -v actionlint >/dev/null; then actionlint "$workflow"; fiRepository: rootflo/wavefront Length of output: 2311 🏁 Script executed: #!/bin/bash
set -euo pipefail
workflow=".github/workflows/build-wavefront-celery_worker-develop.yaml"
echo '--- file outline ---'
ast-grep outline "$workflow" --view expanded || true
echo '--- relevant lines ---'
nl -ba "$workflow" | sed -n '1,140p'
echo '--- checkout/auth/gcloud/cache references ---'
rg -n 'checkout|auth@|setup-gcloud|cache@|persist-credentials|push|git ' "$workflow"Repository: rootflo/wavefront Length of output: 315 🏁 Script executed: #!/bin/bash
set -euo pipefail
workflow=".github/workflows/build-wavefront-celery_worker-develop.yaml"
echo '--- numbered file slice ---'
awk 'NR>=1 && NR<=140 {printf "%4d %s\n", NR, $0}' "$workflow"
echo '--- git/push-related commands ---'
rg -n 'git (push|tag|commit)|push:|persist-credentials|checkout|docker push|gcloud|auth@|setup-gcloud' "$workflow"Repository: rootflo/wavefront Length of output: 5382 Upgrade the workflow actions and disable checkout credentials
🧰 Tools🪛 actionlint (1.7.12)[error] 26-26: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action) 🪛 zizmor (1.26.1)[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||
|
|
||||||||||||||||
| - name: Get commit hash | ||||||||||||||||
| id: get-commit-hash | ||||||||||||||||
| run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)" | ||||||||||||||||
|
|
||||||||||||||||
| - name: Get timestamp | ||||||||||||||||
| id: get-timestamp | ||||||||||||||||
| run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')" | ||||||||||||||||
|
Comment on lines
+28
to
+34
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
workflow="$(fd -p 'build-wavefront-celery_worker-develop.yaml' .github/workflows | head -n1)"
rg -n '::set-output|GITHUB_OUTPUT' "$workflow"
if command -v actionlint >/dev/null; then actionlint "$workflow"; fiRepository: rootflo/wavefront Length of output: 2328 🏁 Script executed: #!/bin/bash
set -euo pipefail
file=".github/workflows/build-wavefront-celery_worker-develop.yaml"
cat -n "$file" | sed -n '1,120p'Repository: rootflo/wavefront Length of output: 4910 Replace deprecated 🧰 Tools🪛 actionlint (1.7.12)[error] 30-30: workflow command "set-output" was deprecated. use (deprecated-commands) [error] 34-34: workflow command "set-output" was deprecated. use (deprecated-commands) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||
|
|
||||||||||||||||
| - name: Cache Docker layers | ||||||||||||||||
| id: cache-docker-layers | ||||||||||||||||
| uses: actions/cache@v3 | ||||||||||||||||
| with: | ||||||||||||||||
| path: /tmp/.buildx-cache | ||||||||||||||||
| key: ${{ runner.os }}-docker-${{ github.sha }} | ||||||||||||||||
| restore-keys: | | ||||||||||||||||
| ${{ runner.os }}-docker- | ||||||||||||||||
|
|
||||||||||||||||
| - name: Set up Docker Buildx | ||||||||||||||||
| uses: docker/setup-buildx-action@v3 | ||||||||||||||||
|
|
||||||||||||||||
| - name: Build Docker Image | ||||||||||||||||
| id: build-image | ||||||||||||||||
| run: | | ||||||||||||||||
| docker build -f wavefront/server/docker/celery_worker.Dockerfile -t rootflo:${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }} . | ||||||||||||||||
| echo "IMAGE_TAG=${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }}" >> $GITHUB_ENV | ||||||||||||||||
|
|
||||||||||||||||
| - id: "Auth-to-GCP" | ||||||||||||||||
| uses: "google-github-actions/auth@v1" | ||||||||||||||||
| with: | ||||||||||||||||
| credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}" | ||||||||||||||||
|
|
||||||||||||||||
| - name: "Set up Cloud SDK" | ||||||||||||||||
| uses: "google-github-actions/setup-gcloud@v1" | ||||||||||||||||
|
|
||||||||||||||||
| - name: "Docker auth for GCP" | ||||||||||||||||
| run: |- | ||||||||||||||||
| gcloud auth configure-docker ${{ env.GCP_REGION }}-docker.pkg.dev --quiet | ||||||||||||||||
|
|
||||||||||||||||
| - name: Tag and push image to GCP Artifact Registry | ||||||||||||||||
| run: | | ||||||||||||||||
| docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | ||||||||||||||||
| docker push ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | ||||||||||||||||
|
|
||||||||||||||||
| # Configure AWS credentials and push to ECR | ||||||||||||||||
| - name: Configure AWS credentials | ||||||||||||||||
| uses: aws-actions/configure-aws-credentials@v4 | ||||||||||||||||
| with: | ||||||||||||||||
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||||||||||||||||
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||||||||||||||||
| aws-region: ${{ env.AWS_REGION }} | ||||||||||||||||
|
|
||||||||||||||||
| - name: Login to Amazon ECR | ||||||||||||||||
| id: login-ecr | ||||||||||||||||
| uses: aws-actions/amazon-ecr-login@v1 | ||||||||||||||||
|
|
||||||||||||||||
| - name: Tag and push image to Amazon ECR | ||||||||||||||||
| run: | | ||||||||||||||||
| docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||||||||||||||||
| docker push ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||||||||||||||||
|
|
||||||||||||||||
| # Configure Azure credentials and push to ACR | ||||||||||||||||
| - name: Login to Azure | ||||||||||||||||
| uses: azure/login@v2 | ||||||||||||||||
| with: | ||||||||||||||||
| creds: ${{ secrets.AZURE_CREDENTIALS }} | ||||||||||||||||
|
|
||||||||||||||||
| - name: Docker auth for Azure ACR | ||||||||||||||||
| run: az acr login --name ${{ env.ACR_REGISTRY_NAME }} | ||||||||||||||||
|
|
||||||||||||||||
| - name: Tag and push image to Azure Container Registry | ||||||||||||||||
| run: | | ||||||||||||||||
| docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||||||||||||||||
| docker push ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||||||||||||||||
|
|
||||||||||||||||
| - name: Cleanup Docker images | ||||||||||||||||
| run: | | ||||||||||||||||
| docker rmi rootflo:${{ env.IMAGE_TAG }} || true | ||||||||||||||||
| docker rmi ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} || true | ||||||||||||||||
| docker rmi ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} || true | ||||||||||||||||
| docker rmi ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }} || true | ||||||||||||||||
Check warningCode scanning / CodeQL Workflow does not contain permissions Medium
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
|
||||||||||||||||
|
Comment on lines
+22
to
+107
|
||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Set minimal
GITHUB_TOKENpermissions.The workflow only needs repository read access for checkout, so add an explicit top-level permission block.
Suggested permission block
📝 Committable suggestion
🤖 Prompt for AI Agents
Source: Linters/SAST tools