Skip to content

chore(limit): modify as well #962

chore(limit): modify as well

chore(limit): modify as well #962

Workflow file for this run

name: publish
on:
push:
branches:
- jupyter-apis-aaw2.0
pull_request:
types:
- 'opened'
- 'synchronize'
- 'reopened'
schedule:
- cron: '0 23 * * *'
env:
REGISTRY_NAME: k8scc01covidacr
# Dev Registry cannot be used in 2.0 since we don't have access to the acrdev
DEV_REGISTRY_NAME: k8scc01covidacrdev
TRIVY_VERSION: "v0.57.0"
TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"'
TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"'
TRIVY_MAX_RETRIES: 5
TRIVY_RETRY_DELAY: 20
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
HADOLINT_VERSION: "2.12.0"
jobs:
build:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
# Determine if pushing to ACR or DEV ACR
# Bypassed for dev, only push if has auto-deploy tag
- name: Set ENV variables for a PR
if: github.event_name == 'pull_request'
run: echo "REGISTRY=${{env.REGISTRY_NAME}}.azurecr.io" >> "$GITHUB_ENV"
- name: Set ENV variable for pushes to main branch of 2.0
if: github.event_name == 'push' && github.ref == 'refs/heads/jupyter-apis-aaw2.0'
run: echo "REGISTRY=${{env.REGISTRY_NAME}}.azurecr.io" >> "$GITHUB_ENV"
# Push image to ACR
# Pushes if this is a push to master or an update to a PR that has auto-deploy label
- name: Test if we should push to ACR
id: should-i-push
if: |
github.event_name == 'push' ||
(
github.event_name == 'pull_request' &&
contains( github.event.pull_request.labels.*.name, 'auto-deploy')
)
run: echo "::set-output name=boolean::true"
- uses: actions/checkout@master
# Connect to Azure Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ env.REGISTRY_NAME }}.azurecr.io
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
# Connect to Azure DEV Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ env.DEV_REGISTRY_NAME }}.azurecr.io
username: ${{ secrets.DEV_REGISTRY_USERNAME }}
password: ${{ secrets.DEV_REGISTRY_PASSWORD }}
- name: Run Hadolint
run: |
sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint
sudo chmod +x hadolint
./hadolint ./Dockerfile --no-fail
- name: Build image locally
run: |
docker build -f Dockerfile -t localhost:5000/jupyter-apis-aaw2:${{ github.sha }} .
docker push localhost:5000/jupyter-apis-aaw2:${{ github.sha }}
docker image prune
# Scan image for vulnerabilities
- name: Aqua Security Trivy image scan
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
set +e # Lets trivy return an error without it being fatal
for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do
echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..."
trivy image \
--db-repository ${{ env.TRIVY_DATABASES }} \
--java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \
localhost:5000/jupyter-apis-aaw2:${{ github.sha }} \
--exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL \
--skip-dirs /usr/local/SASHome
EXIT_CODE=$?
if [[ $EXIT_CODE -eq 0 ]]; then
echo "Trivy scan completed successfully."
exit 0
elif [[ $EXIT_CODE -eq 10 ]]; then
echo "Trivy scan completed successfully. Some vulnerabilities were found."
exit 10
elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1)) ]]; then
echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..."
sleep ${{ env.TRIVY_RETRY_DELAY }}
else
echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting."
exit 1
fi
done
# Container build and push to a Azure Container registry (ACR)
- name: Push to ACR if necessary
if: steps.should-i-push.outputs.boolean == 'true'
run: |
docker pull localhost:5000/jupyter-apis-aaw2:${{ github.sha }}
docker tag localhost:5000/jupyter-apis-aaw2:${{ github.sha }} ${{ env.REGISTRY }}/jupyter-apis-aaw2:${{ github.sha }}
docker push ${{ env.REGISTRY }}/jupyter-apis-aaw2:${{ github.sha }}
- name: Slack Notification
if: failure() && github.event_name=='schedule'
uses: act10ns/slack@v1
with:
status: failure
message: jupyter-apis build failed. https://github.com/StatCan/jupyter-apis/actions/runs/${{github.run_id}}