Skip to content
This repository has been archived by the owner on Nov 22, 2023. It is now read-only.

Bump docker/login-action from 2.1.0 to 3.0.0 #20

Bump docker/login-action from 2.1.0 to 3.0.0

Bump docker/login-action from 2.1.0 to 3.0.0 #20

Workflow file for this run

name: Pipeline
on:
push:
branches: [main]
pull_request:
branches: [main]
# Allow to run this workflow manually
workflow_dispatch:
env:
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: validate github workflow files to have pinned versions
uses: digitalservicebund/github-actions/github-actions-linter@5009471245d84903ea1af84104eb1908f8e2b2a2
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: .node-version
cache: npm
- name: Cache npm dependencies
id: cache-npm-deps
uses: actions/cache@v3
with:
path: |
**/node_modules
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependencies
if: steps.cache-npm-deps.outputs.cache-hit != 'true'
run: npm ci
- name: Check build
run: npm run build
- name: Check format
run: npm run format:check
- name: Lint
run: npm run lint:check
- name: Run tests
run: npm test
- name: Install E2E test dependencies
run: |
npx --yes playwright install --with-deps
- name: Run E2E tests
run: npm run test:e2e
- uses: actions/upload-artifact@v3
if: ${{ failure() }}
with:
name: playwright-test-results
path: test-results
- name: Build an image from Dockerfile
run: |
docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
- name: Create SBOM
uses: digitalservicebund/github-actions/create-sbom@24b9a8a55f22d21cebeae777aede3ae1b2fd3889
with:
image_name: ${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 # == v3.0.0
if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Build :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
audit-licenses:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: validate github workflow files to have pinned versions
uses: digitalservicebund/github-actions/github-actions-linter@5009471245d84903ea1af84104eb1908f8e2b2a2
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: .node-version
cache: npm
- name: Cache npm dependencies
id: cache-npm-deps
uses: actions/cache@v3
with:
path: |
**/node_modules
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependencies
if: steps.cache-npm-deps.outputs.cache-hit != 'true'
run: npm ci
- name: Audit used licences
run: npm run audit:licences
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 # == v3.0.0
if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "License audit :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
vulnerability-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: validate github workflow files to have pinned versions
uses: digitalservicebund/github-actions/github-actions-linter@5009471245d84903ea1af84104eb1908f8e2b2a2
- name: Run Trivy vulnerability scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@b77b85c0254bba6789e787844f0585cde1e56320
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: "fs"
skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
exit-code: "1" # Fail the build!
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd # == v2
if: always() # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 # == v3.0.0
if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Vulnerability scan :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}
build-and-push-image:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- build
- audit-licenses
- vulnerability-scan
permissions:
contents: read
id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: validate github workflow files to have pinned versions
uses: digitalservicebund/github-actions/github-actions-linter@5009471245d84903ea1af84104eb1908f8e2b2a2
- name: Build image from Dockerfile
run: docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
- name: Install cosign
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
- name: Login to container registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: "ghcr.io"
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Sign the published Docker image
env:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: cosign sign ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: Push image
run: |
docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}
docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
docker push --all-tags ghcr.io/${{ env.IMAGE_NAME }}
deploy-staging:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- build-and-push-image
environment: staging
steps:
# - name: Report Deployment
# uses: digitalservicebund/github-actions/track-deployment@34a48d29a9c4cc2fd6710b8eb37e13618a08fa88
# with:
# project: remix-application-example
# environment: staging
# metrics_deployment_webhook_url: ${{ secrets.METRICS_DEPLOYMENT_WEBHOOK_URL }}
# metrics_webhook_token: ${{ secrets.METRICS_WEBHOOK_TOKEN }}
- name: Deploy new staging image
uses: digitalservicebund/github-actions/argocd-deploy@38716f8c30bd393d7d6d7f3fde433367c5fdff85
with:
environment: staging
version: ${{ github.sha }}
deploying_repo: remix-application-example
infra_repo: remix-application-example-infra
deploy_key: ${{ secrets.DEPLOY_KEY }}
app: remix-application-example-staging
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }}
argocd_server: ${{ secrets.ARGOCD_SERVER }}
argocd_sync_timeout: 300