Merge pull request #4 from digitalservicebund/dependabot/github_actio… #24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time | |
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle | |
name: Pipeline | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
# Allow to run this workflow manually | |
workflow_dispatch: | |
env: | |
CONTAINER_REGISTRY: ghcr.io | |
CONTAINER_IMAGE_NAME: ${{ github.repository }} | |
CONTAINER_IMAGE_VERSION: ${{ github.sha }} | |
jobs: | |
vulnerability-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build Docker Image | |
run: | | |
docker build -t ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} . | |
- name: Run Trivy vulnerability scanner | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
- name: Generate cosign vulnerability scan record | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db | |
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db | |
with: | |
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
format: "cosign-vuln" | |
output: "vuln.json" | |
- name: Upload cosign vulnerability scan record | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "vuln.json" | |
path: "vuln.json" | |
if-no-files-found: error | |
- name: Send status to Slack | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
build-and-push-image: | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
needs: [vulnerability-scan] | |
permissions: | |
contents: read | |
id-token: write # This is used to complete the identity challenge with sigstore/fulcio.. | |
packages: write | |
outputs: | |
version: ${{ steps.set-version.outputs.version }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build Docker Image | |
run: | | |
docker build -t ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} . | |
- name: Login to container registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: "ghcr.io" | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push image | |
run: | | |
docker tag ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} ghcr.io/${{ env.CONTAINER_IMAGE_NAME }} | |
docker tag ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} ghcr.io/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
docker push --all-tags ghcr.io/${{ env.CONTAINER_IMAGE_NAME }} | |
- name: Install cosign | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da | |
- name: Log into container registry | |
# Third-party action, pin to commit SHA! | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Sign the published Docker image | |
run: cosign sign --yes ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Download cosign vulnerability scan record | |
uses: actions/download-artifact@v4 | |
with: | |
name: "vuln.json" | |
- name: Attest vulnerability scan | |
run: cosign attest --yes --replace --predicate vuln.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- id: set-version | |
run: echo "version=$CONTAINER_IMAGE_VERSION" >> $GITHUB_OUTPUT | |
- name: Create SBOM | |
uses: digitalservicebund/create-sbom@9535ef832c2895b44b7266f84e16ad7598d1ead9 | |
with: | |
image_name: ${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
- name: Send status to Slack | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
deploy-staging: | |
runs-on: ubuntu-latest | |
concurrency: deploy-staging | |
needs: | |
- build-and-push-image | |
environment: staging | |
permissions: | |
id-token: write # Enable OIDC for gitsign | |
steps: | |
- uses: chainguard-dev/actions/setup-gitsign@98ff6d6ff2a7802d68c12d10fdfc98c5446b3f7b | |
- name: Deploy new images | |
uses: digitalservicebund/argocd-deploy@4fac1bb67c92ed168f6d9b22f8779ce241a9e412 # v1.0.0 | |
with: | |
environment: staging | |
version: ${{ github.sha }} | |
deploying_repo: ris-norms-migration-import | |
infra_repo: ris-norms-infra | |
deploy_key: ${{ secrets.DEPLOY_KEY }} | |
app: ris-norms-staging | |
argocd_pipeline_password: ${{ secrets.ARGOCD_PIPELINE_PASSWORD }} | |
argocd_server: ${{ secrets.ARGOCD_SERVER }} | |
- name: Send status to Slack | |
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
if: ${{ failure() }} | |
with: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |