Docker Maven Build and Push Docker Image to MDACA ECR

Update ci.yaml #28

Summary
Jobs
- build
- security
Run details
- Usage
- Workflow file

Workflow file for this run

	name: Docker Maven Build and Push Docker Image to MDACA ECR

	on:
	push:
	branches:
	- mdaca-3.0.1

	jobs:
	build:
	runs-on: ubuntu-latest

	steps:
	- name: Checkout repository
	uses: actions/checkout@v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Build and Push Docker Image
	env:
	IMAGE_TAG: 3.0.1
	ECR_REPOSITORY: mdaca/ohdsi/webapi
	AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	AWS_REGION: ${{ secrets.AWS_REGION }}
	run: \|
	# Set ENV for AWS ECR and CodeArtifact Creds
	aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
	aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
	aws configure set default.region $AWS_REGION
	echo "Running Maven Build"
	export GET_CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
	--domain ${{ secrets.CODEARTIFACT_DOMAIN }} \
	--domain-owner $AWS_ACCOUNT_ID \
	--region $AWS_REGION \
	--query authorizationToken \
	--output text)

	# Get token from ECR and Docker login
	aws ecr get-login-password --region $AWS_REGION \| docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
	IMAGE_TAG=3.0.1

	# Set ENV for Docker build
	ECR_REPOSITORY=mdaca/ohdsi/webapi
	REPOSITORY=$ECR_REPOSITORY
	REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com

	# Build the Docker image
	docker build --build-arg CODEARTIFACT_AUTH_TOKEN=$GET_CODEARTIFACT_AUTH_TOKEN -f Dockerfile-mvn-no-local -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .

	# Push the Docker image
	docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG

	security:
	runs-on: ubuntu-latest
	needs: build

	steps:
	- name: Checkout repository
	uses: actions/checkout@v3


	- name: Download Docker Image from ECR
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	AWS_REGION: ${{ secrets.AWS_REGION }}
	IMAGE_TAG: 3.0.1
	ECR_REPOSITORY: mdaca/ohdsi/webapi
	run: \|
	# Set ENV for AW Cred
	aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
	aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
	aws configure set default.region $AWS_REGION

	# Get token from ECR and Docker login
	aws ecr get-login-password --region $AWS_REGION \| docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
	IMAGE_TAG=3.0.1

	docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
	docker images
	- name: Install Trivy
	run: \|
	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \| sudo sh -s -- -b /usr/local/bin

	- name: Scan Docker Image with Trivy
	env:
	AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
	AWS_REGION: ${{ secrets.AWS_REGION }}
	IMAGE_TAG: 3.0.1
	ECR_REPOSITORY: mdaca/ohdsi/webapi
	run: \|
	trivy image --exit-code 1 --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG

	- name: Install Syft
	run: \|
	curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \| sudo sh -s -- -b /usr/local/bin

	- name: Generate SBOM with Syft
	env:
	AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
	AWS_REGION: ${{ secrets.AWS_REGION }}
	IMAGE_TAG: 3.0.1
	ECR_REPOSITORY: mdaca/ohdsi/webapi
	run: \|
	syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
	syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > OHDSI-WEBAPI-sbom.tf

	- name: Upload SBOM
	uses: actions/upload-artifact@v3
	with:
	name: sbom
	path: OHDSI-WEBAPI-sbom.tf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update ci.yaml #28

Workflow file

Update ci.yaml #28

Jobs

Run details

Workflow file for this run