Update ci.yaml #29
name: Docker Maven Build and Push Docker Image to MDACA ECR | |
on: | |
push: | |
branches: | |
- mdaca-3.0.1 | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build and Push Docker Image | |
env: | |
IMAGE_TAG: 3.0.1 | |
ECR_REPOSITORY: mdaca/ohdsi/webapi | |
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_REGION: ${{ secrets.AWS_REGION }} | |
run: | | |
# Set ENV for AWS ECR and CodeArtifact Creds | |
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID | |
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY | |
aws configure set default.region $AWS_REGION | |
echo "Running Maven Build" | |
export GET_CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \ | |
--domain ${{ secrets.CODEARTIFACT_DOMAIN }} \ | |
--domain-owner $AWS_ACCOUNT_ID \ | |
--region $AWS_REGION \ | |
--query authorizationToken \ | |
--output text) > codeartifcact-auth | |
export CODEARTIFACT_AUTH_TOKEN=$(cat codeartifcact-auth) | |
# Get token from ECR and Docker login | |
aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com | |
IMAGE_TAG=3.0.1 | |
# Set ENV for Docker build | |
ECR_REPOSITORY=mdaca/ohdsi/webapi | |
REPOSITORY=$ECR_REPOSITORY | |
REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com | |
# Build the Docker image | |
docker build --build-arg CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN -f Dockerfile-mvn-no-local -t $REGISTRY/$REPOSITORY:$IMAGE_TAG . | |
# Push the Docker image | |
docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG | |
security: | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- name: Download Docker Image from ECR | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_REGION: ${{ secrets.AWS_REGION }} | |
IMAGE_TAG: 3.0.1 | |
ECR_REPOSITORY: mdaca/ohdsi/webapi | |
run: | | |
# Set ENV for AW Cred | |
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID | |
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY | |
aws configure set default.region $AWS_REGION | |
# Get token from ECR and Docker login | |
aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com | |
IMAGE_TAG=3.0.1 | |
docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG | |
docker images | |
- name: Install Trivy | |
run: | | |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin | |
- name: Scan Docker Image with Trivy | |
env: | |
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
AWS_REGION: ${{ secrets.AWS_REGION }} | |
IMAGE_TAG: 3.0.1 | |
ECR_REPOSITORY: mdaca/ohdsi/webapi | |
run: | | |
trivy image --exit-code 1 --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG | |
- name: Install Syft | |
run: | | |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin | |
- name: Generate SBOM with Syft | |
env: | |
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
AWS_REGION: ${{ secrets.AWS_REGION }} | |
IMAGE_TAG: 3.0.1 | |
ECR_REPOSITORY: mdaca/ohdsi/webapi | |
run: | | |
syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG | |
syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > OHDSI-WEBAPI-sbom.tf | |
- name: Upload SBOM | |
uses: actions/upload-artifact@v3 | |
with: | |
name: sbom | |
path: OHDSI-WEBAPI-sbom.tf |
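Review bot: The `> codeartifcact-auth` redirection on the `--output text)` line of the build step's `run:` block captures the stdout of `export` (nothing), not the token, so the file is written empty and `CODEARTIFACT_AUTH_TOKEN=$(cat codeartifcact-auth)` on the next line is blank by the time it reaches `docker build`; the token only ever lands in `GET_CODEARTIFACT_AUTH_TOKEN`. Dropping the intermediate file also keeps the credential out of the build context that `docker build … .` sends to the daemon, and passing it with BuildKit `--secret` instead of `--build-arg` keeps it out of the image's layer metadata (the Dockerfile would need a matching `RUN --mount=type=secret`, which is outside this change). `REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com` hard-codes an account and region while the `docker login` three lines earlier authenticates against `${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com`, so any mismatch pushes to a registry the job never logged in to; derive it the same way. The `security` job declares `needs: build`, i.e. it runs after the push, so a failing `trivy image --exit-code 1` does not stop the tag from already being in ECR — scanning the locally built image before `docker push` would make the gate effective. The `curl … | sudo sh` installs pull from `main` and the `@v3` action refs are mutable; pinning a release tag or commit SHA would make the toolchain reproducible.
```yaml
      run: |
        # … unchanged: aws configure lines …
        export CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
          --domain ${{ secrets.CODEARTIFACT_DOMAIN }} \
          --domain-owner $AWS_ACCOUNT_ID \
          --region $AWS_REGION \
          --query authorizationToken \
          --output text)
        # … unchanged: ECR login …
        REPOSITORY=$ECR_REPOSITORY
        REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
        # token is mounted at build time only; Dockerfile must use RUN --mount=type=secret,id=codeartifact
        docker build --secret id=codeartifact,env=CODEARTIFACT_AUTH_TOKEN -f Dockerfile-mvn-no-local -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
        # … unchanged: docker push …
```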