Skip to content

Update Dockerfile-mvn-no-local #30

Update Dockerfile-mvn-no-local

Update Dockerfile-mvn-no-local #30

Workflow file for this run

name: Docker Maven Build and Push Docker Image to MDACA ECR
on:
push:
branches:
- mdaca-3.0.1
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and Push Docker Image
env:
IMAGE_TAG: 3.0.1
ECR_REPOSITORY: mdaca/ohdsi/webapi
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: ${{ secrets.AWS_REGION }}
run: |
# Set ENV for AWS ECR and CodeArtifact Creds
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
aws configure set default.region $AWS_REGION
echo "Running Maven Build"
export GET_CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
--domain ${{ secrets.CODEARTIFACT_DOMAIN }} \
--domain-owner $AWS_ACCOUNT_ID \
--region $AWS_REGION \
--query authorizationToken \
--output text) > codeartifcact-auth
export CODEARTIFACT_AUTH_TOKEN=$(cat codeartifcact-auth)
# Get token from ECR and Docker login
aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
IMAGE_TAG=3.0.1
# Set ENV for Docker build
ECR_REPOSITORY=mdaca/ohdsi/webapi
REPOSITORY=$ECR_REPOSITORY
REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com
# Build the Docker image
docker build --build-arg CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN -f Dockerfile-mvn-no-local -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
# Push the Docker image
docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
security:
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Download Docker Image from ECR
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: ${{ secrets.AWS_REGION }}
IMAGE_TAG: 3.0.1
ECR_REPOSITORY: mdaca/ohdsi/webapi
run: |
# Set ENV for AW Cred
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
aws configure set default.region $AWS_REGION
# Get token from ECR and Docker login
aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
IMAGE_TAG=3.0.1
docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
docker images
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
- name: Scan Docker Image with Trivy
env:
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
AWS_REGION: ${{ secrets.AWS_REGION }}
IMAGE_TAG: 3.0.1
ECR_REPOSITORY: mdaca/ohdsi/webapi
run: |
trivy image --exit-code 1 --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
- name: Install Syft
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
- name: Generate SBOM with Syft
env:
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
AWS_REGION: ${{ secrets.AWS_REGION }}
IMAGE_TAG: 3.0.1
ECR_REPOSITORY: mdaca/ohdsi/webapi
run: |
syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > OHDSI-WEBAPI-sbom.tf
- name: Upload SBOM
uses: actions/upload-artifact@v3
with:
name: sbom
path: OHDSI-WEBAPI-sbom.tf