Build, Scan and Rollout Multiarchitecture Containers

demo for devsecops on june 26 #153

Workflow file for this run

	name: Build, Scan and Rollout Multiarchitecture Containers

	env:
	## Quay Credentials
	QUAY_USERNAME: mmondics
	# QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }} # used for quay.io
	QUAY_PASSWORD: ${{ secrets.REDHAT_PASSWORD }} # used for on-prem quay

	## Red Hat Credentials (for pulling images)
	REDHAT_USERNAME: mmondics
	REDHAT_PASSWORD: ${{ secrets.REDHAT_PASSWORD }}

	## Git Credentials (for opening PR)
	GIT_USERNAME: mmondics
	GIT_EMAIL: matt.mondics@ibm.com
	GH_TOKEN: ${{ github.token }}

	## SMTP Credentials
	SMTP_USERNAME: ibmwashingtonsystemscenter@gmail.com
	SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}

	## RHACS Target
	ROX_CENTRAL_ADDRESS: https://central-rhacs-operator.apps.atsocpd2.dmz:443
	ROX_API_TOKEN: ${{ secrets.ROX_API_TOKEN }}

	## Image name, tag, and registry
	APP_NAME: acmeair-mainservice-java
	MANIFEST_NAME: acmeair-mainservice-java-manifest
	Z_IMAGE_TAGS: s390x-${{ github.sha }}
	X_IMAGE_TAGS: amd64-${{ github.sha }}
	MANIFEST_IMAGE_TAG: manifest-${{ github.sha }}
	IMAGE_REGISTRY: quay-registry-quay-openshift-operators.apps.atsocppa.dmz/mmondics # used for on-prem quay
	# IMAGE_REGISTRY: quay.io/mmondics # used for quay.io

	on:
	push:
	paths:
	- acmeair/source/acmeair-mainservice-java/src/main/webapp/*
	branches:
	- DevSecOps
	# on: workflow_dispatch

	jobs:
	s390x-build-and-push:
	name: s390x build and push to Quay
	runs-on: [self-hosted, linux, s390x, native]
	environment: openshift

	# check out the GitHub repo
	steps:
	- name: Checkout
	id: checkout
	uses: actions/checkout@v2
	# uses: actions/checkout@v4
	with:
	ref: DevSecOps

	# build the app package for s390x
	- name: mvn clean package
	run: \|
	mvn clean package -f ./acmeair/source/acmeair-mainservice-java/pom.xml

	# build the container image for s390x
	- name: podman build
	run: \|
	podman version
	podman login registry.redhat.io -u ${{ env.REDHAT_USERNAME }} -p ${{ secrets.REDHAT_PASSWORD }}
	podman build -t ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.Z_IMAGE_TAGS }} ./acmeair/source/acmeair-mainservice-java
	podman login ${{ env.IMAGE_REGISTRY }} -u ${{ env.QUAY_USERNAME }} -p ${{ env.QUAY_PASSWORD }} --tls-verify=false
	podman push ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.Z_IMAGE_TAGS }} --tls-verify=false

	# # push the s390x container image to repo
	# - name: Push to Registry
	# id: push-to-registry
	# uses: redhat-actions/push-to-registry@v2.7
	# with:
	# image: ${{ env.APP_NAME }}
	# tags: ${{ env.Z_IMAGE_TAGS }}
	# registry: ${{ env.IMAGE_REGISTRY }}
	# username: ${{ env.QUAY_USERNAME }}
	# password: ${{ env.QUAY_PASSWORD }}
	# tls-verify: false

	amd64-build-and-push:
	name: amd64 build and push to Quay
	runs-on: [self-hosted, linux, x64, native]
	environment: openshift

	# checkout the GitHub repo
	steps:
	- name: Checkout
	id: checkout
	uses: actions/checkout@v4
	with:
	ref: DevSecOps

	# build the app package for amd64
	- name: mvn clean package
	run: \|
	mvn clean package -f ./acmeair/source/acmeair-mainservice-java/pom.xml

	# build the container image for amd64
	- name: podman build
	run: \|
	podman version
	podman login registry.redhat.io -u ${{ env.REDHAT_USERNAME }} -p ${{ secrets.REDHAT_PASSWORD }}
	podman build -t ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.X_IMAGE_TAGS }} ./acmeair/source/acmeair-mainservice-java
	podman login ${{ env.IMAGE_REGISTRY }} -u ${{ env.QUAY_USERNAME }} -p ${{ env.QUAY_PASSWORD }} --tls-verify=false
	podman push ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.X_IMAGE_TAGS }} --tls-verify=false

	# # push the amd64 container image to repo
	# - name: Push to Registry
	# id: push-to-registry
	# uses: redhat-actions/push-to-registry@v2
	# with:
	# image: ${{ env.APP_NAME }}
	# tags: ${{ env.X_IMAGE_TAGS }}
	# registry: ${{ env.IMAGE_REGISTRY }}
	# username: ${{ env.QUAY_USERNAME }}
	# password: ${{ env.QUAY_PASSWORD }}
	# tls-verify: false

	create-manifest:
	name: combine amd64 and s390x container images into a single manifest and push to Quay
	runs-on: [self-hosted, linux, s390x, native]
	needs:
	- s390x-build-and-push
	- amd64-build-and-push
	environment: openshift

	# Create image manifest, add the s390x and amd64 container images, then push the manifest to the repository.
	steps:
	- name: podman login
	run: \|
	podman login --tls-verify=false ${{ env.IMAGE_REGISTRY }} -u ${{ env.QUAY_USERNAME }} -p ${{ env.QUAY_PASSWORD }}
	- name: create manifest list
	run: podman manifest create ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }}
	- name: pull new container images
	run: \|
	podman pull --tls-verify=false ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.Z_IMAGE_TAGS }}
	podman pull --tls-verify=false ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.X_IMAGE_TAGS }}
	- name: add container images to manifest
	run: \|
	podman manifest add --tls-verify=false ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.Z_IMAGE_TAGS }}
	podman manifest add --tls-verify=false ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.X_IMAGE_TAGS }}
	- name: push manifest list
	run: podman manifest push --tls-verify=false ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }}

	# update the deployment YAML file with new image manifest
	update-app-yaml:
	name: update acmeair mainservice application YAML to use new image manifest
	runs-on: ubuntu-latest
	needs: create-manifest
	environment: openshift

	steps:
	- name: checkout
	uses: actions/checkout@v4
	with:
	ref: DevSecOps
	- name: replace container image in YAML
	# The yq command is similar to json's `jq`. The following command will find the container image line in the deployment YAML file, and replace it with the newly created manifest file.
	run: \|
	yq e -i "select(documentIndex == 0).spec.template.spec.containers[0].image = \"${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }}\"" ./acmeair/deployments/deploy-acmeair-mainservice-java.yaml
	- name: git config
	run: \|
	git config --global user.email ${{ env.GIT_EMAIL }}
	git config --global user.name ${{ env.GIT_USERNAME }}
	git status
	git add .
	git commit -m "update deploy-acmeair-mainservice-java.yaml via GitHub Actions"
	git fetch origin DevSecOps
	git push origin HEAD:DevSecOps
	gh pr create --base main --head DevSecOps --title "update deploy-acmeair-mainservice-java.yaml via GitHub Actions" --body "Using image manfest ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }}"

	# scan the deployment & container image manifest with RHACS from OCP on Z cluster
	acs-image-scan:
	name: Scan container manifest with Red Hat Advanced Cluster Security
	runs-on: [self-hosted, linux, s390x, ocp]
	environment: openshift
	needs: update-app-yaml
	continue-on-error: true

	# Image scan is initated on self-hosted IBM Z runner.
	# Image scan is performed by ACS server running on IBM Z.
	steps:
	# check out the GitHub repo
	- name: Checkout
	id: checkout
	uses: actions/checkout@v4
	with:
	ref: DevSecOps
	- name: install roxctl cli
	run: \|
	curl -O https://mirror.openshift.com/pub/rhacs/assets/4.3.0/bin/Linux/roxctl-s390x
	chmod +x roxctl-s390x
	ln -s roxctl-s390x roxctl
	continue-on-error: true
	- name: deployment-check
	run: \|
	./roxctl --insecure-skip-tls-verify deployment check --endpoint ${{ env.ROX_CENTRAL_ADDRESS }} -f ./acmeair/deployments/deploy-acmeair-mainservice-java.yaml 2>&1 \| tee deployment_check.txt
	- name: image-scan
	run: \|
	./roxctl --insecure-skip-tls-verify image scan --endpoint ${{ env.ROX_CENTRAL_ADDRESS }} --image ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} 2>&1 \| tee image_scan.txt
	- name: image-check
	run: \|
	./roxctl --insecure-skip-tls-verify image check --endpoint ${{ env.ROX_CENTRAL_ADDRESS }} --image ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} 2>&1 \| tee image_check.txt

	# Send results of security scans through email.
	- name: Send email
	uses: dawidd6/action-send-mail@v3
	with:
	server_address: smtp.gmail.com
	server_port: 465
	secure: true
	username: ${{ env.SMTP_USERNAME }}
	password: ${{ env.SMTP_PASSWORD }}
	subject: Security Scan for image ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }}
	to: matt.mondics@ibm.com
	from: Matt Mondics <matt.mondics@ibm.com>
	attachments: deployment_check.txt,image_scan.txt,image_check.txt
	# Body of mail message (could be a filename prefixed with file:// to read from)
	body: \|
	Red Hat Advanced Cluster Security scans for image:
	${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }}

	See attachments for deployment check, image check, and image scan.

	Update the application code to remediate security findings described in the attached files.

	Per IBM security practices, failed security scans do not prevent commits to development branches, but they will prevent merging to main branches.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

demo for devsecops on june 26 #153

Workflow file

demo for devsecops on june 26 #153

Jobs

Run details

Workflow file for this run