Merge pull request #639 from smoy/google-workspace-users #884
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build container | |
# This builds the container upon a push event in noqdev/iambic repository | |
on: | |
# Testing this is burdensome | |
# One way to test is to enable event type pull_request; however, our setup | |
# is restrictive on who can assume the container building role. You can consider | |
# temporarily opening the role to allow the pull_request or via specific branch to | |
# do the image building in the aws assume role side. | |
# pull_request: | |
push: | |
branches: | |
- main | |
jobs: | |
build-container: | |
if: ${{ github.repository == 'noqdev/iambic' && github.event.commits[0].author.name != 'Version Auto Bump' }} | |
runs-on: ubuntu-latest | |
name: Build Container | |
permissions: | |
id-token: write | |
contents: write | |
pull-requests: write | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
token: ${{ secrets.VERSION_BUMP_TOKEN }} | |
# VERSION_BUMP_TOKEN is a Github Fine Grain Access token. It belongs to a github user that | |
# can bypass the repository code review rules. It needs to be granted the following: | |
# 1. The repository it needs to bump access to. | |
# 2. Read and Write access to code (also known as Contents of the Repository Permission) | |
# 3. Because point 2, it will include Read access to Metadata | |
- name: bootstrap | |
run: | | |
python3.10 -m venv build-env | |
. build-env/bin/activate && pip install poetry setuptools pip --upgrade | |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.37.3 | |
- name: set git identity | |
run: | | |
git config user.name "Version Auto Bump" | |
git config user.email "github-action-version-auto-bump@noq.dev" | |
- name: bump version | |
id: bump-version | |
run: | | |
. build-env/bin/activate && python build_utils/tag_and_build_container.py bump-version | |
git add pyproject.toml | |
git commit -m "Bump version" | |
git push origin HEAD:${BRANCH_NAME} | |
git tag v$(. build-env/bin/activate && python build_utils/tag_and_build_container.py print-current-version) | |
git push --tags | |
env: | |
BRANCH_NAME: ${{ github.head_ref || github.ref_name }} | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
role-to-assume: arn:aws:iam::242345320040:role/iambic_image_builder | |
aws-region: us-east-1 | |
- name: build container | |
id: build-container | |
run: | | |
docker logout ghcr.io | |
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/iambic | |
. build-env/bin/activate && make build_docker | |
make trivy_scan | |
make trivy_sbom | |
make upload_docker | |
docker logout public.ecr.aws/iambic | |
docker buildx prune --filter=until=96h -f | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: trivy-sbom | |
path: iambic.sbom.json | |
# Uncomment after OSS (Requires for GH Advanced Security): | |
# - name: Upload Trivy scan results to GitHub Security tab | |
# uses: github/codeql-action/upload-sarif@v2 | |
# with: | |
# sarif_file: 'iambic.sbom.json' |