Skip to content

Merge pull request #663 from noqdev/dependabot/npm_and_yarn/docs/web/… #913

Merge pull request #663 from noqdev/dependabot/npm_and_yarn/docs/web/…

Merge pull request #663 from noqdev/dependabot/npm_and_yarn/docs/web/… #913

name: Build container
# This builds the container upon a push event in noqdev/iambic repository
on:
# Testing this is burdensome
# One way to test is to enable event type pull_request; however, our setup
# is restrictive on who can assume the container building role. You can consider
# temporarily opening the role to allow the pull_request or via specific branch to
# do the image building in the aws assume role side.
# pull_request:
push:
branches:
- main
jobs:
build-container:
if: ${{ github.repository == 'noqdev/iambic' && github.event.commits[0].author.name != 'Version Auto Bump' }}
runs-on: ubuntu-latest
name: Build Container
permissions:
id-token: write
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.VERSION_BUMP_TOKEN }}
# VERSION_BUMP_TOKEN is a Github Fine Grain Access token. It belongs to a github user that
# can bypass the repository code review rules. It needs to be granted the following:
# 1. The repository it needs to bump access to.
# 2. Read and Write access to code (also known as Contents of the Repository Permission)
# 3. Because point 2, it will include Read access to Metadata
- name: bootstrap
run: |
python3.10 -m venv build-env
. build-env/bin/activate && pip install poetry setuptools pip --upgrade
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.37.3
- name: set git identity
run: |
git config user.name "Version Auto Bump"
git config user.email "github-action-version-auto-bump@noq.dev"
- name: bump version
id: bump-version
run: |
. build-env/bin/activate && python build_utils/tag_and_build_container.py bump-version
git add pyproject.toml
git commit -m "Bump version"
git push origin HEAD:${BRANCH_NAME}
git tag v$(. build-env/bin/activate && python build_utils/tag_and_build_container.py print-current-version)
git push --tags
env:
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::242345320040:role/iambic_image_builder
aws-region: us-east-1
- name: build container
id: build-container
run: |
docker logout ghcr.io
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/iambic
. build-env/bin/activate && make build_docker
make trivy_scan
make trivy_sbom
make upload_docker
docker logout public.ecr.aws/iambic
docker buildx prune --filter=until=96h -f
- uses: actions/upload-artifact@v3
with:
name: trivy-sbom
path: iambic.sbom.json
# Uncomment after OSS (Requires for GH Advanced Security):
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: 'iambic.sbom.json'