Build and push release images #70

Workflow file for this run

.github/workflows/build_push_release.yml at 74085dd

	name: Build and push release images

	on:
	workflow_dispatch:
	inputs:
	#checkov:skip=CKV_GHA_7:This is a false positive
	release:
	description: 'SecObserve release (without the v)'
	required: true

	permissions: read-all

	jobs:
	docker_backend_release:
	runs-on: ubuntu-latest
	steps:
	-
	name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	ref: 'v${{ github.event.inputs.release }}'
	-
	name: Set up QEMU
	uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
	-
	name: Login to Docker Hub
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	-
	name: Set current date as env variable
	run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
	-
	name: Build and push backend
	uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
	with:
	context: .
	file: ./docker/backend/prod/django/Dockerfile
	push: true
	tags: \|
	maibornwolff/secobserve-backend:${{ github.event.inputs.release }}
	maibornwolff/secobserve-backend:latest
	build-args: \|
	CREATED=${{ env.CREATED }}
	REVISION=${{ github.sha }}
	VERSION=${{ github.event.inputs.release }}

	docker_frontend_release:
	runs-on: ubuntu-latest
	steps:
	-
	name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	ref: 'v${{ github.event.inputs.release }}'
	-
	name: Set up QEMU
	uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
	-
	name: Login to Docker Hub
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	-
	name: Set current date as env variable
	run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
	-
	name: Build and push frontend
	uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
	with:
	context: .
	file: ./docker/frontend/prod/Dockerfile
	push: true
	tags: \|
	maibornwolff/secobserve-frontend:${{ github.event.inputs.release }}
	maibornwolff/secobserve-frontend:latest
	build-args: \|
	CREATED=${{ env.CREATED }}
	REVISION=${{ github.sha }}
	VERSION=${{ github.event.inputs.release }}

	vulnerability_scans_release:
	runs-on: ubuntu-latest
	needs: [docker_backend_release, docker_frontend_release]
	steps:
	-
	name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	ref: 'v${{ github.event.inputs.release }}'
	-
	name: Run vulnerability scanners for images
	uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
	with:
	so_configuration: 'so_configuration_sca_current.yml'
	SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
	-
	name: Run vulnerability scanners for endpoints
	uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
	with:
	so_configuration: 'so_configuration_endpoints.yml'
	SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}

	generate_sboms:
	runs-on: ubuntu-latest
	needs: [docker_backend_release, docker_frontend_release]
	permissions:
	contents: write
	steps:
	- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
	with:
	node-version: 20
	-
	name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	ref: 'v${{ github.event.inputs.release }}'
	-
	name: Install programs
	env:
	CDXGEN_VERSION: 10.9.4
	SBOM_UTILITY_VERSION: 0.16.0
	CYCLONE_DX_CLI_VERSION: 0.25.1
	run: \|
	npm install -g @cyclonedx/cdxgen@"$CDXGEN_VERSION"
	cd /usr/local/bin
	wget --no-verbose https://github.com/CycloneDX/sbom-utility/releases/download/v"$SBOM_UTILITY_VERSION"/sbom-utility-v"$SBOM_UTILITY_VERSION"-linux-amd64.tar.gz -O - \| tar -zxf -
	wget --no-verbose https://github.com/CycloneDX/cyclonedx-cli/releases/download/v"$CYCLONE_DX_CLI_VERSION"/cyclonedx-linux-x64
	cp cyclonedx-linux-x64 /usr/local/bin/cyclonedx
	chmod +x /usr/local/bin/cyclonedx
	-
	name: Generate SBOM for backend application
	env:
	VERSION: ${{ github.event.inputs.release }}
	FETCH_LICENSE: 1
	working-directory: ./sbom
	run: \|
	mv ../backend/poetry_requirements.txt ../backend/poetry_requirements.sic
	sed -i "s\|REPLACE_VERSION\|$VERSION\|g" ./configuration/patch_backend_application.json
	cdxgen ../backend --type python --required-only --profile license-compliance --no-auto-compositions --output sbom_backend_application.json
	sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_backend_application.json \
	\| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
	\| sbom-utility patch --patch-file ./configuration/patch_backend_application.json --quiet --input-file - --output-file sbom_backend_application_"$VERSION".json
	sbom-utility validate --input-file sbom_backend_application_"$VERSION".json
	rm sbom_backend_application.json
	mv ../backend/poetry_requirements.sic ../backend/poetry_requirements.txt
	-
	name: Generate SBOM for frontend application
	env:
	VERSION: ${{ github.event.inputs.release }}
	working-directory: ./sbom
	run: \|
	sed -i "s\|REPLACE_VERSION\|$VERSION\|g" ./configuration/patch_frontend_application.json
	cdxgen ../frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json
	sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_frontend_application.json \
	\| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
	\| sbom-utility patch --patch-file ./configuration/patch_frontend_application.json --quiet --input-file - --output-file sbom_frontend_application_"$VERSION".json
	sbom-utility validate --input-file sbom_frontend_application_"$VERSION".json
	rm sbom_frontend_application.json
	-
	name: Generate SBOM for backend container
	env:
	VERSION: ${{ github.event.inputs.release }}
	working-directory: ./sbom
	run: \|
	sed -i "s\|REPLACE_VERSION\|$VERSION\|g" ./configuration/patch_backend_container.json
	cdxgen maibornwolff/secobserve-backend:$VERSION --type container --exclude-type python --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_backend_container.json
	sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_backend_container.json \
	\| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
	\| sbom-utility patch --patch-file ./configuration/patch_backend_container.json --quiet --input-file - --output-file sbom_backend_container_"$VERSION".json
	sbom-utility validate --input-file sbom_backend_container_"$VERSION".json
	rm sbom_backend_container.json
	-
	name: Generate SBOM for frontend container
	env:
	VERSION: ${{ github.event.inputs.release }}
	working-directory: ./sbom
	run: \|
	sed -i "s\|REPLACE_VERSION\|$VERSION\|g" ./configuration/patch_frontend_container.json
	cdxgen maibornwolff/secobserve-frontend:$VERSION --type container --exclude-type npm --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_frontend_container.json
	sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_frontend_container.json \
	\| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
	\| sbom-utility patch --patch-file ./configuration/patch_frontend_container.json --quiet --input-file - --output-file sbom_frontend_container_"$VERSION".json
	sbom-utility validate --input-file sbom_frontend_container_"$VERSION".json
	rm sbom_frontend_container.json
	-
	name: Merge SBOMs
	env:
	VERSION: ${{ github.event.inputs.release }}
	working-directory: ./sbom
	run: \|
	sed -i "s\|REPLACE_VERSION\|$VERSION\|g" ./configuration/patch_complete.json
	cyclonedx merge --hierarchical --name "SecObserve" --version "$VERSION" --input-files sbom_backend_application_"$VERSION".json sbom_frontend_application_"$VERSION".json sbom_backend_container_"$VERSION".json sbom_frontend_container_"$VERSION".json --output-format json \
	\| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
	\| sbom-utility patch --patch-file ./configuration/patch_complete.json --quiet --input-file - --output-file sbom_"$VERSION".json
	sbom-utility validate --input-file sbom_"$VERSION".json
	-
	name: Commit SBOMs
	uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
	with:
	skip_fetch: true
	create_branch: true
	commit_message: "chore: generate SBOMs for release ${{ github.event.inputs.release }}"
	branch: "chore/sboms_release_${{ github.event.inputs.release }}"
	file_pattern: "sbom/sbom*.json"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build and push release images #70

Workflow file

Build and push release images #70

Jobs

Run details

Workflow file for this run