Skip to content

Commit

Permalink
Add github actions scripts
Browse files Browse the repository at this point in the history
  • Loading branch information
@sambles
sambles committed Nov 23, 2023
1 parent 47b2db3 commit a0a6338
Show file tree
Hide file tree
Showing 5 changed files with 618 additions and 0 deletions.
212 changes: 212 additions & 0 deletions .github/workflows/build.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,212 @@
name: OasisUI Build

on:
push:
workflow_dispatch:
inputs:
docker_push:
description: 'Push the docker image to dockerhub and outout reference'
required: false
default: 'false'
cve_severity:
description: 'Severities of vulnerabilities to scanned for, fails build if any found'
required: false
default: 'CRITICAL,HIGH'
#app_image_repo:
# description: 'Docker hub image repository'
# required: false
# default: 'coreoasis/github-actions'
#app_image_tag:
# description: 'Docker tag for image'
# required: false
# default: ''
#proxy_image_repo:
# description: 'Docker hub image repository'
# required: false
# default: 'coreoasis/github-actions'
#proxy_image_tag:
# description: 'Docker tag for image'
# required: false
# default: ''


workflow_call:
inputs:
docker_push:
description: 'Push the docker image to dockerhub and outout reference'
required: false
default: 'false'
type: string
cve_severity:
description: 'Severities of vulnerabilities to scanned for, fails build if any found'
required: false
default: 'CRITICAL,HIGH'
type: string
app_image_repo:
description: 'Docker hub image repository'
required: false
default: 'coreoasis/github-actions'
type: string
app_image_tag:
description: 'Docker tag for image'
required: false
default: ''
type: string
proxy_image_repo:
description: 'Docker hub image repository'
required: false
default: 'coreoasis/github-actions'
type: string
proxy_image_tag:
description: 'Docker tag for image'
required: false
default: ''
type: string

outputs:
app_image:
description:
value: ${{ jobs.shiny_app.outputs.image }}

proxy_image:
description:
value: ${{ jobs.shiny_proxy.outputs.image }}



jobs:
shiny_app:
env:
IMAGE_TAG: 'oasisui_app-${{ github.sha }}'
IMAGE_REPO: 'coreoasis/github-actions'
DOCKERFILE: 'docker/Dockerfile.oasisui_app'
SEVERITY: 'CRITICAL,HIGH'
runs-on: ubuntu-latest
outputs:
image: ${{ steps.docker_push.outputs.image }}
steps:
- name: Set inputs
if: github.event_name != 'push'
run: |
echo "SEVERITY=${{ inputs.cve_severity }}" >> $GITHUB_ENV
[[ -z "${{ inputs.app_image_tag }}" ]] || echo "IMAGE_TAG=${{ inputs.app_image_tag }}" >> $GITHUB_ENV
[[ -z "${{ inputs.app_image_repo }}" ]] || echo "IMAGE_REPO=${{ inputs.app_image_repo }}" >> $GITHUB_ENV
- name: Github context
run: echo "$GITHUB_CONTEXT"
shell: bash
env:
GITHUB_CONTEXT: ${{ toJson(github) }}

- uses: actions/checkout@v3
with:
ref: ${{ github.ref_name }}

- name: Docker Build
run: |
echo "Build from Branch ${{ github.ref_name }}"
docker build -f ${{ env.DOCKERFILE }} --pull --build-arg REF_BRANCH=${{ github.ref_name }} -t ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }} .
#Trivy Scan
- name: Trivy vulnerability scanner
if: env.SEVERITY != ''
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
format: 'table'
scan-type: 'image'
exit-code: '1'
ignore-unfixed: true
severity: ${{ env.SEVERITY }}
scanners: 'vuln'
output: 'app_image.txt'

- name: Store CVE report
if: always()
uses: actions/upload-artifact@v3
with:
name: app_image_scan
path: ./app_image.txt
retention-days: 3

- name: Login to Docker Hub
if: inputs.docker_push == 'true'
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Docker push
id: docker_push
if: inputs.docker_push == 'true'
run: |
docker push ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
echo "image=${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}" >> $GITHUB_OUTPUT
shiny_proxy:
runs-on: ubuntu-latest
env:
IMAGE_TAG: 'oasisui_proxy-${{ github.sha }}'
IMAGE_REPO: 'coreoasis/github-actions'
DOCKERFILE: 'docker/Dockerfile.oasisui_proxy'
SEVERITY: 'CRITICAL,HIGH'
outputs:
image: ${{ steps.docker_push.outputs.image }}
steps:
- name: Set inputs
if: github.event_name != 'push'
run: |
echo "SEVERITY=${{ inputs.cve_severity }}" >> $GITHUB_ENV
[[ -z "${{ inputs.proxy_image_tag }}" ]] || echo "IMAGE_TAG=${{ inputs.proxy_image_tag }}" >> $GITHUB_ENV
[[ -z "${{ inputs.proxy_image_repo }}" ]] || echo "IMAGE_REPO=${{ inputs.proxy_image_repo }}" >> $GITHUB_ENV
- name: Github context
run: echo "$GITHUB_CONTEXT"
shell: bash
env:
GITHUB_CONTEXT: ${{ toJson(github) }}

- uses: actions/checkout@v3
with:
ref: ${{ github.ref_name }}

- name: Docker Build
run: |
docker build -f ${{ env.DOCKERFILE }} -t ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }} .
# NOTE: even the latest version of shiny proxy as CRITICAL CVE issues (warn but no fail)
- name: Trivy vulnerability scanner
if: env.SEVERITY != ''
continue-on-error: true
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
format: 'table'
scan-type: 'image'
exit-code: '1'
ignore-unfixed: true
severity: ${{ env.SEVERITY }}
security-checks: 'vuln'
output: 'proxy_image.txt'

- name: Store CVE report
if: always()
uses: actions/upload-artifact@v3
with:
name: proxy_image_scan
path: ./proxy_image.txt
retention-days: 3

- name: Login to Docker Hub
if: inputs.docker_push == 'true'
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Docker push
id: docker_push
if: inputs.docker_push == 'true'
run: |
docker push ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
echo "image=${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}" >> $GITHUB_OUTPUT
55 changes: 55 additions & 0 deletions .github/workflows/project-PR.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
name: Add PR to project
on:
pull_request:
types:
- opened
jobs:
track_pr:
runs-on: ubuntu-latest
steps:
- name: Get project data
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_ACCESS_TOKEN }}
ORGANIZATION: Oasislmf
PROJECT_NUMBER: 44
run: |
gh api graphql -f query='
query($org: String!, $number: Int!) {
organization(login: $org){
projectV2(number: $number) {
id
fields(first:20) {
nodes {
... on ProjectV2Field {
id
name
}
... on ProjectV2SingleSelectField {
id
name
options {
id
name
}
}
}
}
}
}
}' -f org=$ORGANIZATION -F number=$PROJECT_NUMBER > project_data.json
echo 'PROJECT_ID='$(jq '.data.organization.projectV2.id' project_data.json) >> $GITHUB_ENV
- name: Add PR to project
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_ACCESS_TOKEN }}
PR_ID: ${{ github.event.pull_request.node_id }}
run: |
item_id="$( gh api graphql -f query='
mutation($project:ID!, $pr:ID!) {
addProjectV2ItemById(input: {projectId: $project, contentId: $pr}) {
item {
id
}
}
}' -f project=$PROJECT_ID -f pr=$PR_ID --jq '.data.addProjectV2ItemById.projectV2Item.id')"
55 changes: 55 additions & 0 deletions .github/workflows/project-issue.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
name: Add issue to project
on:
issues:
types:
- opened
jobs:
track_issue:
runs-on: ubuntu-latest
steps:
- name: Get project data
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_ACCESS_TOKEN }}
ORGANIZATION: Oasislmf
PROJECT_NUMBER: 44
run: |
gh api graphql -f query='
query($org: String!, $number: Int!) {
organization(login: $org){
projectV2(number: $number) {
id
fields(first:20) {
nodes {
... on ProjectV2Field {
id
name
}
... on ProjectV2SingleSelectField {
id
name
options {
id
name
}
}
}
}
}
}
}' -f org=$ORGANIZATION -F number=$PROJECT_NUMBER > project_data.json
echo 'PROJECT_ID='$(jq '.data.organization.projectV2.id' project_data.json) >> $GITHUB_ENV
- name: Add issue to project
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_ACCESS_TOKEN }}
ISSUE_ID: ${{ github.event.issue.node_id }}
run: |
item_id="$( gh api graphql -f query='
mutation($project:ID!, $issue:ID!) {
addProjectV2ItemById(input: {projectId: $project, contentId: $issue}) {
item {
id
}
}
}' -f project=$PROJECT_ID -f issue=$ISSUE_ID --jq '.data.addProjectV2ItemById.projectV2Item.id')"
Loading

0 comments on commit a0a6338

Please sign in to comment.