Use hardened images #77

Merged
merged 2 commits into from
Jun 25, 2024
Merged
160 changes: 99 additions & 61 deletions ci/pipeline.yml
@@ -1,87 +1,125 @@
---
jobs:
- name: set-self
plan:
- get: cf-service-connect-repo
trigger: true
- set_pipeline: self
file: cf-service-connect-repo/ci/pipeline.yml

- name: set-self
plan:
- get: cf-service-connect-repo
trigger: true
- set_pipeline: self
file: cf-service-connect-repo/ci/pipeline.yml
- name: run-tests
plan:
- get: cf-service-connect-repo
passed: [set-self]
trigger: true
- get: general-task
- task: run-tests
image: general-task
file: cf-service-connect-repo/ci/run-tests.yml

- name: run-tests
plan:
- get: cf-service-connect-repo
passed: [set-self]
trigger: true
- task: run-tests
file: cf-service-connect-repo/ci/run-tests.yml

- name: create-release
plan:
- get: cf-service-connect-repo
passed: [run-tests]
trigger: true
- task: prepare-release
file: cf-service-connect-repo/ci/prepare-release.yml
- put: cf-service-connect-release
- name: create-release
plan:
- get: cf-service-connect-repo
passed: [run-tests]
trigger: true
- get: general-task
- task: prepare-release
image: general-task
file: cf-service-connect-repo/ci/prepare-release.yml
- put: cf-service-connect-release
params:
name: cf-service-connect-repo/tag
tag: cf-service-connect-repo/tag
generate_release_notes: true
globs:
- cf-service-connect-repo/cf-service-connect_*
on_failure:
put: slack
params:
name: cf-service-connect-repo/tag
tag: cf-service-connect-repo/tag
generate_release_notes: true
globs:
- cf-service-connect-repo/cf-service-connect_*
on_failure:
put: slack
params:
text: |
:x: FAILED to release cf-service-connect
<$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME|View build details>
:x: FAILED to release cf-service-connect
<$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME|View build details>
channel: ((slack-failure-channel))
username: ((slack-username))
icon_url: ((slack-icon-url))
on_success:
put: slack
params:
on_success:
put: slack
params:
text: |
:white_check_mark: Successfully released cf-service-connect
<$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME|View build details>
:white_check_mark: Successfully released cf-service-connect
<$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME|View build details>
channel: ((slack-success-channel))
username: ((slack-username))
icon_url: ((slack-icon-url))

resources:
# this resource is this repo
# NOTE: we only execute on tag changes not commits, see tag_regex
- name: cf-service-connect-repo
type: git
source:
uri: https://github.com/cloud-gov/cf-service-connect.git
# only run on new tags matching pattern like: v0.1.5
tag_regex: '^v([0-9]+\.){0,2}(\*|[0-9]+)$'
commit_verification_keys: ((cloud-gov-pgp-keys))
# this resource is this repo
# NOTE: we only execute on tag changes not commits, see tag_regex
- name: cf-service-connect-repo
type: git
source:
uri: https://github.com/cloud-gov/cf-service-connect.git
# only run on new tags matching pattern like: v0.1.5
tag_regex: '^v([0-9]+\.){0,2}(\*|[0-9]+)$'
commit_verification_keys: ((cloud-gov-pgp-keys))

# This resource for posting to slack
- name: slack
type: slack-notification
source:
url: ((slack-webhook-url))
# This resource for posting to slack
- name: slack
type: slack-notification
source:
url: ((slack-webhook-url))

# Resource for creating a new release
- name: cf-service-connect-release
type: github-release
source:
owner: cloud-gov
repository: cf-service-connect
access_token: ((cg-ci-bot-ghtoken))
# Resource for creating a new release
- name: cf-service-connect-release
type: github-release
source:
owner: cloud-gov
repository: cf-service-connect
access_token: ((cg-ci-bot-ghtoken))

- name: general-task
type: registry-image
source:
aws_access_key_id: ((ecr_aws_key))
aws_secret_access_key: ((ecr_aws_secret))
repository: general-task
aws_region: us-gov-west-1
tag: latest

resource_types:
- name: registry-image
type: registry-image
source:
aws_access_key_id: ((ecr_aws_key))
aws_secret_access_key: ((ecr_aws_secret))
repository: registry-image-resource
aws_region: us-gov-west-1
tag: latest

- name: slack-notification
type: docker-image
type: registry-image
source:
repository: cfcommunity/slack-notification-resource
aws_access_key_id: ((ecr_aws_key))
aws_secret_access_key: ((ecr_aws_secret))
repository: slack-notification-resource
aws_region: us-gov-west-1
tag: latest

- name: github-release
type: registry-image
source:
repository: concourse/github-release-resource
aws_access_key_id: ((ecr_aws_key))
aws_secret_access_key: ((ecr_aws_secret))
repository: github-release-resource
aws_region: us-gov-west-1
tag: latest

- name: git
type: registry-image
source:
aws_access_key_id: ((ecr_aws_key))
aws_secret_access_key: ((ecr_aws_secret))
repository: git-resource
aws_region: us-gov-west-1
tag: latest
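Review bot: Every ECR-backed image in the new resources and resource_types stanzas is pulled with `tag: latest` (general-task plus the registry-image, slack-notification, github-release and git resource types), whereas the task-level `image_resource` blocks this PR deletes from ci/prepare-release.yml and ci/run-tests.yml pinned the hardened image through `((harden-concourse-task-tag))`, so the move to hardened images replaces a pinned version with a floating tag. A `latest` tag means the task or resource silently runs whatever was last pushed to the registry, which breaks reproducibility and makes it hard to tie a failure or a bad image back to a specific build; consider threading a pipeline var through instead, e.g. `tag: ((general-task-tag))` for general-task (constructed name, not one the repo defines) and the same pattern for the four resource types. Separately, the same `aws_access_key_id`/`aws_secret_access_key` pair is repeated five times; the registry-image resource also accepts `aws_role_arn`, which would let the worker assume a role rather than carry a long-lived key in the pipeline vars.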

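--- a/ci/prepare-release.yml
+++ b/ci/prepare-release.yml
@@ -1,20 +1,11 @@
 ---
 platform: linux
 
-image_resource:
-type: registry-image
-source:
-aws_access_key_id: ((ecr_aws_key))
-aws_secret_access_key: ((ecr_aws_secret))
-repository: harden-concourse-task
-aws_region: us-gov-west-1
-tag: ((harden-concourse-task-tag))
-
 inputs:
-- name: cf-service-connect-repo
+- name: cf-service-connect-repo
 
 outputs:
-- name: cf-service-connect-repo
+- name: cf-service-connect-repo
 
 run:
 dir: cf-service-connect-repo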
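Review bot: With `image_resource` removed, ci/prepare-release.yml (and ci/run-tests.yml, which receives the identical change) no longer says what it runs on, and nothing in the file records that the image is now expected to come from the pipeline's `image: general-task`; running the task outside that pipeline, for example with `fly execute` and no image supplied, will fail with no hint why. Add a comment above `inputs:` such as `# no image_resource here: the image is supplied by the pipeline (image: general-task in ci/pipeline.yml)`. The `run:` block continues past the end of the hunk.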
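--- a/ci/run-tests.yml
+++ b/ci/run-tests.yml
@@ -1,17 +1,8 @@
 ---
 platform: linux
 
-image_resource:
-type: registry-image
-source:
-aws_access_key_id: ((ecr_aws_key))
-aws_secret_access_key: ((ecr_aws_secret))
-repository: harden-concourse-task
-aws_region: us-gov-west-1
-tag: ((harden-concourse-task-tag))
-
 inputs:
-- name: cf-service-connect-repo
+- name: cf-service-connect-repo
 
 run:
 dir: cf-service-connect-repo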