Bump aws-actions/configure-aws-credentials from 3 to 4 #197
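name: go
on:
  pull_request:
    paths: [ 'go/**', '.github/workflows/go.yml' ]
  push:
    # If at least one path matches a pattern in the paths filter, the workflow runs
    paths: [ 'go/**', '.github/workflows/go.yml' ]
    branches: [ main ]
jobs:
  build:
    # && github.ref == 'refs/heads/master'
    # NOTE(review): github.event.head_commit is only present on push events; on
    # pull_request it is null, so contains() is false and this guard never skips
    # a PR run. Only pushes to main honour 'skip ci'.
    if: " ! contains(github.event.head_commit.message, 'skip ci') "
    runs-on: ubuntu-latest
    permissions:
      packages: write
      # avoid Resource not accessible by integration error on CodeQL action
      # https://github.com/github/codeql/issues/8843#issuecomment-1108467590
      actions: read
      contents: read
      security-events: write
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout Repo
        uses: actions/checkout@v4
      - name: Set up Go 1.x
        uses: actions/setup-go@v4
        with:
          go-version: '^1.20'  # quoted: version strings must never be parsed as numbers
        id: go
      # NOTE(review): configure-aws-credentials v4 supports OIDC federation
      # (`role-to-assume` plus `permissions: id-token: write`); that removes the
      # long-lived access key pair from repository secrets. Not changed here
      # because the role ARN is not known from this file.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-central-1
      # https://stackoverflow.com/a/58178121/4292075, https://stackoverflow.com/a/51761312/4292075
      # Values land in $GITHUB_ENV and are read back as ${{ env.* }} by later steps.
      - name: Pull Environment Config from AWS SSM ParamStore
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        run: |
          echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> $GITHUB_ENV
          echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV
          echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV
      # install SonarQube Scanner, we handle this ourselves
      # NOTE(review): the action ref below reads "[email protected]" in this rendering
      # (email-style obfuscation of the scraper); restore the exact pinned tag from
      # the repository -- it is not recoverable from this page.
      - name: Cache node modules
        uses: actions/[email protected]
        with:
          path: |
            ~/.npm
            **/node_modules
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
      # NOTE(review): this job defines no strategy.matrix, so matrix.node-version
      # expands to an empty string (the step is named "Node ") and setup-node
      # appears to fall back to whatever node is on the runner image. Pin a
      # version explicitly; confirm which one the Sonar scanner needs.
      - name: Node ${{ matrix.node-version }}
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install SonarQube Scanner with npm
        working-directory: ./tools/sonar/
        run: |
          npm install
      # https://github.com/actions/cache/blob/main/examples.md#go---modules
      # NOTE(review): same garbled "[email protected]" ref as above; restore the pinned tag.
      - name: Cache Go modules packages
        uses: actions/[email protected]
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      # NOTE(review): this step has no default-branch guard, but the AWS credentials
      # step above does; on pull_request runs the `aws ssm` / `aws s3` calls below
      # run without credentials and, under the default `bash -e`, the failing
      # command substitution aborts the step. Confirm whether PR builds are meant
      # to reach this step at all.
      - name: Build with Go and run Sonar Scanner
        working-directory: ./go
        run: |
          make build
          SONAR_TOKEN=$(aws ssm get-parameter --name /angkor/prod/SONAR_TOKEN --with-decryption --query 'Parameter.Value' --output text)
          echo "Running SonarQube Scanner (make sonar)"
          SONAR_TOKEN=$SONAR_TOKEN make sonar
          # all go binaries are pushed to dockerhub as part of the image, but we (still) need polly binary for systemd service
          # the deploy target comes from the step env, not from a ${{ }} expansion
          # spliced into the script text
          aws s3 cp --no-progress dist/polly "$AWS_DEPLOY_TARGET/tools/polly"
        env:
          CI: "true"
          RELEASE_NAME: ${{ env.RELEASE_NAME }}
          RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
          AWS_DEPLOY_TARGET: ${{ secrets.AWS_DEPLOY_TARGET }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Sonarcloud: Needed to get PR information, if any
      # NOTE(review): garbled "[email protected]" ref again; restore the pinned tag.
      - name: Lint Dockerfile with hadolint
        uses: brpaz/[email protected]
        with:
          dockerfile: ./go/Dockerfile
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
      - name: Login to DockerHub
        uses: docker/login-action@v3
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }} # Password or personal access token used to log in to a Docker registry. If not set then no login will occur.
      # New: Test GH CR as an alternative to Dockerhub
      # https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
      # https://docs.github.com/en/actions/publishing-packages/publishing-docker-images#publishing-images-to-github-packages
      # Practical Example: https://blog.codecentric.de/github-container-registry and
      # Code: https://github.com/jonashackt/docker-hello-world/blob/main/.github/workflows/publish.yml
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          registry: ghcr.io
          # You can use the ${{ github.actor }} context to automatically use the username of the user that triggered the workflow run.
          username: ${{ github.actor }}
          # we should be able to use our GITHUB_TOKEN to authenticate against the GitHub Container Registry instead of
          # using a separate PAT (see https://github.blog/changelog/2021-03-24-packages-container-registry-now-supports-github_token/)!
          # NOTE(review): the job-level `permissions: packages: write` above is what
          # GITHUB_TOKEN needs for ghcr.io pushes; re-test with secrets.GITHUB_TOKEN
          # and retire the long-lived PAT if the 403 no longer reproduces.
          password: ${{ secrets.GH_CR_PAT }} # ${{ secrets.GITHUB_TOKEN }} does not work unexpected status: 403 Forbidden
      # check https://stackoverflow.com/a/71438011/4292075
      - name: Push to GitHub Container Registry
        uses: docker/build-push-action@v5 # https://github.com/docker/build-push-action
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          context: ./go
          file: ./go/Dockerfile
          platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386
          push: true
          # can also use ${{ github.sha }} as tag
          tags: ghcr.io/${{ github.repository }}/angkor-tools:latest
          # https://stackoverflow.com/a/75021601/4292075
          # org.opencontainers.image.revision="${{ github.sha }}"
          labels: |
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          # build-args are `NAME=value` lines; the previous `NAME: value` form is
          # not parsed as an assignment by buildx, so the ARGs were unlikely to
          # reach the Dockerfile. Verify with a build that prints them.
          build-args: |
            RELEASE_NAME=${{ env.RELEASE_NAME }}
            RELEASE_VERSION=${{ env.RELEASE_VERSION }}
      - name: Push to DockerHub
        uses: docker/build-push-action@v5 # https://github.com/docker/build-push-action
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          context: ./go
          file: ./go/Dockerfile
          platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386
          push: true
          # can also use ${{ github.sha }} as tag
          tags: ${{ secrets.DOCKER_USERNAME }}/angkor-tools:latest
          # same `NAME=value` form as the GHCR push above
          build-args: |
            RELEASE_NAME=${{ env.RELEASE_NAME }}
            RELEASE_VERSION=${{ env.RELEASE_VERSION }}
      - name: Publish Action Event
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        run: |
          aws sns publish --topic-arn $TOPIC_ARN --message "{\"action\":\"deploy-tools\",\"workflow\":\"$GITHUB_WORKFLOW\"}" \
            --message-attributes "GITHUB_SHA={DataType=String,StringValue=\"$GITHUB_SHA\"}, GITHUB_RUN_ID={DataType=String,StringValue=\"$GITHUB_RUN_ID\"}"
        env:
          TOPIC_ARN: ${{ secrets.TOPIC_ARN }}
      # The Kafka credentials are handed to the container from the step env:
      # `-e NAME` with no value forwards the runner's variable of that name, so the
      # secret is never expanded into the script text or the docker argv.
      # NOTE(review): the rubin image is pulled by mutable `:latest` and receives
      # these credentials; pin it by digest so the code that sees them is fixed.
      - name: Send Kafka Publish Event with Docker
        id: send-kafka-pub-event-playground # becomes $GITHUB_ACTION
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        run: |
          docker run -e KAFKA_PRODUCER_TOPIC_URL -e KAFKA_PRODUCER_API_SECRET ghcr.io/tillkuhn/rubin:latest \
            -ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \
            -source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \
            -type "net.timafe.event.ci.published.v1" -subject "docker.io/${GITHUB_REPOSITORY}-tools" \
            -record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}"
        env:
          KAFKA_PRODUCER_TOPIC_URL: ${{ secrets.KAFKA_PRODUCER_TOPIC_URL }}
          KAFKA_PRODUCER_API_SECRET: ${{ secrets.KAFKA_PRODUCER_API_SECRET }}
      # Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action
      # - https://github.com/aquasecurity/trivy-action
      # - https://blog.aquasec.com/github-vulnerability-scanner-trivy
      # NOTE(review), three points to confirm on this step:
      #  * `@master` is a mutable ref for code that runs inside this job; pin to a
      #    release tag or, better, a commit SHA.
      #  * image-ref is the `:latest` tag on Docker Hub, i.e. whatever was pushed
      #    last, not the image built in this run; on PR runs nothing was pushed at
      #    all, and the upload step below is skipped there anyway.
      #  * no exit-code is set, so findings are reported but never fail the job.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/angkor-tools:latest'
          format: 'sarif'
          output: 'trivy-results.sarif'
          # additional options when not using GitHub Code Scanning with sarif format
          # format: 'table'
          # exit-code: '1'
          # ignore-unfixed: true
          # vuln-type: 'os,library'
          # severity: 'CRITICAL,HIGH'
      # Using Trivy with GitHub Code Scanning (needs security-events: write, granted above)
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
        with:
          sarif_file: 'trivy-results.sarif'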