[CI] Deploy CI

admin-cloudforet · admin-cloudforet · commit ba36a9f821ac · 2023-10-17T15:15:14.000+09:00
diff --git a/.github/workflows/dispatch_build_dev.yaml b/.github/workflows/dispatch_build_dev.yaml
@@ -0,0 +1,164 @@
+name: "[Dispatch] Build Dev"
+
+on:
+  workflow_dispatch:
+
+env:
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+jobs:
+  versioning:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.versioning.outputs.VERSION }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: get current date
+        run: |
+          sudo ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime
+          echo "TIME=$(date +'%Y%m%d.%H%M%S')" >> $GITHUB_ENV
+      - name: set version with current date
+        id: versioning
+        run: |
+          echo "VERSION=$(cat src/VERSION | cut -c 2-).${{ env.TIME }}" >> $GITHUB_OUTPUT
+      - name: Notice when job fails
+        if: failure()
+        uses: 8398a7/action-slack@v3.2.0
+        with:
+          status: ${{job.status}}
+          fields: repo,workflow,job
+          author_name: Github Action Slack
+
+  docker:
+      if: github.repository_owner == 'cloudforet-io'
+      needs: versioning
+      runs-on: ubuntu-latest
+      env:
+        VERSION: ${{ needs.versioning.outputs.version }}
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v3
+          with:
+            token: ${{ secrets.PAT_TOKEN }}
+  
+        - name: get service name
+          run: |
+            echo "SERVICE=$(echo ${{ github.repository }} | cut -d '/' -f2)" >> $GITHUB_ENV
+            
+        - name: Set up QEMU
+          uses: docker/setup-qemu-action@v2
+  
+        - name: Set up Docker Buildx
+          uses: docker/setup-buildx-action@v2
+  
+        - name: Login to Docker Hub
+          uses: docker/login-action@v2
+          with:
+            username: ${{ secrets.DOCKER_USERNAME }}
+            password: ${{ secrets.DOCKER_PASSWORD }}
+            
+        - name: Build and push to pyengine
+          uses: docker/build-push-action@v4
+          with:
+            context: .
+            platform: ${{ env.ARCH }}
+            push: true 
+            tags: pyengine/${{ env.SERVICE }}:${{ env.VERSION }}
+            
+        - name: Notice when job fails
+          if: failure()
+          uses: 8398a7/action-slack@v3.2.0
+          with:
+            status: ${{job.status}}
+            fields: repo,workflow,job
+            author_name: Github Action Slack
+
+  scan:
+    needs: [versioning, docker]
+    runs-on: ubuntu-20.04
+    env:
+      VERSION: ${{ needs.versioning.outputs.version }}
+    steps:
+      - name: Run Trivy vulnerability scanner
+        id: trivy-scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: pyengine/${{ github.event.repository.name }}:${{ env.VERSION }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Count vulnerabilities
+        id: vulnerabilities
+        run: |
+          count=$(jq '.runs[].results[].ruleId' ./trivy-results.sarif | wc -c)
+          echo "result_count=$count" >> $GITHUB_OUTPUT
+          echo "$count"
+
+      - name: slack
+        if:  ${{ steps.vulnerabilities.outputs.result_count != 0 }}
+        uses: 8398a7/action-slack@v3
+        with:
+          status: custom
+          fields: workflowRun
+          custom_payload: |
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": ":warning: Image vulnerability detected"
+                  }
+                },
+                {
+                  "type": "section",
+                  "fields": [
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Image:*\npyengine/${{ github.event.repository.name }}:${{ env.VERSION }}"
+                    },
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Repo name:*\n${{ github.repository }}"
+                    }
+                  ]
+                },
+                {
+                  "type": "actions",
+                  "elements": [
+                    {
+                      "type": "button",
+                      "text": {
+                        "type": "plain_text",
+                        "emoji": true,
+                        "text": "View Detail"
+                      },
+                      "style": "danger",
+                      "url": "https://github.com/${{ github.repository }}/security/code-scanning"
+                    }
+                  ]
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{secrets.VULNERABILITY_SLACK_WEBHOOK_URL}}
+
+  notification:
+    runs-on: ubuntu-latest
+    needs: docker
+    steps:
+      - name: Slack
+        if: always()
+        uses: 8398a7/action-slack@v3.2.0
+        with:
+          status: ${{job.status}}
+          fields: repo,message,commit,author,action,ref,workflow,job
+          author_name: Github Action Slack
