|
1 | 1 | name: "[Push] Build dev" |
2 | 2 |
|
3 | 3 | on: |
4 | | - push: |
5 | | - branches: |
6 | | - - master |
7 | | - paths-ignore: |
8 | | - - '.github/**' |
9 | | - - 'src/VERSION' |
10 | | - - 'docs/**' |
11 | 4 | workflow_dispatch: |
12 | 5 |
|
13 | | -env: |
14 | | - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |
15 | | - |
16 | 6 | jobs: |
17 | | - versioning: |
18 | | - runs-on: ubuntu-latest |
19 | | - outputs: |
20 | | - version: ${{ steps.versioning.outputs.VERSION }} |
21 | | - steps: |
22 | | - - uses: actions/checkout@v2 |
23 | | - - name: get current date |
24 | | - run: | |
25 | | - sudo ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime |
26 | | - echo "TIME=$(date +'%Y%m%d.%H%M%S')" >> $GITHUB_ENV |
27 | | - - name: set version with current date |
28 | | - id: versioning |
29 | | - run: | |
30 | | - echo "VERSION=$(cat src/VERSION | cut -c 2-).${{ env.TIME }}" >> $GITHUB_OUTPUT |
31 | | - - name: Notice when job fails |
32 | | - if: failure() |
33 | | - uses: 8398a7/action-slack@v3.2.0 |
34 | | - with: |
35 | | - status: ${{job.status}} |
36 | | - fields: repo,workflow,job |
37 | | - author_name: Github Action Slack |
38 | | - |
39 | | - docker: |
40 | | - if: github.repository_owner == 'cloudforet-io' |
41 | | - needs: versioning |
42 | | - runs-on: ubuntu-latest |
43 | | - env: |
44 | | - VERSION: ${{ needs.versioning.outputs.version }} |
45 | | - steps: |
46 | | - - uses: actions/checkout@v2 |
47 | | - - name: get service name |
48 | | - run: | |
49 | | - echo "SERVICE=$(echo ${{ github.repository }} | cut -d '/' -f2)" >> $GITHUB_ENV |
50 | | - - name: Upload docker |
51 | | - uses: docker/build-push-action@v1 |
52 | | - with: |
53 | | - path: . |
54 | | - repository: pyengine/${{ env.SERVICE }} |
55 | | - username: ${{ secrets.DOCKER_USERNAME }} |
56 | | - password: ${{ secrets.DOCKER_PASSWORD }} |
57 | | - tags: ${{ env.VERSION }} |
58 | | - - name: Notice when job fails |
59 | | - if: failure() |
60 | | - uses: 8398a7/action-slack@v3.2.0 |
61 | | - with: |
62 | | - status: ${{job.status}} |
63 | | - fields: repo,workflow,job |
64 | | - author_name: Github Action Slack |
65 | | - |
66 | | - scan: |
67 | | - needs: [versioning, docker] |
68 | | - runs-on: ubuntu-20.04 |
69 | | - env: |
70 | | - VERSION: ${{ needs.versioning.outputs.version }} |
71 | | - steps: |
72 | | - - name: Run Trivy vulnerability scanner |
73 | | - id: trivy-scan |
74 | | - uses: aquasecurity/trivy-action@master |
75 | | - with: |
76 | | - image-ref: pyengine/${{ github.event.repository.name }}:${{ env.VERSION }} |
77 | | - format: 'sarif' |
78 | | - output: 'trivy-results.sarif' |
79 | | - ignore-unfixed: true |
80 | | - vuln-type: 'os,library' |
81 | | - severity: 'CRITICAL,HIGH' |
82 | | - |
83 | | - - name: Upload Trivy scan results to GitHub Security tab |
84 | | - uses: github/codeql-action/upload-sarif@v2 |
85 | | - with: |
86 | | - sarif_file: 'trivy-results.sarif' |
87 | | - |
88 | | - - name: Count vulnerabilities |
89 | | - id: vulnerabilities |
90 | | - run: | |
91 | | - count=$(jq '.runs[].results[].ruleId' ./trivy-results.sarif | wc -c) |
92 | | - echo "result_count=$count" >> $GITHUB_OUTPUT |
93 | | - echo "$count" |
94 | | -
|
95 | | - - name: slack |
96 | | - if: ${{ steps.vulnerabilities.outputs.result_count != 0 }} |
97 | | - uses: 8398a7/action-slack@v3 |
98 | | - with: |
99 | | - status: custom |
100 | | - fields: workflowRun |
101 | | - custom_payload: | |
102 | | - { |
103 | | - "blocks": [ |
104 | | - { |
105 | | - "type": "section", |
106 | | - "text": { |
107 | | - "type": "mrkdwn", |
108 | | - "text": ":warning: Image vulnerability detected" |
109 | | - } |
110 | | - }, |
111 | | - { |
112 | | - "type": "section", |
113 | | - "fields": [ |
114 | | - { |
115 | | - "type": "mrkdwn", |
116 | | - "text": "*Image:*\npyengine/${{ github.event.repository.name }}:${{ env.VERSION }}" |
117 | | - }, |
118 | | - { |
119 | | - "type": "mrkdwn", |
120 | | - "text": "*Repo name:*\n${{ github.repository }}" |
121 | | - } |
122 | | - ] |
123 | | - }, |
124 | | - { |
125 | | - "type": "actions", |
126 | | - "elements": [ |
127 | | - { |
128 | | - "type": "button", |
129 | | - "text": { |
130 | | - "type": "plain_text", |
131 | | - "emoji": true, |
132 | | - "text": "View Detail" |
133 | | - }, |
134 | | - "style": "danger", |
135 | | - "url": "https://github.com/${{ github.repository }}/security/code-scanning" |
136 | | - } |
137 | | - ] |
138 | | - } |
139 | | - ] |
140 | | - } |
141 | | - env: |
142 | | - SLACK_WEBHOOK_URL: ${{secrets.VULNERABILITY_SLACK_WEBHOOK_URL}} |
143 | | - |
144 | | - notification: |
145 | | - runs-on: ubuntu-latest |
146 | | - needs: docker |
| 7 | + none: |
| 8 | + run-on: ubuntu-latest |
147 | 9 | steps: |
148 | | - - name: Slack |
149 | | - if: always() |
150 | | - uses: 8398a7/action-slack@v3.2.0 |
151 | | - with: |
152 | | - status: ${{job.status}} |
153 | | - fields: repo,message,commit,author,action,ref,workflow,job |
154 | | - author_name: Github Action Slack |
| 10 | + - name: none |
| 11 | + run: echo "This is deprecated." |
| 12 | + |
| 13 | +# deprecated workflow |
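Review bot: `run-on: ubuntu-latest` on the new `none` job misspells the required job key; GitHub Actions expects `runs-on` (the key the removed `notification` job used), so the workflow as committed will be reported as invalid when dispatched rather than printing the deprecation message. Change it to `runs-on: ubuntu-latest`. The workflow keeps `name: "[Push] Build dev"` although the push trigger is removed and only `workflow_dispatch` remains, so the Actions list still advertises it as the push build; something like `name: "[Deprecated] Build dev"` with the trailing `# deprecated workflow` comment moved to the top of the file next to `name:` would make the state obvious to whoever runs it. YAML indentation of the new job and step cannot be verified from this rendered view and should be checked in the raw file.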