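# Cloud Build pipeline: install deps -> unit tests -> build -> inspect ->
# vulnerability scan -> severity gate -> push -> deploy to Cloud Run.
# Steps that carry no waitFor run only after every earlier step has
# finished (Cloud Build's default ordering); explicit waitFor entries
# below just pin the dependencies that matter for the security gate.
substitutions:
  _REGION: us-central1
  _REPOSITORY: from-legacy-to-cloud
  _IMAGE: from-legacy-to-cloud
  # Extended regex of severities that fail the build. The inner double
  # quotes are part of the value on purpose: the severity step expands
  # $_SEVERITY unquoted inside `bash -c`, so without them the `|` would
  # be read by the shell as a pipe instead of regex alternation.
  _SEVERITY: '"CRITICAL|HIGH"'
  _SERVICE_NAME: from-legacy-to-cloud

# NOTE(review): $COMMIT_SHA is a built-in substitution that is populated
# for trigger-started builds; for a manual submit it can be empty, which
# would yield an image reference ending in ':'. Confirm how this config
# is invoked.
steps:
  # Step 0: Install dependencies
  # NOTE(review): `--user` installs into the build's home directory, so
  # this relies on that directory being shared with the next step's
  # container — confirm against the Cloud Build home-volume behaviour.
  - name: 'python:3.10-slim'
    entrypoint: '/bin/bash'
    args:
      - '-c'
      - |
        pip install --user -r cloud_run/requirements.txt
    id: 'install-dependencies'

  # off GCP Test
  # Step 1: Run unit tests
  # - name: 'python:3.10-slim'
  #   entrypoint: '/bin/bash'
  #   args:
  #     - '-c'
  #     - |
  #       export TESTING=True
  #       cd cloud_run
  #       python -m unittest test.py
  #   id: 'run-tests'

  # Step 1: Run unit tests
  - name: 'python:3.10-slim'
    entrypoint: '/bin/bash'
    args:
      - '-c'
      - |
        cd cloud_run
        python -m unittest test.py
    id: 'run-tests'

  # Step 2: Build the Docker image (tagged with the commit SHA so the
  # scan, push and deploy steps all refer to the same artifact).
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '--no-cache', '-t', '$_REGION-docker.pkg.dev/$PROJECT_ID/$_REPOSITORY/$_IMAGE:$COMMIT_SHA', 'cloud_run/']
    waitFor: ['run-tests']
    id: 'build-image'

  # Step 3: Inspect the Docker image and write the digest to a file.
  # NOTE(review): `.Id` is the local image ID (config hash); the registry
  # manifest digest (RepoDigests) only exists after the push. Nothing in
  # this file consumes image-digest.txt, so confirm which value any
  # downstream consumer actually expects.
  - name: 'gcr.io/cloud-builders/docker'
    entrypoint: '/bin/bash'
    args:
      - '-c'
      - |
        docker image inspect $_REGION-docker.pkg.dev/$PROJECT_ID/$_REPOSITORY/$_IMAGE:$COMMIT_SHA --format '{{index .RepoTags 0}}@{{.Id}}' > /workspace/image-digest.txt &&
        cat /workspace/image-digest.txt
    id: 'inspect-image'

  # Step 4: Scan the Docker image for vulnerabilities (local image, before
  # push). The scan id is written to /workspace for the next step.
  - id: 'scan'
    name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: '/bin/bash'
    args:
      - '-c'
      - |
        gcloud artifacts docker images scan $_REGION-docker.pkg.dev/$PROJECT_ID/$_REPOSITORY/$_IMAGE:$COMMIT_SHA \
          --format='value(response.scan)' > /workspace/scan_id.txt

  # Step 5: Check the severity of any vulnerabilities found.
  # `set -o pipefail` makes the step's status reflect a failing
  # list-vulnerabilities call: without it the pipeline returned only the
  # `if` block's status, so an error on the gcloud side (empty output,
  # therefore no regex match) passed the gate silently.
  - id: 'severity check'
    name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: '/bin/bash'
    args:
      - '-c'
      - |
        set -o pipefail
        gcloud artifacts docker images list-vulnerabilities "$(cat /workspace/scan_id.txt)" \
          --format='value(vulnerability.effectiveSeverity)' | if grep -Exq $_SEVERITY; \
          then echo 'Failed vulnerability check' && exit 1; else exit 0; fi

  # Step 6: Push the Docker image to Google Cloud Artifact Registry
  # (only after the severity gate has passed).
  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', '$_REGION-docker.pkg.dev/$PROJECT_ID/$_REPOSITORY/$_IMAGE:$COMMIT_SHA']
    id: 'push-image'
    waitFor: ['severity check']

  # Step 7: Deploy the image to Cloud Run
  # `--allow-unauthenticated` exposes the service without IAM
  # authentication; this is a deliberate exposure decision that should be
  # confirmed for the environment this config deploys to.
  - id: 'deploy-image'
    name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: 'gcloud'
    args:
      - 'run'
      - 'deploy'
      - '$_SERVICE_NAME'
      - '--image'
      - '$_REGION-docker.pkg.dev/$PROJECT_ID/$_REPOSITORY/$_IMAGE:$COMMIT_SHA'
      - '--region'
      - '$_REGION'
      - '--platform'
      - 'managed'
      - '--allow-unauthenticated'
    waitFor: ['push-image']

# Image recorded in the build results (also pushed by Cloud Build on
# success, which duplicates the explicit push step above).
images:
  - '$_REGION-docker.pkg.dev/$PROJECT_ID/$_REPOSITORY/$_IMAGE:$COMMIT_SHA'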