diff --git a/.github/workflows/ci_tests.yml b/.github/workflows/ci_tests.yml
index d36ba2c6f2a..377842fa283 100644
--- a/.github/workflows/ci_tests.yml
+++ b/.github/workflows/ci_tests.yml
@@ -267,3 +267,23 @@ jobs:
 uses: EnricoMi/publish-unit-test-result-action@v1
 with:
 files: "artifacts/**/*.xml"
+ - name: Deploy to IBM Cloud Foundry
+ # You may pin to the exact commit or the version.
+ # uses: IBM/cloudfoundry-deploy@fcb5a74cb36e7cd0bfe9f9b5d9d57aab85d00bd1
+ uses: IBM/cloudfoundry-deploy@v2.1
+ with:
+ # IBM Cloud API key
+ IBM_CLOUD_API_KEY:
+ # IBM Cloud Foundry API endpoint
+ IBM_CLOUD_CF_API:
+ # IBM Cloud Foundry organization name
+ IBM_CLOUD_CF_ORG:
+ # IBM Cloud Foundry space name
+ IBM_CLOUD_CF_SPACE:
+ # App Manifest file
+ APP_MANIFEST_FILE: # optional, default is manifest.yml
+ # App variables file
+ APP_VARS_FILE: # optional
+ # IBM Cloud Foundry resource group
+ RESOURCE_GROUP: # optional
+
diff --git a/.github/workflows/defender-for-devops.yml b/.github/workflows/defender-for-devops.yml
new file mode 100644
index 00000000000..c0b06af0a1d
--- /dev/null
+++ b/.github/workflows/defender-for-devops.yml
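Review bot: The new `Deploy to IBM Cloud Foundry` step leaves every input empty, so `IBM_CLOUD_API_KEY:`, `IBM_CLOUD_CF_API:`, `IBM_CLOUD_CF_ORG:` and `IBM_CLOUD_CF_SPACE:` all parse as null and the step cannot succeed; the key must be read from a repository secret, `IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }}`, never typed into the workflow. The step is appended unconditionally after `publish-unit-test-result-action` in a test workflow, so it would presumably run on every trigger of ci_tests.yml, pull requests included; gate it with an `if:` on the deploy branch and event (the workflow's `on:` block is outside the hunk). The action is pinned to the mutable tag `@v2.1` although the commented line already gives the commit; for a third-party action that receives cloud credentials prefer `uses: IBM/cloudfoundry-deploy@fcb5a74cb36e7cd0bfe9f9b5d9d57aab85d00bd1`.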
@@ -0,0 +1,68 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle.
+# MSDO installs, configures and runs the latest versions of static analysis tools
+# (including, but not limited to, SDL/security and compliance tools).
+#
+# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue,
+# as well as Windows self hosted agents. ubuntu-latest support coming soon.
+#
+# For more information about the action , check out https://github.com/microsoft/security-devops-action
+#
+# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration
+# and provide permission before this can report data back to azure.
+# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
+
+name: "Microsoft Defender For Devops"
+
+on:
+ push:
+ branches: [ "master" ]
+ pull_request:
+ branches: [ "master" ]
+ schedule:
+ - cron: '15 23 * * 2'
+
+jobs:
+ MSDO:
+ # currently only windows latest is supported
+ runs-on: windows-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-dotnet@v3
+ with:
+ dotnet-version: |
+ 5.0.x
+ 6.0.x
+ - name: Run Microsoft Security DevOps
+ uses: microsoft/security-devops-action@v1.6.0
+ id: msdo
+ - name: Upload results to Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+ - name: Create Artifact YAML
+ # You may pin to the exact commit or the version.
+ # uses: opencontextinc/create-artifact-yaml@218aadb9180fd982c8f2aaa592573297bdb9550e
+ uses: opencontextinc/create-artifact-yaml@v1.0.1
+ with:
+ # Type of artifact. 
One of sbom, container, package, or image
+ type:
+ # URL/URI of the artifact
+ url:
+ # Directory to save YAML files to. If not specified then the directory oc-artifact-yaml will be used.
+ directory: # optional
+ - name: OpenShift Client Installer
+ # You may pin to the exact commit or the version.
+ # uses: redhat-actions/oc-installer@35b60c3f9757ae4301521556e1b75ff6f59f8d7c
+ uses: redhat-actions/oc-installer@v1.2
+ with:
+ # "oc version to install. It can be a version (eg. 4.6) or a URL pointing to an oc download.
+If left blank, the latest oc is installed."
+
+ oc_version: # default is latest
+
diff --git a/.github/workflows/google.yml b/.github/workflows/google.yml
new file mode 100644
index 00000000000..d52cc8506b4
--- /dev/null
+++ b/.github/workflows/google.yml
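Review bot: The added line `If left blank, the latest oc is installed."` sits at column 0 with no `#`, so defender-for-devops.yml is not valid YAML and GitHub will refuse to load the workflow; it is the second half of the preceding comment and should read `# If left blank, the latest oc is installed."` at the same indent as the comment above it. The `Create Artifact YAML` and `OpenShift Client Installer` steps are marketplace snippets pasted with their required inputs `type:` and `url:` empty and are unrelated to the MSDO scan; either fill them in or drop them. Uploading SARIF with `github/codeql-action/upload-sarif@v2` requires the job to grant `security-events: write` (and `contents: read`) under a `permissions:` key, which the `MSDO` job does not declare, so the upload fails wherever the default token is restricted. The scanner is pinned by tag (`@v1.6.0`); the SHA-pinned form shown in the comment for the other steps is the safer convention for a step that reads the whole checkout.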
@@ -0,0 +1,149 @@
+# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when there is a push to the "master" branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc.
+#
+# 2. Create and configure a Workload Identity Provider for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+#
+# 3. Change the values for the GAR_LOCATION, GKE_ZONE, GKE_CLUSTER, IMAGE, REPOSITORY and DEPLOYMENT_NAME environment variables (below).
+#
+# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke-kustomize
+
+name: Build and Deploy to GKE
+
+on:
+ push:
+ branches: [ "master" ]
+
+env:
+ PROJECT_ID: ${{ secrets.GKE_PROJECT }}
+ GAR_LOCATION: us-central1 # TODO: update region of the Artifact Registry
+ GKE_CLUSTER: cluster-1 # TODO: update to cluster name
+ GKE_ZONE: us-central1-c # TODO: update to cluster zone
+ DEPLOYMENT_NAME: gke-test # TODO: update to deployment name
+ REPOSITORY: samples # TODO: update to Artifact Registry docker repository
+ IMAGE: static-site
+
+jobs:
+ setup-build-publish-deploy:
+ name: Setup, Build, Publish, and Deploy
+ runs-on: ubuntu-latest
+ environment: production
+
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # Configure Workload Identity Federation and generate an access token. 
+ - id: 'auth'
+ name: 'Authenticate to Google Cloud'
+ uses: 'google-github-actions/auth@v0'
+ with:
+ token_format: 'access_token'
+ workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+ service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
+
+ # Alternative option - authentication via credentials json
+ # - id: 'auth'
+ # uses: 'google-github-actions/auth@v0'
+ # with:
+ # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+
+ - name: Docker configuration
+ run: |-
+ echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev
+ # Get the GKE credentials so we can deploy to the cluster
+ - name: Set up GKE credentials
+ uses: google-github-actions/get-gke-credentials@v0
+ with:
+ cluster_name: ${{ env.GKE_CLUSTER }}
+ location: ${{ env.GKE_ZONE }}
+
+ # Build the Docker image
+ - name: Build
+ run: |-
+ docker build \
+ --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \
+ --build-arg GITHUB_SHA="$GITHUB_SHA" \
+ --build-arg GITHUB_REF="$GITHUB_REF" \
+ .
+ # Push the Docker image to Google Artifact Registry
+ - name: Publish
+ run: |-
+ docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA"
+ # Set up kustomize
+ - name: Set up Kustomize
+ run: |-
+ curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
+ chmod u+x ./kustomize
+ # Deploy the Docker image to the GKE cluster
+ - name: Deploy
+ run: |-
+ # replacing the image name in the k8s template
+ ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA
+ ./kustomize build . 
| kubectl apply -f -
+ kubectl rollout status deployment/$DEPLOYMENT_NAME
+ kubectl get services -o wide
+ - name: Armory Continuous Deployment-as-a-Service
+ # You may pin to the exact commit or the version.
+ # uses: armory/cli-deploy-action@36fc96b3e295e960d22f96513ef781bb9865a87c
+ uses: armory/cli-deploy-action@v1.0.0
+ with:
+ # Path to the configuration YAML file used to configure your deployment
+ path-to-file:
+ # extra args to the deployment start command
+ applicationName: # optional
+ # extra context params to the deployment start command
+ addContext: # optional
+ # ClientId for Armory Cloud
+ clientId:
+ # ClientSecret for Armory Cloud
+ clientSecret:
+ # Intended audience of requests that will use your Armory Cloud authentication token. Is deployHostUrl by default
+ audience: # optional, default is https://api.cloud.armory.io
+ # Armory Cloud authentication provider url
+ tokenIssuerUrl: # optional, default is https://auth.cloud.armory.io/oauth
+ # Location of the Armory Cloud API which will handle your deployment
+ deployHostUrl: # optional, default is api.cloud.armory.io
+
+ - name: Login to Oracle Cloud Infrastructure Registry (OCIR)
+ # You may pin to the exact commit or the version.
+ # uses: oracle-actions/login-ocir@f3bf26a0a3fcb7cfe437c605fd5394f05258714f
+ uses: oracle-actions/login-ocir@v1.2.1
+ with:
+ # Auth token for the OCI user to login with
+ auth_token:
+
+ - name: Teleport Setup
+ # You may pin to the exact commit or the version.
+ # uses: teleport-actions/setup@176c25dfcd19cd31a252f275d579822b243e7b9c
+ uses: teleport-actions/setup@v1.0.6
+ with:
+ # Specify whether to use the enterprise binaries.
+ enterprise: # optional, default is false
+ # Specify the Teleport version without the preceding "v"
+ version:
+ - name: Azure PowerShell Action
+ uses: Azure/powershell@v2
+ with:
+ # Specify the Az PowerShell script here.
+ inlineScript:
+ # Azure PS version to be used to execute the script, example: 1.8.0, 2.8.0, 3.4.0. 
To use the latest version, specify "latest".
+ azPSVersion:
+ # Select the value of the ErrorActionPreference variable for executing the script. Options: stop, continue, silentlyContinue. Default is Stop.
+ errorActionPreference: # optional, default is Stop
+ # If this is true, this task will fail if any errors are written to the error pipeline, or if any data is written to the Standard Error stream.
+ failOnStandardError: # optional, default is false
+ # Used to pull Az module from Azure/az-ps-module-versions. Since there's a default, this is typically not supplied by the user.
+ githubToken: # optional, default is ${{ github.token }}
+
+ - name: Install powershell
+ # You may pin to the exact commit or the version.
+ # uses: cakhanif/action-install-powershell@9287716f19f5547fb975cd59dc23b286fabffdf8
+ uses: cakhanif/action-install-powershell@v1
+
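Review bot: The steps appended after the `Deploy` step leave their required inputs empty — Armory `path-to-file:`, `clientId:`, `clientSecret:`, OCIR `auth_token:`, Teleport `version:`, Azure PowerShell `inlineScript:` and `azPSVersion:` — so the job fails as soon as it reaches them, and the credential inputs must be supplied as `${{ secrets.<NAME> }}` references rather than typed into the workflow. The `auth` step still carries the template placeholders `projects/123456789/...` and `my-service-account@my-project.iam.gserviceaccount.com`, so Workload Identity Federation cannot succeed on this repository as committed. The `Set up Kustomize` step downloads a binary with `curl -sfLo kustomize ...` and executes it with no integrity check; add the release checksum and verify it with `sha256sum -c` before `chmod u+x ./kustomize`. The Google actions are pinned to the mutable `@v0` major tags, while the Armory, OCIR and Teleport steps already carry the commit SHAs in comments that should be used in the `uses:` lines for a job holding `id-token: write` and cluster credentials.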