chore(ci-deps): Update files based on repository configuration (#256)

Co-authored-by: pleo-file-distributor[bot] <114988919+pleo-file-distributor[bot]@users.noreply.github.com> Co-authored-by: Damian Potyralski <[email protected]>
pleo-io · Jul 3, 2024 · d207f2d · d207f2d
1 parent 8c4724f
commit d207f2d
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 123 deletions.
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
@@ -32,7 +32,7 @@ jobs:
       result: ${{ steps.only-config-changed.outputs.only_configuration_files_have_changed }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: ${{ (github.event.repository.default_branch == github.ref_name && 2) || 0 }}
           ref: ${{ github.event.repository.default_branch }}
@@ -77,7 +77,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Checkout code
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
         # Login to AWS for fetching CI/CD cache.
       - name: Configure AWS credentials
@@ -152,7 +152,7 @@ jobs:
       - name: Publish Detekt SARIF report to GitHub
         continue-on-error: true
         if: ${{ github.ref == 'refs/heads/main' }}
-        uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
+        uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3
         with:
           sarif_file: build/reports/detekt/detekt.sarif
 

diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -28,6 +28,7 @@ env:
   CONFIG_FILE: ""
   RUN_ON_DEFAULT_BRANCH: true
   GRADLE_SCRIPT_PATH: ./gradlew
+  RUN_WIZCLI_DEPS_SCAN: <<runWizCliDepsScan>>>
 
 jobs:
   preflight:
@@ -70,14 +71,20 @@ jobs:
         run: echo "WORKING_LANGUAGE=${{env[format('language_{0}', github.event.repository.language)]}}" >> "$GITHUB_OUTPUT"
 
   wiz-cli:
-    name: Scan Dependencies with Wiz CLI
+    name: Wiz-CLI
+    runs-on: ubuntu-latest
     if: ${{ !contains(github.event.pull_request.labels.*.name, 'feature-deploy') && (github.ref != 'refs/heads/main' || github.event_name != 'push') }}
-    uses: pleo-io/reusable-workflows/.github/workflows/wiz-cli.yaml@main
-    with:
-      scan_deps: false
-      deps_scan_path: .
-      deps_policy: Pleo-Default-vulnerabilities-policy
-    secrets: inherit
+    steps:
+      - name: Scan Dependencies with Wiz-CLI
+        uses: pleo-io/reusable-actions/wizcli@main
+        if: ${{ env.RUN_WIZCLI_DEPS_SCAN == 'true' }}
+        with:
+          scan_deps: ${{ env.RUN_WIZCLI_DEPS_SCAN }}
+          deps_scan_path: .
+          deps_policy: Pleo-Default-vulnerabilities-policy
+          wiz_client_id: ${{ secrets.WIZ_CLIENT_ID }}
+          wiz_client_secret: ${{ secrets.WIZ_CLIENT_SECRET }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
 
   analyze-code:
     name: Analyze code with CodeQL
@@ -92,7 +99,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
       - name: Set Working Language
         run: echo "WORKING_LANGUAGE=${{needs.preflight.outputs.working_language}}" >> "$GITHUB_ENV"
       # Set up a JDK environment for building, testing and releasing.
@@ -120,7 +127,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
+        uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3
         with:
           languages: ${{ github.event.repository.language }}
           ram: 4096
@@ -137,6 +144,6 @@ jobs:
           JOB_RUNR_REPO_PASSWORD: ${{ secrets.JOB_RUNR_REPO_PASSWORD }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
+        uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3
         with:
           ram: 4096
diff --git a/.github/workflows/pr-help.yaml b/.github/workflows/pr-help.yaml
@@ -40,7 +40,7 @@ jobs:
     if: ${{ github.event.label.name == 'automerge' }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
 
       - id: enable-automerge
         name: Enable Pull Request Automerge

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -25,6 +25,7 @@ env:
   productionDeploymentEnabled: true
   generateChangelogUpdate: true
   forceReleaseOpenAPIDocument: 
+  RUN_WIZCLI_CONTAINER_SCAN: true
 
 jobs:
   determine-version:
@@ -41,7 +42,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Checkout code
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
         with:
           fetch-depth: 0
 
@@ -141,7 +142,7 @@ jobs:
 
       # Checkout the code with the elevated token to allow default branch pushes.
       - name: Checkout code
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
         with:
           fetch-depth: 0
           ref: main
@@ -263,7 +264,7 @@ jobs:
     steps:
       # Checkout the code to publish.
       - name: Checkout code
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
         with:
           fetch-depth: 0
           ref: main
@@ -425,7 +426,7 @@ jobs:
       # Checkout the code to publish.
       - name: Checkout code
         if: env.deploymentEnabled == 'true'
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
         with:
           fetch-depth: 0
           ref: main
@@ -476,8 +477,20 @@ jobs:
             GRADLE_USER=${{ secrets.GITHUB_ACTOR }}
             GRADLE_READ_KEY=${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
 
+      - name: Scan Docker Image with Wiz-CLI
+        if: ${{ env.deploymentEnabled == 'true' && env.RUN_WIZCLI_CONTAINER_SCAN == 'true' }}
+        uses: pleo-io/reusable-actions/wizcli@main
+        id: image_scan
+        with:
+          scan_container: ${{ env.RUN_WIZCLI_CONTAINER_SCAN }}
+          container_tag: ${{ github.sha }}
+          deps_policy: Pleo-Default-vulnerabilities-policy
+          wiz_client_id: ${{ secrets.WIZ_CLIENT_ID }}
+          wiz_client_secret: ${{ secrets.WIZ_CLIENT_SECRET }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Configure shared services AWS credentials
-        if: env.deploymentEnabled == 'true'
+        if: ${{ env.deploymentEnabled == 'true' && steps.image_scan.outcome == 'success' }}
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           role-to-assume: arn:aws:iam::${{vars.AWS_ACCOUNT_ID_SHARED_SERVICES}}:role/github/repository/${{ github.event.repository.name }}-github-actions
@@ -486,101 +499,17 @@ jobs:
           special-characters-workaround: true
 
       - name: Login to Amazon ECR shared-services
-        if: env.deploymentEnabled == 'true'
+        if: ${{ env.deploymentEnabled == 'true' && steps.image_scan.outcome == 'success' }}
         uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
 
       - name: Push Docker Image to AWS ECR shared services
-        if: env.deploymentEnabled == 'true'
+        if: ${{ env.deploymentEnabled == 'true' && steps.image_scan.outcome == 'success' }}
         run: |
           ecr_repo_url="${{ vars.AWS_ACCOUNT_ID_SHARED_SERVICES }}.dkr.ecr.eu-west-1.amazonaws.com/pleo/${{ github.event.repository.name }}:${{ github.sha }}"
           docker tag ${{ github.sha }} ${ecr_repo_url}
           docker push ${ecr_repo_url}
           docker rmi -f ${ecr_repo_url}
 
-      - name: Configure product-dev AWS credentials
-        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
-        with:
-          role-to-assume: arn:aws:iam::${{vars.AWS_ACCOUNT_ID_PRODUCT_DEV}}:role/github/repository/${{ github.event.repository.name }}-github-actions
-          role-session-name: GitHubActions
-          aws-region: eu-west-1
-          special-characters-workaround: true
-
-      - name: Login to Amazon ECR product-dev
-        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
-        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
-
-      - name: Push Docker Image to AWS ECR product-dev
-        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
-        run: |
-          ecr_repo_url="${{ vars.AWS_ACCOUNT_ID_PRODUCT_DEV }}.dkr.ecr.eu-west-1.amazonaws.com/pleo/${{ github.event.repository.name }}:${{ github.sha }}"
-          docker tag ${{ github.sha }} ${ecr_repo_url}
-          docker push ${ecr_repo_url}
-          docker rmi -f ${ecr_repo_url}
-
-      - name: Configure product-staging AWS credentials
-        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
-        with:
-          role-to-assume: arn:aws:iam::${{vars.AWS_ACCOUNT_ID_PRODUCT_STAGING}}:role/github/repository/${{ github.event.repository.name }}-github-actions
-          role-session-name: GitHubActions
-          aws-region: eu-west-1
-          special-characters-workaround: true
-
-      - name: Login to Amazon ECR product-staging
-        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
-        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
-
-      - name: Push Docker Image to AWS ECR product-staging
-        if: env.deploymentEnabled == 'true' && env.environmentTenant == 'product'
-        run: |
-          ecr_repo_url="${{ vars.AWS_ACCOUNT_ID_PRODUCT_STAGING }}.dkr.ecr.eu-west-1.amazonaws.com/pleo/${{ github.event.repository.name }}:${{ github.sha }}"
-          docker tag ${{ github.sha }} ${ecr_repo_url}
-          docker push ${ecr_repo_url}
-          docker rmi -f ${ecr_repo_url}
-
-      - name: Configure product-production AWS credentials
-        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'product'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
-        with:
-          role-to-assume: arn:aws:iam::${{vars.AWS_ACCOUNT_ID_PRODUCT_PRODUCTION}}:role/github/repository/${{ github.event.repository.name }}-github-actions
-          role-session-name: GitHubActions
-          aws-region: eu-west-1
-          special-characters-workaround: true
-
-      - name: Login to AWS ECR product-production
-        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'product'
-        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
-
-      - name: Push Docker Image to AWS ECR product-production
-        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'product'
-        run: |
-          ecr_repo_url="${{ vars.AWS_ACCOUNT_ID_PRODUCT_PRODUCTION }}.dkr.ecr.eu-west-1.amazonaws.com/pleo/${{ github.event.repository.name }}:${{ github.sha }}"
-          docker tag ${{ github.sha }} ${ecr_repo_url}
-          docker push ${ecr_repo_url}
-          docker rmi -f ${ecr_repo_url}
-
-      - name: Configure tooling-production AWS credentials
-        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'tooling'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
-        with:
-          role-to-assume: arn:aws:iam::${{vars.AWS_ACCOUNT_ID_TOOLING_PRODUCTION}}:role/github/repository/${{ github.event.repository.name }}-github-actions
-          role-session-name: GitHubActions
-          aws-region: eu-west-1
-          special-characters-workaround: true
-
-      - name: Login to Amazon ECR tooling-production
-        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'tooling'
-        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
-
-      - name: Push Docker Image to AWS ECR tooling-production
-        if: env.deploymentEnabled == 'true' && env.productionDeploymentEnabled == 'true' && env.environmentTenant == 'tooling'
-        run: |
-          ecr_repo_url="${{ vars.AWS_ACCOUNT_ID_TOOLING_PRODUCTION }}.dkr.ecr.eu-west-1.amazonaws.com/pleo/${{ github.event.repository.name }}:${{ github.sha }}"
-          docker tag ${{ github.sha }} ${ecr_repo_url}
-          docker push ${ecr_repo_url}
-          docker rmi -f ${ecr_repo_url}
-
   get-env-variables:
     name: Prepare env variables
     outputs:
@@ -594,25 +523,12 @@ jobs:
           echo "deploymentEnabled=${{ env.deploymentEnabled }}" >> "$GITHUB_OUTPUT"
           echo "environmentTenant=${{ env.environmentTenant }}" >> "$GITHUB_OUTPUT"
 
-  wiz-cli:
-    name: Scan Image with Wiz CLI
-    uses: pleo-io/reusable-workflows/.github/workflows/wiz-cli.yaml@main
-    needs:
-      - publish-docker-image
-      - get-env-variables
-    with:
-      scan_container: false
-      container_tag: ${{ github.sha }}
-      deps_policy: Pleo-Default-vulnerabilities-policy
-    secrets: inherit
-
   trigger-deploy-gitops-product-dev:
     name: Trigger deployment (GitOps)- Update product-dev image
     concurrency: update-image-tag
     needs:
       - publish-docker-image
       - get-env-variables
-      - wiz-cli
     if: needs.get-env-variables.outputs.deploymentEnabled == 'true' && needs.get-env-variables.outputs.environmentTenant == 'product'
     uses: pleo-io/reusable-workflows/.github/workflows/update-image-tag.yaml@main
     with:
@@ -628,7 +544,6 @@ jobs:
     needs:
       - publish-docker-image
       - get-env-variables
-      - wiz-cli
     if: needs.get-env-variables.outputs.deploymentEnabled == 'true' && needs.get-env-variables.outputs.environmentTenant == 'product'
     uses: pleo-io/reusable-workflows/.github/workflows/update-image-tag.yaml@main
     with:
@@ -644,7 +559,6 @@ jobs:
     needs:
       - publish-docker-image
       - get-env-variables
-      - wiz-cli
     if: needs.get-env-variables.outputs.deploymentEnabled == 'true' && needs.get-env-variables.outputs.environmentTenant == 'tooling'
     uses: pleo-io/reusable-workflows/.github/workflows/update-image-tag.yaml@main
     with:
@@ -660,7 +574,6 @@ jobs:
     needs:
       - publish-docker-image
       - get-env-variables
-      - wiz-cli
     if: needs.get-env-variables.outputs.deploymentEnabled == 'true' && needs.get-env-variables.outputs.environmentTenant == 'data-integration'
     uses: pleo-io/reusable-workflows/.github/workflows/update-image-tag.yaml@main
     with:
@@ -676,7 +589,6 @@ jobs:
     needs:
       - publish-docker-image
       - get-env-variables
-      - wiz-cli
     if: needs.get-env-variables.outputs.deploymentEnabled == 'true' && needs.get-env-variables.outputs.environmentTenant == 'data-integration'
     uses: pleo-io/reusable-workflows/.github/workflows/update-image-tag.yaml@main
     with:
@@ -692,7 +604,6 @@ jobs:
     needs:
       - publish-docker-image
       - get-env-variables
-      - wiz-cli
     if: needs.get-env-variables.outputs.deploymentEnabled == 'true' && needs.get-env-variables.outputs.environmentTenant == 'data-integration'
     uses: pleo-io/reusable-workflows/.github/workflows/update-image-tag.yaml@main
     with: