1.3.26.6ce7183 #196

Workflow file for this run

.github/workflows/prereleased.yaml at 6ce7183

	name: Prereleased



	on:
	release:
	types:
	- prereleased



	env:
	COMPONENT: aws-adapter
	COMPONENT_PATH: distributions/aws/

	PRIVATE_ECR_REGION: ${{ secrets.AWS_ECR_REGION }}
	ECR_ROLE_ARN: ${{ secrets.AWS_ECR_ROLE_ARN }}

	DOCKER_REPOSITORY: aws-adapter
	CONTAINER: aws-adapter-container-image

	DOCKERHUB_REGISTRY: ydata
	DOCKER_REPOSITORY_PREFIX: aws-adapter

	AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
	SBOM_FILENAME: docker-sbom
	NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}



	permissions:
	id-token: write
	contents: read
	packages: read



	jobs:
	cancel_previous:
	name: 'Cancel Previous Runs'
	runs-on: ubuntu-22.04
	timeout-minutes: 3

	steps:
	- uses: ydataai/[email protected]
	with:
	ignore_sha: true
	access_token: ${{ secrets.ACCESS_TOKEN }}


	prepare:
	name: Prepare
	runs-on: ubuntu-22.04

	needs:
	- cancel_previous

	outputs:
	version: ${{ steps.version.outputs.value }}

	steps:
	- name: Version
	id: version
	run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT


	build:
	name: Build
	runs-on: ubuntu-22.04

	needs:
	- prepare

	strategy:
	fail-fast: true
	matrix:
	package: [metering, quota]

	steps:
	- uses: actions/checkout@v4

	- name: Build Docker Image
	id: docker_build
	uses: docker/build-push-action@v5
	env:
	DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY }}/${{ matrix.package }}:${{ needs.prepare.outputs.version }}
	with:
	build-args: \|
	COMPILE_CMD=${{ matrix.package }}
	context: .
	push: false
	load: true
	tags: ${{ env.DOCKER_IMAGE_TAG }}

	- name: Create Docker SBOM
	uses: anchore/sbom-action@v0
	with:
	upload-artifact-retention: 1
	image: ${{ steps.docker_build.outputs.imageId }}
	format: spdx-json
	upload-release-assets: false
	output-file: ${{ env.SBOM_FILENAME }}.spdx.json

	- name: Scan SBOM
	id: scan_sbom
	uses: anchore/scan-action@v3
	with:
	sbom: ${{ env.SBOM_FILENAME }}.spdx.json
	output-format: sarif
	fail-build: false

	- name: Determine number of noticiable vulnerabilities
	id: count_vulnerabilities
	run: echo "value=$(grep -cE "(medium\|high\|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }}
	aws-region: ${{ env.AWS_S3_REGION }}

	- name: Copy SBOM to S3
	run: \|
	aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
	aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif

	- name: Update Notion Page
	uses: ydataai/update-notion-page@v1
	env:
	STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' \|\| '"⚠️"' }}
	STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' \|\| format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
	with:
	notion_secret: ${{ secrets.NOTION_SECRET }}
	notion_database_id: ${{ env.NOTION_DATABASE_ID }}
	notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
	notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: ${{ env.ECR_ROLE_ARN }}
	aws-region: ${{ env.PRIVATE_ECR_REGION }}

	- name: Login to Amazon ECR
	id: ecr_password
	uses: aws-actions/amazon-ecr-login@v2

	- name: Push Docker Image
	env:
	DOCKER_IMAGE_TAG: ${{ steps.ecr_password.outputs.registry }}/${{ env.DOCKER_REPOSITORY }}/${{ matrix.package }}:${{ needs.prepare.outputs.version }}
	run: \|
	docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
	docker push ${{ env.DOCKER_IMAGE_TAG }}

	- name: Login to Dockerhub Registry
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_PASSWORD }}

	- name: Push Docker Image
	env:
	DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_PREFIX }}-${{ matrix.package }}:${{ needs.prepare.outputs.version }}
	run: \|
	docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
	docker push ${{ env.DOCKER_IMAGE_TAG }}


	update-manifests:
	name: Update Manifests
	runs-on: ubuntu-22.04

	needs:
	- prepare
	- build

	strategy:
	fail-fast: true
	max-parallel: 1
	matrix:
	package: [metering, quota]

	steps:
	- name: Checkout Manifests repo
	uses: actions/checkout@v4
	with:
	repository: ydataai/manifests
	token: ${{ secrets.ACCESS_TOKEN }}

	- uses: imranismail/setup-kustomize@v2
	with:
	kustomize-version: ${{ secrets.KUSTOMIZE_VERSION }}

	- name: Update kustomization image tag
	env:
	CONTAINER_PKG: ${{ matrix.package }}-${{ env.CONTAINER }}
	DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY }}/${{ matrix.package }}:${{ needs.prepare.outputs.version }}
	VERSION: ${{ needs.prepare.outputs.version }}
	run: \|
	cd ${COMPONENT_PATH}
	kustomize edit set image ${CONTAINER_PKG}=${DOCKER_IMAGE_TAG}

	- name: setup-yq
	uses: chrisdickinson/[email protected]
	env:
	ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'

	- name: Change cronjob on metering
	if: matrix.package == 'metering'
	env:
	DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_PREFIX }}-${{ matrix.package }}:${{ needs.prepare.outputs.version }}
	run: \|
	cd ${COMPONENT_PATH}
	yq w -i metering-adapter/base/cronjob.yaml 'spec.jobTemplate.spec.template.spec.containers[0].image' ${DOCKER_IMAGE_TAG}

	- name: Change deployment on quota
	if: matrix.package == 'quota'
	env:
	DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_PREFIX }}-${{ matrix.package }}:${{ needs.prepare.outputs.version }}
	run: \|
	cd ${COMPONENT_PATH}
	yq w -i quota-adapter/base/deployment.yaml 'spec.template.spec.containers[0].image' ${DOCKER_IMAGE_TAG}

	- name: Commit and push image update into manifests repo
	env:
	VERSION: ${{ needs.prepare.outputs.version }}
	run: \|
	git config user.email "[email protected]"
	git config user.name "Azory YData Bot"
	git commit -a -m "chore(bump): [CI] [DEV] bump ${{ env.COMPONENT }} package ${{ matrix.package }} to $VERSION"
	git push origin master

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

1.3.26.6ce7183 #196

Workflow file

1.3.26.6ce7183 #196

Jobs

Run details

Workflow file for this run