added custom action & updated readme

README.md

@@ -1,51 +1,68 @@
-<!-- PROJECT SHIELDS -->
-![Build][Build-badge]
-[![Coverage][Coverage-badge]][Sonar-url]
-[![Vulnerabilities][Vulnerability-badge]][Sonar-url]
+# GCP Build Pipeline
 
-# 0xPolygon Pipelines
-This repo serves as the repository for shared pipelines across the Polygon organization. To learn more about using 
-shared pipelines, please see the [Shared Pipelines Documentation](https://docs.github.com/en/actions/creating-actions/sharing-actions-and-workflows-with-your-organization).
+## Overview
+This GitHub Actions workflow sets up a build pipeline for Docker images on Google Cloud Platform (GCP) with the following key features:
 
-### Built With
+- Building and pushing Docker images to Google Cloud Artifact Registry.
+- Scanning Docker images for vulnerabilities and checking for critical severity.
+- Signing Docker images using Binary Authorization.
+- Updating Helm chart values with the latest Docker image details.
+- Automatically committing changes to the Helm values file.
 
-![Static Badge](https://img.shields.io/badge/alcohol-sarcasm-8A2BE2?logo=polygon)
+## Inputs
+The workflow accepts the following parameters:
 
-## Getting Started
+- `workload_identity_provider`: Full identifier of the Workload Identity Provider.
+- `service_account`: Email address or unique identifier of the Google Cloud service account.
+- `gar_location`: Google Cloud Artifact Registry location.
+- `docker_image`: Full name of the Docker image.
+- `dockerfile_name`: Name of the Dockerfile (default: 'Dockerfile').
+- `dockerfile_path`: Path to the Dockerfile (default: '.').
+- `critical_count`: Critical vulnerabilities count (default: '5').
+- `helm_values_path`: Path to the Helm values file for configuration (default: './helm-charts/values.yaml').
+- `attestor`: Name of the attestor for signing Docker images.
+- `attestor_project`: GCP project where the attestor is located.
+- `keyversion_project`: GCP project where the key version is stored.
+- `keyversion_location`: Location/region of the key version.
+- `keyversion_keyring`: Keyring associated with the key version.
+- `keyversion_key`: Key associated with the key version.
 
-### Local Development
+## Workflow Steps
+1. **Checkout Code:** Uses `actions/checkout` to fetch the source code.
+2. **Set up GCP CLI:** Uses `google-github-actions/setup-gcloud` to configure the Google Cloud CLI.
+3. **Authenticate:** Authenticates with GCP using the specified service account and workload identity provider.
+4. **Docker Login:** Logs in to the Google Cloud Artifact Registry using the provided credentials.
+5. **Build Docker Image:** Builds the Docker image with the specified Dockerfile.
+6. **Push Docker Image:** Pushes the Docker image to the Google Cloud Artifact Registry.
+7. **Scan Vulnerabilities:** Scans the pushed Docker image for vulnerabilities.
+8. **Check Critical Vulnerabilities:** Checks if the number of critical vulnerabilities exceeds the specified count.
+9. **Sign Docker Image:** Signs the Docker image using Binary Authorization.
+10. **Update Helm Values:** Updates the Helm chart values with the latest Docker image details.
+11. **Push Back Changes:** Automatically commits changes to the Helm values file.
 
-## Usage
-
-TODO
-
-## Contributing
-
-This is the place to document your delivery workflow. For example:
-
-1. Clone the project
-2. Create a feature branch beginning with the ticket number (`git checkout -b INC-7689/update-readme`)
-3. Commit your changes (`git commit -m 'Update README.me with default template`)
-4. Push to the branch (`git push origin INC-7689/update-readme`)
-5. Open a Pull Request
-6. After review and approval, changes are deployed immediately
-
-## Contact
-
-![Email][Email-badge]
-![Slack][Slack-badge]
+## Notes
+- The workflow utilizes Google Cloud CLI and Docker commands for building, pushing, and scanning Docker images.
+- Binary Authorization is used to sign Docker images for security.
+- Helm chart values are updated with the latest Docker image details automatically.
 
+## Usage
+To use this workflow, provide the required inputs when triggering the workflow run. Ensure that the necessary secrets and permissions are configured in your GitHub repository for GCP authentication and Docker image pushing.
 
-<!-- MARKDOWN LINKS AND IMAGES (update/replace as needed for your application) -->
-[Build-badge]: https://github.com/0xPolygon/learn-api/actions/workflows/main.yml/badge.svg
-[Coverage-badge]: https://sonarqube.polygon.technology/api/project_badges/measure?project=TODO
-[Vulnerability-badge]: https://sonarqube.polygon.technology/api/project_badges/measure?project=TODO
-[Sonar-url]: https://sonarqube.polygon.technology/dashboard?id=TODO
-[Language-badge]: https://img.shields.io/badge/Nodejs-18.0-informational
-[Language-url]: https://nodejs.org/en
-[Email-badge]: https://img.shields.io/badge/Email-devops@polygon.technology-informational?logo=gmail
-[Slack-badge]: https://img.shields.io/badge/Slack-team_devops-informational?logo=slack
-[Production-badge]: https://img.shields.io/badge/Production_URL-polygon.technology-informational
-[Production-url]: https://link.to/prod
-[Staging-badge]: https://img.shields.io/badge/Staging_URL-staging.polygon.technology-informational
-[Staging-url]: https://link.to/staging
+    steps:
+    - id: custom-action
+      uses: 0xPolygon/gcp-build-pipeline-action@v1
+      with:
+        workload_identity_provider: ${{ env.WIF_PROVIDER }}
+        service_account: ${{ env.WIF_SERVICE_ACCOUNT }}
+        gar_location: ${{ env.GAR_LOCATION }}
+        docker_image: ${{ env.IMAGE_NAME }}
+        dockerfile_name: Dockerfile
+        dockerfile_path: .
+        critical_count: ${{ env.CRITICAL_COUNT }}
+        helm_values_path: './helm-chart/values.yaml'
+        attestor: ${{ env.ATTESTOR }}
+        attestor_project: ${{ env.ATTESTOR_PROJECT_ID }}
+        keyversion_project: ${{ env.ATTESTOR_PROJECT_ID }}
+        keyversion_location: ${{ env.GAR_LOCATION }}
+        keyversion_keyring: ${{ env.KEY_RING }}
+        keyversion_key: ${{ env.KEY }}

action.yml

@@ -0,0 +1,140 @@
+name: 'GCP Build Pipeline'
+description: 'Build and push Docker image to Google Cloud Artifact Registry'
+inputs:
+  workload_identity_provider:
+    description: 'Full identifier of Workload Identity Provider (e.g., project number, pool name, provider name).'
+    required: true
+  service_account:
+    description: 'Email address or unique identifier of the Google Cloud service account for which to generate credentials.'
+    required: true
+  gar_location:
+    description: 'Google Cloud Artifact Registry location.'
+    required: true
+  docker_image:
+    description: 'Full name of the Docker image.'
+    required: true
+  dockerfile_name:
+    description: 'Name of the Dockerfile.'
+    required: true
+    default: 'Dockerfile'
+  dockerfile_path:
+    description: 'Path to the Dockerfile.'
+    required: true
+    default: '.'
+  critical_count:
+    description: 'Critical vulnerabilities count.'
+    required: true
+    default: '5'
+  helm_values_path:
+    description: 'Path to the Helm values file for configuration.'
+    required: true
+    default: './helm-charts/values.yaml'
+  attestor:
+    description: 'Name of the attestor to be used for signing the docker images.'
+    required: true
+  attestor_project:
+    description: 'Google Cloud Platform (GCP) project where the attestor is located.'
+    required: true
+  keyversion_project:
+    description: 'GCP project where the key version is stored.'
+    required: true
+  keyversion_location:
+    description: 'Location/region of the key version.'
+    required: true
+  keyversion_keyring:
+    description: 'Keyring associated with the key version.'
+    required: true
+  keyversion_key:
+    description: 'Key associated with the key version.'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v4
+    - uses: google-github-actions/setup-gcloud@v1
+
+    - id: auth
+      uses: google-github-actions/auth@v1
+      with:
+          token_format: "access_token"
+          workload_identity_provider: ${{ inputs.workload_identity_provider }}
+          service_account: ${{ inputs.service_account }}
+
+    - id: docker-auth
+      uses: docker/login-action@v1
+      with:
+        username: "oauth2accesstoken"
+        password: ${{ steps.auth.outputs.access_token }}
+        registry: ${{ inputs.gar_location }}-docker.pkg.dev
+
+    - id: build-docker-image
+      run: |-
+        docker build -t "${{ inputs.docker_image }}:${{ github.sha }}" -f ${{ inputs.dockerfile_name }} ${{ inputs.dockerfile_path }}
+      shell: bash
+
+    - id: push-docker-image
+      run: |-        
+        docker push "${{ inputs.docker_image }}:${{ github.sha }}"
+      shell: bash
+
+    - id: scan-vulnerabilities
+      run: |-
+        (gcloud artifacts docker images scan "${{ inputs.docker_image }}:${{ github.sha }}" --format="value(response.scan)" --remote --quiet) > ./scan_id.txt
+      shell: bash
+
+    - id: check-critical-vulnerabilities
+      run: |-
+        #!/bin/bash
+        # Check if the scan_id.txt file exists
+        if [ ! -f ./scan_id.txt ]; then
+            echo "Error: scan_id.txt not found."
+            exit 1
+        fi
+        # Use gcloud to list vulnerabilities and check for CRITICAL severity
+        severity=$(gcloud artifacts docker images list-vulnerabilities \
+                        "$(cat ./scan_id.txt)" \
+                        --format="value(vulnerability.effectiveSeverity)")
+        
+        # Check if CRITICAL vulnerability is found
+        chk=$(echo "$severity" | grep -c "CRITICAL")
+        if [ "$chk" -gt ${{ inputs.critical_count }} ]; then
+          echo "Failed vulnerability check for CRITICAL level"
+            exit 1
+        else
+            echo "No CRITICAL vulnerability found. Congratulations!"
+            exit 0
+        fi
+      shell: bash
+
+    - id: sign-docker-image
+      run: |-
+        export CLOUDSDK_CORE_DISABLE_PROMPTS=1
+        gcloud components install beta --quiet
+        
+        DIGEST=$(gcloud container images describe ${{ inputs.docker_image }}:${{ github.sha }} --format='get(image_summary.digest)')
+
+        gcloud beta container binauthz attestations sign-and-create \
+          --artifact-url="${{ inputs.docker_image }}@${DIGEST}" \
+          --attestor="${{ inputs.attestor }}" \
+          --attestor-project="${{ inputs.attestor_project }}" \
+          --keyversion-project="${{ inputs.keyversion_project }}" \
+          --keyversion-location="${{ inputs.keyversion_location }}" \
+          --keyversion-keyring="${{ inputs.keyversion_keyring }}" \
+          --keyversion-key="${{ inputs.keyversion_key }}" \
+          --keyversion="1"
+      shell: bash
+
+    - id: update-helm-values
+      run: |-
+        DIGEST=$(gcloud container images describe ${{ inputs.docker_image }}:${{ github.sha }} \
+              --format='get(image_summary.digest)')
+
+        sed -i "s|image:.*|image: ${{ inputs.docker_image }}@${DIGEST}|" ${{ inputs.helm_values_path }}
+      shell: bash
+
+    - id: push-back
+      uses: stefanzweifel/git-auto-commit-action@v5
+      with:
+        commit_message: Apply automatic changes to Update image repository in Helm values
+        file_pattern: ${{ inputs.helm_values_path }}