
Merge pull request #1163 from DFE-Digital/2166-scan-docker-image-in-a…
…ll-repositories

Add SNYK scan to build image
saliceti authored Jan 17, 2025
2 parents 26c9807 + 9cc9b14 commit a77ba9c
Showing 3 changed files with 71 additions and 59 deletions.
43 changes: 0 additions & 43 deletions .github/workflows/actions/build-docker/action.yml

This file was deleted.

37 changes: 21 additions & 16 deletions .github/workflows/build-and-deploy.yml
Expand Up @@ -31,24 +31,29 @@ env:
CONTAINER_REGISTRY: ghcr.io

jobs:
docker:
name: Docker build and push
build_image:
name: Image build and push
if: contains(github.event.pull_request.labels.*.name, 'deploy') || github.event_name != 'pull_request'
runs-on: ubuntu-latest
outputs:
docker_image: ${{ steps.dockerimage.outputs.docker_image_tag }}
docker-image: ${{ steps.build-image.outputs.image }}
steps:
- uses: actions/checkout@v4
- uses: ./.github/workflows/actions/build-docker
id: dockerimage

- name: Build and push docker image
id: build-image
uses: DFE-Digital/github-actions/build-docker-image@master
with:
github_username: ${{ github.actor }}
github_token: ${{ secrets.GITHUB_TOKEN }}
github-token: ${{ secrets.GITHUB_TOKEN }}
context: .
max-cache: true
reuse-cache: true
snyk-token: ${{ secrets.SNYK_TOKEN }}

deploy_review:
name: Deploy to review environment
concurrency: deploy_review_${{ github.event.pull_request.number }}
needs: [docker]
needs: [build_image]
runs-on: ubuntu-latest
if: contains(github.event.pull_request.labels.*.name, 'deploy')
environment:
Expand All @@ -60,7 +65,7 @@ jobs:
id: deploy
with:
environment: review
docker_image: ${{ needs.docker.outputs.docker_image }}
docker_image: ${{ needs.build_image.outputs.docker-image }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
pr-id: ${{ github.event.pull_request.number }}
Expand All @@ -75,7 +80,7 @@ jobs:
set_matrix:
name: Set deployment matrix
runs-on: ubuntu-latest
needs: [docker]
needs: [build_image]
outputs:
deployment_matrix: ${{ steps.set_matrix.outputs.deployment_matrix }}
steps:
Expand All @@ -93,7 +98,7 @@ jobs:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
concurrency: deploy_${{ matrix.environment }}
needs: [docker, set_matrix]
needs: [build_image, set_matrix]
strategy:
fail-fast: false # this is necessary to prevent early terminiation of terraform deployments that will result in tfstate locks
max-parallel: 3
Expand Down Expand Up @@ -124,7 +129,7 @@ jobs:
id: deploy
with:
environment: ${{ matrix.environment }}
docker_image: ${{ needs.docker.outputs.docker_image }}
docker_image: ${{ needs.build_image.outputs.docker-image }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}

Expand All @@ -140,7 +145,7 @@ jobs:
env:
SLACK_COLOR: failure
SLACK_TITLE: Failure deploying release to ${{ matrix.environment }}
SLACK_MESSAGE: Failure deploying release to ${{ matrix.environment }} - Docker tag ${{ needs.docker.outputs.docker_image }}
SLACK_MESSAGE: Failure deploying release to ${{ matrix.environment }} - Docker image ${{ needs.build_image.outputs.docker-image }}
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}

deploy_production:
Expand All @@ -151,7 +156,7 @@ jobs:
name: production
url: ${{ steps.deploy.outputs.environment_url }}
concurrency: deploy_production
needs: [docker, deploy_nonprod]
needs: [build_image, deploy_nonprod]

outputs:
environment_url: ${{ steps.deploy.outputs.environment_url }}
Expand All @@ -176,7 +181,7 @@ jobs:
id: deploy
with:
environment: production
docker_image: ${{ needs.docker.outputs.docker_image }}
docker_image: ${{ needs.build_image.outputs.docker-image }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}

Expand All @@ -186,5 +191,5 @@ jobs:
env:
SLACK_COLOR: failure
SLACK_TITLE: Failure deploying release to production
SLACK_MESSAGE: Failure deploying release to production - Docker tag ${{ needs.docker.outputs.docker_image }}
SLACK_MESSAGE: Failure deploying release to production - Docker image ${{ needs.build_image.outputs.docker-image }}
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
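Review bot: The new build step in the first hunk, `uses: DFE-Digital/github-actions/build-docker-image@master`, is referenced by a mutable branch and now receives `secrets.SNYK_TOKEN` in addition to `secrets.GITHUB_TOKEN`, so any change landing on that branch of the action repository runs with both tokens on this repository's builds; pinning the reference to a full commit SHA (with the tracked version in a trailing comment) keeps the executed action content fixed, and the same applies to the `build-docker-image@master` step added in build-nocache.yml. Nothing in the hunk shows whether a Snyk finding fails the step and so blocks the `deploy_*` jobs that consume `docker-image`; if that gating is intended, it is worth confirming in the action and recording on the step, e.g. `# Snyk scan runs inside build-docker-image — confirm findings fail the step before deploy_* jobs use the image`. The job output is named `docker-image` while the inputs it feeds (`docker_image:`) and the job ids in this file use snake_case; keeping one convention here avoids a second spelling to remember when these references are edited again.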
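--- a/.github/workflows/build-nocache.yml
+++ b/.github/workflows/build-nocache.yml
@@ -0,0 +1,50 @@
+name: Build No Cache
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 12 * * 0"
+    # Will run once a week on Sunday afternoon
+
+jobs:
+  build-no-cache:
+    runs-on: ubuntu-latest
+    environment:
+      name: development
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout
+
+      - uses: azure/login@v2
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Fetch secrets from key vault
+        uses: azure/CLI@v2
+        id: keyvault-yaml-secret
+        with:
+          inlineScript: |
+            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INF_KEY_VAULT }}" --query "value" -o tsv)
+            echo "::add-mask::$SLACK_WEBHOOK"
+            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
+      - name: Build without cache and push docker image
+        id: build-image
+        uses: DFE-Digital/github-actions/build-docker-image@master
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          context: .
+          max-cache: true
+          reuse-cache: false
+          snyk-token: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Notify slack on failure
+        uses: rtCamp/action-slack-notify@master
+        if: ${{ failure() }}
+        with:
+          SLACK_USERNAME: CI Deployment
+          SLACK_COLOR: failure
+          SLACK_ICON_EMOJI: ":github-logo:"
+          SLACK_TITLE: "Build failure"
+          SLACK_MESSAGE: ":alert: Rebuild docker cache failure :sadparrot:"
+          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
+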
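Review bot: The new workflow declares no `permissions:` block, so the `GITHUB_TOKEN` passed at `github-token:` in the build step carries the repository's default token scope rather than the minimum a registry push needs; an explicit top-level block, `permissions:` / `  contents: read` / `  packages: write`, pins that down (confirm the exact scopes against what build-docker-image requires, since its internals are outside this diff). In the key vault step the redirect target is unquoted, `echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"` matches the quoting used on the other expansions in that script. The schedule comment sits after the cron line it describes; placing `# Will run once a week on Sunday afternoon` above `- cron: "30 12 * * 0"` follows the file's comment-above-line convention.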