Merge branch 'main' into dependabot/github_actions/actions/dependency…

…-review-action-3.1.4
ministryofjustice · Nov 29, 2023 · d04866f · d04866f
2 parents 286dab1 + bb0eac3
commit d04866f
Show file tree

Hide file tree

Showing 5 changed files with 126 additions and 4 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,56 @@
+---
+name: Build
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Build Image
+        id: build_image
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        with:
+          push: false
+          load: true
+          tags: control-panel
+
+      - name: Scan Image
+        id: scan_image
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
+        with:
+          image-ref: control-panel
+          exit-code: 1
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL
+          limit-severities-for-sarif: true
+
+      - name: Scan Image (On SARIF Scan Failure)
+        if: failure() && steps.scan_image.outcome == 'failure'
+        id: scan_image_on_failure
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
+        with:
+          image-ref: control-panel
+          exit-code: 1
+          format: table
+          severity: CRITICAL
+
+      - name: Upload SARIF
+        if: always()
+        id: upload_sarif
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.2.7
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,54 @@
+---
+name: Release
+
+on:
+  push:
+    tags:
+      - '*.*.*'
+
+permissions: {}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install cosign
+        id: install-cosign
+        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+
+      - name: Login to GitHub Container Registry
+        id: login
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push
+        id: push
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        with:
+          context: .
+          push: true
+          tags: ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}
+
+      - name: Sign
+        id: sign
+        run: |
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}
+
+      - name: Verify
+        id: verify
+        run: |
+          cosign verify \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+          --certificate-identity=https://github.com/${{ github.repository_owner }}/data-platform-control-panel/.github/workflows/release.yml@refs/tags/${{ github.ref_name }} \
+          ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -1,7 +1,7 @@
 ---
 name: Super-Linter
 
-on: # yamllint disable-line rule:truthy
+on:
   pull_request:
     branches:
       - main

diff --git a/.yamllint b/.yamllint
@@ -0,0 +1,9 @@
+---
+extends: default
+
+rules:
+  comments: disable
+  line-length:
+    level: warning
+    allow-non-breakable-inline-mappings: true
+  truthy: disable
diff --git a/scripts/container/entrypoint.sh b/scripts/container/entrypoint.sh
@@ -1,18 +1,21 @@
 #!/usr/bin/env sh
 
 MODE=${MODE:-"run"}
+ADDRESS=${ADDRESS:-"0.0.0.0"}
+PORT=${PORT:-"8000"}
+WORKERS=${WORKERS:-"4"}
 
 case "$MODE" in
 "run")
-  echo "Running Django server"
-  gunicorn -b 0.0.0.0:8000 -k uvicorn.workers.UvicornWorker -w 4 controlpanel.asgi:application
+  echo "Running Django server on ${ADDRESS}:${PORT}"
+  gunicorn -b "${ADDRESS}":"${PORT}" -k uvicorn.workers.UvicornWorker -w "${WORKERS}" controlpanel.asgi:application
   ;;
 "migrate")
   echo "Running Django migrations"
   python manage.py migrate
   ;;
 *)
-  echo "Unknown mode: $MODE"
+  echo "Unknown mode: ${MODE}"
   exit 1
   ;;
 esac