Fix: regex match on Shared folder (#77) #32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Docker Image CI | |
on: | |
push: | |
branches: | |
- main | |
workflow_call: | |
inputs: | |
environment_tag: | |
description: Environment of the deployment | |
required: true | |
type: string | |
default: development | |
docker_compose_file: | |
description: The path of the compose.yaml file needed to build docker images | |
required: true | |
type: string | |
function_app_source_code_path: | |
description: The source path of the function app source code for the docker builds | |
required: true | |
type: string | |
project_name: | |
description: The name of the project | |
required: true | |
type: string | |
excluded_containers_csv_list: | |
description: Excluded containers in a comma separated list | |
required: true | |
type: string | |
jobs: | |
get-functions: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
outputs: | |
FUNC_NAMES: ${{ steps.get-function-names.outputs.FUNC_NAMES }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: tj-actions/changed-files@v45 | |
id: changed-files | |
with: | |
path: ${{ inputs.function_app_source_code_path }} | |
dir_names: true | |
- name: Checkout dtos-devops-templates repository | |
uses: actions/checkout@v4 | |
with: | |
repository: NHSDigital/dtos-devops-templates | |
path: templates | |
ref: main | |
- name: Get docker compose function name(s) | |
id: get-function-names | |
env: | |
CHANGED_FOLDERS: ${{ steps.changed-files.outputs.all_changed_files }} | |
run: | | |
DOCKER_COMPOSE_DIR="$(dirname "${{ inputs.docker_compose_file }}")" | |
bash ./templates/scripts/deployments/get-docker-names.sh ${{ inputs.docker_compose_file }} ${{ inputs.excluded_containers_csv_list }} | |
echo "DOCKER_COMPOSE_DIR=$DOCKER_COMPOSE_DIR" >> ${GITHUB_OUTPUT} | |
- name: Print function names | |
run: | | |
echo "The branch is: " ${{ github.ref }} | |
echo "FUNC_NAMES before setting output: ${{ steps.get-function-names.outputs.FUNC_NAMES }}" | |
echo "FUNC_NAMES=${FUNC_NAMES}" >> ${GITHUB_OUTPUT} | |
build-and-push: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
needs: get-functions | |
strategy: | |
matrix: | |
function: ${{ fromJSON(needs.get-functions.outputs.FUNC_NAMES) }} | |
if: needs.get-functions.outputs.FUNC_NAMES != '["null"]' && needs.get-functions.outputs.FUNC_NAMES != '[]' && needs.get-functions.outputs.FUNC_NAMES != '[""]' | |
outputs: | |
pr_num_tag: ${{ env.PR_NUM_TAG }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 1 | |
submodules: 'true' | |
- name: Checkout dtos-devops-templates repository | |
uses: actions/checkout@v4 | |
with: | |
repository: NHSDigital/dtos-devops-templates | |
path: templates | |
ref: main | |
- name: Az CLI login | |
if: github.ref == 'refs/heads/main' | |
uses: azure/login@v2 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: Azure Container Registry login | |
if: github.ref == 'refs/heads/main' | |
run: az acr login --name ${{ secrets.ACR_NAME }} | |
- name: Create Tags | |
env: | |
GH_TOKEN: ${{ github.token }} | |
continue-on-error: false | |
run: | | |
echo "GITHUB_REF: ${GITHUB_REF}" | |
echo "The branch is: ${{ github.ref }}" | |
if [[ "${GITHUB_REF}" == refs/pull/*/merge ]]; then | |
PR_NUM_TAG=$(echo "${GITHUB_REF}" | sed 's/refs\/pull\/\([0-9]*\)\/merge/\1/') | |
else | |
PULLS_JSON=$(gh api /repos/{owner}/{repo}/commits/${GITHUB_SHA}/pulls) | |
ORIGINATING_BRANCH=$(echo ${PULLS_JSON} | jq -r '.[].head.ref' | python3 -c "import sys, urllib.parse; print(urllib.parse.quote_plus(sys.stdin.read().strip()))") | |
echo "ORIGINATING_BRANCH: ${ORIGINATING_BRANCH}" | |
PR_NUM_TAG=$(echo ${PULLS_JSON} | jq -r '.[].number') | |
fi | |
echo "PR_NUM_TAG: pr${PR_NUM_TAG}" | |
echo "PR_NUM_TAG=pr${PR_NUM_TAG}" >> ${GITHUB_ENV} | |
SHORT_COMMIT_HASH=$(git rev-parse --short ${GITHUB_SHA}) | |
echo "Commit hash tag: ${SHORT_COMMIT_HASH}" | |
echo "COMMIT_HASH_TAG=${SHORT_COMMIT_HASH}" >> ${GITHUB_ENV} | |
echo "ENVIRONMENT_TAG=${{ inputs.environment_tag }}" >> ${GITHUB_ENV} | |
- name: Build and Push Image | |
working-directory: ${{ steps.get-function-names.outputs.DOCKER_COMPOSE_DIR }} | |
continue-on-error: false | |
run: | | |
function=${{ matrix.function }} | |
project_name=${{ inputs.project_name }} | |
echo project_name: $project_name | |
if [ -z "${function}" ]; then | |
echo "Function variable is empty. Skipping Docker build." | |
exit 0 | |
fi | |
# Build the image | |
docker compose -f ${{ inputs.docker_compose_file }} build ${function} | |
repo_name="${{ secrets.ACR_NAME }}.azurecr.io/${project_name}-$function" | |
# Tag the image | |
docker tag ${project_name}-${function}:latest "$repo_name:${COMMIT_HASH_TAG}" | |
docker tag ${project_name}-${function}:latest "$repo_name:${PR_NUM_TAG}" | |
docker tag ${project_name}-${function}:latest "$repo_name:${ENVIRONMENT_TAG}" | |
# If this variable is set, the create-sbom-report.sh script will scan this docker image instead. | |
export CHECK_DOCKER_IMAGE=${project_name}-${function}:latest | |
export FORCE_USE_DOCKER=true | |
export PR_NUM_TAG=${PR_NUM_TAG} | |
echo "PR_NUM_TAG=${PR_NUM_TAG}" >> ${GITHUB_ENV} | |
# Push the image to the repository | |
if [ "${GITHUB_REF}" == 'refs/heads/main' ]; then | |
docker push "${repo_name}:${COMMIT_HASH_TAG}" | |
if [ "${PR_NUM_TAG}" != 'pr' ]; then | |
docker push "${repo_name}:${PR_NUM_TAG}" | |
fi | |
docker push "${repo_name}:${ENVIRONMENT_TAG}" | |
fi | |
export SBOM_REPOSITORY_REPORT="sbom-${function}-repository-report" | |
echo "SBOM_REPOSITORY_REPORT=$SBOM_REPOSITORY_REPORT" >> $GITHUB_ENV | |
${GITHUB_WORKSPACE}/templates/scripts/reports/create-sbom-report.sh | |
export VULNERABILITIES_REPOSITORY_REPORT="vulnerabilities-${function}-repository-report" | |
echo "VULNERABILITIES_REPOSITORY_REPORT=$VULNERABILITIES_REPOSITORY_REPORT" >> $GITHUB_ENV | |
${GITHUB_WORKSPACE}/templates/scripts/reports/scan-vulnerabilities.sh | |
# Remove the image | |
docker rmi "${repo_name}:${COMMIT_HASH_TAG}" | |
docker rmi "${repo_name}:${PR_NUM_TAG}" | |
docker rmi "${repo_name}:${ENVIRONMENT_TAG}" | |
docker rmi ${project_name}-${function}:latest | |
- name: Compress SBOM report | |
shell: bash | |
run: | | |
echo SBOM_REPOSITORY_REPORT: ${SBOM_REPOSITORY_REPORT} | |
zip "${SBOM_REPOSITORY_REPORT}.json.zip" "${SBOM_REPOSITORY_REPORT}.json" | |
- name: Upload SBOM report as an artefact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.SBOM_REPOSITORY_REPORT }}.json.zip | |
path: ./${{ env.SBOM_REPOSITORY_REPORT }}.json.zip | |
retention-days: 21 | |
- name: Compress vulnerabilities report | |
shell: bash | |
run: | | |
echo VULNERABILITIES_REPOSITORY_REPORT: ${VULNERABILITIES_REPOSITORY_REPORT} | |
zip ${VULNERABILITIES_REPOSITORY_REPORT}.json.zip ${VULNERABILITIES_REPOSITORY_REPORT}.json | |
- name: Upload vulnerabilities report as an artefact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip | |
path: ./${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip | |
retention-days: 21 | |
aggregate-json: | |
runs-on: ubuntu-latest | |
needs: build-and-push | |
steps: | |
- name: Download SBOM JSON artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: ./downloaded-artifacts | |
- name: Combine sbom report JSON files | |
run: | | |
zip sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/**/sbom*.json.zip | |
- name: Combine vulnerabilities report JSON files | |
run: | | |
zip vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/**/vulnerabilities*.json.zip | |
- name: Upload sbom zip file | |
uses: actions/upload-artifact@v4 | |
with: | |
name: aggregated-sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip | |
path: sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip | |
- name: Upload repository zip file | |
uses: actions/upload-artifact@v4 | |
with: | |
name: aggregated-vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip | |
path: vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip |