Skip to content

feat: dtoss 6235 create terraform module for azure event grid (#87) #41

feat: dtoss 6235 create terraform module for azure event grid (#87)

feat: dtoss 6235 create terraform module for azure event grid (#87) #41

name: Docker Image CI
on:
push:
branches:
- main
workflow_call:
inputs:
environment_tag:
description: Environment of the deployment
required: true
type: string
default: development
docker_compose_file:
description: The path of the compose.yaml file needed to build docker images
required: true
type: string
function_app_source_code_path:
description: The source path of the function app source code for the docker builds
required: true
type: string
project_name:
description: The name of the project
required: true
type: string
excluded_containers_csv_list:
description: Excluded containers in a comma separated list
required: true
type: string
jobs:
get-functions:
runs-on: ubuntu-latest
permissions:
id-token: write
outputs:
FUNC_NAMES: ${{ steps.get-function-names.outputs.FUNC_NAMES }}
steps:
- uses: actions/checkout@v4
- uses: tj-actions/changed-files@v45
id: changed-files
with:
path: ${{ inputs.function_app_source_code_path }}
dir_names: true
- name: Checkout dtos-devops-templates repository
uses: actions/checkout@v4
with:
repository: NHSDigital/dtos-devops-templates
path: templates
ref: main
- name: Get docker compose function name(s)
id: get-function-names
env:
CHANGED_FOLDERS: ${{ steps.changed-files.outputs.all_changed_files }}
run: |
DOCKER_COMPOSE_DIR="$(dirname "${{ inputs.docker_compose_file }}")"
bash ./templates/scripts/deployments/get-docker-names.sh ${{ inputs.docker_compose_file }} ${{ inputs.excluded_containers_csv_list }}
echo "DOCKER_COMPOSE_DIR=$DOCKER_COMPOSE_DIR" >> ${GITHUB_OUTPUT}
- name: Print function names
run: |
echo "The branch is: " ${{ github.ref }}
echo "FUNC_NAMES before setting output: ${{ steps.get-function-names.outputs.FUNC_NAMES }}"
echo "FUNC_NAMES=${FUNC_NAMES}" >> ${GITHUB_OUTPUT}
build-and-push:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
needs: get-functions
strategy:
matrix:
function: ${{ fromJSON(needs.get-functions.outputs.FUNC_NAMES) }}
if: needs.get-functions.outputs.FUNC_NAMES != '["null"]' && needs.get-functions.outputs.FUNC_NAMES != '[]' && needs.get-functions.outputs.FUNC_NAMES != '[""]'
outputs:
pr_num_tag: ${{ env.PR_NUM_TAG }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
submodules: 'true'
- name: Checkout dtos-devops-templates repository
uses: actions/checkout@v4
with:
repository: NHSDigital/dtos-devops-templates
path: templates
ref: main
- name: Az CLI login
if: github.ref == 'refs/heads/main'
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Azure Container Registry login
if: github.ref == 'refs/heads/main'
run: az acr login --name ${{ secrets.ACR_NAME }}
- name: Create Tags
env:
GH_TOKEN: ${{ github.token }}
continue-on-error: false
run: |
echo "GITHUB_REF: ${GITHUB_REF}"
echo "The branch is: ${{ github.ref }}"
if [[ "${GITHUB_REF}" == refs/pull/*/merge ]]; then
PR_NUM_TAG=$(echo "${GITHUB_REF}" | sed 's/refs\/pull\/\([0-9]*\)\/merge/\1/')
else
PULLS_JSON=$(gh api /repos/{owner}/{repo}/commits/${GITHUB_SHA}/pulls)
ORIGINATING_BRANCH=$(echo ${PULLS_JSON} | jq -r '.[].head.ref' | python3 -c "import sys, urllib.parse; print(urllib.parse.quote_plus(sys.stdin.read().strip()))")
echo "ORIGINATING_BRANCH: ${ORIGINATING_BRANCH}"
PR_NUM_TAG=$(echo ${PULLS_JSON} | jq -r '.[].number')
fi
echo "PR_NUM_TAG: pr${PR_NUM_TAG}"
echo "PR_NUM_TAG=pr${PR_NUM_TAG}" >> ${GITHUB_ENV}
SHORT_COMMIT_HASH=$(git rev-parse --short ${GITHUB_SHA})
echo "Commit hash tag: ${SHORT_COMMIT_HASH}"
echo "COMMIT_HASH_TAG=${SHORT_COMMIT_HASH}" >> ${GITHUB_ENV}
echo "ENVIRONMENT_TAG=${{ inputs.environment_tag }}" >> ${GITHUB_ENV}
- name: Build and Push Image
working-directory: ${{ steps.get-function-names.outputs.DOCKER_COMPOSE_DIR }}
continue-on-error: false
run: |
function=${{ matrix.function }}
project_name=${{ inputs.project_name }}
echo project_name: $project_name
if [ -z "${function}" ]; then
echo "Function variable is empty. Skipping Docker build."
exit 0
fi
# Build the image
docker compose -f ${{ inputs.docker_compose_file }} build ${function}
repo_name="${{ secrets.ACR_NAME }}.azurecr.io/${project_name}-$function"
# Tag the image
docker tag ${project_name}-${function}:latest "$repo_name:${COMMIT_HASH_TAG}"
docker tag ${project_name}-${function}:latest "$repo_name:${PR_NUM_TAG}"
docker tag ${project_name}-${function}:latest "$repo_name:${ENVIRONMENT_TAG}"
# If this variable is set, the create-sbom-report.sh script will scan this docker image instead.
export CHECK_DOCKER_IMAGE=${project_name}-${function}:latest
export FORCE_USE_DOCKER=true
export PR_NUM_TAG=${PR_NUM_TAG}
echo "PR_NUM_TAG=${PR_NUM_TAG}" >> ${GITHUB_ENV}
# Push the image to the repository
if [ "${GITHUB_REF}" == 'refs/heads/main' ]; then
docker push "${repo_name}:${COMMIT_HASH_TAG}"
if [ "${PR_NUM_TAG}" != 'pr' ]; then
docker push "${repo_name}:${PR_NUM_TAG}"
fi
docker push "${repo_name}:${ENVIRONMENT_TAG}"
fi
export SBOM_REPOSITORY_REPORT="sbom-${function}-repository-report"
echo "SBOM_REPOSITORY_REPORT=$SBOM_REPOSITORY_REPORT" >> $GITHUB_ENV
${GITHUB_WORKSPACE}/templates/scripts/reports/create-sbom-report.sh
export VULNERABILITIES_REPOSITORY_REPORT="vulnerabilities-${function}-repository-report"
echo "VULNERABILITIES_REPOSITORY_REPORT=$VULNERABILITIES_REPOSITORY_REPORT" >> $GITHUB_ENV
${GITHUB_WORKSPACE}/templates/scripts/reports/scan-vulnerabilities.sh
# Remove the image
docker rmi "${repo_name}:${COMMIT_HASH_TAG}"
docker rmi "${repo_name}:${PR_NUM_TAG}"
docker rmi "${repo_name}:${ENVIRONMENT_TAG}"
docker rmi ${project_name}-${function}:latest
- name: Compress SBOM report
shell: bash
run: |
echo SBOM_REPOSITORY_REPORT: ${SBOM_REPOSITORY_REPORT}
zip "${SBOM_REPOSITORY_REPORT}.json.zip" "${SBOM_REPOSITORY_REPORT}.json"
- name: Upload SBOM report as an artefact
uses: actions/upload-artifact@v4
with:
name: ${{ env.SBOM_REPOSITORY_REPORT }}.json.zip
path: ./${{ env.SBOM_REPOSITORY_REPORT }}.json.zip
retention-days: 21
- name: Compress vulnerabilities report
shell: bash
run: |
echo VULNERABILITIES_REPOSITORY_REPORT: ${VULNERABILITIES_REPOSITORY_REPORT}
zip ${VULNERABILITIES_REPOSITORY_REPORT}.json.zip ${VULNERABILITIES_REPOSITORY_REPORT}.json
- name: Upload vulnerabilities report as an artefact
uses: actions/upload-artifact@v4
with:
name: ${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip
path: ./${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip
retention-days: 21
aggregate-json:
runs-on: ubuntu-latest
needs: build-and-push
steps:
- name: Download SBOM JSON artifacts
uses: actions/download-artifact@v4
with:
path: ./downloaded-artifacts
- name: Combine sbom report JSON files
run: |
zip sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/**/sbom*.json.zip
- name: Combine vulnerabilities report JSON files
run: |
zip vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/**/vulnerabilities*.json.zip
- name: Upload sbom zip file
uses: actions/upload-artifact@v4
with:
name: aggregated-sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip
path: sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip
- name: Upload repository zip file
uses: actions/upload-artifact@v4
with:
name: aggregated-vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip
path: vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip