diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
new file mode 100644
index 0000000..f9edc64
--- /dev/null
+++ b/.github/workflows/cd.yaml
@@ -0,0 +1,126 @@
+name: CD
+on:
+ pull_request:
+ types: [closed]
+ issue_comment:
+ types: [created]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ build-and-push:
+ if: >
+ (github.event_name == 'pull_request' && github.event.pull_request.merged == true) ||
+ (github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '/deploy'))
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get deploy SHA
+ id: sha
+ uses: actions/github-script@v7
+ with:
+ script: |
+ if (context.eventName === 'issue_comment') {
+ const pr = await github.rest.pulls.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.issue.number,
+ });
+ return pr.data.head.sha;
+ }
+ return context.sha;
+ result-encoding: string
+
+ - name: Add deploy reaction
+ if: github.event_name == 'issue_comment'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ await github.rest.reactions.createForIssueComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ comment_id: context.payload.comment.id,
+ content: 'rocket',
+ });
+
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ steps.sha.outputs.result }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Build Docker image for scanning (amd64)
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: ./Dockerfile
+ load: true
+ platforms: linux/amd64
+ tags: kaiohz/pickpro:composable-agents-scan
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Trivy Image Scan (report)
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+ with:
+ image-ref: 'kaiohz/pickpro:composable-agents-scan'
+ format: 'table'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ exit-code: '0'
+ trivy-config: trivy.yaml
+ trivy-version: 'v0.69.3'
+
+ - name: Trivy Image Scan (CRITICAL gate)
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+ with:
+ image-ref: 'kaiohz/pickpro:composable-agents-scan'
+ format: 'table'
+ severity: 'CRITICAL'
+ exit-code: '1'
+ trivy-config: trivy.yaml
+ trivy-version: 'v0.69.3'
+
+ - name: Build and push Docker image (multi-platform)
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: ./Dockerfile
+ push: true
+ platforms: linux/amd64,linux/arm64
+ tags: |
+ kaiohz/pickpro:composable-agents-${{ steps.sha.outputs.result }}
+ kaiohz/pickpro:composable-agents-latest
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Checkout flux repository
+ run: |
+ git clone https://x-access-token:${{ secrets.FLUX_REPO_TOKEN }}@github.com/SoluDevTech/flux.git flux-repo
+
+ - name: Update deployment image tag
+ run: |
+ DEPLOYMENT_FILE="flux-repo/dev/composables/composable-agents/deployment.yaml"
+ if [ -f "$DEPLOYMENT_FILE" ]; then
+ sed -i 's|image: kaiohz/pickpro:composable-agents-.*|image: kaiohz/pickpro:composable-agents-${{ steps.sha.outputs.result }}|g' "$DEPLOYMENT_FILE"
+ else
+ echo "Error: Deployment file not found at $DEPLOYMENT_FILE"
+ exit 1
+ fi
+
+ - name: Commit and push changes
+ run: |
+ cd flux-repo
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git add dev/composables/composable-agents/deployment.yaml
+ git commit -m "Update composable-agents image to ${{ steps.sha.outputs.result }}" || echo "No changes to commit"
+ git push https://x-access-token:${{ secrets.FLUX_REPO_TOKEN }}@github.com/SoluDevTech/flux.git main
\ No newline at end of file
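Review bot: The `/deploy` comment path lets anyone who can comment on a pull request deploy that PR's head commit, because the `if:` on `build-and-push` only checks that the comment body contains `/deploy` and the `Get deploy SHA` step returns `pr.data.head.sha` without checking who commented or which repository the head branch lives in; the job then checks out that commit, builds it after `docker/login-action` has already authenticated the runner to Docker Hub, pushes it as `composable-agents-latest`, and commits the new tag into the flux repository. If this repository accepts pull requests from forks that is an unreviewed-code-to-deployment path for an outside user, and even on a private repository it bypasses merge review for anyone with read access. Gate the comment trigger on the commenter's role, e.g. append `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` to the `issue_comment` clause of the `if:`, and have the script refuse fork heads with `if (pr.data.head.repo.full_name !== context.payload.repository.full_name) throw new Error('refusing to deploy a PR from a fork');` before returning the SHA. Separately, the Trivy steps are pinned to a commit SHA while `actions/checkout@v4`, `docker/login-action@v3` and `docker/build-push-action@v5` are pinned to mutable tags, and `FLUX_REPO_TOKEN` is embedded in both the clone and push URLs (so it is written into `flux-repo/.git/config` on the runner); pinning those actions to SHAs and checking out the flux repository with `actions/checkout` using `repository:` and `token:` inputs would tighten this without changing behavior.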