diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 43181a2..d1302cc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,109 +1,90 @@ --- -name: litmus-ansible-ci +name: Build on: pull_request: - branches: - - master - push: - branches: - - master - tags-ignore: - - '**' + branches: [master] + types: [opened, synchronize, reopened] env: DOCKER_REPO: litmuschaos DOCKER_IMAGE: ansible-runner DOCKER_TAG: ci -defaults: - run: - shell: bash - jobs: - - build: + pre-checks: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} - - name: Build Image - env: - SAVE_PATH: ${{ github.workspace }} - run: | - make build - make save - chmod +x ${{ github.workspace }}/image.tar + - name: checking dependencies are installed + run: make deps - - name: Upload artifact - uses: actions/upload-artifact@v2 + - name: Running ansible syntax-checks + run: make syntax-checks + + - name: Running ansible lint-checks + run: make lint-checks + + gitleaks-scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 with: - name: myimage - path: | - ${{ github.workspace }}/image.tar - ${{ github.workspace }}/tag.txt + fetch-depth: 0 + - name: Run GitLeaks + run: | + wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz && \ + tar -zxvf gitleaks_8.18.2_linux_x64.tar.gz && \ + sudo mv gitleaks /usr/local/bin && gitleaks detect --source . 
-v + - image-checks: + build: + needs: pre-checks runs-on: ubuntu-latest - needs: build steps: - - name: Checkout - uses: actions/checkout@v2 + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} - - name: Download artifact - uses: actions/download-artifact@v2 + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 with: - name: myimage - path: ${{ github.workspace }} - - - name: Load Docker image - run: | - docker load --input ${{ github.workspace }}/image.tar + platforms: all - - name: checking dependencies are installed - run: make deps - - - name: Running ansible syntax-checks - run: make syntax-checks + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v1 + with: + version: latest - - name: Running ansible lint-checks - run: make lint-checks + - name: Build and push + uses: docker/build-push-action@v2 + with: + push: false + file: build/ansible-runner/Dockerfile + platforms: linux/amd64 + tags: litmuschaos/ansible-runner:ci + trivy: + needs: pre-checks + runs-on: ubuntu-latest + steps: - uses: actions/checkout@v2 with: - ref: ${{ github.event.pull_request.head.sha }} + ref: ${{ github.event.pull_request.head.sha }} + + - name: Build an image from Dockerfile + run: | + docker build -f build/ansible-runner/Dockerfile -t docker.io/litmuschaos/ansible-runner:${{ github.sha }} . 
--build-arg TARGETARCH=amd64 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'litmuschaos/ansible-runner:ci' + image-ref: 'docker.io/litmuschaos/ansible-runner:${{ github.sha }}' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' - - push: - runs-on: ubuntu-latest - needs: [build,image-checks] - if: github.event_name == 'push' - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Download artifact - uses: actions/download-artifact@v2 - with: - name: myimage - path: ${{ github.workspace }} - - - name: Load Docker image - run: | - docker load --input ${{ github.workspace }}/image.tar - - - name: Push Image - env: - DNAME: ${{ secrets.DNAME }} - DPASS: ${{ secrets.DPASS }} - run: | - make push + severity: 'CRITICAL,HIGH' \ No newline at end of file diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml new file mode 100644 index 0000000..2a262a4 --- /dev/null +++ b/.github/workflows/push.yml 
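Review bot: The gitleaks tarball in the new `Run GitLeaks` step is fetched with `wget` and moved straight into `/usr/local/bin` with no integrity check, so the scanner binary is trusted on the strength of the download alone; pin the expected digest and verify it with `sha256sum -c` before extracting. The same step runs `gitleaks detect -v` without `--redact`, so any secret the scan does find is printed in full into the job log. The job also checks out with `actions/checkout@v3` while the sibling jobs in this file use `@v2`; pick one version for the file. The rewritten step below keeps the same behaviour with those checks added; the digest is a placeholder to be copied from the release's published checksums.

```yaml
      - name: Run GitLeaks
        env:
          GITLEAKS_VERSION: "8.18.2"
          GITLEAKS_SHA256: "<EXPECTED_SHA256_OF_TARBALL>"  # placeholder: take from the v8.18.2 release checksums
        run: |
          set -euo pipefail
          archive="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          wget -q "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${archive}"
          echo "${GITLEAKS_SHA256}  ${archive}" | sha256sum -c -
          tar -zxf "${archive}" gitleaks
          sudo mv gitleaks /usr/local/bin/
          gitleaks detect --source . -v --redact
```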
@@ -0,0 +1,59 @@ +--- +name: Push +on: + push: + branches: + - master + tags-ignore: + - '**' + +env: + DOCKER_REPO: litmuschaos + DOCKER_IMAGE: ansible-runner + DOCKER_TAG: ci + +jobs: + pre-checks: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: checking dependencies are installed + run: make deps + + - name: Running ansible syntax-checks + run: make syntax-checks + + - name: Running ansible lint-checks + run: make lint-checks + + push: + needs: pre-checks + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + with: + platforms: all + + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v1 + with: + version: latest + + - name: Login to Docker Hub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DNAME }} + password: ${{ secrets.DPASS }} + + - name: Build and push + uses: docker/build-push-action@v2 + with: + push: true + file: build/ansible-runner/Dockerfile + platforms: linux/amd64 + tags: litmuschaos/ansible-runner:ci \ No newline at end of file diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 031d6df..17c8a4c 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -12,14 +12,13 @@ env: defaults: run: - shell: bash + shell: bash jobs: - release-build: + push: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - uses: actions/checkout@v2 - name: Set Tag run: | 
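Review bot: The `push` job in the new push.yml holds Docker Hub credentials (`secrets.DNAME` / `secrets.DPASS`) yet every action it runs is referenced by a mutable major tag (`actions/checkout@v2`, `docker/login-action@v1`, `docker/build-push-action@v2`), so a retagged or compromised action release would execute with those credentials; pin the `uses:` references in this job to full commit SHAs. The workflow declares no `permissions:` block, so the default `GITHUB_TOKEN` scope applies to both jobs; a top-level `permissions:` with `contents: read` appears to be all these steps need. The `DOCKER_REPO` / `DOCKER_IMAGE` / `DOCKER_TAG` env values are declared but never read, because `tags:` hard-codes `litmuschaos/ansible-runner:ci`; either use them, `tags: ${{ env.DOCKER_REPO }}/${{ env.DOCKER_IMAGE }}:${{ env.DOCKER_TAG }}`, or drop the env block.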
@@ -32,46 +31,29 @@ jobs: echo "RELEASE TAG: ${RELEASE_TAG}" echo "${RELEASE_TAG}" > ${{ github.workspace }}/tag.txt - - name: Build Image - env: - DOCKER_TAG: ${RELEASE_TAG} - SAVE_PATH: ${{ github.workspace }} - run: | - make build - make save - chmod +x ${{ github.workspace }}/image.tar + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + with: + platforms: all - - name: Upload artifact - uses: actions/upload-artifact@v2 + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v1 with: - name: myimage - path: | - ${{ github.workspace }}/image.tar - ${{ github.workspace }}/tag.txt - - release-push: - runs-on: ubuntu-latest - needs: [release-build] - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Download artifact - uses: actions/download-artifact@v2 + version: latest + + - name: Login to Docker Hub + uses: docker/login-action@v1 with: - name: myimage - path: ${{ github.workspace }} - - - name: Load Docker image - run: | - docker load --input ${{ github.workspace }}/image.tar - RELEASE_TAG=`cat ${{ github.workspace }}/tag.txt` - echo "RELEASE_TAG=${RELEASE_TAG}" >> $GITHUB_ENV + username: ${{ secrets.DNAME }} + password: ${{ secrets.DPASS }} - - name: Push Image + - name: Build and push + uses: docker/build-push-action@v2 env: - DOCKER_TAG: ${RELEASE_TAG} - DNAME: ${{ secrets.DNAME }} - DPASS: ${{ secrets.DPASS }} - run: | - make push + RELEASE_TAG: ${{ env.RELEASE_TAG }} + with: + push: true + file: build/ansible-runner/Dockerfile + platforms: linux/amd64 + tags: litmuschaos/ansible-runner:${{ env.RELEASE_TAG }},litmuschaos/ansible-runner:latest
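Review bot: The step-level `env:` on the new `Build and push` step sets `RELEASE_TAG: ${{ env.RELEASE_TAG }}`, which only assigns the variable to itself, and the `tags:` value relies on `RELEASE_TAG` already being in the job environment. The only visible line that exported it, `echo "RELEASE_TAG=${RELEASE_TAG}" >> $GITHUB_ENV`, is removed together with the old `Load Docker image` step, and the body of `Set Tag` lies above this hunk, so unless that step also writes to `$GITHUB_ENV` the pushed tag would be `litmuschaos/ansible-runner:` with an empty suffix. Please confirm; if it does not, add `echo "RELEASE_TAG=${RELEASE_TAG}" >> "$GITHUB_ENV"` to `Set Tag` and drop the self-referential `env:` block. The `tag.txt` that `Set Tag` still writes was consumed only by the removed artifact steps and now appears to be unused.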