Skip to content
Build Pipeline

try this #8

Sign in to view logs

try this

try this #8

Workflow file for this run

.github/workflows/build.yml at 5a632ee
name: "Build Pipeline"
on:
push:
branches:
- jesse/pipeline-deploy
- main
paths-ignore:
- 'helm-chart/**'
env:
PROJECT_ID: "polygonlabs-devtools-dev"
GAR_LOCATION: "europe-west2"
WIF_PROVIDER: "projects/337907489413/locations/global/workloadIdentityPools/jesse-artifacts-pool/providers/jesse-artifacts" # this was hard to find: WIP --> Expand pool --> Click pencil icon
WIF_SERVICE_ACCOUNT: "jesse-artifacts-github-actions@prj-polygonlabs-devtools-dev.iam.gserviceaccount.com"
CRITICAL_COUNT: 5
IMAGE_NAME: "europe-west2-docker.pkg.dev/prj-polygonlabs-devtools-dev/polygonlabs-docker-dev/jesse/polygon-cli"
ATTESTOR_PROJECT_ID: "polygonlabs-devtools-dev"
KEY_RING: "jesse-artifacts-ring"
KEY: "jesse-artifacts-binary-auth-key"
ATTESTOR: "jesse-artifacts-attestor"
jobs:
build-pipeline:
name: "Build, push, scan, and sign Docker image"
permissions:
contents: "write"
id-token: "write"
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Google Auth
id: auth
uses: google-github-actions/auth@v2
with:
token_format: "access_token"
workload_identity_provider: "${{ env.WIF_PROVIDER }}"
service_account: "${{ env.WIF_SERVICE_ACCOUNT }}"
- name: Docker Auth
id: docker-auth
uses: docker/login-action@v1
with:
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
registry: "${{ env.GAR_LOCATION }}-docker.pkg.dev"
- name: Build and Push Docker Image to GCP Artifact Registry
run: |-
docker build -t "${{ env.IMAGE_NAME }}:${{ github.sha }}" .
docker push "${{ env.IMAGE_NAME }}:${{ github.sha }}"
- name: "Set up Cloud SDK"
uses: "google-github-actions/setup-gcloud@v1"
- name: Scan Vulnerabilities
run: |
(gcloud artifacts docker images scan "${{ env.IMAGE_NAME }}:${{ github.sha }}" --format="value(response.scan)" --remote --quiet) > ./scan_id.txt
- name: Checking Critical Vulnerabilities
run: |-
#!/bin/bash
# Check if the scan_id.txt file exists
if [ ! -f ./scan_id.txt ]; then
echo "Error: scan_id.txt not found."
exit 1
fi
# Use gcloud to list vulnerabilities and check for CRITICAL severity
severity=$(gcloud artifacts docker images list-vulnerabilities \
"$(cat ./scan_id.txt)" \
--format="value(vulnerability.effectiveSeverity)")
# Check if CRITICAL vulnerability is found
chk=$(echo "$severity" | grep -c "CRITICAL")
if [ "$chk" -gt ${{ env.CRITICAL_COUNT }} ]; then
echo "Failed vulnerability check for CRITICAL level"
exit 1
else
echo "No CRITICAL vulnerability found. Congratulations!"
exit 0
fi
- name: Sign the docker image
run: |-
export CLOUDSDK_CORE_DISABLE_PROMPTS=1
gcloud components install beta --quiet
DIGEST=$(gcloud container images describe ${{ env.IMAGE_NAME }}:${{ github.sha }} --format='get(image_summary.digest)')
gcloud beta container binauthz attestations sign-and-create \
--artifact-url="${{ env.IMAGE_NAME }}@${DIGEST}" \
--attestor="${{ env.ATTESTOR }}" \
--attestor-project="${{ env.ATTESTOR_PROJECT_ID }}" \
--keyversion-project="${{ env.ATTESTOR_PROJECT_ID }}" \
--keyversion-location="${{ env.GAR_LOCATION }}" \
--keyversion-keyring="${{ env.KEY_RING }}" \
--keyversion-key="${{ env.KEY }}" \
--keyversion="1"
- name: Update Helm values # the helm-chart name should be standardized or parameterized
run: |-
DIGEST=$(gcloud container images describe ${{ env.IMAGE_NAME }}:${{ github.sha }} \
--format='get(image_summary.digest)')
sed -i "s|image:.*|image: ${{ env.IMAGE_NAME }}@${DIGEST}|" ./helm-chart/values.yaml
- name: Set up Git, Commit and Push Changes to Update Container Image
uses: stefanzweifel/git-auto-commit-action@v5
with: # the helm-chart name should be standardized or parameterized
commit_message: Apply automatic changes to Update image repository in Helm values
file_pattern: './helm-chart/values.yaml'
branch: wbutton-dev-test
create_branch: true