Merge pull request #6 from dockersamples/evaluate-scout-policy-breakage #60
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pipeline using Docker cloud services | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- '*' | |
pull_request: | |
workflow_dispatch: | |
env: | |
DOCKERHUB_ORG_NAME: dockerdevrel | |
IMAGE_NAME: catalog-service-node | |
DBC_BUILDER_NAME: dockerdevrel/demo-builder | |
jobs: | |
prettier: | |
name: "Validate code formatting" | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Setup Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: lts/* | |
- name: Install dependencies | |
run: yarn install | |
- name: Run Prettier | |
run: yarn run prettier-check | |
unit-test: | |
name: "Run tests" | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Setup Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: lts/* | |
cache: yarn | |
- name: Install dependencies | |
run: yarn install | |
- name: Run unit tests | |
run: yarn unit-test | |
integration-test: | |
name: "Run integration tests" | |
needs: [ prettier, unit-test ] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Setup Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: lts/* | |
cache: yarn | |
- name: Install dependencies | |
run: yarn install | |
- name: Login to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Setup Testcontainers Cloud Client | |
uses: atomicjar/testcontainers-cloud-setup-action@v1 | |
with: | |
token: ${{ secrets.TC_CLOUD_TOKEN }} | |
- name: Run integration tests | |
run: yarn run integration-test | |
build: | |
name: Build and push image | |
needs: [unit-test, integration-test] | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write | |
outputs: | |
IMAGE_TAGS: ${{ toJSON( fromJSON(steps.meta.outputs.json).tags ) }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up containerd | |
uses: docker/setup-docker-action@v4 | |
with: | |
set-host: true | |
daemon-config: | | |
{ | |
"features": { | |
"containerd-snapshotter": true | |
} | |
} | |
- name: Login to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Determine image tags and labels | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.DOCKERHUB_ORG_NAME }}/${{ env.IMAGE_NAME }} | |
tags: | | |
type=ref,enable=true,event=branch,suffix=--{{sha}} | |
type=ref,enable=true,event=branch,suffix=--latest | |
type=ref,event=tag | |
type=ref,event=pr | |
type=raw,value=latest,enable={{is_default_branch}} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
version: "lab:latest" | |
driver: cloud | |
endpoint: ${{ env.DBC_BUILDER_NAME }} | |
- name: Build and push Docker image | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }} | |
provenance: mode=max | |
sbom: true | |
push: ${{ github.event_name != 'pull_request' }} | |
load: ${{ github.event_name == 'pull_request' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Analyze and compare image against production | |
uses: docker/scout-action@v1 | |
if: ${{ github.event_name == 'pull_request' }} | |
with: | |
command: quickview,compare | |
image: ${{ steps.meta.outputs.tags }} | |
to-env: production | |
write-comment: true | |
organization: ${{ env.DOCKERHUB_ORG_NAME }} | |
# TODO Update this to include policy once DBC image loading includes attestations | |
exit-on: vulnerability | |
stage-deploy: | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
name: Deploy to stage environment | |
needs: [build] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Login to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Do the deploy | |
run: | | |
echo "Do the staging deployment here. Would deploy image ${IMAGE_TAG}" | |
env: | |
IMAGE_TAG: ${{ fromJSON( needs.build.outputs.IMAGE_TAGS )[0] }} | |
- name: Update Scout environment | |
id: docker-scout-environment | |
uses: docker/scout-action@v1 | |
with: | |
command: environment | |
image: ${{ fromJSON( needs.build.outputs.IMAGE_TAGS )[0] }} | |
environment: stage | |
organization: ${{ env.DOCKERHUB_ORG_NAME }} | |
prod-deploy: | |
if: github.ref_type == 'tag' | |
name: Deploy to production environment | |
needs: [build] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Login to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Do the deploy | |
run: | | |
echo "Do the production deployment here. Would deploy image ${IMAGE_TAG}" | |
env: | |
IMAGE_TAG: ${{ fromJSON( needs.build.outputs.IMAGE_TAGS )[0] }} | |
- name: Update Scout environment | |
id: docker-scout-environment | |
uses: docker/scout-action@v1 | |
with: | |
command: environment | |
image: ${{ fromJSON( needs.build.outputs.IMAGE_TAGS )[0] }} | |
environment: production | |
organization: ${{ env.DOCKERHUB_ORG_NAME }} |