improved docs #76
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Multi-Stage Workflow | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| jobs: | |
| build: # This job builds and pushes the Docker image to Docker Hub. | |
| name: Build and Push Docker Image & Sign Container Image | |
| runs-on: "ubuntu-20.04" | |
| steps: | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2.1.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2.5.0 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3.4.0 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v4 | |
| id: build-and-push | |
| with: | |
| push: true | |
| tags: saurabhkr952/dev-portfolio:${{ github.sha }} | |
| platforms: linux/amd64,linux/arm64 | |
| # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
| - name: Sign image with a key | |
| run: | | |
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY saurabhkr952/dev-portfolio:${{ github.sha }} | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| DIGEST: ${{ steps.build-and-push.outputs.digest }} | |
| scan_upload: #This job checks the vulnerability of the Container Vulnerability Check & Upload it. | |
| name: Container Vulnerability Check | |
| needs: build | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe | |
| with: | |
| image-ref: 'docker.io/saurabhkr952/dev-portfolio:${{ github.sha }}' | |
| format: 'template' | |
| template: '@/contrib/sarif.tpl' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| update_manifest: # this job will update the kubernetes manifest files image version tag | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| - scan_upload | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| repository: saurabhkr952/dev-portfolio-manifest | |
| ref: 'main' | |
| token: ${{ secrets.PAT_TOKEN }} | |
| - name: Setup git config and update manifest tag | |
| run: | | |
| git config --local user.email "action@github.com" | |
| git config --local user.name "GitHub Action" | |
| sed -i 's+saurabhkr952/dev-portfolio:.*+saurabhkr952/dev-portfolio:${{ github.sha }}+g' deployment.yaml | |
| git add . | |
| git commit -s -m "Update image tag in deployment manifest - ${{ github.sha }}" | |
| - name: Push changes | |
| uses: ad-m/github-push-action@master | |
| with: | |
| github_token: ${{ secrets.PAT_TOKEN }} | |
| repository: saurabhkr952/dev-portfolio-manifest | |
| force: true | |
| slack-workflow-status: # send the status of the workflow that it is success,failed or cancelled | |
| if: always() | |
| name: Post Workflow Status To Slack | |
| needs: | |
| - build | |
| - scan_upload | |
| - update_manifest | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: 'read' | |
| steps: | |
| - name: Slack Workflow Notification | |
| uses: Gamesight/slack-workflow-status@master | |
| with: | |
| repo_token: ${{ secrets.PAT_TOKEN }} | |
| slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| channel: '#general' | |
| name: 'CI/CD Workflow Status' | |
| icon_emoji: ':repeat:' | |
| icon_url: 'https://avatars0.githubusercontent.com/u/1701160?s=96&v=4' |