build-centraldashboard.yml
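# Builds the centraldashboard image, lints its Dockerfile, scans the image
# with Trivy and, for pushes to stc-master or PRs labelled 'auto-deploy',
# pushes it to the matching Azure Container Registry (ACR).
name: component/centraldashboard
on:
  push:
    branches:
      - stc-master
    paths:
      - components/centraldashboard/**
  pull_request:
    types:
      - 'opened'
      - 'synchronize'
      - 'reopened'
  schedule:
    - cron: '0 22 * * *'

# Least privilege for the GITHUB_TOKEN: the job only reads the repository;
# registry access uses the separate registry secrets below.
permissions:
  contents: read

# Environment variables available to all jobs and steps in this workflow.
# Secrets are deliberately not placed here: workflow-level env is visible to
# every step, including those that run downloaded binaries and scripts.
env:
  REGISTRY_NAME: k8scc01covidacr
  DEV_REGISTRY_NAME: k8scc01covidacrdev
  CLUSTER_NAME: k8s-cancentral-02-covid-aks
  CLUSTER_RESOURCE_GROUP: k8s-cancentral-01-covid-aks
  TRIVY_VERSION: "v0.43.1"
  HADOLINT_VERSION: "2.12.0"

jobs:
  build-push:
    runs-on: ubuntu-latest
    services:
      # Throwaway local registry: the image is built and scanned here before
      # anything is pushed to ACR.
      registry:
        image: registry:2
        ports:
          - "5000:5000"
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # (@v1/@v2), and two of them receive secrets; pinning each to a full
      # commit SHA would fix the code that runs with those credentials.
      # NOTE(review): checkout's default shallow clone fetches no tags, so the
      # `git describe --tags` in the build step likely yields an empty value -
      # confirm, and set `fetch-depth: 0` if a version string is expected.
      - uses: actions/checkout@v2

      # Determine if pushing to ACR or DEV ACR
      - name: Set ENV variables for a PR containing the auto-deploy tag
        if: github.event_name == 'pull_request' && contains( github.event.pull_request.labels.*.name, 'auto-deploy')
        run: echo "REGISTRY=${{env.DEV_REGISTRY_NAME}}.azurecr.io" >> "$GITHUB_ENV"
      - name: Set ENV variable for pushes to master
        if: github.event_name == 'push' && github.ref == 'refs/heads/stc-master'
        run: echo "REGISTRY=${{env.REGISTRY_NAME}}.azurecr.io" >> "$GITHUB_ENV"

      # NOTE(review): both logins run on every event, so credentials for both
      # registries sit in the runner's Docker config even on runs that never
      # push. If the build does not pull from these registries (not visible
      # here), gate each login with the same `if:` as its REGISTRY step above.

      # Connect to Azure Container registry (ACR)
      - uses: azure/docker-login@v1
        with:
          login-server: ${{ env.REGISTRY_NAME }}.azurecr.io
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      # Connect to DEV Azure Container registry (ACR)
      - uses: azure/docker-login@v1
        with:
          login-server: ${{ env.DEV_REGISTRY_NAME }}.azurecr.io
          username: ${{ secrets.DEV_REGISTRY_USERNAME }}
          password: ${{ secrets.DEV_REGISTRY_PASSWORD }}

      # Dockerfile lint. `--no-fail` makes the result advisory only.
      # The download runs as the runner user (no sudo needed in the workspace)
      # and `--fail` stops the step on an HTTP error instead of saving the
      # error page as the binary.
      # NOTE(review): the binary is executed without integrity verification;
      # compare it against a pinned SHA-256 before running it.
      - name: Run Hadolint
        run: |
          curl --fail -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint
          chmod +x hadolint
          ./hadolint ./components/centraldashboard/Dockerfile --no-fail

      # Container build, pushed to the local registry service (not ACR yet)
      # so the image can be scanned before release.
      - name: Docker build
        run: |
          docker build \
            -t localhost:5000/kubeflow/centraldashboard:${{ github.sha }} \
            --build-arg kubeflowversion="$(git describe --abbrev=0 --tags)" \
            --build-arg commit="$(git rev-parse HEAD)" \
            components/centraldashboard/
          docker push localhost:5000/kubeflow/centraldashboard:${{ github.sha }}
          # --force: without it the command waits for a confirmation prompt
          # that a non-interactive runner cannot answer.
          docker image prune --force

      # Scan image for vulnerabilities. The step fails (and blocks the push
      # below) only on CRITICAL findings; lower severities are not gated.
      # NOTE(review): the installer is fetched from the mutable `main` branch
      # and piped to sh, while only the Trivy release itself is pinned; fetch
      # the script from a fixed tag or commit and verify it before executing.
      - name: Aqua Security Trivy image scan
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
          trivy image localhost:5000/kubeflow/centraldashboard:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL

      # Pushes if this is a push to master or an update to a PR that has auto-deploy label
      - name: Test if we should push to ACR
        id: should-i-push
        if: |
          github.event_name == 'push' ||
          (
            github.event_name == 'pull_request' &&
            contains( github.event.pull_request.labels.*.name, 'auto-deploy')
          )
        # Step output is written via $GITHUB_OUTPUT; the `::set-output`
        # workflow command is deprecated.
        run: echo "boolean=true" >> "$GITHUB_OUTPUT"

      # Promote the scanned image from the local registry to the registry
      # selected in REGISTRY (set by one of the first two steps).
      - name: Docker push
        if: steps.should-i-push.outputs.boolean == 'true'
        run: |
          docker pull localhost:5000/kubeflow/centraldashboard:${{ github.sha }}
          docker tag localhost:5000/kubeflow/centraldashboard:${{ github.sha }} ${{ env.REGISTRY }}/kubeflow/centraldashboard:${{ github.sha }}
          docker push ${{ env.REGISTRY }}/kubeflow/centraldashboard:${{ github.sha }}

      # Only the nightly scheduled build reports failures to Slack.
      - name: Slack Notification
        if: failure() && github.event_name=='schedule'
        uses: act10ns/slack@v1
        # Webhook secret is scoped to this step only.
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        with:
          status: failure
          message: 'kubeflow build failed. https://github.com/StatCan/kubeflow/actions/runs/${{github.run_id}}'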