Main

Merge pull request #65 from cyber-dojo/upgrade-base-image #188

Workflow file for this run

	name: Main

	on:
	push:

	env:
	KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
	KOSLI_AWS_BETA: ${{ vars.KOSLI_AWS_BETA }} # aws-beta
	KOSLI_DEBUG: ${{ vars.KOSLI_DEBUG }} # true/false
	KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }} # false
	KOSLI_HOST: ${{ vars.KOSLI_HOST }} # https://app.kosli.com
	KOSLI_ORG: ${{ vars.KOSLI_ORG }} # cyber-dojo
	KOSLI_FLOW: ${{ vars.KOSLI_FLOW }} # nginx-ci
	KOSLI_TRAIL: ${{ github.sha }}

	AWS_ECR_ID: ${{ vars.AWS_ECR_ID }}
	AWS_REGION: ${{ vars.AWS_REGION }}
	AWS_ACCOUNT_ID_BETA: ${{ vars.AWS_ACCOUNT_ID_BETA }}
	DOCKER_API_VERSION: ${{ vars.DOCKER_API_VERSION }}
	SERVICE_NAME: ${{ github.event.repository.name }} # nginx

	jobs:

	setup:
	runs-on: ubuntu-latest
	outputs:
	aws_account_id_beta: ${{ steps.vars.outputs.aws_account_id_beta }}
	ecr_registry: ${{ steps.vars.outputs.ecr_registry }}
	aws_region: ${{ steps.vars.outputs.aws_region }}
	gh_actions_iam_role_name: ${{ steps.vars.outputs.gh_actions_iam_role_name }}
	service_name: ${{ steps.vars.outputs.service_name }}
	image_tag: ${{ steps.vars.outputs.image_tag }}
	image_name: ${{ steps.vars.outputs.image_name }}
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 1

	- name: Set outputs
	id: vars
	run: \|
	ECR_REGISTRY="${AWS_ECR_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
	IMAGE_TAG=${GITHUB_SHA:0:7}
	IMAGE_NAME="${ECR_REGISTRY}/${{ env.SERVICE_NAME }}:${IMAGE_TAG}"

	echo "aws_account_id_beta=${AWS_ACCOUNT_ID_BETA}" >> ${GITHUB_OUTPUT}
	echo "ecr_registry=${ECR_REGISTRY}" >> ${GITHUB_OUTPUT}
	echo "aws_region=${AWS_REGION}" >> ${GITHUB_OUTPUT}
	echo "gh_actions_iam_role_name=gh_actions_services" >> ${GITHUB_OUTPUT}
	echo "service_name=${{ env.SERVICE_NAME }}" >> ${GITHUB_OUTPUT}
	echo "image_tag=${IMAGE_TAG}" >> ${GITHUB_OUTPUT}
	echo "image_name=${IMAGE_NAME}" >> ${GITHUB_OUTPUT}

	- name: Setup Kosli CLI
	uses: kosli-dev/setup-cli-action@v2
	with:
	version: ${{ vars.KOSLI_CLI_VERSION }}

	- name: Attest pull-request evidence to Kosli
	if: ${{ github.ref == 'refs/heads/main' }}
	run:
	kosli begin trail "${KOSLI_TRAIL}"
	--template-file=.kosli.yml


	pull-request:
	if: ${{ github.ref == 'refs/heads/main' }}
	needs: [setup]
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read
	pull-requests: read
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 1

	- name: Setup Kosli CLI
	uses: kosli-dev/setup-cli-action@v2
	with:
	version: ${{ vars.KOSLI_CLI_VERSION }}

	- name: Attest pull-request evidence to Kosli
	run:
	kosli attest pullrequest github
	--github-token=${{ secrets.GITHUB_TOKEN }}
	--name=pull-request


	snyk-code-scan:
	needs: [setup]
	runs-on: ubuntu-latest
	env:
	SARIF_FILENAME: snyk.code.scan.json
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 1

	- name: Setup Snyk
	uses: snyk/actions/setup@master

	- name: Run Snyk code scan
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	run:
	snyk code test
	--policy-path=.snyk
	--sarif
	--sarif-file-output="${SARIF_FILENAME}"
	.

	- name: Setup Kosli CLI
	if: ${{ github.ref == 'refs/heads/main' && (success() \|\| failure()) }}
	uses: kosli-dev/setup-cli-action@v2
	with:
	version: ${{ vars.KOSLI_CLI_VERSION }}

	- name: Attest evidence to Kosli
	if: ${{ github.ref == 'refs/heads/main' && (success() \|\| failure()) }}
	run:
	kosli attest snyk
	--attachments=.snyk
	--name=nginx.snyk-code-scan
	--scan-results="${SARIF_FILENAME}"


	build-image:
	needs: [setup]
	uses: cyber-dojo/reusable-actions-workflows/.github/workflows/secure-docker-build.yml@main
	with:
	checkout_repository: cyber-dojo/nginx
	checkout_ref: ${{ github.sha }}
	checkout_fetch_depth: 1
	image_name: ${{ needs.setup.outputs.ecr_registry }}/${{ needs.setup.outputs.service_name }}
	image_tag: ${{ needs.setup.outputs.image_tag }}
	image_build_args: \|
	COMMIT_SHA=${{ github.sha }}
	BASE_IMAGE=${{ inputs.BASE_IMAGE }}
	kosli_flow: ${{ vars.KOSLI_FLOW }}
	kosli_trail: ${{ github.sha }}
	kosli_reference_name: ${{ needs.setup.outputs.service_name }}
	attest_to_kosli: ${{ github.ref == 'refs/heads/main' }}
	secrets:
	kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}


	snyk-container-scan:
	needs: [setup, build-image]
	runs-on: ubuntu-latest
	env:
	IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
	KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
	SARIF_FILENAME: snyk.container.scan.json
	steps:
	- name: Download docker image
	uses: cyber-dojo/download-artifact@main
	with:
	image_digest: ${{ needs.build-image.outputs.digest }}

	- uses: actions/checkout@v4
	with:
	fetch-depth: 1

	- name: Setup Snyk
	uses: snyk/actions/setup@master

	- name: Run Snyk container scan
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	run:
	snyk container test ${IMAGE_NAME}
	--policy-path=.snyk
	--sarif
	--sarif-file-output="${SARIF_FILENAME}"

	- name: Setup Kosli CLI
	if: ${{ github.ref == 'refs/heads/main' && (success() \|\| failure()) }}
	uses: kosli-dev/setup-cli-action@v2
	with:
	version: ${{ vars.KOSLI_CLI_VERSION }}

	- name: Attest evidence to Kosli
	if: ${{ github.ref == 'refs/heads/main' && (success() \|\| failure()) }}
	run:
	kosli attest snyk
	--attachments=.snyk
	--name=nginx.snyk-container-scan
	--scan-results="${SARIF_FILENAME}"


	sdlc-control-gate:
	if: ${{ github.ref == 'refs/heads/main' }}
	needs: [setup, build-image, pull-request, snyk-container-scan, snyk-code-scan]
	runs-on: ubuntu-latest
	env:
	IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
	KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
	steps:
	- name: Setup Kosli CLI
	uses: kosli-dev/setup-cli-action@v2
	with:
	version: ${{ vars.KOSLI_CLI_VERSION }}

	- name: Display current compliance
	run:
	kosli get trail "${KOSLI_TRAIL}"

	- name: Kosli SDLC gate to short-circuit the workflow
	run:
	kosli assert artifact ${IMAGE_NAME}
	--environment=${KOSLI_AWS_BETA}


	approve-deployment-to-beta:
	needs: [setup, build-image, sdlc-control-gate]
	runs-on: ubuntu-latest
	env:
	IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
	KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
	environment:
	name: staging
	url: https://beta.cyber-dojo.org
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Setup Kosli CLI
	uses: kosli-dev/setup-cli-action@v2
	with:
	version: ${{ vars.KOSLI_CLI_VERSION }}

	- name: Attest approval of deployment to Kosli
	run:
	kosli report approval ${IMAGE_NAME}
	--approver="${{ github.actor }}"
	--environment=${KOSLI_AWS_BETA}


	deploy-to-beta:
	needs: [setup, build-image, approve-deployment-to-beta]
	permissions:
	id-token: write
	contents: write
	uses: fivexl/gh-workflow-tf-plan-apply/.github/workflows/[email protected]
	with:
	aws_region: ${{ needs.setup.outputs.aws_region }}
	aws_role_arn: arn:aws:iam::${{ needs.setup.outputs.aws_account_id_beta }}:role/${{ needs.setup.outputs.gh_actions_iam_role_name }}
	aws_default_region: ${{ needs.setup.outputs.aws_region }}
	aws_role_duration: 900
	working_directory: deployment/terraform/
	tf_apply: true
	tf_version: v1.9.1
	tf_additional_env_vars: '{"TF_VAR_TAGGED_IMAGE": "${{ needs.setup.outputs.ecr_registry }}/${{ needs.setup.outputs.service_name }}:${{ needs.setup.outputs.image_tag }}@sha256:${{ needs.build-image.outputs.digest }}"}'


	# Deployment to aws-prod Environment is done with a Promotion workflow.
	# See https://github.com/cyber-dojo/aws-prod-co-promotion

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Merge pull request #65 from cyber-dojo/upgrade-base-image #188

Workflow file

Merge pull request #65 from cyber-dojo/upgrade-base-image #188

Uh oh!

Jobs

Run details

Workflow file for this run