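---
# Builds every target/image combination listed in image-matrix.json, scans the
# production images with Grype and Trivy, and on main pushes the images to
# Docker Hub and creates a GitHub release for the DEFRA_VERSION read from JOB.env.
name: BUILD-SCAN-PUSH

on:  # yamllint disable-line rule:truthy
  push:
    branches: ['**']
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the build jobs only read the repository.
# create-release raises this to contents: write, which `gh release create` needs.
permissions:
  contents: read

jobs:
  # Exposes image-matrix.json as a job output so build-images can fan out over it
  # with fromJSON.
  get-matrix-values:
    runs-on: ubuntu-latest
    outputs:
      image: ${{ steps.set-var.outputs.image }}
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          # No step here pushes with git, so do not leave the token in .git/config.
          persist-credentials: false
      - id: set-var
        # Multi-line output uses the delimiter syntax understood by $GITHUB_OUTPUT.
        run: |
          echo 'image<<EOF' >> "$GITHUB_OUTPUT"
          cat ./image-matrix.json >> "$GITHUB_OUTPUT"
          echo 'EOF' >> "$GITHUB_OUTPUT"

  # One job per (target, image) pair. Every pair is built and tagged; only
  # production images are saved to an archive and scanned.
  build-images:
    runs-on: ubuntu-latest
    needs: get-matrix-values
    strategy:
      fail-fast: false
      matrix:
        target: ["development", "production"]
        image: ${{ fromJSON(needs.get-matrix-values.outputs.image) }}
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          # The checkout is the Docker build context (`docker buildx build .`);
          # keep the token out of it so it cannot end up in an image layer.
          persist-credentials: false
      - id: setEnv
        name: Set Job env vars
        # JOB.env is expected to define DEFRA_VERSION (create-release greps it
        # from the same file) and IMAGE_NAME — confirm against the repo.
        run: |
          cat JOB.env >> "$GITHUB_ENV"
      - id: setImageDetails
        name: Set image name and latest tag
        # Production images use the bare repository name; any other target gets a
        # "-<target>" suffix. Interpolated values are quoted so an empty field
        # (e.g. a matrix entry without "latest") cannot break the test expression.
        run: |
          if [ "${{ matrix.target }}" = "production" ]
          then
            DOCKER_REPO_NAME="defradigital/$IMAGE_NAME"
          else
            DOCKER_REPO_NAME="defradigital/$IMAGE_NAME-${{ matrix.target }}"
          fi
          echo "dockerRepoName=$DOCKER_REPO_NAME" >> "$GITHUB_OUTPUT"
          echo "fullImageName=$DOCKER_REPO_NAME:$DEFRA_VERSION-node${{ matrix.image.nodeVersion }}" >> "$GITHUB_OUTPUT"
          if [ "${{ matrix.image.latest }}" = "true" ]
          then
            echo "latestTag=--tag $DOCKER_REPO_NAME:latest" >> "$GITHUB_OUTPUT"
          else
            echo "latestTag=" >> "$GITHUB_OUTPUT"
          fi
      - name: Set up Docker
        uses: docker/setup-docker-action@b2189fbf2a6592b51fee7cdd93ee2bfaeba733db # v5
        with:
          # The containerd image store is enabled so the multi-platform build
          # below can be --load'ed into the local daemon and saved as one archive.
          daemon-config: |
            {
              "debug": true,
              "features": {
                "containerd-snapshotter": true
              }
            }
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build the Docker image
        # latestTag is either "--tag <repo>:latest" or empty (see setImageDetails),
        # so it is deliberately left unquoted to expand to zero or two arguments.
        run: |
          docker buildx build . --file Dockerfile --no-cache \
            --platform linux/amd64,linux/arm64 \
            --load \
            --target=${{ matrix.target }} \
            --build-arg DEFRA_VERSION=$DEFRA_VERSION \
            --build-arg BASE_VERSION=${{ matrix.image.nodeVersion }}-alpine${{ matrix.image.alpineVersion }} \
            --tag ${{ steps.setImageDetails.outputs.fullImageName }} \
            ${{ steps.setImageDetails.outputs.latestTag }}
          docker images
      - name: Save image to archive
        if: ${{ matrix.target == 'production' }}
        run: |
          docker save ${{ steps.setImageDetails.outputs.fullImageName }} -o image-${{ matrix.image.nodeVersion }}.tar
          ls -lh image-${{ matrix.image.nodeVersion }}.tar
      # Both scanners run with continue-on-error so that each one completes and
      # its outcome can be inspected in "Fail build if scans failed" below.
      - name: Run Anchore Grype scan
        id: grype-scan
        if: ${{ matrix.target == 'production' }}
        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7
        with:
          image: docker-archive:image-${{ matrix.image.nodeVersion }}.tar
          fail-build: true
          severity-cutoff: "medium"
        continue-on-error: true
      - name: Run Aqua Trivy scan
        id: trivy-scan
        if: ${{ matrix.target == 'production' }}
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          input: image-${{ matrix.image.nodeVersion }}.tar
          scan-type: image
          format: sarif
          # This path is what "Upload Trivy SARIF report" publishes.
          output: trivy-reports-node-${{ matrix.image.nodeVersion }}
          exit-code: 1
          vuln-type: os,library
          severity: CRITICAL,HIGH,MEDIUM
        continue-on-error: true
      - name: Upload Grype SARIF report
        if: ${{ steps.grype-scan.outcome == 'failure' && matrix.target == 'production' }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: grype-reports-node-${{ matrix.image.nodeVersion }}
          path: ${{ steps.grype-scan.outputs.sarif }}
      - name: Upload Trivy SARIF report
        if: ${{ steps.trivy-scan.outcome == 'failure' && matrix.target == 'production' }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: trivy-reports-node-${{ matrix.image.nodeVersion }}
          path: trivy-reports-node-${{ matrix.image.nodeVersion }}
      - name: Fail build if scans failed
        # NOTE: on main, scan findings are published as artifacts but do not stop
        # the push below; on every other branch a failed scan fails the job.
        if: ${{ (steps.grype-scan.outcome == 'failure' || steps.trivy-scan.outcome == 'failure') && matrix.target == 'production' && github.ref != 'refs/heads/main' }}
        run: |
          echo "One or more scans failed. Failing the build."
          echo "Grype scan outcome: ${{ steps.grype-scan.outcome }}"
          echo "Trivy scan outcome: ${{ steps.trivy-scan.outcome }}"
          exit 1
      - name: Tag image
        # matrix.image.tags comes from image-matrix.json; each entry becomes an
        # additional tag on the repository name chosen in setImageDetails.
        run: |
          echo "Tags are ${{ join(matrix.image.tags, ' ') }}"
          for TAG in ${{ join(matrix.image.tags, ' ') }}
          do
            echo "creating tag ${{ steps.setImageDetails.outputs.dockerRepoName }}:$TAG"
            docker image tag ${{ steps.setImageDetails.outputs.fullImageName }} ${{ steps.setImageDetails.outputs.dockerRepoName }}:$TAG
          done
      - name: Login to DockerHub
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
        if: github.ref == 'refs/heads/main'
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - id: pushImage
        name: push docker image
        if: github.ref == 'refs/heads/main'
        run: |
          docker image push ${{ steps.setImageDetails.outputs.fullImageName }}
          for TAG in ${{ join(matrix.image.tags, ' ') }}
          do
            docker image push ${{ steps.setImageDetails.outputs.dockerRepoName }}:$TAG
          done

  # Creates a GitHub release named after DEFRA_VERSION once all images are built;
  # skipped silently when a release for that version already exists.
  create-release:
    runs-on: ubuntu-latest
    needs: build-images
    permissions:
      contents: write  # required by `gh release create`
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          # gh authenticates via the GITHUB_TOKEN env var below, not git credentials.
          persist-credentials: false
      - name: Create GitHub release
        if: github.ref == 'refs/heads/main'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Fail loudly if JOB.env has no parseable DEFRA_VERSION rather than letting
        # `gh release view` run with an empty tag.
        run: |
          current_defra_version=$(grep -oP 'DEFRA_VERSION=\K[\d.]+' JOB.env || true)
          if [ -z "$current_defra_version" ]; then
            echo "DEFRA_VERSION not found in JOB.env; cannot create a release."
            exit 1
          fi
          if gh release view "$current_defra_version" &>/dev/null; then
            echo "Tag $current_defra_version already exists. Skipping release."
          else
            gh release create "$current_defra_version" \
              --title "Node $current_defra_version" \
              --generate-notes
          fi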