-
Notifications
You must be signed in to change notification settings - Fork 2
feat: add image push to GitHub registry #27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 10 commits
a33d9a7
571a6a0
7238e6f
7a455cb
5c903fb
7e0e22e
292a5fc
abb0da8
375f25a
d0e1115
92feb5c
8c9bb3e
5ab5b52
832492c
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| name: User Management Tests | ||
| name: User Management | ||
|
|
||
| on: | ||
| push: | ||
|
|
@@ -11,6 +11,11 @@ on: | |
| - "user-management/**" | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| REGISTRY: ghcr.io | ||
| IMAGE_NAME_USER_SERVICE: ${{ github.repository_owner }}/stickerlandia/user-management-service | ||
| REPOSITORY_URL: github.com/${{ github.repository }} | ||
|
|
||
| jobs: | ||
| unit-test: | ||
| runs-on: ubuntu-latest | ||
|
|
@@ -35,12 +40,6 @@ jobs: | |
| - AZURE | ||
| fail-fast: false | ||
|
|
||
| services: | ||
| cosmosdb: | ||
| image: mcr.microsoft.com/cosmosdb/linux/azure-cosmos-emulator:vnext-preview | ||
| ports: | ||
| - 8081:8081 | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 #4.3.1 | ||
|
|
@@ -114,4 +113,56 @@ jobs: | |
| DRIVING: ${{ matrix.DRIVING }} | ||
| DRIVEN: AGNOSTIC | ||
| run: | | ||
| cd user-management/tests/Stickerlandia.UserManagement.IntegrationTest && dotnet test --logger:"console;verbosity=detailed" | ||
| cd user-management/tests/Stickerlandia.UserManagement.IntegrationTest && dotnet test --logger:"console;verbosity=detailed" | ||
|
|
||
| push-image: | ||
| runs-on: ubuntu-latest | ||
| needs: [integration-test-azure, integration-test-agnostic] | ||
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| attestations: write | ||
| id-token: write | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| - name: Get Commit Info | ||
| id: get_sha | ||
| run: | | ||
| echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | ||
| echo "COMMIT_SHA_FULL=$(git rev-parse HEAD)" >> $GITHUB_ENV | ||
|
|
||
| - | ||
| name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
||
|
|
||
| - name: Log in to the Container registry | ||
| uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 | ||
| with: | ||
| registry: ${{ env.REGISTRY }} | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Extract metadata (tags, labels) for Docker | ||
| id: meta | ||
| uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 | ||
| with: | ||
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_USER_SERVICE }} | ||
| tags: | | ||
| latest | ||
| ${{ env.COMMIT_SHA }} | ||
| ${{ env.COMMIT_SHA_FULL }} | ||
|
|
||
| - name: Build and push Docker image | ||
| id: push | ||
| uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 | ||
| with: | ||
| context: ./user-management | ||
| file: ./user-management/src/Stickerlandia.UserManagement.Api/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| build-args: | | ||
| GIT_COMMIT_SHA=${{ env.COMMIT_SHA_FULL }} | ||
| GIT_REPOSITORY_URL=${{ env.REPOSITORY_URL }} | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,34 +1,35 @@ | ||
| <Project Sdk="Microsoft.NET.Sdk"> | ||
|
|
||
| <PropertyGroup> | ||
| <TargetFramework>net8.0</TargetFramework> | ||
| <ImplicitUsings>enable</ImplicitUsings> | ||
| <Nullable>enable</Nullable> | ||
| </PropertyGroup> | ||
| <PropertyGroup> | ||
| <TargetFramework>net8.0</TargetFramework> | ||
| <ImplicitUsings>enable</ImplicitUsings> | ||
| <Nullable>enable</Nullable> | ||
| </PropertyGroup> | ||
|
|
||
| <ItemGroup> | ||
|
|
||
| <ProjectReference Include="..\Stickerlandia.UserManagement.Auth\Stickerlandia.UserManagement.Auth.csproj" /> | ||
|
|
||
| <ProjectReference Include="..\Stickerlandia.UserManagement.Core\Stickerlandia.UserManagement.Core.csproj" /> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
|
|
||
| <ItemGroup> | ||
| <PackageReference Include="CloudNative.CloudEvents" Version="2.8.0" /> | ||
| <PackageReference Include="CloudNative.CloudEvents.SystemTextJson" Version="2.8.0" /> | ||
| <PackageReference Include="Confluent.Kafka" Version="2.10.0" /> | ||
| <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.16" /> | ||
| <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="2.0.0" /> | ||
| <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.16"> | ||
| <PrivateAssets>all</PrivateAssets> | ||
| <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets> | ||
| </PackageReference> | ||
| <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.11" /> | ||
| <PackageReference Include="OpenIddict.Validation.AspNetCore" Version="6.3.0" /> | ||
| <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.16" /> | ||
| <PackageReference Include="OpenIddict.AspNetCore" Version="6.3.0" /> | ||
| <PackageReference Include="OpenIddict.Server.AspNetCore" Version="6.3.0" /> | ||
| <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="6.3.0" /> | ||
| </ItemGroup> | ||
| <ProjectReference | ||
| Include="..\Stickerlandia.UserManagement.Auth\Stickerlandia.UserManagement.Auth.csproj" /> | ||
|
|
||
| </Project> | ||
| <ProjectReference | ||
| Include="..\Stickerlandia.UserManagement.Core\Stickerlandia.UserManagement.Core.csproj" /> | ||
| </ItemGroup> | ||
|
|
||
| <ItemGroup> | ||
| <PackageReference Include="CloudNative.CloudEvents" Version="2.8.0" /> | ||
| <PackageReference Include="CloudNative.CloudEvents.SystemTextJson" Version="2.8.0" /> | ||
| <PackageReference Include="Confluent.Kafka" Version="2.10.0" /> | ||
| <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="2.0.0" /> | ||
| <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.16"> | ||
| <PrivateAssets>all</PrivateAssets> | ||
| <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets> | ||
| </PackageReference> | ||
| <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.11" /> | ||
| <PackageReference Include="OpenIddict.Validation.AspNetCore" Version="6.3.0" /> | ||
| <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.16" /> | ||
| <PackageReference Include="OpenIddict.AspNetCore" Version="6.3.0" /> | ||
| <PackageReference Include="OpenIddict.Server.AspNetCore" Version="6.3.0" /> | ||
| <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="6.3.0" /> | ||
| </ItemGroup> | ||
|
|
||
| </Project> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟠 Code Vulnerability
No explicit permissions set for at the workflow level (...read more)
Default permissions for the
GITHUB_TOKENare expected to be restricted (contents:read,metadata:read, andpackages:read).Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.
You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.