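---
name: CI Pipeline

# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - main
  pull_request:
    types:
      - 'opened'
      - 'synchronize'
      - 'reopened'

env:
  # Quoted on purpose: an unquoted version is parsed as a float, which silently
  # turns e.g. 1.20 into 1.2 when the value is handed to setup-go.
  GO_VERSION: "1.24"
  KIND_VERSION: v0.27.0
  IMAGE_NAME: namespace-cleaner:test
  REGISTRY: k8scc01covidacr.azurecr.io

jobs:
  deploy-namespace-cleaner:  # Consolidated job for all deployment-related tasks
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: no step in this job writes to the
    # repository or to pull requests through the token (the registry push uses
    # dedicated secrets), so read access for checkout is all it needs.
    permissions:
      contents: read
    steps:
      # --- Linting and Setup ---
      # NOTE(review): every action below is pinned by a mutable tag. Pinning to
      # the full commit SHA (tag kept in a trailing comment) is the form that
      # protects against a retagged or compromised upstream action.
      - uses: actions/checkout@v4
        with:
          # Keep the token out of .git/config: the docker build context and the
          # make targets below do not need it and should not be able to read it.
          persist-credentials: false
      - name: Lint Dockerfile
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.10"
      - name: Run yamllint
        run: |
          pip install yamllint
          yamllint .

      # --- Build Docker Image ---
      - name: Build Docker Image
        run: docker build -t ${{ env.IMAGE_NAME }} .

      # --- Unit Tests ---
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Run Unit Tests
        run: make test-unit
        id: unit-tests

      # --- Integration Tests with Kind ---
      - name: Install kubectl
        uses: azure/setup-kubectl@v3
      - name: Install Kind
        run: |
          curl -Lo ./kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64
          chmod +x ./kind
          sudo mv ./kind /usr/local/bin/kind
      - name: Create Kind Cluster
        run: kind create cluster
      - name: Load Image into Kind
        run: kind load docker-image ${{ env.IMAGE_NAME }}
      - name: Run Integration Tests
        run: make test-integration

      # --- Security Scan ---
      # Fails the pipeline on CRITICAL findings. Only unexpected exit codes
      # (DB download, registry rate limiting) are retried; a real finding
      # (exit code 1) is never retried.
      - name: Run Trivy Security Scan
        env:
          TRIVY_VERSION: "0.69.3"
          TRIVY_DIGEST: "sha256:7228e304ae0f610a1fad937baa463598cadac0c2ac4027cc68f3a8b997115689"
          TRIVY_DB_REPOSITORIES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"'
          TRIVY_JAVA_DB_REPOSITORIES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"'
          TRIVY_MAX_RETRIES: "5"
          TRIVY_RETRY_DELAY: "20"
        run: |
          # Disable errexit so the exit code can be inspected per attempt.
          set +e
          for ((i=0; i<${TRIVY_MAX_RETRIES}; i++)); do
            echo "Attempt $((i + 1)) of ${TRIVY_MAX_RETRIES}..."
            # Scanner image is pinned by digest so the scan itself is reproducible.
            docker run --rm \
              -v /var/run/docker.sock:/var/run/docker.sock \
              -v "${{ github.workspace }}/.trivycache:/root/.cache" \
              aquasec/trivy:${TRIVY_VERSION}@${TRIVY_DIGEST} \
              image \
              --image-src docker \
              --db-repository ${TRIVY_DB_REPOSITORIES} \
              --java-db-repository ${TRIVY_JAVA_DB_REPOSITORIES} \
              --scanners vuln \
              --severity CRITICAL \
              --format table \
              --timeout 20m \
              --exit-code 1 \
              "${{ env.IMAGE_NAME }}"
            EXIT_CODE=$?
            if [[ $EXIT_CODE -eq 0 ]]; then
              echo "Trivy scan completed successfully."
              exit 0
            elif [[ $EXIT_CODE -eq 1 ]]; then
              # Exit code 1 is a vulnerability finding, not a transient error.
              echo "Trivy found vulnerabilities meeting the configured threshold."
              exit 1
            elif [[ $i -lt $((TRIVY_MAX_RETRIES - 1)) ]]; then
              echo "Unexpected Trivy error. Retrying in ${TRIVY_RETRY_DELAY} seconds..."
              sleep "${TRIVY_RETRY_DELAY}"
            else
              echo "Unexpected Trivy error persisted after ${TRIVY_MAX_RETRIES} attempts."
              exit 1
            fi
          done

      # --- Push Image to ACR ---
      # Only code that has been merged to main is published. Pull-request builds
      # are fully tested and scanned above but never reach the registry, and
      # consequently never need the registry credentials.
      - name: Login to ACR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: azure/docker-login@v1
        with:
          login-server: ${{ env.REGISTRY }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Tag and Push Image
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
          docker tag ${{ env.IMAGE_NAME }} ${{ env.REGISTRY }}/namespace-cleaner:${{ github.sha }}
          docker push ${{ env.REGISTRY }}/namespace-cleaner:${{ github.sha }}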