chanzuckerberg
diff --git a/‎.github/actions/argus-builder/build-prep/action.yml
+129 b/‎.github/actions/argus-builder/build-prep/action.yml
+129
diff --git a/‎.github/actions/argus-builder/docker-build/action.yml
+109 b/‎.github/actions/argus-builder/docker-build/action.yml
+109
diff --git a/‎.github/actions/argus-builder/manifest-update/action.yml
+81 b/‎.github/actions/argus-builder/manifest-update/action.yml
+81
diff --git a/‎.github/actions/container-scanning/action.yml
+58 b/‎.github/actions/container-scanning/action.yml
+58
diff --git a/‎.github/actions/conventional-commits/CHANGELOG.md
+7 b/‎.github/actions/conventional-commits/CHANGELOG.md
+7
@@ -0,0 +1,129 @@
+name: argus-docker-build-prep
+description: Prepare for building a Docker Image for Argus
+
+inputs:
+  path_filters:
+    description: 'Glob patterns to match against changed files in the repository, comma delimited'
+    required: false
+    default: '**/*'
+  path_filters_base:
+    description: |
+      Git reference (e.g. branch name) against which the changes will be detected. Defaults to the current branch.
+      If it references same branch it was pushed to, changes are detected against the most recent commit before the push.
+      This option is ignored if action is triggered by pull_request event.
+    required: false
+    default: ${{ github.ref }}
+  branches_include:
+    description: 'Branch names to run this job on, supports wildcards, comma delimited'
+    required: false
+    default: '*'
+  branches_ignore:
+    description: 'Branch names to run this job on, supports wildcards, comma delimited'
+    required: false
+    default: ''
+
+outputs:
+  image_tag:
+    description: A custom tag to apply to the images that are built
+    value: ${{ steps.build_tags.outputs.image_tag }}
+  should_build:
+    description: Whether the job should run
+    value: ${{ steps.final_check.outputs.should_build }}
+
+runs:
+  using: composite
+  steps:
+    - name: Check for matching branch
+      id: branch_filter
+      uses: actions/github-script@v7
+      with:
+        script: |
+          function wildcardMatch(text, pattern) {
+            const regexPattern =
+            new RegExp('^' + pattern.replace(/\?/g, '.').replace(/\*/g, '.*') + '$');
+            return regexPattern.test(text);
+          }
+          const branchesInclude = `${{ inputs.branches_include }}`.split(',').map(b => b.trim()).filter(b => b.length > 0);
+          console.log('Branches to run against:', branchesInclude);
+          const branchesIgnore = `${{ inputs.branches_ignore }}`.split(',').map(b => b.trim()).filter(b => b.length > 0);
+          console.log('Branches to ignore:', branchesIgnore);
+          const branch = `${{ github.ref }}`.replace('refs/heads/', '');
+          const shouldRun = branchesInclude.some(b => wildcardMatch(branch, b)) && !branchesIgnore.some(b => wildcardMatch(branch, b));
+          if (shouldRun) {
+            console.log('Job will run');
+          } else {
+            console.log(`Job will be skipped because branch name "${branch}" does not match the filters`);
+          }
+          core.setOutput('match', shouldRun);
+
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Get build tag
+      id: build_tags
+      uses: actions/github-script@v7
+      with:
+        script: |
+          let sha;
+          const eventName = context.eventName;
+          if (eventName === "pull_request") {
+            console.log('pull_request:', context.payload.pull_request.head.sha);
+            sha = context.payload.pull_request.head.sha;
+          } else if (eventName === "push") {
+            console.log('push:', context.sha);
+            sha = context.sha;
+          } else {
+            core.setFailed(`EventName ${eventName} not supported`);
+            return;
+          }
+
+          const imageTag = `sha-${sha.slice(0, 7)}`;
+          if (imageTag === 'sha-') {
+            core.setFailed('The image tag [${imageTag}] is invalid.');
+          }
+
+          console.log('imageTag:', imageTag);
+          core.setOutput('image_tag', imageTag);
+
+    - name: Parse inputs
+      id: parse_filters
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const filters = `${{ inputs.path_filters }}`.split(',').map(f => f.trim()).filter(b => b.length > 0);
+          const filtersStr = "run_on:\n" + filters.map(f => `  - '${f}'`).join('\n');
+          core.setOutput('filters', filtersStr);
+
+    - name: Check for force push
+      id: force_push
+      uses: actions/github-script@v7
+      with:
+        # if the push was forced, use the default branch as the base -- otherwise, use the most recent commit before the push
+        # this is necessary because when you force push the previous commit is not available in the repo, thus no changes can be detected
+        script: |
+          if (`${{ github.event_name }}` === 'push' && ${{ github.event.forced || false }}) {
+            core.info(`Force push detected, using the repo's default branch (${{ github.event.repository.default_branch }}) as the base`)
+            core.setOutput('base', `${{ github.event.repository.default_branch }}`);
+          } else {
+            core.info(`Push was not forced, using the most recent commit before the push as the base`)
+            core.setOutput('base', `${{ inputs.path_filters_base }}`);
+          }
+
+    - name: Check for matching file changes
+      uses: dorny/paths-filter@v3
+      id: file_filter
+      with:
+        filters: |
+          ${{ steps.parse_filters.outputs.filters }}
+        base: ${{ steps.force_push.outputs.base }}
+        list-files: json
+
+    - name: Check if build should run
+      id: final_check
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const branchMatched = `${{ steps.branch_filter.outputs.match }}` === 'true';
+          const filesMatched = `${{ steps.file_filter.outputs.run_on }}` === 'true';
+          core.setOutput('should_build', filesMatched && branchMatched);
@@ -0,0 +1,109 @@
+name: argus-docker-build
+description: Build a Docker Image for Argus
+
+inputs:
+  image_name:
+    description: 'Name of the image to build'
+    required: true
+  dockerfile:
+    description: 'Path to the Dockerfile'
+    required: true
+  context:
+    description: 'Path to the build context'
+    required: true
+  platform:
+    description: 'Platform to build for'
+    required: false
+    default: 'linux/arm64'
+  build_args:
+    description: 'Args for docker build'
+    required: false
+    default: ''
+  secret_files:
+    description: 'Files to copy into the build context'
+    required: false
+    default: ''
+  image_tag:
+    description: 'Additional tag to apply to the image this is built'
+    required: true
+  github_app_id:
+    description: 'GitHub App ID'
+    required: true
+  github_private_key:
+    description: 'GitHub App private key'
+    required: true
+
+outputs:
+  image_uri:
+    description: 'URI of the image that was built'
+    value: ${{ steps.ecr_metadata.outputs.IMAGE_URI }}
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        path: ${{ github.event.repository.name }}
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: us-west-2
+        role-to-assume: arn:aws:iam::533267185808:role/gh_actions_core_platform_infra_prod_eks
+        role-session-name: ArgusContainerBuilder
+    - name: Generate token
+      id: generate_token
+      uses: tibdex/github-app-token@v2
+      with:
+        app_id: ${{ inputs.github_app_id }}
+        private_key: ${{ inputs.github_private_key }}
+    - uses: actions/checkout@v4
+      with:
+        repository: chanzuckerberg/core-platform-settings
+        path: core-platform-settings
+        token: ${{ steps.generate_token.outputs.token }}
+    - name: ECR Metadata
+      id: ecr_metadata
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const path = require('path');
+          const ECR_REGISTRY = "533267185808.dkr.ecr.us-west-2.amazonaws.com";
+          const ECR_REPO_NAME = path.join(
+            'core-platform',
+            '${{ github.event.repository.name }}',
+            '${{ inputs.context }}',
+            '${{ inputs.image_name }}',
+          );
+          const IMAGE_URI = `${ECR_REGISTRY}/${ECR_REPO_NAME}:${{ inputs.image_tag }}`;
+
+          core.setOutput('ECR_REGISTRY', ECR_REGISTRY);
+          core.setOutput('ECR_REPO_NAME', ECR_REPO_NAME);
+          core.setOutput('IMAGE_URI', IMAGE_URI);
+    - name: Create ECR repo if necessary
+      uses: int128/create-ecr-repository-action@v1
+      with:
+        repository: ${{ steps.ecr_metadata.outputs.ECR_REPO_NAME }}
+        lifecycle-policy: core-platform-settings/ecr/lifecycle-policy.json
+        repository-policy: core-platform-settings/ecr/repository-policy.json
+    - name: Build And Push
+      uses: chanzuckerberg/github-actions/.github/actions/docker-build-push@6fe6046403cf16689027cb3981781d8b05fd702b
+      with:
+        dockerfile: ${{ github.event.repository.name }}/${{ inputs.dockerfile }}
+        context: ${{ github.event.repository.name }}/${{ inputs.context }}
+        name: ${{ steps.ecr_metadata.outputs.ECR_REPO_NAME }}
+        registry: ${{ steps.ecr_metadata.outputs.ECR_REGISTRY }}
+        custom_tag: ${{ inputs.image_tag }}
+        platforms: ${{ inputs.platform }}
+        build_args: |
+          IMAGE_TAG=${{ inputs.image_tag }}
+          ${{ inputs.build_args }}
+        secret-files: ${{ inputs.secret_files }}
+
+    # TODO: scan image for vulnerabilities
+    # - name: Scan for vulnerabilities
+    #   uses: chanzuckerberg/github-actions/.github/actions/argus-builder/scan-for-vulnerabilities@main
+    #   with:
+    #     image_uri: ${{ steps.ecr_metadata.outputs.ECR_REGISTRY }}/${{ steps.ecr_metadata.outputs.ECR_REPO_NAME }}:${{ inputs.image_tag }}
+    #     github_app_id: ${{ inputs.github_app_id }}
+    #     github_private_key: ${{ inputs.github_private_key }}
@@ -0,0 +1,81 @@
+name: argus-docker-manifest-update
+description: Updates manifests for Argus after the Docker image is built
+
+inputs:
+  envs:
+    description: 'Env names, comma delimited'
+    required: true
+  image_tag:
+    description: The tag of the image that should be updated
+    required: true
+  argus_project_dirs:
+    description: 'Comma-delimited list of Argus project roots (directories that contain the .infra/ directory for each app)'
+    default: '.'
+    required: false
+  github_app_id:
+    description: 'GitHub App ID'
+    required: true
+  github_private_key:
+    description: 'GitHub App private key'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        echo "Image Tag: ${{ inputs.image_tag }}"
+      shell: bash
+    - name: Generate token
+      id: generate_token
+      uses: tibdex/github-app-token@v2
+      with:
+        app_id: ${{ inputs.github_app_id }}
+        private_key: ${{ inputs.github_private_key }}
+    - name: Calculate Branch and Base Names
+      id: refs
+      uses: chanzuckerberg/github-actions/.github/actions/[email protected]
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        token: ${{ steps.generate_token.outputs.token }}
+        ref: ${{ steps.refs.outputs.headRef }}
+    - name: Parse envs
+      id: parse_envs
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const envs = `${{ inputs.envs }}`.split(',').map(env => env.trim()).filter(b => b.length > 0);
+          core.setOutput('envs', envs.join(' '));
+    - name: Determine .infra path
+      uses: actions/github-script@v7
+      id: path
+      with:
+        script: |
+          const path = require('path');
+          const fs = require('fs');
+          const workingDirs = `${{ inputs.argus_project_dirs }}`.split(',').map(dir => dir.trim()).filter(b => b.length > 0);
+          const infraDirPaths = workingDirs.map(dir => {
+            const infraDirPath = path.join(dir, '.infra');
+            if (!fs.existsSync(infraDirPath)) {
+              throw new Error(`.infra directory not found at ${infraDirPath}`);
+            }
+            return infraDirPath;
+          });
+          core.setOutput('infra_dir_paths', infraDirPaths.join(' '));
+    - name: Update Manifest
+      shell: bash
+      run: |
+        for env in ${{ steps.parse_envs.outputs.envs }}
+        do
+          for infra_dir_path in ${{ steps.path.outputs.infra_dir_paths }}
+          do
+            sed -i 's/tag: sha-\w\+/tag: ${{ inputs.image_tag }}/g' ${infra_dir_path}/${env}/values.yaml
+            cat ${infra_dir_path}/${env}/values.yaml
+          done
+        done
+    - name: Update Argus manifests
+      uses: EndBug/add-and-commit@v9
+      with:
+        add: -A
+        message: 'chore: Updated [${{ steps.parse_envs.outputs.envs }}] values.yaml image tags to ${{ inputs.image_tag }}'
+
@@ -0,0 +1,58 @@
+name: Container Scanning
+description: 'A GitHub Action to scan a container image for security vulnerabilities that follows CZI Best Practices'
+inputs:
+  image_uri:
+    description: 'which image to scan'
+    required: true
+  critical_threshold:
+    description: 'number of critical vulnerabilities that will cause the action to fail'
+    required: false
+    default: "1"
+  high_threshold:
+    description: 'number of high vulnerabilities that will cause the action to fail'
+    required: false
+    default: "1"
+  medium_threshold:
+    description: 'number of medium vulnerabilities that will cause the action to fail'
+    required: false
+    default: "10"
+  low_threshold:
+    description: 'number of low vulnerabilities that will cause the action to fail'
+    required: false
+    default: "10"
+  other_threshold:
+    description: 'number of other vulnerabilities that will cause the action to fail'
+    required: false
+    default: "10"
+  fail_on_vulnerabilities:
+    description: 'whether to fail the action if vulnerabilities are found'
+    required: false
+    default: "true"
+runs:
+  using: "composite"
+  steps:
+    - uses: aws-actions/configure-aws-credentials@v3
+      with:
+        aws-region: us-west-2
+        role-to-assume: arn:aws:iam::871040364337:role/ci/github-actions-inspector
+        role-duration-seconds: 1800
+        role-session-name: github-actions-inspector
+    - name: Scan built image with Inspector
+      uses: aws-actions/[email protected]
+      id: inspector
+      with:
+        artifact_type: 'container'
+        artifact_path: ${{ inputs.image_uri }} # make sure this matches the image you built
+        critical_threshold: ${{ inputs.critical_threshold }}
+        high_threshold:   ${{ inputs.high_threshold }}
+        medium_threshold:   ${{ inputs.medium_threshold }}
+        low_threshold:  ${{ inputs.low_threshold }}
+        other_threshold: ${{ inputs.other_threshold }}
+        display_vulnerability_findings: "enabled"
+    - name: Display Inspector vulnerability scan results (markdown)
+      shell: bash
+      run: cat ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
+    - name: Fail job if vulnerability threshold is exceeded
+      if: contains(inputs.fail_on_vulnerabilities, 'true')
+      shell: bash
+      run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
@@ -1,5 +1,12 @@
 # Changelog
 
+## [1.5.0](https://github.com/chanzuckerberg/github-actions/compare/conventional-commits-v1.4.0...conventional-commits-v1.5.0) (2024-07-08)
+
+
+### Features
+
+* add more conventional commit types ([#279](https://github.com/chanzuckerberg/github-actions/issues/279)) ([c212929](https://github.com/chanzuckerberg/github-actions/commit/c2129291817d4055272deee803d893d6669ababd))
+
 ## [1.4.0](https://github.com/chanzuckerberg/github-actions/compare/conventional-commits-v1.3.4...conventional-commits-v1.4.0) (2024-02-01)