chore(deps): update ghcr.io/nerdswords/yet-another-cloudwatch-exporter docker tag to v0.48.0 #32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Docker Build Tag' | |
| on: | |
| pull_request: | |
| types: [ closed ] | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| REPO_NAME: ${{ github.event.repository.name }} | |
| jobs: | |
| calculate-semver: | |
| runs-on: ubuntu-latest | |
| if: | | |
| github.event.pull_request.merged == true && | |
| (contains(github.event.pull_request.labels.*.name, 'major') || contains(github.event.pull_request.labels.*.name, 'minor') || contains(github.event.pull_request.labels.*.name, 'patch')) | |
| outputs: | |
| version: ${{steps.calculate.outputs.version}} | |
| steps: | |
| - name: Parse the SemVer label | |
| id: label | |
| uses: UKHomeOffice/match-label-action@v1 | |
| with: | |
| labels: minor,major,patch | |
| mode: singular | |
| - name: Calculate SemVer value | |
| id: calculate | |
| uses: UKHomeOffice/semver-calculate-action@v1 | |
| with: | |
| increment: ${{ steps.label.outputs.matchedLabels }} | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| default_to_highest: ${{ github.base_ref == 'main' }} | |
| container-image-build: | |
| needs: calculate-semver | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Calculate metadata | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=raw,value=${{needs.calculate-semver.outputs.version}} | |
| type=raw,value=latest,enable=${{ github.base_ref == 'main' }} | |
| - name: Build container | |
| uses: docker/[email protected] | |
| with: | |
| context: ./monitoring-as-code | |
| file: ./monitoring-as-code/Dockerfile | |
| push: false | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-args: | | |
| PACKAGE_TOKEN=${{secrets.GITHUB_TOKEN}} | |
| MAC_VERSION=${{needs.calculate-semver.outputs.version}} | |
| outputs: type=docker,dest=/tmp/${{ env.REPO_NAME }}.tar | |
| - name: Upload artifact | |
| uses: actions/[email protected] | |
| with: | |
| name: ${{ env.REPO_NAME }} | |
| path: /tmp/${{ env.REPO_NAME }}.tar | |
| container-image-test: | |
| needs: container-image-build | |
| permissions: | |
| security-events: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Download artifact | |
| uses: actions/[email protected] | |
| with: | |
| name: ${{ env.REPO_NAME }} | |
| path: /tmp | |
| - name: Load Docker image | |
| run: | | |
| docker load --input /tmp/${{ env.REPO_NAME }}.tar | |
| echo "IMAGE_TAG=$(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep -m1 sre-monitoring-as-code)" >> $GITHUB_ENV | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: 18.10.0 | |
| - name: Setup Snyk | |
| run: | | |
| npm install snyk -g | |
| snyk auth ${{secrets.SNYK_TOKEN}} | |
| - name: Snyk Container Scan | |
| id: snyk-dockerfile | |
| run: | | |
| snyk container test --file=./monitoring-as-code/Dockerfile --sarif-file-output=snyk.sarif --app-vulns --severity-threshold=medium ${{ env.IMAGE_TAG }} | |
| continue-on-error: true | |
| - name: Set env reference | |
| run: echo "GITHUB_REF=refs/heads/$GITHUB_REF" >> $GITHUB_ENV && echo "GITHUB_SHA=$GITHUB_SHA" >> $GITHUB_ENV | |
| - name: Upload result to GitHub Code Scanning | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: snyk.sarif | |
| ref: ${{ env.GITHUB_REF }} | |
| sha: ${{ env.GITHUB_SHA }} | |
| - name: Check on failures | |
| if: steps.snyk-dockerfile.outcome != 'success' | |
| run: exit 1 | |
| container-image-push: | |
| needs: [container-image-test] | |
| permissions: | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Download artifact | |
| uses: actions/[email protected] | |
| with: | |
| name: ${{ env.REPO_NAME }} | |
| path: /tmp | |
| - name: Load Docker image | |
| run: | | |
| docker load --input /tmp/${{ env.REPO_NAME }}.tar | |
| - name: Login to GitHub Container Registry | |
| uses: docker/[email protected] | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push image to GitHub Container Registry | |
| run: | | |
| for i in $(docker image list --format '{{.Repository}}:{{.Tag}}' "${1}" | grep "sre-monitoring-as-code"); do | |
| echo "${1}$i" | |
| docker push "${1}$i" | |
| done | |
| tag-repo-semver: | |
| needs: [calculate-semver, container-image-push] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Tag repository with SemVer | |
| uses: UKHomeOffice/semver-tag-action@v3 | |
| with: | |
| tag: ${{needs.calculate-semver.outputs.version}} | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| draft-release-notes: | |
| needs: tag-repo-semver | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Draft release notes | |
| uses: release-drafter/release-drafter@v5 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |