forked from DefectDojo/django-DefectDojo
-
Notifications
You must be signed in to change notification settings - Fork 0
229 lines (205 loc) · 9.66 KB
/
nca-build-docker-image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
name: "NCA: build Docker images and package Helm chart"
env:
DD_REGISTRY_INTERNAL: "docker-registry-internal.extranet.netcetera.biz"
DD_REGISTRY_INTERNAL_RELEASE: "docker-registry-internal-release.extranet.netcetera.biz"
DD_PATH: "/nca-459-7/defectdojo"
GIT_USERNAME: "DefectDojo NCA release bot"
GIT_EMAIL: "[email protected]"
HELM_CHARTS_BRANCH_PREFIX: "helm-charts-nca"
on:
workflow_dispatch:
push:
branch:
# uncomment this (and update to the current major version) if you want an
# image built for each commit
#- tag-2.16.1-NCA
# nca/X naming is used in actions below, adjust accordingly if needed
- nca/feature/*
tag:
- nca/release/*
# On each push to the aforementioned branches or tags with names matching the
# pattern above, the following happens:
#
# - Depending on Git reference name (branch or tag name) we determine a release
# for a would-be artifact.
# - nca/release/<RESULTING NAME>
# - nca/feature/<RESULTING NAME>
# - tag-VERSION-NCA --> VERSION-nca-GIT_SHA_FIRST_8_CHARS, i.e. 2.16.1-nca-abcdef
#
# - Note that when pushing to nca/feature branch or creating a nca/release tag,
# the artifacts will have the same name (will overwrite the previous
# versions). However, when pushing to tag-VERSION-NCA branch, each resulting
# artifact will be unique.
#
# - We also determine if it is a release build or just a test build. This
# affects on where the resulting image will be pushed to.
#
# - Docker images (nginx and django) are built. They are tagged with release
# determined above and pushed to repositories stated in environment variables
# above. The same image is pushed to both repositories.
#
# - Helm chart is packaged.
# - Helm package is pushed to the release named as 'helm-<RESULTING NAME>'.
# - The package is stored under a subdirectory named in the same way as Docker
# image (described above).
# - index.yaml file is pushed to a branch named 'helm-charts-nca-<RESULTING name>'.
# The branch is created from helm-charts upstream branch. Changes are pushed
# force flag.
jobs:
build_images:
name: build and push DefectDojo Docker images
runs-on: ubuntu-latest
strategy:
matrix:
docker-image: [django, nginx]
os: [debian]
platform: [amd64]
steps:
- name: set Docker tag to the release
if: ${{ startsWith(github.ref_name, 'nca/release/') }}
run: |
echo "RELEASE_VERSION=${GITHUB_REF_NAME#nca/release/}" >> $GITHUB_ENV
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL_RELEASE}" >> $GITHUB_ENV
echo "DD_REPO=${DD_REGISTRY_INTERNAL_RELEASE}${DD_PATH}" >> $GITHUB_ENV
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}" >> $GITHUB_ENV
- name: set Docker tag to the feature branch name
if: ${{ startsWith(github.ref_name, 'nca/feature/') }}
run: |
echo "RELEASE_VERSION=${GITHUB_REF_NAME#nca/feature/}" >> $GITHUB_ENV
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL}" >> $GITHUB_ENV
echo "DD_REPO=${DD_REGISTRY_INTERNAL}${DD_PATH}" >> $GITHUB_ENV
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}-${RELEASE_VERSION}" >> $GITHUB_ENV
- name: set Docker tag to the main branch name and hash
if: ${{ startsWith(github.ref_name, 'tag-') }}
run: |
RELEASE_VERSION="${GITHUB_REF_NAME#tag-}"
echo "RELEASE_VERSION=$(echo $RELEASE_VERSION | tr '[:upper:]' '[:lower:]')-${GITHUB_SHA:0:8}" >> $GITHUB_ENV
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL}" >> $GITHUB_ENV
echo "DD_REPO=${DD_REGISTRY_INTERNAL}${DD_PATH}" >> $GITHUB_ENV
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}-${RELEASE_VERSION}" >> $GITHUB_ENV
- name: reporting the resulting versions
run: |
echo building docker image tag ${{ env.RELEASE_VERSION }}
echo packaging Helm chart into ${{ env.NCA_HELM_BRANCH }} branch
- name: checkout the repo
uses: actions/checkout@v4
- name: login to Docker repository
run: |
nslookup docker-registry-internal.extranet.netcetera.biz
sudo systemctl status systemd-networkd
sudo systemctl status systemd-resolved
echo "${{ secrets.NCA_REPO_PASSWORD }}" | docker login "${{ env.DD_REGISTRY }}" -u "${{ secrets.NCA_REPO_USERNAME }}" --password-stdin
- name: setup Docker buildx
id: buildx
uses: docker/setup-buildx-action@v3
- name: cache Docker layers
uses: actions/cache@v4
env:
docker-image: ${{ matrix.docker-image }}
with:
path: /tmp/.buildx-cache-${{ env.docker-image }}
key: ${{ runner.os }}-buildx-${{ env.docker-image }}-${{ github.sha }}-${{ github.run_id }}
restore-keys: |
${{ runner.os }}-buildx-${{ env.docker-image }}-${{ github.sha }}
${{ runner.os }}-buildx-${{ env.docker-image }}-
- name: storing Netcetera Active Directory certificate in would-be container
env:
AD_CERT: ${{ secrets.AD_CERT }}
run: echo "$AD_CERT" > docker/certs/ad-ca.crt
- name: build and push image
uses: docker/build-push-action@v5
env:
docker-image: ${{ matrix.docker-image }}
with:
push: true
tags: ${{ env.DD_REPO }}/defectdojo-${{ env.docker-image}}:${{ env.RELEASE_VERSION }}
file: ./Dockerfile.${{ env.docker-image }}-debian
context: .
cache-from: type=local,src=/tmp/.buildx-cache-${{ env.docker-image }}
cache-to: type=local,dest=/tmp/.buildx-cache-${{ env.docker-image }}
package_helm:
name: package Helm chart
runs-on: ubuntu-latest
steps:
# the first steps must be copy-pasted from above
- name: set Docker tag to the release
if: ${{ startsWith(github.ref_name, 'nca/release/') }}
run: |
echo "RELEASE_VERSION=${GITHUB_REF_NAME#nca/release/}" >> $GITHUB_ENV
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL_RELEASE}" >> $GITHUB_ENV
echo "DD_REPO=${DD_REGISTRY_INTERNAL_RELEASE}${DD_PATH}" >> $GITHUB_ENV
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}" >> $GITHUB_ENV
- name: set Docker tag to the feature branch name
if: ${{ startsWith(github.ref_name, 'nca/feature/') }}
run: |
echo "RELEASE_VERSION=${GITHUB_REF_NAME#nca/feature/}" >> $GITHUB_ENV
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL}" >> $GITHUB_ENV
echo "DD_REPO=${DD_REGISTRY_INTERNAL}${DD_PATH}" >> $GITHUB_ENV
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}-${RELEASE_VERSION}" >> $GITHUB_ENV
- name: set Docker tag to the main branch name and hash
if: ${{ startsWith(github.ref_name, 'tag-') }}
run: |
RELEASE_VERSION="${GITHUB_REF_NAME#tag-}"
echo "RELEASE_VERSION=$(echo $RELEASE_VERSION | tr '[:upper:]' '[:lower:]')-${GITHUB_SHA:0:8}" >> $GITHUB_ENV
echo "DD_REGISTRY=${DD_REGISTRY_INTERNAL}" >> $GITHUB_ENV
echo "DD_REPO=${DD_REGISTRY_INTERNAL}${DD_PATH}" >> $GITHUB_ENV
echo "NCA_HELM_BRANCH=${HELM_CHARTS_BRANCH_PREFIX}-${RELEASE_VERSION}" >> $GITHUB_ENV
- name: reporting the resulting versions
run: |
echo building docker image tag ${{ env.RELEASE_VERSION }}
echo packaging Helm chart into ${{ env.NCA_HELM_BRANCH }} branch
- name: checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: install Helm
uses: azure/setup-helm@v3
with:
version: v3.4.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: configure Helm repos
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm dependency list ./helm/defectdojo
helm dependency update ./helm/defectdojo
- name: package Helm chart
id: package-helm-chart
run: |
mkdir build
helm package helm/defectdojo/ --destination ./build
echo "chart_version=$(ls build | sed 's|defectdojo-||' | sed 's|\.tgz||')" >> $GITHUB_ENV
app_version=$(helm show chart helm/defectdojo/ | grep appVersion)
echo "app_version=${app_version#appVersion: }" >> $GITHUB_ENV
echo "NCA_HELM_RELEASE=helm-${{ env.RELEASE_VERSION }}" >> $GITHUB_ENV
- name: create a release
id: create_release
uses: softprops/action-gh-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: netceteragroup/django-DefectDojo
with:
draft: false
prerelease: false
files: ./build/defectdojo-${{ env.chart_version }}.tgz
name: Release ${{ env.NCA_HELM_RELEASE }}
tag_name: ${{ env.NCA_HELM_RELEASE }}
target_commitish: ${{ github.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
- name: update Helm repository index
run: |
git config --global user.name "${{ env.GIT_USERNAME }}"
git config --global user.email "${{ env.GIT_EMAIL }}"
git remote update
git fetch --all
git stash
git checkout -b "${{ env.NCA_HELM_BRANCH }}" origin/helm-charts
if [ ! -f ./index.yaml ]; then
helm repo index ./build --url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/download/${{ env.NCA_HELM_RELEASE }}/"
else
helm repo index ./build --url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/download/${{ env.NCA_HELM_RELEASE }}/" --merge ./index.yaml
fi
cp -f ./build/index.yaml ./index.yaml
git add ./index.yaml
git commit -m "Update index.yaml"
git push -f -u origin "${{ env.NCA_HELM_BRANCH }}"