fix: move AMPLS from Audit to Hub subscription (#535) #601
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Image CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_call: | |
| inputs: | |
| environment_tag: | |
| description: "Environment of the deployement" | |
| required: true | |
| type: string | |
| jobs: | |
| get-functions: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| outputs: | |
| FUNC_NAMES: ${{steps.get-function-names.outputs.FUNC_NAMES}} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| submodules: 'true' | |
| - uses: tj-actions/changed-files@v44 | |
| id: changed-files | |
| with: | |
| path: application/CohortManager/src/Functions | |
| dir_names: "true" | |
| - name: Get docker compose function name(s) | |
| id: get-function-names | |
| env: | |
| CHANGED_FOLDERS: ${{steps.changed-files.outputs.all_changed_files}} | |
| run: | | |
| bash ./scripts/deployment/get-docker-names.sh | |
| - name: Print function names | |
| run: | | |
| echo "The branch is: " ${{ github.ref }} | |
| echo "FUNC_NAMES before setting output: ${{steps.get-function-names.outputs.FUNC_NAMES}}" | |
| echo "FUNC_NAMES=$FUNC_NAMES" >> $GITHUB_OUTPUT | |
| build-and-push: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| needs: get-functions | |
| strategy: | |
| matrix: | |
| function: ${{ fromJSON(needs.get-functions.outputs.FUNC_NAMES) }} | |
| if: needs.get-functions.outputs.FUNC_NAMES != '["null"]' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: 'true' | |
| fetch-depth: 0 | |
| - name: Az CLI login | |
| if: github.ref == 'refs/heads/main' | |
| uses: azure/login@v1 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Azure Container Registry login | |
| if: github.ref == 'refs/heads/main' | |
| run: az acr login --name ${{ secrets.ACR_NAME }} | |
| - name: Create Tags | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| continue-on-error: true | |
| run: | | |
| echo "GITHUB_REF: $GITHUB_REF" | |
| echo "The branch is: ${{ github.ref }}" | |
| if [[ "$GITHUB_REF" == refs/pull/*/merge ]]; then | |
| PR_NUM_TAG=$(echo "$GITHUB_REF" | sed 's/refs\/pull\/\([0-9]*\)\/merge/\1/') | |
| else | |
| PULLS_JSON=$(gh api /repos/{owner}/{repo}/commits/${GITHUB_SHA}/pulls) | |
| ORIGINATING_BRANCH=$(echo ${PULLS_JSON} | jq -r '.[].head.ref' | python3 -c "import sys, urllib.parse; print(urllib.parse.quote_plus(sys.stdin.read().strip()))") | |
| echo "ORIGINATING_BRANCH: $ORIGINATING_BRANCH" | |
| PR_NUM_TAG=$(echo ${PULLS_JSON} | jq -r '.[].number') | |
| fi | |
| echo "PR_NUM_TAG: pr$PR_NUM_TAG" | |
| echo "PR_NUM_TAG=pr$PR_NUM_TAG" >> $GITHUB_ENV | |
| SHORT_COMMIT_HASH=$(git rev-parse --short $GITHUB_SHA) | |
| echo "Commit hash tag: $SHORT_COMMIT_HASH" | |
| echo "COMMIT_HASH_TAG=$SHORT_COMMIT_HASH" >> $GITHUB_ENV | |
| echo "ENVIRONMENT_TAG=development" >> $GITHUB_ENV | |
| - name: Build and Push Image | |
| working-directory: ./application/CohortManager | |
| run: | | |
| function=${{ matrix.function }} | |
| # Build the image | |
| docker compose build $function | |
| repo_name="${{ secrets.ACR_NAME }}.azurecr.io/cohort-manager-$function" | |
| # Tag the image | |
| docker tag cohort-manager-$function:latest "$repo_name:$COMMIT_HASH_TAG" | |
| docker tag cohort-manager-$function:latest "$repo_name:$PR_NUM_TAG" | |
| docker tag cohort-manager-$function:latest "$repo_name:$ENVIRONMENT_TAG" | |
| export CHECK_DOCKER_IMAGE=cohort-manager-$function:latest # If this is set it will scan this docker image instead. | |
| export FORCE_USE_DOCKER=true | |
| export PR_NUM_TAG=$PR_NUM_TAG | |
| echo "PR_NUM_TAG=$PR_NUM_TAG" >> $GITHUB_ENV | |
| export SBOM_REPOSITORY_REPORT="sbom-${function}-repository-report" | |
| echo "SBOM_REPOSITORY_REPORT=$SBOM_REPOSITORY_REPORT" >> $GITHUB_ENV | |
| ../../scripts/reports/create-sbom-report.sh | |
| export VULNERABILITIES_REPOSITORY_REPORT="vulnerabilities-${function}-repository-report" | |
| echo "VULNERABILITIES_REPOSITORY_REPORT=$VULNERABILITIES_REPOSITORY_REPORT" >> $GITHUB_ENV | |
| ../../scripts/reports/scan-vulnerabilities.sh | |
| # Push the image to the repository | |
| if [ "$GITHUB_REF" == 'refs/heads/main' ]; then | |
| docker push "$repo_name:$COMMIT_HASH_TAG" | |
| if [ "$PR_NUM_TAG" != 'pr' ]; then | |
| docker push "$repo_name:$PR_NUM_TAG" | |
| fi | |
| docker push "$repo_name:$ENVIRONMENT_TAG" | |
| fi | |
| # Remove the image | |
| docker rmi "$repo_name:$COMMIT_HASH_TAG" | |
| docker rmi "$repo_name:$PR_NUM_TAG" | |
| docker rmi "$repo_name:$ENVIRONMENT_TAG" | |
| docker rmi cohort-manager-$function:latest | |
| - name: "Compress SBOM report" | |
| shell: bash | |
| run: | | |
| echo SBOM_REPOSITORY_REPORT: $SBOM_REPOSITORY_REPORT | |
| zip "$SBOM_REPOSITORY_REPORT.json.zip" "$SBOM_REPOSITORY_REPORT.json" | |
| - name: "Upload SBOM report as an artefact" | |
| if: ${{ !env.ACT }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.SBOM_REPOSITORY_REPORT }}.json.zip | |
| path: ./${{ env.SBOM_REPOSITORY_REPORT }}.json.zip | |
| retention-days: 21 | |
| - name: "Compress vulnerabilities report" | |
| shell: bash | |
| run: | | |
| echo VULNERABILITIES_REPOSITORY_REPORT: $VULNERABILITIES_REPOSITORY_REPORT | |
| zip $VULNERABILITIES_REPOSITORY_REPORT.json.zip $VULNERABILITIES_REPOSITORY_REPORT.json | |
| - name: "Upload vulnerabilities report as an artefact" | |
| if: ${{ !env.ACT }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip | |
| path: ./${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip | |
| retention-days: 21 | |
| outputs: | |
| pr_num_tag: ${{ env.PR_NUM_TAG }} | |
| aggregate-json: | |
| runs-on: ubuntu-latest | |
| needs: build-and-push | |
| steps: | |
| - name: Download SBOM JSON artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: ./downloaded-artifacts | |
| - name: Combine sbom report JSON files | |
| run: | | |
| zip sbom-repository-report-${{needs.build-and-push.outputs.PR_NUM_TAG}}.zip downloaded-artifacts/**/sbom*.json.zip | |
| - name: Combine vulnerabilities report JSON files | |
| run: | | |
| zip vulnerabilities-repository-report-${{needs.build-and-push.outputs.PR_NUM_TAG}}.zip downloaded-artifacts/**/vulnerabilities*.json.zip | |
| - name: Upload sbom zip file | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: aggregated-sbom-repository-report-${{needs.build-and-push.outputs.PR_NUM_TAG}}.zip | |
| path: sbom-repository-report-${{needs.build-and-push.outputs.PR_NUM_TAG}}.zip | |
| - name: Upload repository zip file | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: aggregated-vulnerabilities-repository-report-${{needs.build-and-push.outputs.PR_NUM_TAG}}.zip | |
| path: vulnerabilities-repository-report-${{needs.build-and-push.outputs.PR_NUM_TAG}}.zip |