-
Notifications
You must be signed in to change notification settings - Fork 0
130 lines (117 loc) · 3.98 KB
/
Copy pathdocker.yml
File metadata and controls
130 lines (117 loc) · 3.98 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
name: Docker Build & Publish
on:
push:
branches: [ main, develop ]
tags: [ 'v*.*.*' ]
pull_request:
branches: [ main ]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build-and-push:
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: read
packages: write
strategy:
matrix:
service: [api, web, worker] # Add services as they are created
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Set environment variables
run: |
echo "REPO_LC=${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
echo "SHORT_SHA=$(git rev-parse --short "$GITHUB_SHA")" >> $GITHUB_ENV
- name: Log in to Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ env.REPO_LC }}/flakeguard-${{ matrix.service }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
type=raw,value=${{ env.SHORT_SHA }}
- name: Check if service exists
id: check-service
run: |
if [ -d "apps/${{ matrix.service }}" ]; then
echo "exists=true" >> $GITHUB_OUTPUT
else
echo "exists=false" >> $GITHUB_OUTPUT
echo "Service ${{ matrix.service }} does not exist, skipping..."
fi
- name: Build and push Docker image
if: steps.check-service.outputs.exists == 'true'
uses: docker/build-push-action@v6
with:
context: .
file: ./apps/${{ matrix.service }}/Dockerfile
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
NODE_VERSION=20
PNPM_VERSION=10.0.0
NPM_TOKEN=${{ secrets.NPM_TOKEN }}
security-scan:
runs-on: ubuntu-latest
timeout-minutes: 15
needs: build-and-push
if: github.event_name != 'pull_request'
strategy:
matrix:
service: [api, web, worker]
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/${{ env.REPO_LC }}/flakeguard-${{ matrix.service }}:sha-${{ github.sha }}'
format: 'sarif'
output: 'trivy-results-${{ matrix.service }}.sarif'
- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results-${{ matrix.service }}.sarif'
deploy-staging:
runs-on: ubuntu-latest
timeout-minutes: 10
needs: [build-and-push, security-scan]
if: github.ref == 'refs/heads/develop' && github.event_name == 'push'
environment: staging
steps:
- name: Deploy to staging
run: |
echo "Deploying to staging environment..."
# Add your staging deployment logic here
# This could be kubectl, docker-compose, or other deployment tools
deploy-production:
runs-on: ubuntu-latest
timeout-minutes: 10
needs: [build-and-push, security-scan]
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
environment: production
steps:
- name: Deploy to production
run: |
echo "Deploying to production environment..."
# Add your production deployment logic here
# This could be kubectl, docker-compose, or other deployment tools