Skip to content

Update guardrail script #3

Update guardrail script

Update guardrail script #3

Workflow file for this run

name: Check,Build,Deploy
on:
push:
branches:
- develop
- test
- staging
- main
permissions:
contents: write
pull-requests: write
packages: write
env:
ENVIRONMENT: ${{ (github.ref_name == 'main' && 'prod-govtool') || (github.ref_name == 'staging' && 'pre-prod-govtool') || (github.ref_name == 'test' && 'qa-govtool') || (github.ref_name == 'develop' && 'dev-govtool') }}
jobs:
check-build-deploy:
environment: ${{ (github.ref_name == 'main' && 'prod-govtool') || (github.ref_name == 'staging' && 'pre-prod-govtool') || (github.ref_name == 'test' && 'qa-govtool') || (github.ref_name == 'develop' && 'dev-govtool') }}
strategy:
matrix:
include:
- workdir: ./govtool/backend
name: govtool-backend
dockerfile: ./govtool/backend/Dockerfile.qovery
image: ghcr.io/${{ github.repository }}-govtool-backend
qovery_container_name: govtool-backend
- workdir: ./govtool/frontend
name: govtool-frontend
dockerfile: ./govtool/frontend/Dockerfile.qovery
image: ghcr.io/${{ github.repository }}-govtool-frontend
qovery_container_name: govtool-frontend
- workdir: ./govtool/metadata-validation
name: govtool-metadata-validation
dockerfile: ./govtool/metadata-validation/Dockerfile
image: ghcr.io/${{ github.repository }}-govtool-metadata-validation
qovery_container_name: govtool-metadata-validation
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set TAG Environment Variable
id: set_tag
run: |
if [ "${{ github.ref_name }}" = "main" ]; then
echo "TAG=${{ github.sha }}" >> $GITHUB_ENV
else
echo "TAG=${{ github.ref_name }}-${{ github.sha }}" >> $GITHUB_ENV
fi
- name: Lint Dockerfile
id: hadolint
uses: hadolint/[email protected]
with:
failure-threshold: error
format: json
dockerfile: ${{ matrix.dockerfile }}
# output-file: hadolint_output.json
- name: Save Hadolint output
id: save_hadolint_output
if: always()
run: cd ${{ matrix.workdir }} && echo "$HADOLINT_RESULTS" | jq '.' > hadolint_output.json
- name: Print Dockerfile lint output
run: |
cd ${{ matrix.workdir }}
echo "-----HADOLINT RESULT-----"
echo "Outcome: ${{ steps.hadolint.outcome }}"
echo "-----DETAILS--------"
cat hadolint_output.json
echo "--------------------"
- name: Code lint
id: code_lint
run: |
cd ${{ matrix.workdir }}
if [ ! -f lint.sh ]; then
echo "lint skipped" | tee code_lint_output.txt
exit 0
fi
set -o pipefail
sudo chmod +x lint.sh && ./lint.sh 2>&1 | tee code_lint_output.txt
- name: Unit tests
id: unit_tests
run: |
cd ${{ matrix.workdir }}
if [ ! -f unit-test.sh ]; then
echo "unit tests skipped" | tee code_lint_output.txt
exit 0
fi
set -o pipefail
sudo chmod +x unit-test.sh && ./unit-test.sh 2>&1 | tee unit_test_output.txt
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- id: image_lowercase
uses: ASzc/change-string-case-action@v6
with:
string: ${{ matrix.image }}
- name: Build Docker image
uses: docker/build-push-action@v5
with:
context: ${{ matrix.workdir }}
file: ${{ matrix.dockerfile }}
tags: ${{ steps.image_lowercase.outputs.lowercase }}:${{ env.TAG }}
load: true
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
build-args: |
VITE_APP_ENV=${{ secrets.VITE_APP_ENV }}
VITE_BASE_URL=${{ secrets.VITE_BASE_URL }}
VITE_METADATA_API_URL=${{ secrets.VITE_METADATA_API_URL }}
VITE_GTM_ID=${{ secrets.VITE_GTM_ID }}
VITE_NETWORK_FLAG=${{ secrets.VITE_NETWORK_FLAG }}
VITE_SENTRY_DSN=${{ secrets.VITE_SENTRY_DSN }}
NPMRC_TOKEN=${{ secrets.NPMRC_TOKEN }}
VITE_USERSNAP_SPACE_API_KEY=${{ secrets.VITE_USERSNAP_SPACE_API_KEY }}
VITE_IS_PROPOSAL_DISCUSSION_FORUM_ENABLED=${{ secrets.VITE_IS_PROPOSAL_DISCUSSION_FORUM_ENABLED }}
VITE_PDF_API_URL=${{ secrets.VITE_PDF_API_URL }}
- name: Login to GHCR
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Scan Docker image with Dockle
id: dockle
run: |
wget https://github.com/goodwithtech/dockle/releases/download/v0.4.14/dockle_0.4.14_Linux-64bit.tar.gz
tar zxvf dockle_0.4.14_Linux-64bit.tar.gz
sudo mv dockle /usr/local/bin
dockle --exit-level fatal --format json --output ${{ matrix.workdir }}/dockle_scan_output.json ${{ steps.image_lowercase.outputs.lowercase }}:${{ env.TAG }}
echo " dockle exited w/ $?"
cat ${{ matrix.workdir }}/dockle_scan_output.json
echo "outcome=success" >> $GITHUB_OUTPUT
- name: Push Docker image to GHCR
run: |
docker push ${{ steps.image_lowercase.outputs.lowercase }}:${{ env.TAG }}
- name: Deploy with Qovery
if: github.ref == 'refs/heads/develop'
env:
QOVERY_CLI_ACCESS_TOKEN: ${{secrets.QOVERY_CLI_ACCESS_TOKEN }}
run: |
echo "Deploying on $ENVIRONMENT"
echo "Organization - ${{ vars.ORGANIZATION }}"
echo "Project - ${{ vars.PROJECT }}"
# Download and install Qovery CLI
curl -s https://get.qovery.com | bash
qovery container list \
--organization ${{ vars.ORGANIZATION }} \
--project ${{ vars.PROJECT }} \
--environment $ENVIRONMENT
qovery container deploy \
--organization ${{ vars.ORGANIZATION }} \
--project ${{ vars.PROJECT }} \
--environment $ENVIRONMENT \
--container ${{ matrix.qovery_container_name }} \
--tag ${{ env.TAG }} \
--watch