Skip to content

sep moving fields onkeydown refactor #19653

sep moving fields onkeydown refactor

sep moving fields onkeydown refactor #19653

name: Build Image and Deploy
on:
workflow_dispatch:
push:
branches:
- 'trunk'
- 'epic_188588775_csp_enabled'
pull_request:
branches:
- 'trunk'
- 'epic_188588775_csp_enabled'
concurrency:
group: docker-${{ github.ref }}
cancel-in-progress: true
env:
RABBITMQ_DEFAULT_USER: 'guest'
RABBITMQ_DEFAULT_PASS: 'guest'
SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
jobs:
prep:
if: github.repository_owner == 'ideacrew' && ((github.event_name == 'push') || (github.event_name == 'workflow_dispatch') || (github.event.pull_request.head.repo.owner.login == 'ideacrew'))
runs-on: ubuntu-latest
outputs:
taggedImage: ${{ steps.prep.outputs.tagged_image }}
shortSha: ${{ steps.prep.outputs.short_sha}}
branchName: ${{ steps.prep.outputs.branch_name }}
latestTag: ${{ steps.prep.outputs.latest_tag }}
repositoryName: ${{ steps.prep.outputs.repository_name }}
registryEcr: ${{ steps.prep.outputs.registry_ecr }}
registryGhcr: ${{ steps.prep.outputs.registry_ghcr }}
steps:
- name: Git branch name
id: git-branch-name
uses: EthanSK/git-branch-name-action@v1
- name: Prepare info
id: prep
run: |
SHORT_SHA=$(echo $GITHUB_SHA | head -c7)
REPO=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')
TAG=${{ env.GIT_BRANCH_NAME }}-$(echo $GITHUB_SHA | head -c7)
IMAGE=ideacrew/$REPO
echo "tagged_image=${IMAGE}:${TAG}" >> $GITHUB_OUTPUT
echo "short_sha=$SHORT_SHA" >> $GITHUB_OUTPUT
echo "branch_name=${{ env.GIT_BRANCH_NAME }}" >> $GITHUB_OUTPUT
echo "repository_name=$REPO" >> $GITHUB_OUTPUT
echo "latest_tag=${IMAGE}:latest" >> $GITHUB_OUTPUT
echo "registry_ecr=public.ecr.aws" >> $GITHUB_OUTPUT
echo "registry_ghcr=ghcr.io" >> $GITHUB_OUTPUT
# Uses buildx to build and push the image
build-and-upload-image:
if: github.repository_owner == 'ideacrew' && ((github.event_name == 'push') || (github.event_name == 'workflow_dispatch') || (github.event.pull_request.head.repo.owner.login == 'ideacrew'))
needs: [prep]
strategy:
matrix:
client: ['dc', 'me']
runs-on: ubuntu-latest
services:
rabbitmq:
image: rabbitmq:latest
ports:
- 5672:5672
- 15672:15672
options: >-
--name "rabbitmq"
--health-cmd "rabbitmqctl node_health_check"
--health-interval 10s
--health-timeout 5s
--health-retries 5
mongo:
image: mongo:4.2
ports:
- 27017:27017
options: >-
--name "mongo"
--health-cmd mongo
--health-interval 10s
--health-timeout 5s
--health-retries 5
redis:
image: redis:3.2-alpine
ports:
- 6379
options: >-
--name "redis"
--health-cmd "redis-cli ping"
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
- uses: actions/checkout@v3
- name: Add git HEAD info to docker image
run: |
git show --quiet HEAD > release.txt
echo -e "current branch: $(git rev-parse --abbrev-ref HEAD)\n\n$(git show --quiet HEAD)" > public/release.txt
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
install: true
version: v0.9.1
- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
# Key is named differently to avoid collision
key: ${{ runner.os }}-multi-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-multi-buildx
# Add vhosts to RabbitMQ
- run: |
docker exec rabbitmq rabbitmqctl add_vhost /
docker exec rabbitmq rabbitmqctl add_vhost event_source
docker exec rabbitmq rabbitmqctl set_permissions -p event_source guest ".*" ".*" ".*"
# Provide credentials for AWS
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
# Must use docker login in order to specify public registry
- name: Login to Public ECR
uses: docker/login-action@v2
with:
registry: ${{ needs.prep.outputs.registryEcr }}
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Login to GHCR
uses: docker/login-action@v2
with:
registry: ${{ needs.prep.outputs.registryGhcr }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Image
uses: docker/build-push-action@v3
with:
context: .
builder: ${{ steps.buildx.outputs.name }}
file: .docker/production/Dockerfile.gha
# Set the desired build target here
target: deploy
# needed to access mongo and rabbit on GHA machine
network: host
# send to public registry if not a pull request
push: ${{ github.event_name != 'pull_request' }}
# create local image (for scanning) if it is a pull request
load: ${{ github.event_name == 'pull_request' }}
tags: |
${{ format('{0}/{1}-{2}', needs.prep.outputs.registryEcr, needs.prep.outputs.taggedImage, matrix.client) }}
${{ format('{0}/{1}-{2}', needs.prep.outputs.registryEcr, needs.prep.outputs.latestTag, matrix.client) }}
${{ format('{0}/{1}-{2}', needs.prep.outputs.registryGhcr, needs.prep.outputs.taggedImage, matrix.client) }}
${{ format('{0}/{1}-{2}', needs.prep.outputs.registryGhcr, needs.prep.outputs.latestTag, matrix.client) }}
cache-from: type=local,src=/tmp/.buildx-cache
# Note the mode=max here
# More: https://github.com/moby/buildkit#--export-cache-options
# And: https://github.com/docker/buildx#--cache-tonametypetypekeyvalue
cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new
build-args: |
HOSTNAME=172.17.0.1
CLIENT=${{ matrix.client }}
- name: Setup sysdig cache
uses: actions/cache@v3
with:
path: cache
key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }}
restore-keys: ${{ runner.os }}-cache-
- name: Scan Docker image
if: github.event_name != 'pull_request'
id: scan
uses: anchore/scan-action@v3
with:
image: ${{ format('{0}/{1}-{2}', needs.prep.outputs.registryEcr, needs.prep.outputs.taggedImage, matrix.client) }}
acs-report-enable: true
fail-build: false
severity-cutoff: critical
- name: Download sysdig scanner if needed and scan the image
env:
SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
run: |
curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
mkdir -p "${GITHUB_WORKSPACE}/cache/db/"
if [ ! -f "${GITHUB_WORKSPACE}/cache/latest_version.txt" ] || [ "$(cat ./latest_version.txt)" != "$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)" ]; then
cp ./latest_version.txt "${GITHUB_WORKSPACE}/cache/latest_version.txt"
curl -sL -o "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner" "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
chmod +x "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner"
else
echo "Latest version of sysdig cli scanner is already downloaded"
fi
${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
--apiurl "${SYSDIG_SECURE_ENDPOINT}" \
${{ format('{0}/{1}-{2}', needs.prep.outputs.registryGhcr, needs.prep.outputs.taggedImage, matrix.client) }} \
--console-log \
--dbpath="${GITHUB_WORKSPACE}/cache/db/" \
--cachepath="${GITHUB_WORKSPACE}/cache/scanner-cache/"
- name: upload Anchore scan SARIF report
if: github.event_name != 'pull_request'
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
new-image-notification:
if: github.repository_owner == 'ideacrew' && github.event_name != 'pull_request'
needs: [prep, build-and-upload-image]
runs-on: ubuntu-latest
steps:
- name: Git Commit Data w/ Message
uses: jcputney/[email protected]
- name: Post to a Slack channel
id: ic-slack
uses: slackapi/slack-github-action@v1
with:
channel-id: 'docker-images-${{ needs.prep.outputs.repositoryName }}'
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "New image built from <https://github.com/ideacrew/${{ needs.prep.outputs.repositoryName }}/commit/${{ needs.prep.outputs.shortSha }}|${{ needs.prep.outputs.shortSha }}> on `${{ needs.prep.outputs.branchName }}`"
}
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.YELLR_BOT_TOKEN }}
notify-slack:
if: github.repository_owner == 'ideacrew' && github.event_name != 'pull_request'
needs: [new-image-notification, prep, build-and-upload-image]
runs-on: ubuntu-latest
strategy:
matrix:
client: ['dc', 'me']
registry: ['public.ecr.aws', 'ghcr.io']
steps:
- run: |
MATRIX_CLIENT=$(echo ${{ matrix.client }} | tr '[:lower:]' '[:upper:]')
echo "CLIENT=${MATRIX_CLIENT}" >> ${GITHUB_ENV}
- name: Post to a Slack channel
id: dc-slack
uses: slackapi/slack-github-action@v1
with:
channel-id: 'docker-images-${{ needs.prep.outputs.repositoryName }}'
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*${{ format('{0} {1} image*:\n`{2}/{3}-{4}`', env.CLIENT, matrix.registry, matrix.registry, needs.prep.outputs.taggedImage, matrix.client) }}"
}
},
{
"type": "divider"
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.YELLR_BOT_TOKEN }}
- name: Post to DC slack
# Only run if matrix client is DC
if: matrix.client == 'dc-pause'
id: slack
uses: slackapi/slack-github-action@v1
with:
channel-id: 'docker-images-${{ needs.prep.outputs.repositoryName }}'
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*${{ format('{0} {1} image*:\n`{2}/{3}-{4}`', env.CLIENT, matrix.registry, matrix.registry, needs.prep.outputs.taggedImage, matrix.client) }}"
}
},
{
"type": "divider"
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.DC_DEPLOY_SLACK_BOT_TOKEN }}