Skip to content
Create Key Manager image

Merge remote-tracking branch 'origin/main' into 46-feature-mod-goqu-t… #57

Sign in to view logs

Merge remote-tracking branch 'origin/main' into 46-feature-mod-goqu-t…

Merge remote-tracking branch 'origin/main' into 46-feature-mod-goqu-t… #57

Workflow file for this run

.github/workflows/docker-publish-key-manager.yml at 566f62b
name: Create Key Manager image
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
on:
push:
branches: [ "main" ]
# Publish semver tags as releases.
tags: [ 'v*.*.*' ]
paths:
- 'src/key_management/**'
- 'src/cmd/**'
- 'src/middleware/**'
- 'src/model/**'
- 'src/util/**'
- '.github/workflows/docker-publish-key-manager.yml'
pull_request:
branches: [ "main" ]
paths:
- 'src/key_management/**'
- 'src/cmd/**'
- 'src/middleware/**'
- 'src/model/**'
- 'src/util/**'
- '.github/workflows/docker-publish-key-manager.yml'
env:
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
KEY_MAN_DIR: "src/key_management"
SRC_DIR: "src"
AWS_REGION: us-east-1
ECS_SERVICE: holidays-key-manager-service
ECS_CLUSTER: holidays-cluster
ECS_TASK_DEFINITION: .aws/key_manager_task.json
CONTAINER_NAME: holidays-key-manager
PLATFORM: "linux/amd64,linux/arm64,linux/x86_64"
DOCKER_FILEPATH: "docker/key_management/Dockerfile"
jobs:
analyze:
name: Analyze
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners
# Consider using larger runners for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
strategy:
fail-fast: false
matrix:
language: [ 'go' ]
# CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
# Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
# Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v3
# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
test-key-manager:
needs: analyze
runs-on: ubuntu-latest
services:
postgres:
image: postgres:17
env:
POSTGRES_USER: app
POSTGRES_PASSWORD: password
POSTGRES_DB: unittest
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.23'
cache-dependency-path: |
src/go.sum
- name: Run migration
working-directory: ${{ env.SRC_DIR }}
shell: bash -l {0}
run: |
go mod download
PSQL_HOSTNAME=localhost go run cmd/migration.go
- name: Build
working-directory: ${{ env.KEY_MAN_DIR }}
run: go build -v ./...
- name: Test
working-directory: ${{ env.KEY_MAN_DIR }}
env:
COV_FILE_NAME: coverage.txt
MODE: atomic
run: go test -v ./...
publish-key-manager:
needs: test-key-manager
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@v3 #v3.1.1
with:
cosign-release: 'v2.2.3'
# Set up BuildKit Docker container builder to be able to build
# multi-platform images and export cache
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 # v3.1.0
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5 # v5.0.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-key-manager
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v5
with:
context: .
file: ${{ env.DOCKER_FILEPATH }}
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
platforms: linux/amd64,linux/arm64,linux/x86_64
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign
- name: Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
# deploy:
# permissions:
# id-token: write
# needs: test-key-manager
# name: Deploy to ECR
# runs-on: ubuntu-latest
# environment: production
#
# steps:
# - name: Checkout
# uses: actions/checkout@v4
#
# # Set up BuildKit Docker container builder to be able to build
# # multi-platform images and export cache
# # https://github.com/docker/setup-buildx-action
# - name: Set up Docker Buildx
# uses: docker/setup-buildx-action@v3 # v3.1.0
#
# - name: Configure AWS credentials
# uses: aws-actions/configure-aws-credentials@v4
# with:
# role-to-assume: ${{ secrets.ASSUME_ROLE }}
# aws-region: ${{ env.AWS_REGION }}
#
# - name: Login to Amazon ECR
# id: login-ecr
# uses: aws-actions/amazon-ecr-login@v1
# with:
# mask-password: 'true'
# registry-type: public
#
# # Extract metadata (tags, labels) for Docker
# # https://github.com/docker/metadata-action
# - name: Extract Docker metadata
# id: meta
# uses: docker/metadata-action@v5 # v5.0.0
# with:
# images: ${{ steps.login-ecr.outputs.registry }}/${{ env.IMAGE_NAME }}-key-manager
#
# # Build and push Docker image with Buildx (don't push on PR)
# # https://github.com/docker/build-push-action
# - name: Build and push Docker image
# id: build-and-push
# uses: docker/build-push-action@v5
# with:
# context: .
# file: ${{ env.DOCKER_FILEPATH }}
# push: ${{ github.event_name != 'pull_request' }}
# tags: ${{ steps.meta.outputs.tags }}
# labels: ${{ steps.meta.outputs.labels }}
# cache-from: type=gha
# cache-to: type=gha,mode=max
# platforms: ${{ env.PLATFORM }}
# - name: Fill in the new image ID in the Amazon ECS task definition
# id: task-def
# uses: aws-actions/amazon-ecs-render-task-definition@v1
# with:
# task-definition: ${{ env.ECS_TASK_DEFINITION }}
# container-name: ${{ env.CONTAINER_NAME }}
# image: ${{ steps.build-and-push.outputs.image }}
# - name: Deploy Amazon ECS task definition
# uses: aws-actions/amazon-ecs-deploy-task-definition@v1
# with:
# task-definition: ${{ steps.task-def.outputs.task-definition }}
# service: ${{ env.ECS_SERVICE }}
# cluster: ${{ env.ECS_CLUSTER }}
# wait-for-service-stability: true