-
Notifications
You must be signed in to change notification settings - Fork 45
100 lines (91 loc) · 2.84 KB
/
deploy-CANARY.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
---
#
# Documentation:
# https://help.github.com/en/articles/workflow-syntax-for-github-actions
#
#######################################
# Start the job on all push to master #
#######################################
name: "Build & Deploy - CANARY"
on:
push:
branches:
- "canary"
###############
# Set the Job #
###############
jobs:
deploy:
name: Deploy canary
runs-on: ubuntu-latest
permissions: read-all
environment:
name: canary
steps:
- uses: actions/checkout@v4
# Setup .npmrc file to publish to npm
- uses: actions/setup-node@v4
with:
node-version: 20
registry-url: "https://registry.npmjs.org"
always-auth: true
# Defaults to the user or organization that owns the workflow file
scope: "hardisgroupcom"
- run: yarn install --frozen-lockfile
- run: yarn config set version-git-tag false && tsc -b
- run: CANARYID=$(date '+%Y%m%d%H%M') && yarn version --prepatch --preid="canary$CANARYID"
- run: yarn config set network-timeout 300000 && yarn publish --tag canary
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
push_canary_to_registry:
name: Push canary Docker image to Docker Hub
needs: deploy
runs-on: ubuntu-latest
permissions:
packages: write
environment:
name: canary
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build & Push Docker Image (Canary)
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile
platforms: linux/amd64
build-args: |
SFDX_HARDIS_VERSION=canary
SFDX_CLI_VERSION=latest
load: false
push: true
secrets: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
tags: |
docker.io/hardisgroupcom/sfdx-hardis:canary
ghcr.io/hardisgroupcom/sfdx-hardis:canary
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/hardisgroupcom/sfdx-hardis:canary"
format: "table"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
security-checks: vuln
severity: "CRITICAL,HIGH"