Implement GHCR container image build pipeline

Signed-off-by: Jeremy Ho <[email protected]>

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+# These users will be the default owners for everything in the repo.
+# Unless a later match takes precedence, the following users will be
+# requested for review when someone opens a pull request.
+* @jujaga @norrisng-bc @TimCsaky @jatindersingh93 @wilwong89 @kyle1morel

.github/actions/build-push-container/action.yaml

@@ -0,0 +1,87 @@
+name: Build & Push Container
+description: Builds a container from a Dockerfile and pushes to registry
+
+inputs:
+  context:
+    description: Effective Working Directory
+    required: true
+    default: "./"
+  image_name:
+    description: Image Name
+    required: true
+  github_username:
+    description: Github Container Registry Username
+    required: true
+  github_token:
+    description: Github Container Registry Authorization Token
+    required: true
+  dockerhub_username:
+    description: Dockerhub Container Registry Username
+    required: false
+  dockerhub_organization:
+    description: Dockerhub Container Registry Organization
+    required: false
+    default: bcgovimages
+  dockerhub_token:
+    description: Dockerhub Container Registry Authorization Token
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Parse Input Values
+      shell: bash
+      run: |
+        echo "GH_USERNAME=$(tr '[:upper:]' '[:lower:]' <<< '${{ inputs.github_username }}')" >> $GITHUB_ENV
+        echo "HAS_DOCKERHUB=${{ fromJson(inputs.dockerhub_username != '' && inputs.dockerhub_token != '') }}" >> $GITHUB_ENV
+
+    - name: Login to Github Container Registry
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ env.GH_USERNAME }}
+        password: ${{ inputs.github_token }}
+
+    - name: Login to Dockerhub Container Registry
+      if: env.HAS_DOCKERHUB == 'true'
+      uses: docker/login-action@v2
+      with:
+        registry: docker.io
+        username: ${{ inputs.dockerhub_username }}
+        password: ${{ inputs.dockerhub_token }}
+
+    - name: Prepare Container Metadata tags
+      id: meta
+      uses: docker/metadata-action@v4
+      with:
+        images: |
+          ghcr.io/${{ env.GH_USERNAME }}/${{ inputs.image_name }}
+          docker.io/${{ inputs.dockerhub_organization }}/${{ inputs.image_name }},enable=${{ env.HAS_DOCKERHUB }}
+        # Always updates the 'latest' tag
+        flavor: |
+          latest=true
+        # Creates tags based off of branch names and semver tags
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{major}}
+          type=sha
+
+    - name: Build and Push to Container Registry
+      id: builder
+      uses: docker/build-push-action@v3
+      with:
+        context: ${{ inputs.context }}
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+
+    - name: Inspect Docker Image
+      shell: bash
+      run: |
+        docker image inspect ghcr.io/${{ env.GH_USERNAME }}/${{ inputs.image_name }}:latest

.github/actions/deploy-to-environment/action.yaml

@@ -0,0 +1,59 @@
+name: Deploy to Environment
+description: Deploys an image to the defined environment
+inputs:
+  app_name:
+    description: Application general Name
+    required: true
+  acronym:
+    description: Application acronym
+    required: true
+  environment:
+    description: Logical Github Environment
+    required: true
+  job_name:
+    description: Job/Instance name
+    required: true
+  namespace_prefix:
+    description: Openshift Namespace common prefix
+    required: true
+  namespace_environment:
+    description: Openshift Namespace environment suffix
+    required: true
+  openshift_server:
+    description: Openshift API Endpoint
+    required: true
+  openshift_token:
+    description: Openshift Service Account Token
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Login to OpenShift Cluster
+      uses: redhat-actions/oc-login@v1
+      with:
+        openshift_server_url: ${{ inputs.openshift_server }}
+        openshift_token: ${{ inputs.openshift_token }}
+        insecure_skip_tls_verify: true
+        namespace: ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }}
+
+    - name: Helm Deploy
+      shell: bash
+      run: >-
+        helm upgrade --install --atomic ${{ inputs.job_name }} ${{ inputs.app_name }}
+        --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }}
+        --repo https://bcgov.github.io/common-object-management-service
+        --values ./.github/environments/values.${{ inputs.environment }}.yaml
+        --set image.repository=ghcr.io/${{ github.repository_owner }}
+        --set image.tag=sha-$(git rev-parse --short HEAD)
+        --set route.host=${{ inputs.acronym }}-${{ inputs.namespace_environment }}-${{ inputs.job_name }}.apps.silver.devops.gov.bc.ca
+        --timeout 10m
+        --wait
+
+    - name: Wait on Deployment
+      shell: bash
+      run: |
+        oc rollout --namespace ${{ inputs.namespace_prefix }}-${{ inputs.namespace_environment }} status dc/${{ inputs.app_name }}-${{ inputs.job_name }} --watch=true

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,74 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+---
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches:
+      - master
+  schedule:
+    - cron: "38 6 * * 5"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - javascript
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
+
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
+
+      #- run: |
+      #   make bootstrap
+      #   make release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/on-pr-opened.yaml

@@ -0,0 +1,36 @@
+name: Pull Request Opened
+
+env:
+  ACRONYM: ches
+  APP_NAME: common-hosted-email-service
+  NAMESPACE_PREFIX: b160aa
+
+on:
+  pull_request:
+    branches:
+      - master
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build & Push
+    if: "! github.event.pull_request.head.repo.fork"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Build & Push
+        uses: ./.github/actions/build-push-container
+        with:
+          context: .
+          image_name: ${{ env.APP_NAME }}
+          github_username: ${{ github.repository_owner }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/on-push.yaml

@@ -0,0 +1,35 @@
+name: Push
+
+env:
+  ACRONYM: ches
+  APP_NAME: common-hosted-email-service
+  NAMESPACE_PREFIX: b160aa
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - v*.*.*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build & Push
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Build & Push
+        uses: ./.github/actions/build-push-container
+        with:
+          context: .
+          image_name: ${{ env.APP_NAME }}
+          github_username: ${{ github.repository_owner }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}