Frontend CICD #23
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| name: Dev frontend workflow | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - 'dev/frontend@**' | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| trigger-frontend-ci: | ||
| uses: ./.github/workflows/frontend-ci.yml | ||
|
|
||
| # cd part use watchtower to update the container will be changed to a more clever way once we scale up our services |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| name: Build and upload docker image of frontend to GHCR | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| workflow_call: | ||
|
|
||
|
|
||
|
|
||
| # Configures this workflow to run every time a change is pushed to the branch called `release`. | ||
|
|
||
| # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. | ||
| env: | ||
| REGISTRY: ghcr.io | ||
| IMAGE_NAME: ${{ github.repository_owner }}/pastexam/frontend | ||
|
|
||
| # There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. | ||
| jobs: | ||
| build-and-push-image: | ||
| runs-on: ubuntu-latest | ||
| # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| attestations: write | ||
| id-token: write | ||
| # | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| - name: Log in to the Container registry | ||
| uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 | ||
| with: | ||
| registry: ${{ env.REGISTRY }} | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. | ||
| - name: Extract metadata (tags, labels) for Docker | ||
| id: meta | ||
| uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 | ||
| with: | ||
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | ||
| tags: | | ||
| type=raw,value=latest | ||
| type=ref,event=branch | ||
| type=ref,event=tag | ||
| # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. | ||
| # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. | ||
| # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. | ||
| - name: Build and push Docker image | ||
| id: push | ||
| uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 | ||
| with: | ||
| context: ./frontend | ||
| push: true | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
|
Comment on lines
+49
to
+56
There was a problem hiding this comment. 🛠️ Refactor suggestion Add security scanning and build optimization Consider adding:
Example enhancement: steps:
- name: Build and push Docker image
uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
with:
context: ./frontend
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH' |
||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| services: | ||
| watchtower: | ||
| image: containrrr/watchtower | ||
| volumes: | ||
| - /var/run/docker.sock:/var/run/docker.sock | ||
|
Comment on lines
+4
to
+5
There was a problem hiding this comment. Security concern: Docker socket mounting creates a potential security risk Mounting the Docker socket gives the container root-equivalent access to the host. Consider:
Example socket proxy configuration: services:
socket-proxy:
image: tecnativa/docker-socket-proxy
privileged: false
environment:
- CONTAINERS=1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
watchtower:
image: containrrr/watchtower
environment:
- DOCKER_HOST=tcp://socket-proxy:2375
depends_on:
- socket-proxy |
||
| command: | ||
| --interval 10 --cleanup | ||
|
Comment on lines
+6
to
+7
There was a problem hiding this comment. Performance concern: 10-second update interval is too aggressive Such a short interval could:
Consider increasing the interval to at least 5 minutes (300 seconds). 🧰 Tools🪛 yamllint (1.35.1)[error] 6-6: trailing spaces (trailing-spaces) |
||
| restart: always | ||
|
Comment on lines
+1
to
+8
There was a problem hiding this comment. 🛠️ Refactor suggestion Add container filters and authentication configuration Current configuration will update all containers. Consider:
Example enhanced configuration: services:
watchtower:
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- WATCHTOWER_POLL_INTERVAL=300
- WATCHTOWER_LABEL_ENABLE=true
- WATCHTOWER_CLEANUP=true
- REGISTRY_USERNAME=${GHCR_USERNAME}
- REGISTRY_PASSWORD=${GHCR_TOKEN}
command: --label-enable
deploy:
resources:
limits:
memory: 256M
reservations:
memory: 128M
restart: always🧰 Tools🪛 yamllint (1.35.1)[error] 6-6: trailing spaces (trailing-spaces) |
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🛠️ Refactor suggestion
Use GITHUB_TOKEN with minimum required permissions
The workflow uses GITHUB_TOKEN with broad permissions. Consider:
[security]
Example configuration: