we do not need poet here (#2227) #304
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Docker Images | |
| # we want to be able to sort by tag name to find the newest and trace back to source control | |
| # on every commit to main: | |
| # frontend:main-20230223164322-b8becd1-45 | |
| # frontend:main-latest | |
| # we settled on: | |
| # main-2023-02-24_16-16-40 | |
| # because the labels on the docker image itself have the git sha and everything else :) | |
| # on every tag: | |
| # frontend:latest | |
| # | |
| # Example docker image labels: | |
| # "Labels": { | |
| # "description": "Software development platform for building, running, and monitoring executable diagrams", | |
| # "org.opencontainers.image.created": "2023-02-24T16:43:00.844Z", | |
| # "org.opencontainers.image.description": "", | |
| # "org.opencontainers.image.licenses": "LGPL-2.1", | |
| # "org.opencontainers.image.revision": "54064a050fbf9f366648f0f2e2c60ce244fcc421", | |
| # "org.opencontainers.image.source": "https://github.com/sartography/spiff-arena", | |
| # "org.opencontainers.image.title": "spiff-arena", | |
| # "org.opencontainers.image.url": "https://github.com/sartography/spiff-arena", | |
| # "org.opencontainers.image.version": "main-latest", | |
| # "source": "https://github.com/sartography/spiff-arena" | |
| # } | |
| # | |
| # Git tags for an image: | |
| # curl -H "Authorization: Bearer $(echo -n $TOKEN | base64 -w0)" https://ghcr.io/v2/sartography/spiffworkflow-backend/tags/list | jq -r '.tags | sort_by(.)' | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - keycloak-realm-with-groups | |
| - fail-fast-off | |
| tags: [v*] | |
| jobs: | |
| create_docker_images: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - image_name: sartography/spiffworkflow-frontend | |
| context: spiffworkflow-frontend | |
| description: "Frontend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams" | |
| - image_name: sartography/spiffworkflow-backend | |
| context: spiffworkflow-backend | |
| description: "Backend component of SpiffWorkflow, a software development platform for building, running, and monitoring executable diagrams" | |
| - image_name: sartography/connector-proxy-demo | |
| context: connector-proxy-demo | |
| description: "Connector proxy component of SpiffWorkflow, providing integration capabilities for external services" | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ matrix.image_name }} | |
| BRANCH_NAME: ${{ github.head_ref || github.ref_name }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write # Required for uploading Trivy scan results to GitHub Security | |
| steps: | |
| - name: Check out the repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to the Container registry | |
| uses: docker/[email protected] | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Get current date | |
| id: date | |
| run: echo "date=$(date -u +'%Y-%m-%d_%H-%M-%S')" >> "$GITHUB_OUTPUT" | |
| - name: Get short commit sha | |
| id: commit_sha | |
| run: echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/[email protected] | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| labels: | | |
| org.opencontainers.image.description=${{ matrix.description }} | |
| org.opencontainers.image.version=${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }} | |
| tags: | | |
| type=ref,event=branch,branch=main,suffix=-latest | |
| type=ref,event=branch,suffix=-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }} | |
| type=ref,event=tag,enable=true,format={{version}} | |
| type=ref,event=tag,enable=true,format=latest | |
| - name: Write app version info | |
| working-directory: ${{ matrix.context }} | |
| run: echo "$DOCKER_METADATA_OUTPUT_JSON" | jq '.labels' > version_info.json | |
| - name: Generate full image tag | |
| id: full_tag | |
| run: echo "full_tag=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH_NAME }}-${{ steps.date.outputs.date }}-${{ steps.commit_sha.outputs.sha_short }}" >> "$GITHUB_OUTPUT" | |
| - name: Build Docker image | |
| uses: docker/[email protected] | |
| with: | |
| context: ${{ matrix.context }} | |
| push: false # Don't push yet | |
| load: true # Load image to local Docker daemon | |
| tags: ${{ steps.full_tag.outputs.full_tag }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| # While we ultimately push multi-arch images (amd64/arm64) to registries, we don't want to do that before we scan for vulns. | |
| # The Action can only load a single arch image into the local dockerd at a time, so we only build and test one arch here. | |
| # It's pretty likely that any vuln in amd64 is also in arm64, and vice-versa, so the trade-off seems reasonable. | |
| platforms: linux/amd64 | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: "${{ steps.full_tag.outputs.full_tag }}" | |
| scan-type: "image" | |
| hide-progress: false | |
| limit-severities-for-sarif: true | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| severity: "CRITICAL" | |
| exit-code: 1 # Fail the workflow if critical vulnerabilities are found | |
| timeout: 15m0s | |
| ignore-unfixed: true | |
| - name: Check if Trivy results exist | |
| if: always() | |
| # trivy will fail if vulnerabilities are found but we need to upload them anyway | |
| run: | | |
| if [ -f "trivy-results.sarif" ]; then | |
| echo "UPLOAD_TRIVY_RESULTS=true" >> "$GITHUB_ENV" | |
| else | |
| echo "Trivy results file not found. Skipping upload." | |
| echo "UPLOAD_TRIVY_RESULTS=false" >> "$GITHUB_ENV" | |
| fi | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() && env.UPLOAD_TRIVY_RESULTS == 'true' | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| - name: Push Docker image | |
| uses: docker/[email protected] | |
| with: | |
| context: ${{ matrix.context }} | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| platforms: linux/amd64,linux/arm64 | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Adding markdown | |
| run: echo 'TAGS ${{ steps.meta.outputs.tags }}' >> "$GITHUB_STEP_SUMMARY" | |
| quickstart-guide-test: | |
| runs-on: ubuntu-latest | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| needs: [create_docker_images] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Apps | |
| run: ./bin/run_arena_with_docker_compose | |
| - name: wait_for_backend | |
| working-directory: ./spiffworkflow-backend | |
| run: ./bin/wait_for_backend_to_be_up 5 8000 | |
| - name: wait_for_frontend | |
| working-directory: ./spiffworkflow-frontend | |
| run: ./bin/wait_for_frontend_to_be_up 5 8001 | |
| - name: wait_for_connector | |
| working-directory: ./connector-proxy-demo | |
| run: ./bin/wait_for_connector_to_be_up 5 8004 | |
| - name: Cypress run | |
| uses: cypress-io/github-action@v6 | |
| with: | |
| working-directory: ./spiffworkflow-frontend | |
| browser: chromium | |
| # just run one test to make sure we didn't completely break it | |
| spec: cypress/e2e/process_groups.cy.js | |
| env: | |
| # pass GitHub token to allow accurately detecting a build vs a re-run build | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| CYPRESS_SPIFFWORKFLOW_FRONTEND_AUTH_WITH_KEYCLOAK: "false" | |
| CYPRESS_SPIFFWORKFLOW_FRONTEND_USERNAME: "admin" | |
| CYPRESS_SPIFFWORKFLOW_FRONTEND_PASSWORD: "admin" | |
| SPIFFWORKFLOW_FRONTEND_PORT: 8001 |