From f3d46e0fad4d3cbef3f95cf052bf7712130f18fe Mon Sep 17 00:00:00 2001
From: "michael.rabellino"
Date: Wed, 26 Jun 2024 11:56:25 -0600
Subject: [PATCH] adding GHA and docker build for mock ims_service.py
---
 .github/workflows/build-package-mock-ims.yml | 103 +++++++++++++++++++
 docker/mockims/dev/Dockerfile | 24 +++++
 docker/mockims/local/Dockerfile | 23 +++++
 3 files changed, 150 insertions(+)
 create mode 100644 .github/workflows/build-package-mock-ims.yml
 create mode 100644 docker/mockims/dev/Dockerfile
 create mode 100644 docker/mockims/local/Dockerfile
diff --git a/.github/workflows/build-package-mock-ims.yml b/.github/workflows/build-package-mock-ims.yml
new file mode 100644
index 0000000..24fa783
--- /dev/null
+++ b/.github/workflows/build-package-mock-ims.yml
@@ -0,0 +1,103 @@
+name: Build and Package the Mock IMS Service to Dev Registry
+on:
+ push:
+ branches: [ main ]
+env:
+ DEV_REGISTRY: ghcr.io/noaa-gsl/idss/service/ims-gateway
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: true
+ matrix:
+ app:
+ - mockims
+ steps:
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{secrets.GITHUB_TOKEN}}
+
+ - name: pull
+ run: |
+ docker pull ghcr.io/noaa-gsl/idss/commons/python/python-base:main
+
+ - name: Checkout Code
+ uses: actions/checkout@v2
+
+ - name: Set ENV Variables
+ shell: bash
+ run: |
+ DATE=$(git show -s --format=%cd --date=format:'%Y-%m-%d.%H:%M:%S.%z' ${{ github.sha }})
+ if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
+ # PR build
+ echo "BRANCH=${GITHUB_HEAD_REF}" >> $GITHUB_ENV
+ echo "VERSION=dev-${{ github.sha }}-$DATE" >> $GITHUB_ENV
+ elif [[ "${GITHUB_EVENT_NAME}" == "push" ]]; then
+ # Handle differences between branches/tags
+ if [[ "${GITHUB_REF}" == *"heads"* ]]; then
+ # Branch build
+ echo "BRANCH=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
+ echo "VERSION=dev-${{ github.sha }}-$DATE" >> $GITHUB_ENV
+ elif [[ "${GITHUB_REF}" == *"tags"* ]]; then
+ # Tag build
+ echo "BRANCH=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+ echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+ else
+ echo "ERROR: Unanticipated Git Ref"
+ exit 1
+ fi
+ else
+ echo "ERROR: Unanticipated GitHub Event"
+ exit 1
+ fi
+
+ - name: Create App Names
+ env:
+ APP: '${{matrix.app}}'
+ run: |
+ echo "APP_LOWERCASE=${APP,,}" >> $GITHUB_ENV
+
+ - name: Build Image
+ run: |
+ docker build \
+ --build-arg APPNAME=${{matrix.app}} \
+ --build-arg BUILDVER="${{env.VERSION}}" \
+ --build-arg COMMITBRANCH=${{env.BRANCH}} \
+ --build-arg COMMITSHA=${{github.sha}} \
+ -t ${{env.DEV_REGISTRY}}/${{env.APP_LOWERCASE}}:${{env.BRANCH}} \
+ -f ./docker/mockims/dev/Dockerfile .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: '${{env.DEV_REGISTRY}}/${{env.APP_LOWERCASE}}:${{env.BRANCH}}'
+ format: 'table'
+ #exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ # this requires public repo / additional config
+ #format: 'sarif'
+ #output: 'trivy-results.sarif'
+
+ # GSL isn't paying for this support with private repositories
+# - name: Upload Trivy scan results to GitHub Security tab
+# uses: github/codeql-action/upload-sarif@v2
+# with:
+# sarif_file: 'trivy-results.sarif'
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{secrets.GITHUB_TOKEN}}
+
+ - name: Push Image to Dev Registry
+ run: |
+ docker push ${{env.DEV_REGISTRY}}/${{env.APP_LOWERCASE}}:${{env.BRANCH}}
\ No newline at end of file
diff --git a/docker/mockims/dev/Dockerfile b/docker/mockims/dev/Dockerfile
new file mode 100644
index 0000000..0cee141
--- /dev/null
+++ b/docker/mockims/dev/Dockerfile
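Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` handed to the docker/login-action steps carries the repository's default token scope rather than the minimum the push step needs; add a top-level `permissions:` with `contents: read` and `packages: write` so the token can do nothing beyond checking out and pushing the package. The scan step references `aquasecurity/trivy-action@master`, a floating branch, and `docker/login-action@v1` / `actions/checkout@v2` are superseded majors — pinning each action to a full commit SHA (or at least a release tag) keeps a third-party change from silently altering what runs with that token. Because `exit-code: '1'` is commented out, the Trivy step is advisory only and the image is pushed regardless of CRITICAL/HIGH findings; if that is intended, a comment saying so would help, otherwise restore it ahead of the push step. The `Login to GitHub Container Registry` step appears twice with identical contents; the first login persists for the job, so the second copy can be dropped.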
@@ -0,0 +1,24 @@
+# IMS Gateway Request Service using python commons base image
+FROM ghcr.io/noaa-gsl/idss/commons/python/python-base:main
+
+ARG maintainer
+LABEL maintainer ${maintainer}
+
+# Install additional dependencies
+#RUN conda config --add channels conda-forge && \
+# conda install -y flask=2.3.2
+
+WORKDIR /python/ims_service
+
+# Copy source files
+COPY ./python/idsse_testing/ims_service/src/ims_service.py /python/ims_service/
+
+# (TEMPORARY) Copy canned criteria files. To be removed when integration with IMS API exists
+COPY ./python/idsse_testing/ims_service/profiles/*.json /python/profiles/
+
+# The volume mapping here is kind of strange for k8s deployment, because if we map an empty volume to /criteria
+# then the temp copy of json above will get blown away by the volume mapping...just omit it for k8s deployment
+# for now.
+#VOLUME /python/profiles
+
+ENTRYPOINT [ "python3", "/python/ims_service/ims_service.py" ]
diff --git a/docker/mockims/local/Dockerfile b/docker/mockims/local/Dockerfile
new file mode 100644
index 0000000..13f71e5
--- /dev/null
+++ b/docker/mockims/local/Dockerfile
@@ -0,0 +1,23 @@
+# IMS Gateway Request Service using python sci base image
+# sci is required because the use of shapely
+FROM idss.engine.commons.python-base:local
+
+ARG maintainer
+LABEL maintainer ${maintainer}
+
+# Install additional dependencies
+#RUN conda config --add channels conda-forge && \
+# conda install -y =<1.0.0>
+
+WORKDIR /python/ims_service
+
+# Copy source files
+COPY ./python/idsse_testing/ims_service/src/ims_service.py /python/ims_service/
+
+# (TEMPORARY) Copy canned criteria files. To be removed when integration with IMS API exists
+COPY ./python/idss_testing/ims_service/profiles/*.json /python/profiles/
+
+# If you need to have a local mount, otherwise service will use version controlled jsons
+#VOLUME /python/profiles
+
+ENTRYPOINT [ "python3", "/python/ims_service/ims_service.py" ]
\ No newline at end of file
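Review bot: The build args the workflow passes (`APPNAME`, `BUILDVER`, `COMMITBRANCH`, `COMMITSHA`) are never declared with `ARG` in this Dockerfile, while the one declared `ARG maintainer` is never supplied by the workflow's `docker build` call, so the version/commit metadata never lands in the image and the maintainer label is empty. Either declare the four args and surface them, e.g. `ARG BUILDVER` followed by `LABEL version="${BUILDVER}"`, or drop them from the build command. `FROM ...python-base:main` is a mutable tag, so rebuilds are not reproducible and base-image changes flow in unreviewed; pinning by digest (`python-base:main@sha256:<base-image-digest>`) is the usual mitigation. There is no `USER` instruction, so unless the base image sets one the service runs as root — worth confirming against that base image.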
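Review bot: The profiles `COPY` uses `./python/idss_testing/...` while the source `COPY` directly above and the dev Dockerfile use `./python/idsse_testing/...`; unless both directories exist, the glob matches nothing and the build fails at that step. The line should read `COPY ./python/idsse_testing/ims_service/profiles/*.json /python/profiles/`. The header comment says a `sci` base image is required for shapely, but the `FROM` line uses `idss.engine.commons.python-base:local`; one of the two should be corrected so the next reader does not chase a missing dependency. The commented `conda install -y =<1.0.0>` is a leftover template placeholder and can be removed. The mutable base tag and missing `USER` points raised on the dev Dockerfile apply here as well.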