feat: audit workflow for releases

bcgov · Sep 12, 2024 · 4c960c2 · 4c960c2
1 parent 23fea88
commit 4c960c2
Showing 1 changed file with 49 additions and 0 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,49 @@
+---
+name: Audit Shas
+
+on:
+  workflow_dispatch:
+    inputs:
+      ### Required
+      environment:
+        description: "Deployment environment - dev/test/prod"
+        required: true
+        type: choice
+        options: ["dev","test","prod"]
+        default: "prod"
+      release:
+        description: 'release name'
+        required: true
+        type: string
+        default: "prod"
+jobs:
+  # https://github.com/bcgov-nr/action-deployer-openshift
+  docker_login:
+    - name: Log in to the Container registry
+      if: steps.build.outputs.triggered == 'true'
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: {{ secrets.oc_token }}
+
+  audit_packages:
+    name: Audit
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        package: [dops, vehicles, frontend, scheduler, policy]
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - name: Audit the installed application for package sha vs deployed sha
+        run: |
+          oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }}
+          oc project c28f0c-${{ inputs.environment }} # Safeguard!
+          export GHCR_SHA=$(docker manifest inspect onroutebc-${{inputs.release}}-${{matrix.package}} | jq '.manifests[0].digest')
+          export SHA_LIST=$(oc get pods -l app.kubernetes.io/instance=onroutebc-${{inputs.release}} -l app.kubernetes.io/name=${{matrix.package}} -o yaml | grep imageID | grep ghcr | cut -d : -f 3)
+          for sha in ${SHA_LIST}
+            do
+              echo "onroutebc-${{inputs.release}}-${{matrix.package}} - pod:${sha} ghcr: ${GHCR_SHA}"
+            done
+