Skip to content

chore(deps): lock file maintenance (#374) #355

chore(deps): lock file maintenance (#374)

chore(deps): lock file maintenance (#374) #355

name: Build and Push to Container Registry
on:
workflow_dispatch:
push:
branches:
- main
env:
GITHUB_SHA: ${{ github.sha }}
REGISTRY: 283582579564.dkr.ecr.ca-central-1.amazonaws.com
permissions:
id-token: write
contents: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Audit DNS requests
uses: cds-snc/dns-proxy-action@main
env:
DNS_PROXY_FORWARDTOSENTINEL: "true"
DNS_PROXY_LOGANALYTICSWORKSPACEID: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
DNS_PROXY_LOGANALYTICSSHAREDKEY: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Configure aws credentials using OIDC
uses: aws-actions/configure-aws-credentials@master
with:
role-to-assume: arn:aws:iam::283582579564:role/sre-bot-apply
role-session-name: SREBotGitHubActions
aws-region: "ca-central-1"
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
- name: Build container
working-directory: ./
run: |
docker build \
--build-arg git_sha=$GITHUB_SHA \
--build-arg LICENSE_KEY=${{ secrets.MAXMIND_LICENSE }} \
-t $REGISTRY/sre-bot:$GITHUB_SHA-`date '+%Y-%m-%d'` \
-t $REGISTRY/sre-bot:latest .
- name: Push containers to Amazon ECR
working-directory: ./app
run: |
docker push $REGISTRY/sre-bot:$GITHUB_SHA-`date '+%Y-%m-%d'`
docker push $REGISTRY/sre-bot:latest
- name: Restart ECS
run: |
aws ecs update-service --cluster sre-bot-cluster --service sre-bot-service --force-new-deployment > /dev/null 2>&1
- name: Report deployment to Sentinel
uses: cds-snc/sentinel-forward-data-action@main
with:
input_data: '{"product": "sre-bot", "version": "${{ github.sha }}", "repository": "${{ github.repository }}", "environment": "production"}'
log_type: CDS_Product_Deployment_Data
log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
- name: Docker generate SBOM
uses: cds-snc/security-tools/.github/actions/generate-sbom@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
with:
docker_image: "${{ env.REGISTRY }}/sre-bot:latest"
dockerfile_path: "./Dockerfile"
sbom_name: "sre-bot"
token: "${{ secrets.GITHUB_TOKEN }}"