Skip to content

fix: security vulnerability (#2284) #7423

fix: security vulnerability (#2284)

fix: security vulnerability (#2284) #7423

Workflow file for this run

# This workflow will build a golang project
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
name: Go
on:
workflow_dispatch:
inputs:
buildImportDemo:
type: choice
description: "build demo import images and dex image"
options:
- "true"
- "false"
default: "false"
buildPostgres:
type: choice
description: "build postgres images "
options:
- "true"
- "false"
default: "false"
servicesList:
type: string
description: "List of services to build"
required: false
default: "all"
deployTo:
type: choice
description: "Environment to deploy to"
options:
- "dev"
- "prod"
default: "dev"
push:
branches: ["main","dev"]
pull_request:
branches: ["main","dev"]
jobs:
tag:
runs-on: ubuntu-latest
environment: golang
outputs:
latest_tag: ${{ steps.set_latest_tag.outputs.latest_tag }}
if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && ( ! contains(github.event.head_commit.message, 'ui-changes') )
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Tag version
id: tag_version
uses: mathieudutour/[email protected]
with:
github_token: ${{ secrets.GH_ACCESS_TOKEN }}
fetch_all_tags: true
release_branches: main
tag_prefix: v
- name: Set latest tag output
id: set_latest_tag
run: |
if [[ -z "${{ steps.tag_version.outputs.new_tag }}" ]]; then
echo "latest_tag=${{ steps.tag_version.outputs.previous_tag }}" >> "$GITHUB_OUTPUT"
else
echo "latest_tag=${{ steps.tag_version.outputs.new_tag }}" >> "$GITHUB_OUTPUT"
fi
build:
runs-on: ubuntu-latest
needs:
- tag
environment: golang
outputs:
steampipe: ${{ steps.build_services.outputs.steampipe }}
auth-service: ${{ steps.build_services.outputs.auth-service }}
checkup-job: ${{ steps.build_services.outputs.checkup-job }}
compliance-report-job: ${{ steps.build_services.outputs.compliance-report-job }}
compliance-service: ${{ steps.build_services.outputs.compliance-service }}
compliance-summarizer-job: ${{ steps.build_services.outputs.compliance-summarizer-job }}
scheduler-service: ${{ steps.build_services.outputs.scheduler-service }}
inventory-service: ${{ steps.build_services.outputs.inventory-service }}
metadata-service: ${{ steps.build_services.outputs.metadata-service }}
post-install-job: ${{ steps.build_services.outputs.post-install-job }}
swagger-ui: ${{ steps.build_services.outputs.swagger-ui }}
cloudql: ${{ steps.build_services.outputs.cloudql }}
integration-service: ${{ steps.build_services.outputs.integration-service }}
es-sink-service: ${{ steps.build_services.outputs.es-sink-service }}
query-runner-job: ${{ steps.build_services.outputs.query-runner-job }}
query-validator-job: ${{ steps.build_services.outputs.query-validator-job }}
demo-importer-job: ${{ steps.build_services.outputs.demo-importer-job }}
task-service: ${{ steps.build_services.outputs.task-service }}
rego-service: ${{ steps.build_services.outputs.rego-service }}
env:
SERVICE_LIST: ${{ github.event.inputs.servicesList }}
GH_ACCESS_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
steps:
- name: Install musl cc
uses: awalsh128/cache-apt-pkgs-action@v1
with:
packages: musl-tools musl-dev musl
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 5
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: "./go.mod"
cache: false
- name: Go Cache
uses: actions/cache@v3
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Configure Git
run: git config --global url.https://[email protected]/opengovern.insteadOf https://github.com/opengovern
- name: Build services
id: build_services
run: |
set -x
./scripts/list_services > ./service-list
cat ./service-list
cat ./service-list | sed 's/\s\+/\n/g' | sed 's/^\<steampipe\>$//g' | sed '/^$/d' > ./build_services
cat ./build_services
mkdir -p ./build
if [ ! -z "$(cat ./build_services)" ]; then
for f in $(cat ./build_services); do
CC=/usr/bin/musl-gcc GOPRIVATE="github.com/opengovern" GOOS=linux GOARCH=amd64 go build -v -ldflags "-linkmode external -extldflags '-static' -s -w" -tags musl -o ./build/ ./cmd/$f;
done
chmod +x ./build/*
fi
for f in $(cat ./service-list); do echo "$f=true" >> "$GITHUB_OUTPUT"; done
- name: Pack build
if: github.event_name != 'pull_request'
run: |
tar -czvf build.tar.gz build
- name: Upload artifact
if: github.event_name != 'pull_request'
uses: actions/upload-artifact@v3
with:
name: build
path: build.tar.gz
retention-days: 1
deploy-steampipe:
runs-on: ubuntu-latest
needs:
- build
- tag
- deploy-cloudql
permissions:
id-token: write
contents: read
environment: docker
if: (needs.build.outputs.cloudql == 'true' || needs.build.outputs.steampipe == 'true') && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/steampipe-service:${{ needs.tag.outputs.latest_tag }}
file: docker/SteampipeServiceDockerfile
build-args: |
PLUGIN_REGISTRY=ghcr.io/opengovern
context: .
deploy-auth-service:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.auth-service == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/auth-service:${{ needs.tag.outputs.latest_tag }}
file: docker/AuthServiceDockerfile
context: .
deploy-task-service:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.task-service == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/task-service:${{ needs.tag.outputs.latest_tag }}
file: docker/TaskServiceDockerfile
context: .
deploy-checkup-job:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.checkup-job == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/checkup-job:${{ needs.tag.outputs.latest_tag }}
file: docker/CheckupJobDockerfile
context: .
deploy-compliance-report-job:
runs-on: ubuntu-latest
needs:
- build
- tag
- deploy-cloudql
- deploy-steampipe
permissions:
id-token: write
contents: read
environment: docker
if: (needs.build.outputs.cloudql == 'true' || needs.build.outputs.compliance-report-job == 'true') && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/compliance-report-job:${{ needs.tag.outputs.latest_tag }}
file: docker/ComplianceReportJobDockerfile
build-args: |
PLUGIN_REGISTRY=ghcr.io/opengovern
context: .
deploy-rego-service:
runs-on: ubuntu-latest
needs:
- build
- tag
- deploy-cloudql
- deploy-steampipe
permissions:
id-token: write
contents: read
environment: docker
if: (needs.build.outputs.cloudql == 'true' || needs.build.outputs.rego-service == 'true') && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/rego-service:${{ needs.tag.outputs.latest_tag }}
file: docker/RegoServiceDockerfile
build-args: |
PLUGIN_REGISTRY=ghcr.io/opengovern
context: .
deploy-compliance-summarizer-job:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.compliance-summarizer-job == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/compliance-summarizer-job:${{ needs.tag.outputs.latest_tag }}
file: docker/ComplianceSummarizerJobDockerfile
build-args: |
PLUGIN_REGISTRY=ghcr.io/opengovern
context: .
deploy-compliance-service:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.compliance-service == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/compliance-service:${{ needs.tag.outputs.latest_tag }}
file: docker/ComplianceServiceDockerfile
context: .
deploy-scheduler-service:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.scheduler-service == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/scheduler-service:${{ needs.tag.outputs.latest_tag }}
file: docker/SchedulerServiceDockerfile
context: .
deploy-integration-service:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.integration-service == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/integration:${{ needs.tag.outputs.latest_tag }}
file: docker/IntegrationServiceDockerfile
context: .
deploy-es-sink-service:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.es-sink-service == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/es-sink:${{ needs.tag.outputs.latest_tag }}
file: docker/EsSinkServiceDockerfile
context: .
deploy-inventory-service:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.inventory-service == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/inventory-service:${{ needs.tag.outputs.latest_tag }}
file: docker/InventoryServiceDockerfile
context: .
deploy-metadata-service:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.metadata-service == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/metadata-service:${{ needs.tag.outputs.latest_tag }}
file: docker/MetadataServiceDockerfile
context: .
deploy-post-install-job:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.post-install-job == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/post-install-job:${{ needs.tag.outputs.latest_tag }}
file: docker/PostInstallJobDockerfile
context: .
deploy-swagger-ui:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.swagger-ui == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/swagger-ui:${{ needs.tag.outputs.latest_tag }}
file: docker/SwaggerUIDockerfile
context: .
deploy-cloudql:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: (needs.build.outputs.cloudql == 'true' ||
needs.build.outputs.steampipe == 'true' ||
needs.build.outputs.compliance-report-job == 'true') && github.event_name != 'pull_request'
steps:
- name: Check if we need to actually push
id: check_if_push
run: |
if [[ -z "${{ needs.build.outputs.cloudql }}" ]]; then
echo "do_build=false" >> $GITHUB_OUTPUT
else
echo "do_build=true" >> $GITHUB_OUTPUT
fi
- name: Checkout code
if: steps.check_if_push.outputs.do_build == 'true'
uses: actions/checkout@v3
- name: Download artifact
if: steps.check_if_push.outputs.do_build == 'true'
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
if: steps.check_if_push.outputs.do_build == 'true'
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
if: steps.check_if_push.outputs.do_build == 'true'
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/cloudql:0.0.1
ghcr.io/${{ github.repository_owner }}/cloudql:${{ needs.tag.outputs.latest_tag }}
file: docker/CloudQLDockerfile
context: .
deploy-query-runner-job:
runs-on: ubuntu-latest
needs:
- build
- tag
- deploy-cloudql
- deploy-steampipe
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.query-runner-job == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/query-runner-job:${{ needs.tag.outputs.latest_tag }}
file: docker/QueryRunnerJobDockerfile
build-args: |
PLUGIN_REGISTRY=ghcr.io/opengovern
context: .
deploy-query-validator-job:
runs-on: ubuntu-latest
needs:
- build
- tag
- deploy-cloudql
- deploy-steampipe
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.query-validator-job == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/query-validator-job:${{ needs.tag.outputs.latest_tag }}
file: docker/QueryValidatorJobDockerfile
build-args: |
PLUGIN_REGISTRY=ghcr.io/opengovern
context: .
deploy-audit-job:
runs-on: ubuntu-latest
needs:
- build
- tag
- deploy-cloudql
- deploy-steampipe
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.query-validator-job == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/audit-job:${{ needs.tag.outputs.latest_tag }}
file: docker/AuditJobDockerfile
build-args: |
PLUGIN_REGISTRY=ghcr.io/opengovern
context: .
deploy-import-data-script:
runs-on: ubuntu-latest
needs:
- tag
if: github.event.inputs.buildImportDemo == 'true'
permissions:
id-token: write
contents: read
environment: docker
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/import-data-script:${{ needs.tag.outputs.latest_tag }}
file: docker/ImportDataScriptDockerfile
build-args: |
PLUGIN_REGISTRY=ghcr.io/opengovern
context: .
deploy-export-data-script:
runs-on: ubuntu-latest
needs:
- tag
if: github.event.inputs.buildImportDemo == 'true'
permissions:
id-token: write
contents: read
environment: docker
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/export-data-script:${{ needs.tag.outputs.latest_tag }}
file: docker/ExportDataScriptDockerfile
build-args: |
PLUGIN_REGISTRY=ghcr.io/opengovern
context: .
deploy-demo-importer-job:
runs-on: ubuntu-latest
needs:
- build
- tag
permissions:
id-token: write
contents: read
environment: docker
if: needs.build.outputs.demo-importer-job == 'true' && github.event_name != 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: build
path: .
- name: Unpack artifact
run: |
tar -xvf build.tar.gz
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/demo-importer-job:${{ needs.tag.outputs.latest_tag }}
file: docker/DemoImporterJobDockerfile
context: .
deploy-dex-login:
runs-on: ubuntu-latest
if: github.event.inputs.buildImportDemo == 'true'
needs:
- tag
permissions:
id-token: write
contents: read
environment: docker
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/dex-login:${{ needs.tag.outputs.latest_tag }}
file: docker/DexLoginDockerfile
context: .
deploy-postgres:
runs-on: ubuntu-latest
if: github.event.inputs.buildPostgres == 'true'
needs:
- tag
permissions:
id-token: write
contents: read
environment: docker
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GHCR_PAT }}
- name: Build and push Docker images
uses: docker/build-push-action@v4
with:
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/postgres:${{ needs.tag.outputs.latest_tag }}
file: docker/PostgresDockerfile
context: .