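---
# Sanity CI: build, scan and package the Chaos Engine on every push and PR.
#
# Job graph:
#   version ─┬─ build ── av_scan
#            ├─ documentation
#            └─ build-and-push-image ── zap_scan
#   hadolint (independent)
#
# Supply-chain notes for maintainers:
#   * The actions/* steps are referenced by major-version tag. Tags are
#     mutable; pin them to a full commit SHA (as the docker/* steps below
#     already are) and let Dependabot/Renovate move the pins.
#   * The container images used as job environments and scan tooling
#     (`:latest`, `:latest-debian`, `python:3-alpine`, `owasp/zap2docker-weekly`)
#     are mutable tags as well; pin by digest if reproducible scans matter.
#   * The former commented-out `docker_build` job (elgohr/Publish-Docker-Github-Action
#     pushing to docker.pkg.github.com with DOCKER_USERNAME/DOCKER_PASSWORD) has
#     been dropped; build-and-push-image is its replacement and zap_scan now
#     consumes the image that job pushes.
name: Sanity CI

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:
    # `synchronize` is included so that later pushes to a PR branch from a
    # fork are scanned too, not only the commit that opened the PR.
    types: [opened, synchronize, reopened]

# Least privilege: the default GITHUB_TOKEN is read-only for every job;
# the jobs that push or pull packages opt in individually below.
permissions:
  contents: read

env:
  # Legacy coordinates of the old docker.pkg.github.com image. Nothing in
  # this file references them any more; scripts under ci/ might — confirm
  # before removing them.
  DOCKER_REPOSITORY: "docker.pkg.github.com"
  ORGANIZATION: "thalesgroup"
  CHAOS_ENGINE_REPO: "chaos-engine"
  CHAOS_ENGINE_IMAGE_NAME: "chaos-engine"
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  # Derive a short, immutable build identifier (first 8 hex chars of the
  # commit SHA) and publish it as an artifact for the downstream jobs.
  version:
    runs-on: ubuntu-latest
    steps:
      - name: Generate Version
        run: echo "${GITHUB_SHA:0:8}" > version
      - name: Upload Version
        uses: actions/upload-artifact@v4
        with:
          name: variables
          path: version

  # Maven build; the resulting `target` directories are uploaded for av_scan.
  build:
    runs-on: ubuntu-latest
    needs: version
    permissions:
      contents: read
      # GITHUB_TOKEN is handed to Maven below; `packages: read` is what a
      # GitHub Packages Maven repository would need. TODO(review): confirm the
      # pom actually uses one, otherwise drop this line.
      packages: read
    steps:
      - uses: actions/checkout@v4
        with:
          # No job pushes back to the repository, so do not leave the token in
          # .git/config where build plugins could read it.
          persist-credentials: false
      - name: Set up JDK 11
        uses: actions/setup-java@v4
        with:
          # Temurin is the successor of the AdoptOpenJDK builds setup-java@v1 installed.
          distribution: temurin
          java-version: "11"
      - name: Run build
        # NOTE: `mvn install` executes whatever plugins the checked-out pom
        # declares, with SONAR_TOKEN in their environment — any branch pushed
        # to this repository can read it. Fork PRs receive no repository
        # secrets, so the Sonar step will run without a token there.
        run: mvn --batch-mode install
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Gather build artifacts
        # Copy every Maven `target` directory (root and modules) into
        # artifacts/ keeping its relative path. `find -exec` avoids the
        # word-splitting of the previous `$(find . | grep target)`, and
        # artifacts/ itself is pruned so the copy never recurses into its
        # own output.
        run: |
          mkdir artifacts
          find . -path ./artifacts -prune -o -type d -name target \
            -exec cp -r --parents {} artifacts \;
      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: build
          path: artifacts

  # ClamAV scan of the checkout plus the downloaded build output.
  av_scan:
    runs-on: ubuntu-latest
    needs: build
    container:
      image: thalesgroup/clamav4pipeline:latest  # mutable tag, see header
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download build artifact
        uses: actions/download-artifact@v4
        with:
          name: build
          path: build  # same layout download-artifact@v1 produced
      - name: AV Scan
        run: scan.sh -d . -l av.log
      - name: Make scan log readable
        if: always()
        run: '[ ! -f av.log ] || chmod a+r av.log'
      - name: Upload AV scan artefacts
        # Upload even when the scan step fails, so the log of a failing
        # scan is available for triage.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: av_scan
          path: av.log

  # Dockerfile lint; independent of the other jobs.
  hadolint:
    runs-on: ubuntu-latest
    container:
      image: hadolint/hadolint:latest-debian  # mutable tag, see header
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Hadolint Scan
        run: hadolint Dockerfile

  # MkDocs site build, run by the scripts under ci/docs.
  documentation:
    runs-on: ubuntu-latest
    needs: version
    container:
      image: python:3-alpine  # mutable tag, see header
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download build artifact
        uses: actions/download-artifact@v4
        with:
          name: variables
          path: variables
      - name: Extract Version
        run: mv variables/version version
      - name: Prepare Build Environment
        run: ./ci/docs/mkdocs_pre_build.sh
      - name: Build Documentation
        run: ./ci/docs/mkdocs_build.sh public documentation
      - name: Upload Documentation
        uses: actions/upload-artifact@v4
        with:
          name: documentation
          path: documentation

  # Build the container image from the repository Dockerfile and push it to
  # GHCR under the repository name. The push uses the job-scoped GITHUB_TOKEN
  # only; on a pull request from a fork that token has no `packages: write`,
  # so the push (and therefore zap_scan) cannot succeed there.
  build-and-push-image:
    runs-on: ubuntu-latest
    needs: version
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download Variables
        uses: actions/download-artifact@v4
        with:
          name: variables
          path: variables
      - name: Extract Version
        run: mv variables/version version
      - name: Initialize version variable
        run: echo "VERSION=$(cat version)" >> "$GITHUB_ENV"
      - name: Log in to the Container registry
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # The ref-based tags are the action's defaults; the raw VERSION tag
          # is added so zap_scan can pull exactly the image built here.
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=tag
            type=ref,event=pr
            type=raw,value=${{ env.VERSION }}
      - name: Build and push Docker image
        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  # DAST: run the freshly pushed image and scan its OpenAPI surface with ZAP.
  zap_scan:
    runs-on: ubuntu-latest
    needs: build-and-push-image
    permissions:
      contents: read
      packages: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download Variables
        uses: actions/download-artifact@v4
        with:
          name: variables
          path: variables
      - name: Extract Version
        run: mv variables/version version
      - name: Initialize version variable
        run: echo "VERSION=$(cat version)" >> "$GITHUB_ENV"
      - name: Log in to the Container registry
        # Same registry and identity as build-and-push-image. This replaces the
        # previous `docker login -u … -p ${{ secrets.DOCKER_PASSWORD }}`, which
        # put a long-lived secret on the command line and targeted a registry
        # this workflow no longer pushes to.
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Pull Chaos Engine Docker image
        # Pull the image build-and-push-image tagged with VERSION. Registry
        # paths must be lower-case while github.repository may not be, hence
        # the `,,` expansion.
        run: |
          image="${REGISTRY}/${IMAGE_NAME,,}:${VERSION}"
          echo "CHAOS_ENGINE_IMAGE=${image}" >> "$GITHUB_ENV"
          docker pull "${image}"
      - name: Pull ZAP proxy image
        run: docker pull owasp/zap2docker-weekly
      - name: Create a network
        run: docker network create chaos-engine-network
      - name: Run Chaos Engine
        env:
          # The target runs with its own security layer disabled so ZAP can
          # reach every endpoint; findings that depend on the authn/authz
          # layer are therefore out of scope for this scan.
          CHAOS_SECURITY_ENABLED: "false"
        run: >-
          docker run --rm --name chaos-engine --network chaos-engine-network
          -e CHAOS_SECURITY_ENABLED -d "$CHAOS_ENGINE_IMAGE"
      - name: Create report directory
        # World-writable because the ZAP container writes the report as its
        # own unprivileged user, not as the runner user.
        run: mkdir report; chmod 777 report
      - name: Run Scan
        env:
          CHAOS_ENGINE_OPEN_API_URL: "http://chaos-engine:8080/v3/api-docs"
          CHAOS_ENGINE_STARTUP_TIMEOUT: "180"
          ZAP_WORK_DIR: "/zap/wrk/"
          ZAP_REPORT_FILE: "zap_report.html"
        # `bash -x` echoes every command of zap_scan.sh into the job log; keep
        # it only as long as nothing secret is passed into this container.
        run: >-
          docker run --rm --name zap --network chaos-engine-network
          -v "$(pwd):/script" -v "$(pwd)/report:/report:rw"
          -e CHAOS_ENGINE_OPEN_API_URL -e CHAOS_ENGINE_STARTUP_TIMEOUT
          -e ZAP_WORK_DIR -e ZAP_REPORT_FILE
          owasp/zap2docker-weekly bash -x /script/ci/dast/zap/zap_scan.sh
      - name: Upload ZAP report
        # Upload even when the scan step fails, so the report of a failing
        # scan is available for triage.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: report/zap_report.html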