Update Node.js base image: 20,22,24 (#126) #481
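# BUILD-SCAN-PUSH
#
# Builds the multi-arch (amd64 + arm64) Node.js base images for every entry
# in image-matrix.json and both build targets (development, production),
# scans the production variants with Grype and Trivy, and — on master only —
# pushes the images to Docker Hub and creates a GitHub release for the
# DEFRA_VERSION declared in JOB.env.
#
# Security notes for maintainers:
#   * Every `${{ }}` value that a `run:` step needs is bound through `env:` and
#     quoted in the shell, so no expression text is spliced into the script
#     body (GitHub's "script injection" pattern). The values originate from
#     files in this repository, so the exposure is low, but keeping them out of
#     the script also stops an empty value (e.g. a matrix entry without
#     `latest`) from turning into a `[ = true ]` shell syntax error.
#   * GITHUB_TOKEN is limited to `contents: read` for the whole workflow and
#     raised to `contents: write` only in the release job, which needs it to
#     create the tag and release.
#   * The scan gate ("Fail build if scans failed") intentionally does not block
#     master, so an image with MEDIUM or higher findings can still be pushed to
#     Docker Hub from master. The SARIF reports are uploaded as artifacts in
#     that case — review them before relying on a newly published tag, and
#     revisit the exception if these images are meant to be a hardened base.
#   * Third-party actions are referenced by major tag except Trivy, which is
#     pinned to a commit SHA. Pinning the others to SHAs as well is recommended
#     so a moved tag cannot change the code that runs with the Docker Hub
#     credentials.
name: BUILD-SCAN-PUSH

on:
  push:
    branches: [ '**' ]
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN; jobs raise only what they need.
permissions:
  contents: read

jobs:
  get-matrix-values:
    runs-on: ubuntu-latest
    outputs:
      image: ${{ steps.set-var.outputs.image }}
    steps:
      - uses: actions/checkout@v3
      - id: set-var
        # image-matrix.json holds the JSON array consumed by fromJSON() in the
        # build-images matrix; emit it verbatim as a multi-line step output.
        run: |
          echo 'image<<EOF' >> "$GITHUB_OUTPUT"
          cat ./image-matrix.json >> "$GITHUB_OUTPUT"
          echo 'EOF' >> "$GITHUB_OUTPUT"

  build-images:
    runs-on: ubuntu-latest
    needs: get-matrix-values
    strategy:
      matrix:
        target: ["development", "production"]
        image: ${{ fromJSON(needs.get-matrix-values.outputs.image) }}
    env:
      # Matrix values used by shell steps are bound here once, so the run:
      # bodies below never contain raw ${{ }} text.
      TARGET: ${{ matrix.target }}
      NODE_VERSION: ${{ matrix.image.nodeVersion }}
      ALPINE_VERSION: ${{ matrix.image.alpineVersion }}
      IS_LATEST: ${{ matrix.image.latest }}
      IMAGE_TAGS: ${{ join(matrix.image.tags, ' ') }}
    steps:
      - uses: actions/checkout@v3
      - id: setEnv
        name: Set Job env vars
        # JOB.env supplies KEY=VALUE lines; IMAGE_NAME and DEFRA_VERSION are the
        # ones the steps below read.
        run: |
          cat JOB.env >> "$GITHUB_ENV"
      - id: setImageDetails
        name: Set image name and latest tag
        run: |
          # Production images use the bare repository name; other targets get
          # the target name appended.
          if [ "$TARGET" = "production" ]
          then
            DOCKER_REPO_NAME="defradigital/$IMAGE_NAME"
          else
            DOCKER_REPO_NAME="defradigital/$IMAGE_NAME-$TARGET"
          fi
          echo "dockerRepoName=$DOCKER_REPO_NAME" >> "$GITHUB_OUTPUT"
          echo "fullImageName=$DOCKER_REPO_NAME:$DEFRA_VERSION-node$NODE_VERSION" >> "$GITHUB_OUTPUT"
          # latestTag is either "--tag repo:latest" or empty; the build step
          # expands it unquoted on purpose so it splits into two arguments.
          if [ "$IS_LATEST" = "true" ]
          then
            echo "latestTag=--tag $DOCKER_REPO_NAME:latest" >> "$GITHUB_OUTPUT"
          else
            echo "latestTag=" >> "$GITHUB_OUTPUT"
          fi
      - name: Set up Docker
        uses: docker/setup-docker-action@v4
        with:
          # containerd-snapshotter is required for `buildx build --load` of a
          # multi-platform image. "debug" only makes the daemon log verbose.
          daemon-config: |
            {
              "debug": true,
              "features": {
                "containerd-snapshotter": true
              }
            }
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build the Docker image
        env:
          FULL_IMAGE_NAME: ${{ steps.setImageDetails.outputs.fullImageName }}
          LATEST_TAG: ${{ steps.setImageDetails.outputs.latestTag }}
        run: |
          # --no-cache so every build re-pulls the base layer and package
          # updates instead of reusing a stale cached layer.
          docker buildx build . --file Dockerfile --no-cache \
            --platform linux/amd64,linux/arm64 \
            --load \
            --target="$TARGET" \
            --build-arg DEFRA_VERSION="$DEFRA_VERSION" \
            --build-arg BASE_VERSION="$NODE_VERSION-alpine$ALPINE_VERSION" \
            --tag "$FULL_IMAGE_NAME" \
            $LATEST_TAG
          docker images
      - name: Save image to archive
        if: ${{ matrix.target == 'production' }}
        env:
          FULL_IMAGE_NAME: ${{ steps.setImageDetails.outputs.fullImageName }}
        run: |
          docker save "$FULL_IMAGE_NAME" -o "image-$NODE_VERSION.tar"
          ls -lh "image-$NODE_VERSION.tar"
      # Both scanners are allowed to fail the step (fail-build / exit-code 1)
      # but not the job (continue-on-error), so the SARIF upload and the
      # combined gate below can run afterwards.
      - name: Run Anchore Grype scan
        id: grype-scan
        if: ${{ matrix.target == 'production' }}
        uses: anchore/scan-action@v7
        with:
          image: docker-archive:image-${{ matrix.image.nodeVersion }}.tar
          fail-build: true
          severity-cutoff: "medium"
        continue-on-error: true
      - name: Run Aqua Trivy scan
        id: trivy-scan
        if: ${{ matrix.target == 'production' }}
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          input: image-${{ matrix.image.nodeVersion }}.tar
          scan-type: image
          format: sarif
          output: trivy-reports-node-${{ matrix.image.nodeVersion }}
          exit-code: 1
          vuln-type: os,library
          severity: CRITICAL,HIGH,MEDIUM
        continue-on-error: true
      - name: Upload Grype SARIF report
        if: ${{ steps.grype-scan.outcome == 'failure' && matrix.target == 'production' }}
        uses: actions/upload-artifact@v4
        with:
          name: grype-reports-node-${{ matrix.image.nodeVersion }}
          path: ${{ steps.grype-scan.outputs.sarif }}
      - name: Upload Trivy SARIF report
        if: ${{ steps.trivy-scan.outcome == 'failure' && matrix.target == 'production' }}
        uses: actions/upload-artifact@v4
        with:
          name: trivy-reports-node-${{ matrix.image.nodeVersion }}
          path: trivy-reports-node-${{ matrix.image.nodeVersion }}
      - name: Fail build if scans failed
        # NOTE: master is exempt from this gate, so a failing scan on master
        # still results in a push to Docker Hub further down. See the header.
        if: ${{ (steps.grype-scan.outcome == 'failure' || steps.trivy-scan.outcome == 'failure') && matrix.target == 'production' && github.ref != 'refs/heads/master' }}
        env:
          GRYPE_OUTCOME: ${{ steps.grype-scan.outcome }}
          TRIVY_OUTCOME: ${{ steps.trivy-scan.outcome }}
        run: |
          echo "One or more scans failed. Failing the build."
          echo "Grype scan outcome: $GRYPE_OUTCOME"
          echo "Trivy scan outcome: $TRIVY_OUTCOME"
          exit 1
      - name: Tag image
        env:
          FULL_IMAGE_NAME: ${{ steps.setImageDetails.outputs.fullImageName }}
          DOCKER_REPO_NAME: ${{ steps.setImageDetails.outputs.dockerRepoName }}
        run: |
          echo "Tags are $IMAGE_TAGS"
          # IMAGE_TAGS is a space-separated list, so it is expanded unquoted.
          for TAG in $IMAGE_TAGS
          do
            echo "creating tag $DOCKER_REPO_NAME:$TAG"
            docker image tag "$FULL_IMAGE_NAME" "$DOCKER_REPO_NAME:$TAG"
          done
      # Registry login and push are restricted to master; branch builds never
      # authenticate to Docker Hub.
      - name: Login to DockerHub
        uses: docker/login-action@v2
        if: github.ref == 'refs/heads/master'
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - id: pushImage
        name: push docker image
        if: github.ref == 'refs/heads/master'
        env:
          FULL_IMAGE_NAME: ${{ steps.setImageDetails.outputs.fullImageName }}
          DOCKER_REPO_NAME: ${{ steps.setImageDetails.outputs.dockerRepoName }}
        run: |
          docker image push "$FULL_IMAGE_NAME"
          for TAG in $IMAGE_TAGS
          do
            docker image push "$DOCKER_REPO_NAME:$TAG"
          done

  create-release:
    runs-on: ubuntu-latest
    needs: build-images
    # Creating the tag and the release needs write access to repository
    # contents; nothing else in the workflow does.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - name: Create GitHub release
        if: github.ref == 'refs/heads/master'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          current_defra_version=$(grep -oP 'DEFRA_VERSION=\K[\d.]+' JOB.env)
          # Without this guard an empty version would make `gh release view`
          # look at the latest release and silently skip, or make
          # `gh release create` prompt interactively and hang.
          if [ -z "$current_defra_version" ]; then
            echo "DEFRA_VERSION not found in JOB.env; refusing to create a release." >&2
            exit 1
          fi
          if gh release view "$current_defra_version" &>/dev/null; then
            echo "Tag $current_defra_version already exists. Skipping release."
          else
            gh release create "$current_defra_version" \
              --title "Node $current_defra_version" \
              --generate-notes
          fi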