demo test 6/24/24 #145
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build, Scan and Rollout Multiarchitecture Containers | |
| env: | |
| ## Quay Credentials | |
| QUAY_USERNAME: mmondics | |
| # QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }} # used for quay.io | |
| QUAY_PASSWORD: ${{ secrets.REDHAT_PASSWORD }} # used for on-prem quay | |
| ## Red Hat Credentials (for pulling images) | |
| REDHAT_USERNAME: mmondics | |
| REDHAT_PASSWORD: ${{ secrets.REDHAT_PASSWORD }} | |
| ## Git Credentials (for opening PR) | |
| GIT_USERNAME: mmondics | |
| GIT_EMAIL: [email protected] | |
| GH_TOKEN: ${{ github.token }} | |
| ## SMTP Credentials | |
| SMTP_USERNAME: [email protected] | |
| SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} | |
| ## RHACS Target | |
| ROX_CENTRAL_ADDRESS: https://central-rhacs-operator.apps.atsocpd2.dmz:443 | |
| ROX_API_TOKEN: ${{ secrets.ROX_API_TOKEN }} | |
| ## Image name, tag, and registry | |
| APP_NAME: acmeair-mainservice-java | |
| MANIFEST_NAME: acmeair-mainservice-java-manifest | |
| Z_IMAGE_TAGS: s390x-${{ github.sha }} | |
| X_IMAGE_TAGS: amd64-${{ github.sha }} | |
| MANIFEST_IMAGE_TAG: manifest-${{ github.sha }} | |
| IMAGE_REGISTRY: quay-registry-quay-openshift-operators.apps.atsocppa.dmz/mmondics # used for on-prem quay | |
| # IMAGE_REGISTRY: quay.io/mmondics # used for quay.io | |
| on: | |
| push: | |
| paths: | |
| - acmeair/source/acmeair-mainservice-java/src/main/webapp/* | |
| branches: | |
| - DevSecOps | |
| # on: workflow_dispatch | |
| jobs: | |
| s390x-build-and-push: | |
| name: s390x build and push to Quay | |
| runs-on: [self-hosted, linux, s390x, native] | |
| environment: openshift | |
| # check out the GitHub repo | |
| steps: | |
| - name: Checkout | |
| id: checkout | |
| uses: actions/checkout@v2 | |
| # uses: actions/checkout@v4 | |
| with: | |
| ref: DevSecOps | |
| # build the app package for s390x | |
| - name: mvn clean package | |
| run: | | |
| mvn clean package -f ./acmeair/source/acmeair-mainservice-java/pom.xml | |
| # build the container image for s390x | |
| - name: podman build | |
| run: | | |
| podman version | |
| podman login registry.redhat.io -u ${{ env.REDHAT_USERNAME }} -p ${{ secrets.REDHAT_PASSWORD }} | |
| podman build -t ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.Z_IMAGE_TAGS }} ./acmeair/source/acmeair-mainservice-java | |
| # push the s390x container image to repo | |
| - name: Push to Registry | |
| id: push-to-registry | |
| uses: redhat-actions/[email protected] | |
| with: | |
| image: ${{ env.APP_NAME }} | |
| tags: ${{ env.Z_IMAGE_TAGS }} | |
| registry: ${{ env.IMAGE_REGISTRY }} | |
| username: ${{ env.QUAY_USERNAME }} | |
| password: ${{ env.QUAY_PASSWORD }} | |
| tls-verify: false | |
| amd64-build-and-push: | |
| name: amd64 build and push to Quay | |
| runs-on: [self-hosted, linux, x64, native] | |
| environment: openshift | |
| # checkout the GitHub repo | |
| steps: | |
| - name: Checkout | |
| id: checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: DevSecOps | |
| # build the app package for amd64 | |
| - name: mvn clean package | |
| run: | | |
| mvn clean package -f ./acmeair/source/acmeair-mainservice-java/pom.xml | |
| # build the container image for amd64 | |
| - name: podman build | |
| run: | | |
| podman version | |
| podman login registry.redhat.io -u ${{ env.REDHAT_USERNAME }} -p ${{ secrets.REDHAT_PASSWORD }} | |
| podman build -t ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.X_IMAGE_TAGS }} ./acmeair/source/acmeair-mainservice-java | |
| # push the amd64 container image to repo | |
| - name: Push to Registry | |
| id: push-to-registry | |
| uses: redhat-actions/push-to-registry@v2 | |
| with: | |
| image: ${{ env.APP_NAME }} | |
| tags: ${{ env.X_IMAGE_TAGS }} | |
| registry: ${{ env.IMAGE_REGISTRY }} | |
| username: ${{ env.QUAY_USERNAME }} | |
| password: ${{ env.QUAY_PASSWORD }} | |
| tls-verify: false | |
| create-manifest: | |
| name: combine amd64 and s390x container images into a single manifest and push to Quay | |
| runs-on: [self-hosted, linux, s390x, native] | |
| needs: | |
| - s390x-build-and-push | |
| - amd64-build-and-push | |
| environment: openshift | |
| # Create image manifest, add the s390x and amd64 container images, then push the manifest to the repository. | |
| steps: | |
| - name: podman login | |
| run: | | |
| podman login --tls-verify=false ${{ env.IMAGE_REGISTRY }} -u ${{ env.QUAY_USERNAME }} -p ${{ env.QUAY_PASSWORD }} | |
| - name: create manifest list | |
| run: podman manifest create ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} | |
| - name: pull new container images | |
| run: | | |
| podman pull --tls-verify=false ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.Z_IMAGE_TAGS }} | |
| podman pull --tls-verify=false ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.X_IMAGE_TAGS }} | |
| - name: add container images to manifest | |
| run: | | |
| podman manifest add --tls-verify=false ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.Z_IMAGE_TAGS }} | |
| podman manifest add --tls-verify=false ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} ${{ env.IMAGE_REGISTRY }}/${{ env.APP_NAME }}:${{ env.X_IMAGE_TAGS }} | |
| - name: push manifest list | |
| run: podman manifest push --tls-verify=false ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} | |
| # update the deployment YAML file with new image manifest | |
| update-app-yaml: | |
| name: update acmeair mainservice application YAML to use new image manifest | |
| runs-on: ubuntu-latest | |
| needs: create-manifest | |
| environment: openshift | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: DevSecOps | |
| - name: replace container image in YAML | |
| # The yq command is similar to json's `jq`. The following command will find the container image line in the deployment YAML file, and replace it with the newly created manifest file. | |
| run: | | |
| yq e -i "select(documentIndex == 0).spec.template.spec.containers[0].image = \"${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }}\"" ./acmeair/deployments/deploy-acmeair-mainservice-java.yaml | |
| - name: git config | |
| run: | | |
| git config --global user.email ${{ env.GIT_EMAIL }} | |
| git config --global user.name ${{ env.GIT_USERNAME }} | |
| git status | |
| git add . | |
| git commit -m "update deploy-acmeair-mainservice-java.yaml via GitHub Actions" | |
| git fetch origin DevSecOps | |
| git push origin HEAD:DevSecOps | |
| gh pr create --base main --head DevSecOps --title "update deploy-acmeair-mainservice-java.yaml via GitHub Actions" --body "Using image manfest ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }}" | |
| # scan the deployment & container image manifest with RHACS from OCP on Z cluster | |
| acs-image-scan: | |
| name: Scan container manifest with Red Hat Advanced Cluster Security | |
| runs-on: [self-hosted, linux, s390x, ocp] | |
| environment: openshift | |
| needs: update-app-yaml | |
| continue-on-error: true | |
| # Image scan is initated on self-hosted IBM Z runner. | |
| # Image scan is performed by ACS server running on IBM Z. | |
| steps: | |
| # check out the GitHub repo | |
| - name: Checkout | |
| id: checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: DevSecOps | |
| - name: install roxctl cli | |
| run: | | |
| curl -O https://mirror.openshift.com/pub/rhacs/assets/4.3.0/bin/Linux/roxctl-s390x | |
| chmod +x roxctl-s390x | |
| ln -s roxctl-s390x roxctl | |
| continue-on-error: true | |
| - name: deployment-check | |
| run: | | |
| ./roxctl --insecure-skip-tls-verify deployment check --endpoint ${{ env.ROX_CENTRAL_ADDRESS }} -f ./acmeair/deployments/deploy-acmeair-mainservice-java.yaml 2>&1 | tee deployment_check.txt | |
| - name: image-scan | |
| run: | | |
| ./roxctl --insecure-skip-tls-verify image scan --endpoint ${{ env.ROX_CENTRAL_ADDRESS }} --image ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} 2>&1 | tee image_scan.txt | |
| - name: image-check | |
| run: | | |
| ./roxctl --insecure-skip-tls-verify image check --endpoint ${{ env.ROX_CENTRAL_ADDRESS }} --image ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} 2>&1 | tee image_check.txt | |
| # Send results of security scans through email. | |
| - name: Send email | |
| uses: dawidd6/action-send-mail@v3 | |
| with: | |
| server_address: smtp.gmail.com | |
| server_port: 465 | |
| secure: true | |
| username: ${{ env.SMTP_USERNAME }} | |
| password: ${{ env.SMTP_PASSWORD }} | |
| subject: Security Scan for image ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} | |
| to: [email protected] | |
| from: Matt Mondics <[email protected]> | |
| attachments: deployment_check.txt,image_scan.txt,image_check.txt | |
| # Body of mail message (could be a filename prefixed with file:// to read from) | |
| body: | | |
| Red Hat Advanced Cluster Security scans for image: | |
| ${{ env.IMAGE_REGISTRY }}/${{ env.MANIFEST_NAME }}:${{ env.MANIFEST_IMAGE_TAG }} | |
| See attachments for deployment check, image check, and image scan. | |
| Update the application code to remediate security findings described in the attached files. | |
| Per IBM security practices, failed security scans do not prevent commits to development branches, but they will prevent merging to main branches. |