From 4daaf8c03f418baa1129160f31c4073c01389a12 Mon Sep 17 00:00:00 2001
From: priyaranjanpatil
Date: Wed, 29 Nov 2023 15:37:36 +1100
Subject: [PATCH] github actions pipeline added

---
 .github/github-actions.yml | 143 +++++++++++++++++++++++++++++++++++++
 .gitignore | 4 +-
 2 files changed, 146 insertions(+), 1 deletion(-)
 create mode 100644 .github/github-actions.yml

diff --git a/.github/github-actions.yml b/.github/github-actions.yml
new file mode 100644
index 0000000..5f0ca62
--- /dev/null
+++ b/.github/github-actions.yml
@@ -0,0 +1,143 @@
+# This is a basic workflow to help you get started with Actions
+name: Connect to an AWS role from a GitHub repository
+
+# Controls when the action will run. Invokes the workflow on push events but only for the main branch
+on:
+ push:
+ branches: [5165-cicd]
+ pull_request:
+ branches: [5165-cicd]
+
+env:
+ ENVIRONMENT: development
+ AWS_REGION: ap-southeast-2 #MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
+ #ECR_REPOSITORY: #########.dkr.ecr.ap-southeast-2.amazonaws.com/aodn-v2 # set this to your Amazon ECR repository name
+ ECS_SERVICE: geonetwork4-service #MY_ECS_SERVICE # set this to your Amazon ECS service name
+ ECS_CLUSTER: aodn-imos-v2 # set this to your Amazon ECS cluster name
+ ECS_TASK_DEFINITION: ./geonetwork4-td.json #MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition
+ # file, e.g. .aws/task-definition.json
+ CONTAINER_NAME: geonetwork4-container #MY_CONTAINER_NAME # set this to the name of the container in the
+ # containerDefinitions section of your task definition
+ #ROLE_ARN: arn:aws:iam::#########:role/tlc-ci-cd
+ name: development
+
+
+# Permission can be added at job level or workflow level
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
+jobs:
+ AWS-ECR-ECS-Deploy:
+ runs-on: ubuntu-latest
+ environment: development
+ steps:
+ - name: Git clone the repository
+ uses: actions/checkout@v3
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ vars.ROLE_ARN }}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{ env.AWS_REGION }}
+ # Hello from AWS: WhoAmI
+ - name: Sts GetCallerIdentity
+ run: |
+ aws sts get-caller-identity
+ - name: Prepare
+ id: prep
+ run: |
+ BRANCH=${GITHUB_REF##*/}
+ TS=$(date +%s)
+ REVISION=${GITHUB_SHA::8}
+ BUILD_ID="${BRANCH}-${REVISION}-${TS}"
+ LATEST_ID=canary
+ if [[ $GITHUB_REF == refs/tags/* ]]; then
+ BUILD_ID=${GITHUB_REF/refs\/tags\//}
+ LATEST_ID=latest
+ fi
+ echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+ echo ::set-output name=BUILD_ID::${BUILD_ID}
+ echo ::set-output name=LATEST_ID::${LATEST_ID} >> $GITHUB_OUTPUT
+
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v3
+ with:
+ distribution: 'temurin'
+ java-version: '17'
+ cache: 'maven'
+
+ - name: Build with Maven
+ run: mvn -B package --file pom.xml
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+
+ - name: Build and tag image
+ id: build-image
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY }}
+ IMAGE_TAG: ${{ steps.prep.outputs.BUILD_ID }}
+ LATEST_ID: ${{ steps.prep.outputs.LATEST_ID }}
+ run: |
+ # Build a docker container and
+ # be deployed to ECS.
+ # docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+ # echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+ # aws ecr get-login-password --region ap-southeast-2 | docker login --username AWS --password-stdin $ACCOUNT_ID
+ docker build -t $ECR_REPOSITORY:$IMAGE_TAG .
+ echo "image=$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+ - name: Run Trivy vulnerability scanner in docker mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.build-image.outputs.image }}
+ format: 'table'
+ severity: 'HIGH,CRITICAL'
+ vuln-type: 'os,library'
+ exit-code: 1
+ ignore-unfixed: true
+ continue-on-error: true
+
+ - name: Push image to Amazon ECR
+ id: push-image
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY }}
+ IMAGE_TAG: ${{ steps.prep.outputs.BUILD_ID }}
+ LATEST_ID: ${{ steps.prep.outputs.LATEST_ID }}
+ run: |
+ # Build a docker container and
+ # be deployed to ECS.
+ # docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+ # echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+ # aws ecr get-login-password --region ap-southeast-2 | docker login --username AWS --password-stdin $ACCOUNT_ID
+ docker push $ECR_REPOSITORY:$IMAGE_TAG
+ echo "image=$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+ - name: Fill in the new image ID in the Amazon ECS task definition
+ id: task-def
+ uses: aws-actions/amazon-ecs-render-task-definition@v1
+ with:
+ task-definition: ${{ env.ECS_TASK_DEFINITION }}
+ container-name: ${{ env.CONTAINER_NAME }}
+ image: ${{ steps.push-image.outputs.image }}
+ environment-variables: |
+ IMAGE=${{ steps.push-image.outputs.image }}
+ ES_HOST=${{ vars.ES_HOST }}
+ INDEXER_HOST=${{ vars.INDEXER_HOST }}
+ INDEXER_PORT=${{ vars.INDEXER_PORT }}
+ INDEXER_APIKEY=${{ vars.INDEXER_APIKEY }}
+
+ - name: Deploy Amazon ECS task definition
+ uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+ with:
+ task-definition: ${{ steps.task-def.outputs.task-definition }}
+ service: ${{ env.ECS_SERVICE }}
+ cluster: ${{ env.ECS_CLUSTER }}
+ wait-for-service-stability: true
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 91b83ad..54599c2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,4 +26,6 @@ replay_pid*
 # Ingore local generated folders
 elasticdata/
 gn4_data/
-.env
\ No newline at end of file
+.env
+
+**/target/**/*
\ No newline at end of file
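Review bot: `INDEXER_APIKEY=${{ vars.INDEXER_APIKEY }}` in the render-task-definition step sources a credential from a repository variable, which is not masked in logs or encrypted the way a secret is, and as far as the action's `environment-variables` input goes it is then rendered into the task definition's container environment in clear text; it should be `INDEXER_APIKEY=${{ secrets.INDEXER_APIKEY }}`, or better a `secrets` entry in the task definition backed by SSM/Secrets Manager. The Trivy step does not gate the deployment: `exit-code: 1` is neutralised by `continue-on-error: true`, so push-image and the ECS deploy run even when HIGH/CRITICAL findings are present, and `aquasecurity/trivy-action@master` is a mutable ref that should be pinned to a tag or commit SHA (the other actions are pinned only to floating major tags). In the Prepare step, the LATEST_ID line mixes the deprecated `::set-output` command with `>> $GITHUB_OUTPUT`, which writes a literal `::set-output name=LATEST_ID::...` string into the outputs file instead of setting an output; all three lines should use the `echo "NAME=value" >> "$GITHUB_OUTPUT"` form. Finally, the file is added as `.github/github-actions.yml`, but GitHub only runs workflows under `.github/workflows/`, so as committed this pipeline will not trigger — presumably it was meant to be `.github/workflows/github-actions.yml`.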