Skip to content
Build & Push Production Docker Image

wmb use vault secrets #268

Sign in to view logs

wmb use vault secrets

wmb use vault secrets #268

Workflow file for this run

.github/workflows/docker-image.yml at 40961f7
name: Build & Push Production Docker Image
on:
push:
branches: [ "*" ]
pull_request:
branches: [ "*" ]
jobs:
unit-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.21.3'
- name: Install dependencies for go
run: go mod download
- name: Unit Testing
run: go test -v ./...
- name: Generate coverage report
run: go test -coverprofile=coverage.out ./...
- name: Upload coverage report
uses: actions/upload-artifact@v4
with:
name: coverage-report
path: coverage.out
- name: Retrieve wmb info from vault
id: import-secrets-wmb
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
method: token
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
kv/data/pipeline/wmb WMB_URL ;
kv/data/pipeline/wmb WMB_PASSWORD
exportEnv: true
- name: Notify IRC Success
run: |
export COMMIT_MSG=$(git log -1 --pretty=%B)
export MESSAGE="Unit tests for https://github.com/${{ github.repository }} completed successfully with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 3}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
if: success()
- name: Notify IRC Failure
run: |
export COMMIT_MSG=$(git log -1 --pretty=%B)
export MESSAGE="Unit tests for https://github.com/${{ github.repository }} failed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 4}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
if: failure()
sonar:
needs: [unit-test]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Download coverage report
uses: actions/download-artifact@v4
with:
name: coverage-report
- name: SonarCloud Scan
uses: sonarsource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
nancy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.22.3
- name: Check for Go vulnerabilities
run: |
go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth
- name: Retrieve wmb info from vault
id: import-secrets-wmb
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
method: token
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
kv/data/pipeline/wmb WMB_URL ;
kv/data/pipeline/wmb WMB_PASSWORD
exportEnv: true
- name: Notify IRC Success
run: |
export COMMIT_MSG=$(git log -1 --pretty=%B)
export MESSAGE="Vulnerability scan for https://github.com/${{ github.repository }} completed successfully with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 3}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
if: success()
- name: Notify IRC Failure
run: |
export COMMIT_MSG=$(git log -1 --pretty=%B)
export MESSAGE="Vulnerability scan for https://github.com/${{ github.repository }} failed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 4}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
if: failure()
build-and-push:
needs: [sonar, nancy, unit-test]
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Repository
uses: docker/login-action@v3
with:
registry: ${{ secrets.DOCKER_REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Docker images for private repo
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ secrets.DOCKER_REPO }}:latest
- name: Build Docker images for ghcr.io
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ghcr.io/${{ github.repository }}:latest
- name: Notify IRC on Success
run: |
export COMMIT_MSG=$(git log -1 --pretty=%B)
export MESSAGE="Build and push of ${{ secrets.DOCKER_REPO }}:latest completed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 3}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
if: success()
- name: Notify IRC on Failure
run: |
export COMMIT_MSG=$(git log -1 --pretty=%B)
export MESSAGE="Build and push of ${{ secrets.DOCKER_REPO }}:latest failed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 4}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
if: failure()
deploy:
needs: [build-and-push]
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Retrieve kubeconfig from Vault
id: import-secrets
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
method: token
token: ${{ secrets.VAULT_TOKEN }}
secrets: kv/data/pipeline/k3s kubeconfig
exportEnv: true
- name: Save kubeconfig to file
run: |
mkdir -p $HOME/.kube
echo '${{ steps.import-secrets.outputs.kubeconfig }}' > $HOME/.kube/config
echo "KUBECONFIG=$HOME/.kube/config" >> $GITHUB_ENV
- name: Restart Deployment
run: |
kubectl -n staging rollout restart deployment wmb
kubectl -n production rollout restart deployment wmb
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Retrieve wmb info from vault
id: import-secrets-wmb
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
method: token
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
kv/data/pipeline/wmb WMB_URL ;
kv/data/pipeline/wmb WMB_PASSWORD
exportEnv: true
- name: Notify IRC Success
run: |
export COMMIT_MSG=$(git log -1 --pretty=%B)
export MESSAGE="Prod deploy for https://github.com/${{ github.repository }} completed successfully with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 3}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
if: success()
- name: Notify IRC Failure
run: |
export COMMIT_MSG=$(git log -1 --pretty=%B)
export MESSAGE="Prod deploy for https://github.com/${{ github.repository }} failed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 4}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
if: failure()