Merge pull request #65 from cfindlayisme/renovate/golang-1.x #315
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & Push Production Docker Image | |
| on: | |
| push: | |
| branches: [ "*" ] | |
| pull_request: | |
| branches: [ "*" ] | |
| jobs: | |
| unit-test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.21.3' | |
| - name: Retrieve wmb info from vault | |
| id: import-secrets-wmb | |
| uses: hashicorp/[email protected] | |
| with: | |
| url: ${{ secrets.VAULT_ADDR }} | |
| method: approle | |
| roleId: ${{ secrets.VAULT_ROLE_ID }} | |
| secretId: ${{ secrets.VAULT_SECRET_ID }} | |
| secrets: | | |
| kv/data/pipeline/wmb WMB_URL ; | |
| kv/data/pipeline/wmb WMB_PASSWORD | |
| exportEnv: true | |
| - name: Install dependencies for go | |
| run: go mod download | |
| - name: Unit Testing | |
| run: go test -v ./... | |
| - name: Generate coverage report | |
| run: go test -coverprofile=coverage.out ./... | |
| - name: Upload coverage report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage-report | |
| path: coverage.out | |
| - name: Notify IRC Success | |
| run: | | |
| export COMMIT_MSG=$(git log -1 --pretty=%B) | |
| export MESSAGE="Unit tests for https://github.com/${{ github.repository }} completed successfully with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 3}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }} | |
| if: success() | |
| - name: Notify IRC Failure | |
| run: | | |
| export COMMIT_MSG=$(git log -1 --pretty=%B) | |
| export MESSAGE="Unit tests for https://github.com/${{ github.repository }} failed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 4}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }} | |
| if: failure() | |
| sonar: | |
| needs: [unit-test] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download coverage report | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: coverage-report | |
| - name: SonarCloud Scan | |
| uses: sonarsource/sonarcloud-github-action@master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| nancy: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: 1.22.3 | |
| - name: Retrieve wmb info from vault | |
| id: import-secrets-wmb | |
| uses: hashicorp/[email protected] | |
| with: | |
| url: ${{ secrets.VAULT_ADDR }} | |
| method: approle | |
| roleId: ${{ secrets.VAULT_ROLE_ID }} | |
| secretId: ${{ secrets.VAULT_SECRET_ID }} | |
| secrets: | | |
| kv/data/pipeline/wmb WMB_URL ; | |
| kv/data/pipeline/wmb WMB_PASSWORD | |
| exportEnv: true | |
| - name: Check for Go vulnerabilities | |
| run: | | |
| go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth | |
| - name: Notify IRC Success | |
| run: | | |
| export COMMIT_MSG=$(git log -1 --pretty=%B) | |
| export MESSAGE="Vulnerability scan for https://github.com/${{ github.repository }} completed successfully with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 3}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }} | |
| if: success() | |
| - name: Notify IRC Failure | |
| run: | | |
| export COMMIT_MSG=$(git log -1 --pretty=%B) | |
| export MESSAGE="Vulnerability scan for https://github.com/${{ github.repository }} failed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 4}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }} | |
| if: failure() | |
| build-and-push: | |
| needs: [sonar, nancy, unit-test] | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' || github.ref != 'refs/heads/main' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Retrieve wmb info from vault | |
| id: import-secrets-wmb | |
| uses: hashicorp/[email protected] | |
| with: | |
| url: ${{ secrets.VAULT_ADDR }} | |
| method: approle | |
| roleId: ${{ secrets.VAULT_ROLE_ID }} | |
| secretId: ${{ secrets.VAULT_SECRET_ID }} | |
| secrets: | | |
| kv/data/pipeline/wmb WMB_URL ; | |
| kv/data/pipeline/wmb WMB_PASSWORD | |
| exportEnv: true | |
| - name: Build and push :staging tag | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ghcr.io/${{ github.repository }}:staging | |
| - name: Build and push :latest tag | |
| if: github.ref == 'refs/heads/main' | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ghcr.io/${{ github.repository }}:latest | |
| - name: Notify IRC on Success | |
| run: | | |
| export COMMIT_MSG=$(git log -1 --pretty=%B) | |
| export MESSAGE="Build and push of ghcr.io/${{ github.repository }}:staging completed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 3}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }} | |
| if: success() | |
| - name: Notify IRC on Failure | |
| run: | | |
| export COMMIT_MSG=$(git log -1 --pretty=%B) | |
| export MESSAGE="Build and push of ghcr.io/${{ github.repository }}:staging failed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 4}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }} | |
| if: failure() | |
| deploy: | |
| needs: [build-and-push] | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' || github.ref != 'refs/heads/main' | |
| steps: | |
| - name: Retrieve wmb info from vault | |
| id: import-secrets-wmb | |
| uses: hashicorp/[email protected] | |
| with: | |
| url: ${{ secrets.VAULT_ADDR }} | |
| method: approle | |
| roleId: ${{ secrets.VAULT_ROLE_ID }} | |
| secretId: ${{ secrets.VAULT_SECRET_ID }} | |
| secrets: | | |
| kv/data/pipeline/wmb WMB_URL ; | |
| kv/data/pipeline/wmb WMB_PASSWORD | |
| exportEnv: true | |
| - name: Retrieve kubeconfig from Vault | |
| id: import-secrets | |
| uses: hashicorp/[email protected] | |
| with: | |
| url: ${{ secrets.VAULT_ADDR }} | |
| method: approle | |
| roleId: ${{ secrets.VAULT_ROLE_ID }} | |
| secretId: ${{ secrets.VAULT_SECRET_ID }} | |
| secrets: kv/data/pipeline/k3s kubeconfig | |
| exportEnv: true | |
| - name: Save kubeconfig to file | |
| run: | | |
| mkdir -p $HOME/.kube | |
| echo '${{ steps.import-secrets.outputs.kubeconfig }}' > $HOME/.kube/config | |
| echo "KUBECONFIG=$HOME/.kube/config" >> $GITHUB_ENV | |
| - name: Restart Staging Deployment | |
| run: | | |
| kubectl -n staging rollout restart deployment wmb | |
| # Restart Deployment for Production (Only triggered if push to `main`) | |
| - name: Restart Production Deployment | |
| run: | | |
| kubectl -n production rollout restart deployment wmb | |
| if: github.ref == 'refs/heads/main' | |
| - name: Notify IRC Success | |
| run: | | |
| export COMMIT_MSG=$(git log -1 --pretty=%B) | |
| export MESSAGE="Deployment for https://github.com/${{ github.repository }} completed successfully with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 3}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }} | |
| if: success() | |
| - name: Notify IRC Failure | |
| run: | | |
| export COMMIT_MSG=$(git log -1 --pretty=%B) | |
| export MESSAGE="Deployment for https://github.com/${{ github.repository }} failed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 4}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }} | |
| if: failure() |