1. Create app #193

Workflow file for this run

.github/workflows/build-app.yml at 5abea20

	name: "1. Create app"

	on:
	push:
	branches: [dev,feature/*]
	tags:
	- '**'
	paths:
	- "go/src/app/**.go"
	- Dockerfile
	- ".github/workflows/*"
	workflow_dispatch:
	schedule:
	- cron: '42 0 * * 6' # Refresh image every Sunday at 00:42

	env:
	GO_VERSION: 1.22
	REGISTRY: ghcr.io
	IMAGE_NAME: ${{ github.repository }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	GITHUB_SHA: ${{ github.sha }}

	permissions:
	contents: read

	jobs:
	build-app:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit

	- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

	- name: Log in to the Container registry
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	# Will create and boot a builder that can be used in the build-push action.
	- name: Set up QEMU
	uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
	tags: \|
	type=ref,event=branch
	type=ref,event=pr
	type=ref,event=tag
	type=sha,format=long

	# Run the build and outputs a test coverage file
	- name: Build and push Docker image
	uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
	with:
	file: Dockerfile
	push: false
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	target: test-coverage
	outputs: \|
	type=local,dest=.

	- uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1
	with:
	token: ${{ secrets.CODECOV_TOKEN }}
	files: ./coverage.out
	fail_ci_if_error: true # optional (default = false)
	verbose: true # optional (default = false)

	# Any file mutation in the steps that precede the build step will be ignored,
	# since the context is based on the Git reference. Use the Path context to remove this restriction.
	# https://github.com/marketplace/actions/build-and-push-docker-images#git-context
	- name: Build and push Docker image
	uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
	with:
	file: Dockerfile
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}

	image-scan:
	runs-on: ubuntu-latest
	needs: ['build-app']
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit

	- name: Checkout repository
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

	# Security scanner
	# https://github.com/aquasecurity/trivy-action
	- name: Run container image vulnerability scanner
	uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9 # master
	with:
	# image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}'
	format: 'table'
	ignore-unfixed: true
	vuln-type: 'os'
	severity: 'CRITICAL,HIGH'
	timeout: 5m
	output: 'trivy-results.sarif'

	# Pages https://github.com/tuxerrante/kapparmor/settings/pages
	# https://helm.sh/docs/topics/chart_repository/#github-pages-example
	# https://helm.sh/docs/howto/chart_releaser_action/
	release-chart:
	needs: ['build-app']
	if: github.event_name == 'pull_request' \|\| startsWith(github.event.ref, 'refs/tags/v')
	permissions:
	contents: write
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit

	- name: Checkout
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	fetch-depth: 0

	- name: Configure Git
	run: \|
	git config user.name "$GITHUB_ACTOR"
	git config user.email "[email protected]"

	- name: Install Helm
	uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5

	- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
	with:
	python-version: '3.9'
	check-latest: true

	- name: Set up chart-testing
	uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # v2.3.1

	- name: Run chart-testing (list-changed)
	id: list-changed
	run: \|
	changed=$(ct list-changed --config ct.yaml --target-branch ${{ github.event.repository.default_branch }})
	if [[ -n "$changed" ]]; then
	echo "::set-output name=changed::true"
	fi

	- name: Run chart-testing (lint)
	run: ct lint --config ct.yaml --target-branch ${{ github.event.repository.default_branch }}

	- name: Create kind cluster
	uses: helm/kind-action@9e8295d178de23cbfbd8fa16cf844eec1d773a07 # v1.4.0
	if: steps.list-changed.outputs.changed == 'true'

	- name: Run chart-testing (install)
	run: ct install --config ct.yaml --print-config --target-branch ${{ github.event.repository.default_branch }} --debug

	- name: Replace GITHUB_SHA in values.yaml file
	run: \|
	sed -i "s/GITHUB_SHA/$GITHUB_SHA/" charts/kapparmor/values.yaml
	cat charts/kapparmor/values.yaml

	- name: Run chart-releaser
	uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
	env:
	CR_TOKEN: "${{ env.GITHUB_TOKEN }}"
	with:
	config: cr.yaml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

1. Create app #193

Workflow file

1. Create app #193

Jobs

Run details

Workflow file for this run