forked from mergeability/mergeable
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
205 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,205 @@ | ||
| name: mergeable CI workflow | ||
|
|
||
| on: | ||
| # we want pull requests so we can build(test) but not push to image registry | ||
| push: | ||
| branches: | ||
| - 'eti-changes' | ||
| # only build when important files change | ||
| paths: | ||
| - 'helm/**' | ||
| - 'Dockerfile' | ||
| # pull_request: # takes too long - lets enable when this is mature | ||
| # branches: | ||
| # - 'main' | ||
| # paths: | ||
| # - 'app/**' | ||
| # - 'deploy/**' | ||
| # - 'Dockerfile' | ||
| workflow_dispatch: | ||
|
|
||
| # Grant read access for GITHUB_TOKEN on all jobs | ||
| permissions: | ||
| id-token: write # This is required for requesting the JWT | ||
| contents: read # This is required for actions/checkout | ||
| packages: write # needed to push docker image to gar or ecr | ||
|
|
||
| jobs: | ||
| ################################## Code Checkout ############################## | ||
| ############################################################################### | ||
| checkout-unit-tests: | ||
| name: checkout & unit test | ||
| runs-on: | ||
| group: ${{ vars.DEFAULT_EC2_RUNNER_GROUP }} | ||
| container: | ||
| image: ${{ vars.SRE_BUILD_IMAGE }} | ||
| options: --user root | ||
| credentials: | ||
| username: ${{ secrets.GHCR_USERNAME }} | ||
| password: ${{ secrets.GHCR_TOKEN }} | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| # The branch, tag or SHA to checkout, otherwise, uses the default branch. | ||
| ref: ${{ github.ref }} | ||
| # Relative path under $GITHUB_WORKSPACE to place the repository | ||
| path: '' | ||
| # Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching | ||
| # Default: true | ||
| clean: true | ||
| # Whether to download Git-LFS files | ||
| # Default: false | ||
| lfs: '' | ||
| # Whether to checkout submodules: `true` to checkout submodules or `recursive` to | ||
| # recursively checkout submodules. | ||
| # Default: false | ||
| submodules: '' | ||
|
|
||
| #################### Docker build & push ###################### | ||
| ############################################################################### | ||
| call-docker-build-push: | ||
| name: Call Docker Build Panoptica Scan & Push | ||
| needs: [ checkout-unit-tests ] | ||
| uses: cisco-eti/gh-reusable-workflows/.github/workflows/build-push-docker.yaml@production | ||
| secrets: | ||
| # Only needed if with:ecr-enabled or with:gar-enabled is true below | ||
| vault-approle-role-id: ${{ secrets.VAULT_APPROLE_ROLE_ID }} | ||
| vault-approle-secret-id: ${{ secrets.VAULT_APPROLE_SECRET_ID }} | ||
| # These two secrets are ONLY needed when you are trying to access GAR/GCR in a venture specific project (e.g. 'k8sec-dev' for example). | ||
| # The values should be consistent with the vault namespace (set by 'VAULT_VENTURE_NAMESPACE' var) | ||
| # vault-venture-approle-role-id: ${{secrets.VAULT_SECURECN_APPROLE_ROLE_ID}} | ||
| # vault-venture-approle-secret-id: ${{secrets.VAULT_SECURECN_APPROLE_SECRET_ID}} | ||
| ####### | ||
| ghcr-username: ${{ secrets.GHCR_USERNAME }} | ||
| ghcr-token: ${{ secrets.GHCR_TOKEN }} | ||
| ghcr-org-token: ${{ secrets.GHCR_TOKEN }} | ||
|
|
||
| with: | ||
| ### REQUIRED | ||
| ### Docker image name | ||
| image-name: "eti-sre/${{ github.event.repository.name }}" | ||
|
|
||
| ### path to where docker should copy files into image | ||
| ### defaults to root of repository (.) | ||
| # context: . | ||
|
|
||
| ### Dockerfile alternate name. Default is Dockerfile (relative to context path) | ||
| dockerfile: Dockerfile | ||
| ### REQUIRED | ||
| ### ENABLE ONE OR BOTH REGISTRIES | ||
| ### tell docker where to push. | ||
| ecr-enabled: true | ||
| ghcr-enabled: true | ||
| ghcr-org-registry: ${{ vars.GHCR_REGISTRY }} | ||
| runner-group: ${{ vars.DEFAULT_EC2_RUNNER_GROUP }} | ||
|
|
||
| ################################# Corona & blackduck ########################### | ||
| ################################################################################ | ||
| # call-corona-blackduck-scan: | ||
| # name: Call Corona & Blackduck scan | ||
| # if: github.ref == 'refs/heads/main' | ||
| # needs: [ call-docker-build-push ] | ||
| # uses: cisco-eti/gh-reusable-workflows/.github/workflows/corona-blackduck-scan.yaml@production | ||
|
|
||
| # secrets: | ||
| # vault-approle-role-id: ${{ secrets.VAULT_APPROLE_ROLE_ID }} | ||
| # vault-approle-secret-id: ${{ secrets.VAULT_APPROLE_SECRET_ID }} | ||
| # # GHCR Login for docker build runner | ||
| # ghcr-username: ${{ secrets.GHCR_USERNAME }} | ||
| # ghcr-token: ${{ secrets.GHCR_TOKEN }} | ||
| # # GHCR Login for docker scan | ||
| # ghcr-org-username: ${{ secrets.GHCR_USERNAME }} | ||
| # ghcr-org-token: ${{ secrets.GHCR_TOKEN }} | ||
|
|
||
| # with: | ||
| # runner: ${{ vars.DEFAULT_EC2_RUNNER_GROUP }} | ||
| # runner-docker-image: ${{ vars.SRE_BUILD_IMAGE }} | ||
| # enable-corona: true | ||
| # enable-blackduck: true | ||
| # corona-product-name: ${{ vars.CORONA_PRODUCT_NAME }} | ||
| # corona-product-id: ${{ vars.CORONA_PRODUCT_ID }} | ||
| # corona-release-id: ${{ vars.CORONA_RELEASE_ID }} | ||
| # corona-csdl-id: ${{ vars.CORONA_CSDL_ID }} | ||
| # corona-security-contact: ${{ vars.CORONA_SECURITY_CONTACT }} | ||
| # corona-engineering-contact: ${{ vars.CORONA_ENGINEERING_CONTACT }} | ||
| # corona-image-admins: ${{ vars.CORONA_IMAGE_ADMINS }} | ||
| # ghcr-org-registry: ${{ vars.GHCR_REGISTRY }} | ||
| # # optional | ||
| # image-name: "eti-sre/${{ github.event.repository.name }}" | ||
| # #image-tag: "" | ||
|
|
||
| ################################## SonarQube Scan ############################## | ||
| ################################################################################# | ||
| #call-sonar-scan: | ||
| # name: Call SonarQube scan | ||
| # needs: [ call-corona-blackduck-scan ] | ||
| # uses: cisco-eti/gh-reusable-workflows/.github/workflows/sonar-scan.yaml@sonar-scan-ext | ||
| # with: | ||
| # sonar-properties-file: "./build/sonar-project.properties" | ||
| # secrets: | ||
| # vault-approle-role-id: ${{ secrets.VAULT_APPROLE_ROLE_ID }} | ||
| # vault-approle-secret-id: ${{ secrets.VAULT_APPROLE_SECRET_ID }} | ||
| # ghcr-username: ${{ secrets.GHCR_USERNAME }} | ||
| # ghcr-token: ${{ secrets.GHCR_TOKEN }} | ||
|
|
||
| ################################## Helm Publish ################################# | ||
| ################################################################################# | ||
| call-helm-publish-mergeable: | ||
| name: Helm publish Mergeable | ||
| uses: cisco-eti/gh-reusable-workflows/.github/workflows/helm-publish.yaml@production | ||
| with: | ||
| enable-private-ecr: false | ||
| enable-public-ecr: false | ||
| enable-chartmuseum: true | ||
| chart-path: "helm/mergeable" | ||
| runner-group: ${{ vars.DEFAULT_EC2_RUNNER_GROUP }} | ||
| secrets: | ||
| # GHCR Login for docker build runner | ||
| ghcr-username: ${{ secrets.GHCR_USERNAME }} | ||
| ghcr-token: ${{ secrets.GHCR_TOKEN }} | ||
| vault-approle-role-id: ${{ secrets.VAULT_APPROLE_ROLE_ID }} | ||
| vault-approle-secret-id: ${{ secrets.VAULT_APPROLE_SECRET_ID }} | ||
|
|
||
| ################################## Trigger Deployment ########################### | ||
| ################################################################################# | ||
| # call-trigger-cd: | ||
| # name: Trigger CD | ||
| # needs: [ call-helm-publish ] | ||
| # uses: cisco-eti/gh-reusable-workflows/.github/workflows/trigger-deploy.yaml@production | ||
| # with: | ||
| # deployment-repo: "${{ github.repository }}-deployment" | ||
| # # Always we update "a" and "b" deployment values file, value is optional arg | ||
| # client-payload: '{"app-repo": "${{ github.repository }}", "values-file-path": "${{ github.event.repository.name }}", "property-path": "${{ github.event.repository.name }}.tagversion", "value": ""}' | ||
|
|
||
| # secrets: | ||
| # # GHCR Login for docker build runner | ||
| # ghcr-username: ${{ secrets.GHCR_USERNAME }} | ||
| # ghcr-token: ${{ secrets.GHCR_TOKEN }} | ||
| # # GHCR Login for docker scan | ||
| # ghcr-org-username: ${{ secrets.GHCR_USERNAME }} | ||
| # ghcr-org-token: ${{ secrets.GHCR_TOKEN }} | ||
| # vault-approle-role-id: ${{ secrets.VAULT_APPROLE_ROLE_ID }} | ||
| # vault-approle-secret-id: ${{ secrets.VAULT_APPROLE_SECRET_ID }} | ||
|
|
||
| ################################## Send Status for PR Checks ########################### | ||
| ######################################################################################## | ||
| # This Job is REQUIRED, it is what allows for the WHOLE workflow to show up in the PR status checks as a requirement for branch rules | ||
| reusable-workflow-ci-status: | ||
| name: Reusable Workflow CI Status | ||
| # This should be an array of ALL active jobs that are used/run | ||
| needs: [ checkout-unit-tests,call-docker-build-push, call-helm-publish-mergeable ] | ||
| if: always() | ||
| runs-on: | ||
| group: ${{ vars.DEFAULT_EC2_RUNNER_GROUP }} | ||
| steps: | ||
| - name: report failure | ||
| if: ${{ cancelled() || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'failure') }} | ||
| run: | | ||
| echo -e "\033[31m*** WORKFLOW FAILED ***\033[0m" | ||
| exit 1 | ||
| - name: report success | ||
| run: | | ||
| echo -e "\033[1;36m*** WORKFLOW SUCCESS ***\033[0m" | ||
| exit 0 |