f44deab77b
* ci(actions): For GH patching Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * ci(actions): Pushing the changed code to a new branch Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * chore(ci): Skipping bulds for chalice and frontend arm builds Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * ci(actions): Build msaas Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * ci(actions): Removed unnecessary steps Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * ci(actions): Proper name Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * fix(ci): Sevice names Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * ci(actions): Fixes Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * actions: limit actor * chore(release): Updated version to v1.18.0 * Enable AWS ecr auth Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * fix(ci): fixes Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * ci(patch): Update tag with main Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> * chore(ci): Remove debug job Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com> --------- Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com>
146 lines
5 KiB
YAML
146 lines
5 KiB
YAML
# This action will push the sourcemapreader changes to aws
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
skip_security_checks:
|
|
description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false'
|
|
required: false
|
|
default: 'false'
|
|
push:
|
|
branches:
|
|
- dev
|
|
- api-*
|
|
paths:
|
|
- "sourcemap-reader/**"
|
|
- "!sourcemap-reader/.gitignore"
|
|
- "!sourcemap-reader/*-dev.sh"
|
|
|
|
name: Build and Deploy sourcemap-reader
|
|
|
|
jobs:
|
|
deploy:
|
|
name: Deploy
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v2
|
|
with:
|
|
# We need to diff with old commit
|
|
# to see which workers got changed.
|
|
fetch-depth: 2
|
|
|
|
- uses: ./.github/composite-actions/update-keys
|
|
with:
|
|
domain_name: ${{ secrets.OSS_DOMAIN_NAME }}
|
|
license_key: ${{ secrets.OSS_LICENSE_KEY }}
|
|
jwt_secret: ${{ secrets.OSS_JWT_SECRET }}
|
|
minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }}
|
|
minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }}
|
|
pg_password: ${{ secrets.OSS_PG_PASSWORD }}
|
|
registry_url: ${{ secrets.OSS_REGISTRY_URL }}
|
|
name: Update Keys
|
|
|
|
- name: Docker login
|
|
run: |
|
|
docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}"
|
|
|
|
- uses: azure/k8s-set-context@v1
|
|
with:
|
|
method: kubeconfig
|
|
kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret.
|
|
id: setcontext
|
|
|
|
# Caching docker images
|
|
- uses: satackey/action-docker-layer-caching@v0.0.11
|
|
# Ignore the failure of a step and avoid terminating the job.
|
|
continue-on-error: true
|
|
|
|
|
|
- name: Building and Pushing sourcemaps-reader image
|
|
id: build-image
|
|
env:
|
|
DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }}
|
|
IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}
|
|
ENVIRONMENT: staging
|
|
run: |
|
|
skip_security_checks=${{ github.event.inputs.skip_security_checks }}
|
|
cd sourcemap-reader
|
|
PUSH_IMAGE=0 bash -x ./build.sh
|
|
[[ "x$skip_security_checks" == "xtrue" ]] || {
|
|
curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./
|
|
images=("sourcemaps-reader")
|
|
for image in ${images[*]};do
|
|
./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG
|
|
done
|
|
err_code=$?
|
|
[[ $err_code -ne 0 ]] && {
|
|
exit $err_code
|
|
}
|
|
} && {
|
|
echo "Skipping Security Checks"
|
|
}
|
|
images=("sourcemaps-reader")
|
|
for image in ${images[*]};do
|
|
docker push $DOCKER_REPO/$image:$IMAGE_TAG
|
|
done
|
|
- name: Creating old image input
|
|
run: |
|
|
#
|
|
# Create yaml with existing image tags
|
|
#
|
|
kubectl get pods -n app -o jsonpath="{.items[*].spec.containers[*].image}" |\
|
|
tr -s '[[:space:]]' '\n' | sort | uniq -c | grep '/foss/' | cut -d '/' -f3 > /tmp/image_tag.txt
|
|
|
|
echo > /tmp/image_override.yaml
|
|
|
|
for line in `cat /tmp/image_tag.txt`;
|
|
do
|
|
image_array=($(echo "$line" | tr ':' '\n'))
|
|
cat <<EOF >> /tmp/image_override.yaml
|
|
${image_array[0]}:
|
|
image:
|
|
tag: ${image_array[1]}
|
|
EOF
|
|
done
|
|
|
|
- name: Deploy to kubernetes
|
|
run: |
|
|
cd scripts/helmcharts/
|
|
|
|
# Update changed image tag
|
|
sed -i "/sourcemaps-reader/{n;n;s/.*/ tag: ${IMAGE_TAG}/}" /tmp/image_override.yaml
|
|
sed -i "s/sourcemaps-reader/sourcemapreader/g" /tmp/image_override.yaml
|
|
|
|
cat /tmp/image_override.yaml
|
|
# Deploy command
|
|
mv openreplay/charts/{ingress-nginx,sourcemapreader,quickwit} /tmp
|
|
rm -rf openreplay/charts/*
|
|
mv /tmp/{ingress-nginx,sourcemapreader,quickwit} openreplay/charts/
|
|
helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -n app -f -
|
|
env:
|
|
DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }}
|
|
IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}
|
|
ENVIRONMENT: staging
|
|
|
|
- name: Alert slack
|
|
if: ${{ failure() }}
|
|
uses: rtCamp/action-slack-notify@v2
|
|
env:
|
|
SLACK_CHANNEL: foss
|
|
SLACK_TITLE: "Failed ${{ github.workflow }}"
|
|
SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
|
|
SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }}
|
|
SLACK_USERNAME: "OR Bot"
|
|
SLACK_MESSAGE: 'Build failed :bomb:'
|
|
|
|
# - name: Debug Job
|
|
# # if: ${{ failure() }}
|
|
# uses: mxschmitt/action-tmate@v3
|
|
# env:
|
|
# DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
|
|
# IMAGE_TAG: ${{ github.sha }}-ee
|
|
# ENVIRONMENT: staging
|
|
# with:
|
|
# limit-access-to-actor: true
|
|
|