Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Separate ecr image build to use arm64 runner for arm64 builds #2620

Merged
merged 1 commit into from
Jun 24, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
205 changes: 205 additions & 0 deletions .github/workflows/ecr-image-build-w-arm-runner.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,205 @@
---
name: AWS ECR Build Image with ARM Runner

on:
release:
types:
- "released"
push:
- "main"
- "*-rc"
tags:
- "v*"

jobs:
build:
strategy:
fail-fast: false
matrix:
platforms:
- [linux/amd64, ubuntu-latest]
- [linux/arm64, ubuntu-arm64-runner]
runs-on: ${{ matrix.platforms[1] }}
steps:
- name: Prepare
run: |
platform=${{ matrix.platforms[0] }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

- name: Checkout
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-central-1

- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata
tags: |
type=ref,event=branch
type=ref,event=tag

- name: Setup SSH Agent and add Github to known hosts
env:
SSH_AUTH_SOCK: /tmp/ssh-agent.sock
run: |
ssh-agent -a $SSH_AUTH_SOCK >> /dev/null
ssh-add - <<< "${{ secrets.SSH_PRIVATE_KEY }}"
mkdir -p ~/.ssh
ssh-keyscan github.com > ~/.ssh/known_hosts

- name: Get the version
id: get-version
if: github.event_name != 'push'
run: echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV

- name: Get the branch name
id: get-branch-name
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
run: echo "version=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV

- name: (Ubuntu) Build and push
id: docker-build-ubuntu
uses: docker/build-push-action@v5
with:
context: .
file: ./docker/onadata-uwsgi/Dockerfile.ubuntu
platforms: ${{ matrix.platforms[0] }}
cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ env.version || github.ref_name }}
cache-to: type=inline
ssh: |
default=/tmp/ssh-agent.sock
build-args: |
optional_packages=PyYAML django-redis ${{ secrets.ECR_OPTIONAL_PACKAGES }}
push: true
labels: ${{ steps.meta.outputs.labels }}
provenance: false
outputs: type=image,name=${{ steps.login-ecr.outputs.registry }}/onaio/onadata,push-by-digest=true,name-canonical=true,push=true
-
name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.docker-build-ubuntu.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
-
name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1

merge:
runs-on: ubuntu-latest
needs:
- build
steps:
- name: Download digests
uses: actions/download-artifact@v4
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-central-1

- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata
tags: |
type=ref,event=branch
type=ref,event=tag

- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ steps.login-ecr.outputs.registry }}/onaio/onadata@sha256:%s ' *)

- name: Inspect image
run: |
docker buildx imagetools inspect ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }}
format: 'sarif'
output: 'trivy-results.sarif'

- name: Upload Trivy scan result to Github security lab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
continue-on-error: true

- name: Run Trivy vulnerability scanner for Slack
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }}
format: json
output: 'trivy-results.json'

- name: Create summary of trivy issues
run: |
summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
if [ -z $summary ]
then
summary="0 Issues"
fi
echo "SUMMARY=$summary" >> $GITHUB_ENV

- name: Send Slack Notification
uses: slackapi/[email protected]
with:
payload: |
{
"text": "Trivy scan results for ${{ steps.meta.outputs.version }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "[Ona Data] Trivy scan results: ${{ env.SUMMARY }}"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "View scan results: https://github.com/${{ github.repository }}/security/code-scanning?query=branch:${{ env.version || github.ref_name }}+is:open++"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
Loading