Right now, we test the container at the end of the build rather than before publishing so while we decouple that work, we should not fail the build step if a security advisory was found - it's too late, the containers are released so we should instead catch the advisory and that will allow our release pipeline to continue
218 lines
8.7 KiB
YAML
218 lines
8.7 KiB
YAML
name: pulumi sdk containers build
|
|
on:
|
|
repository_dispatch:
|
|
types:
|
|
- docker-build
|
|
env:
|
|
VERSION: ${{ github.event.client_payload.ref }}
|
|
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
|
|
|
|
jobs:
|
|
pulumi:
|
|
name: pulumi image build
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
- name: Build Pulumi Image
|
|
uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/pulumi
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/pulumi/Dockerfile
|
|
additional-tags: v${{ env.VERSION }}
|
|
tag-latest: true
|
|
build-args: PULUMI_VERSION=v${{ env.VERSION }}
|
|
- name: Build Pulumi GitHub Actions Image
|
|
uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/actions
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/actions/Dockerfile
|
|
additional-tags: v${{ env.VERSION }}
|
|
tag-latest: true
|
|
build-args: PULUMI_VERSION=v${{ env.VERSION }}
|
|
- name: Configure AWS Credentials
|
|
uses: aws-actions/configure-aws-credentials@v1
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
aws-region: us-east-2
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
role-duration-seconds: 3600
|
|
role-external-id: upload-pulumi-release
|
|
role-session-name: pulumi@githubActions
|
|
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
|
|
- name: Get Public ECR Authorization token
|
|
run: |
|
|
aws --region us-east-1 ecr-public get-authorization-token \
|
|
--query 'authorizationData.authorizationToken' | \
|
|
tr -d '"' | base64 --decode | cut -d: -f2 | \
|
|
docker login -u AWS --password-stdin https://public.ecr.aws
|
|
- name: Publish pulumi/pulumi image to AWS Public ECR
|
|
run: |
|
|
docker tag pulumi/pulumi:v${{ env.VERSION }} public.ecr.aws/pulumi/pulumi:v${{ env.VERSION }}
|
|
docker tag pulumi/pulumi:latest public.ecr.aws/pulumi/pulumi:latest
|
|
docker push public.ecr.aws/pulumi/pulumi:v${{ env.VERSION }}
|
|
docker push public.ecr.aws/pulumi/pulumi:latest
|
|
base:
|
|
name: base sdk image build
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
- name: Build base image
|
|
uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/pulumi-base
|
|
buildkit: true
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/base/Dockerfile
|
|
additional-tags: ${{ env.VERSION }}
|
|
tag-latest: true
|
|
build-args: PULUMI_VERSION=${{ env.VERSION }}
|
|
- uses: meeDamian/sync-readme@v1.0.6
|
|
name: Sync readme to Docker Hub
|
|
with:
|
|
user: "pulumibot"
|
|
pass: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
slug: pulumi/pulumi-base
|
|
readme: docker/README.md
|
|
description: Pulumi CLI container - bring your own SDK
|
|
base_os:
|
|
name: os base sdk image build
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [ "ubi", "debian" ]
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
- name: Build base image
|
|
uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/pulumi-base
|
|
buildkit: true
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/base/Dockerfile.${{ matrix.os }}
|
|
additional-tags: ${{ env.VERSION }}-${{ matrix.os }}
|
|
tag-latest: false
|
|
build-args: PULUMI_VERSION=${{ env.VERSION }}
|
|
sdk:
|
|
name: language sdk image
|
|
runs-on: ubuntu-latest
|
|
needs: base
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
sdk: [ "nodejs", "python", "dotnet", "go" ]
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
- name: Build image
|
|
uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/pulumi-${{matrix.sdk}}
|
|
buildkit: true
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/${{ matrix.sdk }}/Dockerfile
|
|
additional-tags: ${{ env.VERSION }}
|
|
build-args: PULUMI_VERSION=${{ env.VERSION }}
|
|
tag-latest: true
|
|
- uses: meeDamian/sync-readme@v1.0.6
|
|
name: Sync readme to Docker Hub
|
|
with:
|
|
user: "pulumibot"
|
|
pass: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
slug: pulumi/pulumi-${{matrix.sdk}}
|
|
readme: docker/README.md
|
|
description: Pulumi CLI container for ${{ matrix.sdk }}
|
|
- name: Configure AWS Credentials
|
|
uses: aws-actions/configure-aws-credentials@v1
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
aws-region: us-east-2
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
role-duration-seconds: 3600
|
|
role-external-id: upload-pulumi-release
|
|
role-session-name: pulumi@githubActions
|
|
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
|
|
- name: Get Public ECR Authorization token
|
|
run: |
|
|
aws --region us-east-1 ecr-public get-authorization-token \
|
|
--query 'authorizationData.authorizationToken' | \
|
|
tr -d '"' | base64 --decode | cut -d: -f2 | \
|
|
docker login -u AWS --password-stdin https://public.ecr.aws
|
|
- name: Publish pulumi/pulumi-${{matrix.sdk}} image to AWS Public ECR
|
|
run: |
|
|
docker tag pulumi/pulumi-${{matrix.sdk}}:latest public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:latest
|
|
docker push public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:latest
|
|
|
|
docker tag pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }} public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}
|
|
docker push public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}
|
|
os_sdk:
|
|
name: os language sdk image
|
|
runs-on: ubuntu-latest
|
|
needs: base_os
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
sdk: [ "nodejs", "python", "dotnet", "go" ]
|
|
os: [ "ubi", "debian" ]
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
- name: Build image
|
|
uses: jaxxstorm/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/pulumi-${{matrix.sdk}}
|
|
buildkit: true
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/${{ matrix.sdk }}/Dockerfile.${{ matrix.os }}
|
|
additional-tags: ${{ env.VERSION }}-${{ matrix.os }}
|
|
build-args: PULUMI_VERSION=${{ env.VERSION }}
|
|
tag-latest: false
|
|
- name: Configure AWS Credentials
|
|
uses: aws-actions/configure-aws-credentials@v1
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
aws-region: us-east-2
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
role-duration-seconds: 3600
|
|
role-external-id: upload-pulumi-release
|
|
role-session-name: pulumi@githubActions
|
|
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
|
|
- name: Get Public ECR Authorization token
|
|
run: |
|
|
aws --region us-east-1 ecr-public get-authorization-token \
|
|
--query 'authorizationData.authorizationToken' | \
|
|
tr -d '"' | base64 --decode | cut -d: -f2 | \
|
|
docker login -u AWS --password-stdin https://public.ecr.aws
|
|
- name: Publish pulumi/pulumi-${{matrix.sdk}} image to AWS Public ECR
|
|
run: |
|
|
docker tag pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}-${{ matrix.os }} public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}-${{ matrix.os }}
|
|
docker push public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}-${{ matrix.os }}
|
|
image-scan:
|
|
name: scan container images
|
|
runs-on: ubuntu-latest
|
|
needs: os_sdk
|
|
continue-on-error: true
|
|
strategy:
|
|
matrix:
|
|
image: [ "base", "nodejs", "python", "go" ]
|
|
os: [ "ubi" ]
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
- name: Run Snyk to check Docker images for vulnerabilities
|
|
uses: snyk/actions/docker@master
|
|
env:
|
|
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
|
with:
|
|
image: pulumi/pulumi-${{matrix.image}}:${{ env.VERSION }}-${{ matrix.os }}
|
|
args: --severity-threshold=high --file=docker/${{matrix.image}}/Dockerfile.${{ matrix.os }}
|