diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..1f55d5d4 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,107 @@ +name: Build Image +permissions: + contents: write + id-token: write +on: + workflow_dispatch: + inputs: + environment: + description: 'Which account the ECR repository is in' + type: environment + fail_on_trivy_scan: + type: boolean + description: fail the build if vulnerabilities are found + required: true + default: true +jobs: + build: + name: Build Image + runs-on: ubuntu-latest + environment: ${{ inputs.environment }} + env: + ECR_REPOSITORY: ccdi-ins-backend + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }} + AWS_REGION: ${{ secrets.AWS_REGION }} + + steps: + + - name: Check out code + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + submodules: true + + - name: Set Image Tag + env: + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} + run: | + # Get all tags for the repo and find the latest tag for the branch being built + git fetch --tags --force --quiet + tag=$(git tag -l $BRANCH_NAME* | tail -1) + if [ ! -z "$tag" ]; + then + # Increment the build number if a tag is found + build_num=$(echo "${tag##*.}") + build_num=$((build_num+1)) + echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV + else + # If no tag is found create a new tag name + build_num=1 + echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV + fi + - name: Build + id: build-image + run: | + docker build -t $ECR_REPOSITORY:$IMAGE_TAG . + + - name: Set Trivy exit code + run: | + if [[ ${{ inputs.fail_on_trivy_scan }} == true ]]; + then + echo 'TRIVY_EXIT_CODE=1' >> $GITHUB_ENV + else + echo 'TRIVY_EXIT_CODE=0' >> $GITHUB_ENV + fi + + - name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 + with: + image-ref: '${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}' + format: 'table' + exit-code: '${{ env.TRIVY_EXIT_CODE }}' + ignore-unfixed: true + severity: 'CRITICAL,HIGH' + + - name: AWS OIDC Authentication + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 + with: + role-to-assume: ${{ env.AWS_ROLE_TO_ASSUME }} + aws-region: ${{ env.AWS_REGION }} + role-session-name: ${{ github.actor }} + + - name: Create Git tag for Image + run: | + git config user.name "GitHub Actions" + git config user.email "github-actions@users.noreply.github.com" + git tag ${{ env.IMAGE_TAG }} + git push origin ${{ env.IMAGE_TAG }} + + - name: Login to Amazon ECR + id: login-aws-ecr + uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 + + - name: Push to Amazon ECR + id: push-image + env: + ECR_REGISTRY: ${{ steps.login-aws-ecr.outputs.registry }} + run: | + docker tag $ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + + - name: Slack Notification + uses: act10ns/slack@87c73aef9f8838eb6feae81589a6b1487a4a9e08 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + if: always() diff --git a/Dockerfile b/Dockerfile index 4cc244f8..a4af99eb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,7 @@ COPY . . RUN mvn package -DskipTests # Production stage -FROM tomcat:11.0.6-jdk17 AS fnl_base_image +FROM tomcat:11.0.10-jdk17 AS fnl_base_image RUN apt-get update && apt-get -y upgrade