container-staging_app_8081d02_env_4f4cc38 Pipeline (Skyu Generated)

pipeline_5277a435-52ab-433c-b848-6616769f8c31 #14

Workflow file for this run

.github/workflows/container-staging_app_8081d02_env_4f4cc38.yaml at 7a25205

	name: container-staging_app_8081d02_env_4f4cc38 Pipeline (Skyu Generated)
	'on':
	push:
	branches:
	- staging
	- release/*
	paths-ignore:
	- .github/workflows/**
	workflow_dispatch: {}
	repository_dispatch:
	types: pipeline_5277a435-52ab-433c-b848-6616769f8c31
	env:
	ENCODED_PIPELINE_SECRET: ${{secrets.COFFEECATALOGUESVC_CONTAINERSTAGING_APP_8081D02_ENV_4F4CC38}}
	COMMIT_ID: ${{github.event.client_payload.commitId \|\| github.sha \|\| github.run_id}}
	DEPLOY_STEP_SHOULD_DEPLOY: 'true'
	jobs:
	code-scan:
	name: Code Scan
	permissions: write-all
	runs-on: ubuntu-latest
	steps:
	- name: 'Run :: Decoding Secrets'
	run: \|2-

	if [ ! -x "$(command -v jq)" ]; then
	echo "jq not found, installing..."
	sudo apt-get update
	sudo apt-get install -y jq
	fi
	echo "${{ env.ENCODED_PIPELINE_SECRET }}" \| base64 --decode \| jq -r 'to_entries[] \| "\(.key)=\(.value)"' \| while read line; do echo "$line" >> $GITHUB_ENV; echo "::add-mask::${line#*=}"; done

	- name: 'Run :: Checkout repository for Code Scan'
	uses: actions/checkout@v4
	- run: \|2-

	if [ ! -x "$(command -v jq)" ]; then
	echo "jq not found, installing..."
	sudo apt-get update
	sudo apt-get install -y jq
	fi
	echo "${{ env.ENCODED_PIPELINE_SECRET }}" \| base64 --decode \| jq -r 'to_entries[] \| "\(.key)=\(.value)"' \| while read line; do echo "$line" >> $GITHUB_ENV; echo "::add-mask::${line#*=}"; done

	name: 'Run :: Decoding Secrets e39226'
	- run: >-
	docker run -i -v "${PWD}:/src" semgrep/semgrep semgrep /src --json
	--quiet > semgrep_results.json
	name: 'Run :: Install Semgrep, Scan and Print'
	- run: \|2-

	SARIF_FILE="semgrep_results.json"
	if [ -n "$SARIF_FILE" ]; then
	cat "$SARIF_FILE" > ${{ env.COMMIT_ID }}-code-scan-report.sarif
	echo "Uploading CodeQL Results to S3 :: ${{ env.COMMIT_ID }}-code-scan-report.sarif"

	response=$(curl -X POST -F 'file=@${{ env.COMMIT_ID }}-code-scan-report.sarif' -F 'provider=aws' -F 'resourceType=code-scan-report' -F 'cloudStoragePath=/${{ env.PIPELINE_APPLICATION_ID }}/code-scan-reports/' -H 'Authorization: ${{ env.SERVICE_ACC_ACCESS_TOKEN }}' -H 'x-auth-by: sa' -H 'x-organization-id: ${{ env.PIPELINE_ORGANIZATION_ID }}' -H 'x-project-id: ${{ env.PIPELINE_PROJECT_ID }}' -H 'x-trace-id: ${{ env.PIPELINE_TRACE_ID }}' -H 'x-resource-id: ${{ env.PIPELINE_APPLICATION_ID }}' -H 'Content-Type: multipart/form-data' '${{ env.S3_UPLOAD_ENDPOINT }}')

	if echo "$response" \| grep -q '"success":true'; then
	echo "SUCCESS :: $response"
	else
	echo "FAILED :: $response"
	fi

	else
	echo "SARIF file not found."
	fi
	name: 'Run :: Upload Code Scan Report'
	_status-pending:
	name: _status Pending
	permissions: write-all
	env:
	CONTEXT_JSON: ${{ toJson(github) }}
	runs-on: ubuntu-latest
	steps:
	- name: 'Run :: Decoding Secrets'
	run: \|2-

	if [ ! -x "$(command -v jq)" ]; then
	echo "jq not found, installing..."
	sudo apt-get update
	sudo apt-get install -y jq
	fi
	echo "${{ env.ENCODED_PIPELINE_SECRET }}" \| base64 --decode \| jq -r 'to_entries[] \| "\(.key)=\(.value)"' \| while read line; do echo "$line" >> $GITHUB_ENV; echo "::add-mask::${line#*=}"; done

	- name: Pipeline Started
	run: \|2-

	context=$(echo "$CONTEXT_JSON" \| jq -c . \| base64)
	response=$(curl -X PUT -d "runId=${{ github.run_id }}&context=$context" -H 'Authorization: ${{ env.SERVICE_ACC_ACCESS_TOKEN }}' -H 'x-organization-id: ${{ env.PIPELINE_ORGANIZATION_ID }}' -H 'x-project-id: ${{ env.PIPELINE_PROJECT_ID }}' -H 'x-environment-id: ${{ env.PIPELINE_ENVIRONMENT_ID }}' -H 'x-trace-id: ${{ env.PIPELINE_TRACE_ID }}' -H 'x-auth-by: sa' -H 'Content-Type: application/x-www-form-urlencoded' "${{ env.PIPELINE_SERVICE_EP }}/${{ env.PIPELINE_ID }}/PENDING?releaseId=${{ github.event.client_payload.releaseData.releaseId }}")
	if echo "$response" \| grep -q '"success":true'; then
	echo "SUCCESS :: $response"
	else
	echo "FAILED :: $response"
	fi

	_release-info:
	name: _release Info
	permissions: write-all
	runs-on: ubuntu-latest
	if: ${{ github.event.client_payload.releaseData }}
	steps:
	- name: 'Run :: Decoding Secrets'
	run: \|2-

	if [ ! -x "$(command -v jq)" ]; then
	echo "jq not found, installing..."
	sudo apt-get update
	sudo apt-get install -y jq
	fi
	echo "${{ env.ENCODED_PIPELINE_SECRET }}" \| base64 --decode \| jq -r 'to_entries[] \| "\(.key)=\(.value)"' \| while read line; do echo "$line" >> $GITHUB_ENV; echo "::add-mask::${line#*=}"; done

	- name: Pipeline Release
	run: \|2-

	echo "Pipeline Release Information"
	echo "////////////////////////////"
	echo "releaseId : ${{ github.event.client_payload.releaseData.releaseId }}"
	echo "pipelineId : ${{ github.event.client_payload.releaseData.pipelineId }}"
	echo "pipelineRunId : ${{ github.run_id }}"
	echo "applicationId : ${{ github.event.client_payload.releaseData.appId }}"
	echo "versionId : ${{ env.DEPLOYMENT_APP_VERSION_ID }}"
	echo "credentialId : ${{ env.PIPELINE_CREDENTIAL_ID }}"
	echo "userName : ${{ github.repository_owner }}"
	echo "repositoryName : ${{ github.repository }}"
	echo "commitId : ${{ env.COMMIT_ID }}"
	echo "commitHash : ${{ env.COMMIT_ID }}"
	echo "commitAvatar : https://github.com/${{ github.event.head_commit.author.name }}.png"
	echo "commitTime : ${{ github.event.head_commit.timestamp }}"
	echo "commitMessage : ${{ github.event.client_payload.commitMessage }}"
	echo "commitUser : ${{ github.event.head_commit.author.name }}"
	echo "shouldDeploy : ${{ env.DEPLOY_STEP_SHOULD_DEPLOY }}"
	echo "containerName : ${{ env.DEPLOYMENT_CONTAINER_NAME }}"
	echo "imageRegistryURL : ${{ env.IMAGE_NAME }}",
	# Storing Release Information for Deployment
	response=$(curl -X POST -d "releaseId=${{ github.event.client_payload.releaseData.releaseId }}&pipelineId=${{ github.event.client_payload.releaseData.pipelineId }}&pipelineRunId=${{ github.run_id }}&versionId=${{ env.DEPLOYMENT_APP_VERSION_ID }}&applicationId=${{ github.event.client_payload.releaseData.appId }}&credentialId=${{ env.PIPELINE_CREDENTIAL_ID }}&userName=${{ github.repository_owner }}&repositoryName=${{ github.repository }}&commitId=${{ env.COMMIT_ID }}&commitData[commitHash]=${{ env.COMMIT_ID }}&commitData[commitAvatar]=https://github.com/${{ github.event.head_commit.author.name }}.png&commitData[commitTime]=${{ github.event.head_commit.timestamp }}&commitData[commitMessage]=${{ github.event.client_payload.commitMessage }}&commitData[commitUser]=${{ github.event.head_commit.author.name }}&shouldDeploy=${{ env.DEPLOY_STEP_SHOULD_DEPLOY }}&containerName=${{ env.DEPLOYMENT_CONTAINER_NAME }}&imageRegistryURL=${{ env.IMAGE_NAME }}" -H 'Authorization: ${{ env.SERVICE_ACC_ACCESS_TOKEN }}' -H 'x-organization-id: ${{ env.PIPELINE_ORGANIZATION_ID }}' -H 'x-project-id: ${{ env.PIPELINE_PROJECT_ID }}' -H 'x-environment-id: ${{ env.PIPELINE_ENVIRONMENT_ID }}' -H 'x-trace-id: ${{ env.PIPELINE_TRACE_ID }}' -H 'x-auth-by: sa' -H 'Content-Type: application/x-www-form-urlencoded' "${{ env.PIPELINE_SERVICE_EP }}/release/pipeline")
	if echo "$response" \| grep -q '"success":true'; then
	echo "SUCCESS :: $response"
	else
	echo "FAILED :: $response"
	fi

	build-and-push:
	name: Build And Push
	permissions: write-all
	runs-on: ubuntu-latest
	steps:
	- name: Start
	run: \|2-

	echo " Starting GitHub Action!" &&
	echo "STEPS_CAN_PROCEED=true" >> $GITHUB_ENV

	- name: 'Run :: Checkout repository'
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: 'Run :: Checkout Specific Commit'
	if: ${{ github.event.client_payload.commitId != null }}
	run: \|2-

	git fetch --all
	git checkout ${{ github.event.client_payload.commitId }} \|\| true

	- name: 'Run :: Decoding Secrets'
	run: \|2-

	if [ ! -x "$(command -v jq)" ]; then
	echo "jq not found, installing..."
	sudo apt-get update
	sudo apt-get install -y jq
	fi
	echo "${{ env.ENCODED_PIPELINE_SECRET }}" \| base64 --decode \| jq -r 'to_entries[] \| "\(.key)=\(.value)"' \| while read line; do echo "$line" >> $GITHUB_ENV; echo "::add-mask::${line#*=}"; done

	- name: 'Run :: Configure AWS credentials'
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: ${{ env.roleARN }}
	role-session-name: skyu-pipeline-assume-role-session
	aws-region: ${{ env.region }}
	- name: 'Run :: Login to Amazon ECR'
	id: skyu-login-ecr
	uses: aws-actions/amazon-ecr-login@v1
	- name: 'Run :: Check if image already exists'
	id: check-image-existence-step-id
	run: \|2-

	if docker pull ${{ env.IMAGE_NAME }}:${{env.COMMIT_ID}} >/dev/null 2>&1;
	then
	echo "Image exists in registry."
	echo "STEPS_CAN_PROCEED=false" >> $GITHUB_ENV
	else
	echo "Image does not exist in registry."
	echo "STEPS_CAN_PROCEED=true" >> $GITHUB_ENV
	fi

	- name: 'Run :: Build With Docker'
	run: >-
	docker build -t ${{ env.IMAGE_NAME }}:${{ env.COMMIT_ID }} -f
	${{env.DOCKER_FILE_PATH}} --build-arg BUILT_WITH=SKYU${{
	env.DOCKER_BUILD_ARGS }} ${{env.DOCKER_BUILD_CONTEXT}}
	if: ${{ env.STEPS_CAN_PROCEED == 'true' }}
	- name: 'Run :: Trivy vulnerability scanner'
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{ env.IMAGE_NAME }}:${{ env.COMMIT_ID }}
	format: ${{env.TRIVY_RESULT_FORMAT}}
	output: ${{ env.COMMIT_ID }}-image-vulnerability-report.json
	exit-code: ${{env.TRIVY_SCAN_EXIT_CODE}}
	vuln-type: os,library
	severity: ${{env.SCAN_SEVERITY}}
	hide-progress: true
	if: ${{ env.STEPS_CAN_PROCEED == 'true' }}
	- name: 'Run :: Evaluate Trivy Results'
	run: \|2-

	# Minifying Json
	jq -c '.' ${{ env.COMMIT_ID }}-image-vulnerability-report.json > ${{ env.COMMIT_ID }}-image-vulnerability-report.min.json
	trivy_result=$(cat "${{ env.COMMIT_ID }}-image-vulnerability-report.min.json")

	# Set the desired severity level
	desiredSeverity="${{ env.SCAN_SEVERITY }}"
	IFS=',' read -ra severities <<< "$desiredSeverity" # Split the severity string

	# Print the tags array for debugging
	jq '.runs[0].tool.driver.rules[].properties.tags' "${{ env.COMMIT_ID }}-image-vulnerability-report.json"

	VULNERABILITY_COUNT=0

	for severity in "${severities[@]}"; do
	count=$(jq --arg severity "$severity" '.runs[0].tool.driver.rules \| map(select(.properties.tags and (.properties.tags \| map(tostring) \| index($severity) // empty))) \| length' "${{ env.COMMIT_ID }}-image-vulnerability-report.json")
	echo "Number of $severity vulnerabilities: $count"
	VULNERABILITY_COUNT=$((VULNERABILITY_COUNT + count))
	done

	echo "Total Number of vulnerabilities: $VULNERABILITY_COUNT"

	if [ "$VULNERABILITY_COUNT" -gt 0 ]; then
	echo "STEPS_CAN_PROCEED=false" >> $GITHUB_ENV
	echo "VULNERABILITY_COUNT=$VULNERABILITY_COUNT" >> $GITHUB_ENV
	fi
	echo "ARE_TRIVY_RESULTS_EVALUATED=true" >> $GITHUB_ENV

	if: ${{ env.STEPS_CAN_PROCEED == 'true' }}
	- name: 'Run :: Upload Trivy Result To S3'
	run: \|2-


	# Minifying Json
	jq -c '.' ${{ env.COMMIT_ID }}-image-vulnerability-report.json > ${{ env.COMMIT_ID }}-image-vulnerability-report.min.json

	# Uploading Minified Trivy Resuls
	response=$(curl -X POST -F 'file=@${{ env.COMMIT_ID }}-image-vulnerability-report.min.json' -F 'provider=aws' -F 'resourceType=image-vulnerability-report' -F 'cloudStoragePath=/${{ env.PIPELINE_APPLICATION_ID }}/image-vulnerability-reports/' -H 'Authorization: ${{ env.SERVICE_ACC_ACCESS_TOKEN }}' -H 'x-organization-id: ${{ env.PIPELINE_ORGANIZATION_ID }}' -H 'x-project-id: ${{ env.PIPELINE_PROJECT_ID }}' -H 'x-environment-id: ${{ env.PIPELINE_ENVIRONMENT_ID }}' -H 'x-trace-id: ${{ env.PIPELINE_TRACE_ID }}' -H 'x-resource-id: ${{ env.PIPELINE_APPLICATION_ID }}' -H 'x-auth-by: sa' -H 'Content-Type: multipart/form-data' "${{ env.S3_UPLOAD_ENDPOINT }}")

	if echo "$response" \| grep -q '"success":true'; then
	echo "SUCCESS :: $response"
	else
	echo "FAILED :: $response"
	fi

	if: ${{ env.ARE_TRIVY_RESULTS_EVALUATED == 'true' }}
	- name: 'Run :: Check Pipeline Safety'
	run: \|2-

	if [ "${{ env.VULNERABILITY_COUNT }}" -gt 0 ]; then
	echo "UN-SAFE to continue Pipeline"
	exit 1
	else
	echo "SAFE to continue Pipeline"
	fi

	- name: 'Run :: Create Repository'
	run: >-
	aws ecr create-repository --repository-name ${{ env.REPOSITORY_NAME }}
	\|\| true
	if: ${{ env.STEPS_CAN_PROCEED == 'true' }}
	- name: 'Run :: Build, tag, and push image'
	run: docker push ${{ env.IMAGE_NAME }}:${{ env.COMMIT_ID }}
	if: ${{ env.STEPS_CAN_PROCEED == 'true' }}
	outputs:
	stepsCanProceed: ${{ env.STEPS_CAN_PROCEED }}
	_status-success:
	name: _status Success
	permissions: write-all
	env:
	CONTEXT_JSON: ${{ toJson(github) }}
	runs-on: ubuntu-latest
	needs:
	- code-scan
	- build-and-push
	- deploy
	if: ${{ !(failure() \|\| cancelled()) }}
	steps:
	- name: 'Run :: Decoding Secrets'
	run: \|2-

	if [ ! -x "$(command -v jq)" ]; then
	echo "jq not found, installing..."
	sudo apt-get update
	sudo apt-get install -y jq
	fi
	echo "${{ env.ENCODED_PIPELINE_SECRET }}" \| base64 --decode \| jq -r 'to_entries[] \| "\(.key)=\(.value)"' \| while read line; do echo "$line" >> $GITHUB_ENV; echo "::add-mask::${line#*=}"; done

	- name: Pipeline Success
	run: \|2-

	context=$(echo "$CONTEXT_JSON" \| jq -c . \| base64)
	response=$(curl -X PUT -d "runId=${{ github.run_id }}&context=$context" -H 'Authorization: ${{ env.SERVICE_ACC_ACCESS_TOKEN }}' -H 'x-organization-id: ${{ env.PIPELINE_ORGANIZATION_ID }}' -H 'x-project-id: ${{ env.PIPELINE_PROJECT_ID }}' -H 'x-environment-id: ${{ env.PIPELINE_ENVIRONMENT_ID }}' -H 'x-trace-id: ${{ env.PIPELINE_TRACE_ID }}' -H 'x-auth-by: sa' -H 'Content-Type: application/x-www-form-urlencoded' "${{ env.PIPELINE_SERVICE_EP }}/${{ env.PIPELINE_ID }}/SUCCESS?releaseId=${{ github.event.client_payload.releaseData.releaseId }}")

	_status-failed:
	name: _status Failed
	permissions: write-all
	env:
	CONTEXT_JSON: ${{ toJson(github) }}
	runs-on: ubuntu-latest
	needs:
	- code-scan
	- build-and-push
	- deploy
	if: ${{ failure() \|\| cancelled() }}
	steps:
	- name: 'Run :: Decoding Secrets'
	run: \|2-

	if [ ! -x "$(command -v jq)" ]; then
	echo "jq not found, installing..."
	sudo apt-get update
	sudo apt-get install -y jq
	fi
	echo "${{ env.ENCODED_PIPELINE_SECRET }}" \| base64 --decode \| jq -r 'to_entries[] \| "\(.key)=\(.value)"' \| while read line; do echo "$line" >> $GITHUB_ENV; echo "::add-mask::${line#*=}"; done

	- name: Pipeline Failed
	run: \|2-

	context=$(echo "$CONTEXT_JSON" \| jq -c . \| base64)
	response=$(curl -X PUT -d "runId=${{ github.run_id }}&context=$context" -H 'Authorization: ${{ env.SERVICE_ACC_ACCESS_TOKEN }}' -H 'x-organization-id: ${{ env.PIPELINE_ORGANIZATION_ID }}' -H 'x-project-id: ${{ env.PIPELINE_PROJECT_ID }}' -H 'x-environment-id: ${{ env.PIPELINE_ENVIRONMENT_ID }}' -H 'x-trace-id: ${{ env.PIPELINE_TRACE_ID }}' -H 'x-auth-by: sa' -H 'Content-Type: application/x-www-form-urlencoded' "${{ env.PIPELINE_SERVICE_EP }}/${{ env.PIPELINE_ID }}/FAILED?releaseId=${{ github.event.client_payload.releaseData.releaseId }}")

	deploy:
	name: Deploy
	permissions: write-all
	runs-on: ubuntu-latest
	needs:
	- build-and-push
	if: >-
	needs.build-and-push.outputs.stepsCanProceed == 'true' &&
	github.event.client_payload.releaseData == null
	steps:
	- name: 'Run :: Decoding Secrets'
	run: \|2-

	if [ ! -x "$(command -v jq)" ]; then
	echo "jq not found, installing..."
	sudo apt-get update
	sudo apt-get install -y jq
	fi
	echo "${{ env.ENCODED_PIPELINE_SECRET }}" \| base64 --decode \| jq -r 'to_entries[] \| "\(.key)=\(.value)"' \| while read line; do echo "$line" >> $GITHUB_ENV; echo "::add-mask::${line#*=}"; done

	- name: 'Run :: Deploy and Notify Resource Service'
	run: \|2-

	response=$(curl -X PATCH -d "imageRegistryURL=${{ env.IMAGE_NAME }}&appVersionId=${{ env.DEPLOYMENT_APP_VERSION_ID }}&tag=${{ env.COMMIT_ID }}&containerName=${{ env.DEPLOYMENT_CONTAINER_NAME }}&shouldDeploy=${{env.DEPLOY_STEP_SHOULD_DEPLOY}}&pipelineRunId=${{ github.run_id }}&commitDetails[commitHash]=${{ github.sha }}&commitDetails[commitAvatar]=https://github.com/${{ github.event.head_commit.author.name }}.png&commitDetails[commitTime]=${{ github.event.head_commit.timestamp }}&commitDetails[commitMessage]=${{ github.event.head_commit.message \|\| github.event.client_payload.commitMessage }}&commitDetails[commitUser]=${{ github.event.head_commit.author.name }}" -H 'Authorization: ${{ env.SERVICE_ACC_ACCESS_TOKEN }}' -H 'x-organization-id: ${{ env.PIPELINE_ORGANIZATION_ID }}' -H 'x-project-id: ${{ env.PIPELINE_PROJECT_ID }}' -H 'x-environment-id: ${{ env.PIPELINE_ENVIRONMENT_ID }}' -H 'x-application-id: ${{ env.PIPELINE_APPLICATION_ID }}' -H 'x-trace-id: ${{ env.PIPELINE_TRACE_ID }}' -H 'x-resource-id: ${{ env.PIPELINE_APPLICATION_ID }}' -H 'x-auth-by: sa' -H 'Content-Type: application/x-www-form-urlencoded' "${{ env.DEPLOYMENT_ENDPOINT }}")

	status_code=$?

	if [ $status_code -eq 0 ]; then
	if echo "$response" \| grep -q '"success":true'; then
	echo "SUCCESS :: $response"
	else
	echo "FAILED :: $response"
	exit 1
	fi
	else
	echo "Failed to deploy. HTTP status code: $status_code"
	exit 1
	fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pipeline_5277a435-52ab-433c-b848-6616769f8c31 #14

Workflow file

pipeline_5277a435-52ab-433c-b848-6616769f8c31 #14

Jobs

Run details

Workflow file for this run