pipeline_61baa387-aab1-4c7a-a2a2-6a01e38b7c40 #2
# Skyu-generated pipeline definition: triggers and workflow-wide environment.
name: 'coffee-catalogue-api-service_container-dev_app_8081d02_env_c97c7fd Pipeline (Skyu Generated)'
'on':
  push:
    branches: [main]
    # Pushes touching only these paths do not start the pipeline.
    paths-ignore:
      - '.github/workflows/**'
      - '.trivyignore'
      - 'Readme.md'
      - 'README.md'
  workflow_dispatch: {}
  # client_payload of a repository_dispatch event is supplied by the caller;
  # commitId, branchName, commitMessage and releaseData below come from it and
  # must be handled as untrusted input by every step that consumes them.
  repository_dispatch:
    types: 'pipeline_61baa387-aab1-4c7a-a2a2-6a01e38b7c40'
env:
  # Repository secret; the "Decoding Secrets" step of each job base64-decodes it
  # and writes every key of the decoded JSON object into GITHUB_ENV.
  ENCODED_PIPELINE_SECRET: ${{secrets.COFFEECATALOGUESVC_COFFEECATALOGUEAPISERVICE_CONTAINERDEV_APP_8081D02_ENV_C97C7FD}}
  # First non-empty of: dispatched commit id, triggering SHA, run id.
  COMMIT_ID: ${{github.event.client_payload.commitId || github.sha || github.run_id}}
  BRANCH_NAME: ${{github.event.client_payload.branchName || github.event.branch || github.ref_name}}
  DEPLOY_STEP_SHOULD_DEPLOY: 'true'
jobs:
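# Job code-scan: checks out the requested revision, runs Semgrep over the
# working tree and uploads the JSON report to the pipeline storage endpoint.
  code-scan:
    name: Code Scan
    # Least privilege: the job only reads the repository and never calls the
    # GitHub API with GITHUB_TOKEN, so write-all is replaced by read access.
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: 'Run :: Start'
        run: |-
          echo " Starting GitHub Action!" &&
          echo "STEPS_CAN_PROCEED=true" >> "$GITHUB_ENV"
      - name: 'Run :: Checkout repository'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: 'Run :: Checkout Specific Commit'
        env:
          COMMIT_ID: ${{ github.event.client_payload.commitId }}
          BRANCH_NAME: ${{ github.event.client_payload.branchName }}
        if: >-
          ${{ github.event.client_payload.commitId != null ||
          github.event.client_payload.branchName != null }}
        run: |-
          echo "Starting the checkout process..."
          git fetch --all
          # Both values come from the dispatch payload: reject anything git
          # would parse as an option, and quote every expansion.
          for ref in "$COMMIT_ID" "$BRANCH_NAME"; do
            case "$ref" in
              -*) echo "Refusing ref that starts with '-': $ref"; exit 1 ;;
            esac
          done
          if [ -n "$COMMIT_ID" ]; then
            echo "Commit ID provided: $COMMIT_ID"
            # No "|| true": scanning a different tree than the one requested
            # would produce a report that gives false assurance.
            git checkout "$COMMIT_ID" --
            echo "Checked out to commit ID: $COMMIT_ID"
          elif [ -n "$BRANCH_NAME" ]; then
            echo "Branch name provided: $BRANCH_NAME"
            git checkout "$BRANCH_NAME" --
            echo "Checked out to branch: $BRANCH_NAME"
            # Updating the commit Id
            ACTUAL_COMMIT_ID=$(git rev-parse HEAD)
            echo "Changing CommitId: $ACTUAL_COMMIT_ID"
            echo "COMMIT_ID=$ACTUAL_COMMIT_ID" >> "$GITHUB_ENV"
          else
            echo "Skipping checkout..."
          fi
      # The second "Checkout repository for Code Scan" and the repeated
      # "Decoding Secrets e39226" steps were dropped: a second actions/checkout
      # without a ref moves the tree back to the event's default ref, so the
      # scan would not cover the commit selected above.
      - name: 'Run :: Decoding Secrets'
        run: |-
          # Fail the step if decoding or parsing the secret fails.
          set -o pipefail
          if [ ! -x "$(command -v jq)" ]; then
            echo "jq not found, installing..."
            sudo apt-get update
            sudo apt-get install -y jq
          fi
          # Read the secret from the environment instead of expanding it into
          # the script text, and register each mask before the value is stored.
          echo "$ENCODED_PIPELINE_SECRET" |
            base64 --decode |
            jq -r 'to_entries[] | "\(.key)=\(.value)"' |
            while IFS= read -r line; do
              echo "::add-mask::${line#*=}"
              echo "$line" >> "$GITHUB_ENV"
            done
      # NOTE(review): semgrep/semgrep is pulled without a tag or digest, so the
      # scanner version can change between runs; pin it to a reviewed digest.
      # The mounted workspace includes .git, where actions/checkout keeps the
      # job token by default.
      - name: 'Run :: Install Semgrep, Scan and Print'
        run: >-
          docker run -i -v "${PWD}:/src" semgrep/semgrep semgrep /src --json
          --quiet > semgrep_results.json
      - name: 'Run :: Upload Code Scan Report'
        run: |-
          # NOTE(review): the file holds Semgrep JSON output, although it is
          # stored with a .sarif suffix and logged as "CodeQL Results".
          SARIF_FILE="semgrep_results.json"
          REPORT_FILE="${COMMIT_ID}-code-scan-report.sarif"
          # Test for a non-empty report file; the previous check only tested
          # that the variable holding the file name was set.
          if [ -s "$SARIF_FILE" ]; then
            cat "$SARIF_FILE" > "$REPORT_FILE"
            echo "Uploading CodeQL Results to S3 :: $REPORT_FILE"
            # Shell variables in double quotes replace ${{ env.* }} expansion,
            # so a value can no longer terminate a quoted argument.
            response=$(curl -X POST \
              -F "file=@${REPORT_FILE}" \
              -F 'provider=aws' \
              -F 'resourceType=code-scan-report' \
              -F "cloudStoragePath=/${PIPELINE_APPLICATION_ID}/code-scan-reports/" \
              -H "Authorization: ${SERVICE_ACC_ACCESS_TOKEN}" \
              -H 'x-auth-by: sa' \
              -H "x-organization-id: ${PIPELINE_ORGANIZATION_ID}" \
              -H "x-project-id: ${PIPELINE_PROJECT_ID}" \
              -H "x-trace-id: ${PIPELINE_TRACE_ID}" \
              -H "x-resource-id: ${PIPELINE_APPLICATION_ID}" \
              -H 'Content-Type: multipart/form-data' \
              "${S3_UPLOAD_ENDPOINT}")
            if echo "$response" | grep -q '"success":true'; then
              echo "SUCCESS :: $response"
            else
              echo "FAILED :: $response"
            fi
          else
            echo "SARIF file not found."
          fi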
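# Job _status-pending: reports the PENDING state of this run to the pipeline
# service together with the serialized github context.
  _status-pending:
    name: ' Status Pending'
    # Least privilege: only repository read access is used by this job.
    permissions:
      contents: read
    env:
      # toJson(github) includes github.token; the reporting step removes it
      # before the context leaves the runner.
      CONTEXT_JSON: ${{ toJson(github) }}
    runs-on: ubuntu-latest
    steps:
      - name: 'Run :: Start'
        run: |-
          echo " Starting GitHub Action!" &&
          echo "STEPS_CAN_PROCEED=true" >> "$GITHUB_ENV"
      - name: 'Run :: Checkout repository'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: 'Run :: Checkout Specific Commit'
        env:
          COMMIT_ID: ${{ github.event.client_payload.commitId }}
          BRANCH_NAME: ${{ github.event.client_payload.branchName }}
        if: >-
          ${{ github.event.client_payload.commitId != null ||
          github.event.client_payload.branchName != null }}
        run: |-
          echo "Starting the checkout process..."
          git fetch --all
          # Payload values are quoted so they cannot be word-split or globbed.
          # The checkout stays best-effort (the tree is not used by this job),
          # but success is only logged when it actually happened.
          if [ -n "$COMMIT_ID" ]; then
            echo "Commit ID provided: $COMMIT_ID"
            if git checkout "$COMMIT_ID" --; then
              echo "Checked out to commit ID: $COMMIT_ID"
            else
              echo "::warning::Could not check out commit ID: $COMMIT_ID"
            fi
          elif [ -n "$BRANCH_NAME" ]; then
            echo "Branch name provided: $BRANCH_NAME"
            if git checkout "$BRANCH_NAME" --; then
              echo "Checked out to branch: $BRANCH_NAME"
            else
              echo "::warning::Could not check out branch: $BRANCH_NAME"
            fi
            # Updating the commit Id
            ACTUAL_COMMIT_ID=$(git rev-parse HEAD)
            echo "Changing CommitId: $ACTUAL_COMMIT_ID"
            echo "COMMIT_ID=$ACTUAL_COMMIT_ID" >> "$GITHUB_ENV"
          else
            echo "Skipping checkout..."
          fi
      - name: 'Run :: Decoding Secrets'
        run: |-
          # Fail the step if decoding or parsing the secret fails.
          set -o pipefail
          if [ ! -x "$(command -v jq)" ]; then
            echo "jq not found, installing..."
            sudo apt-get update
            sudo apt-get install -y jq
          fi
          # Read the secret from the environment instead of expanding it into
          # the script text, and register each mask before the value is stored.
          echo "$ENCODED_PIPELINE_SECRET" |
            base64 --decode |
            jq -r 'to_entries[] | "\(.key)=\(.value)"' |
            while IFS= read -r line; do
              echo "::add-mask::${line#*=}"
              echo "$line" >> "$GITHUB_ENV"
            done
      - name: 'Run :: Pipeline Started'
        env:
          RUN_ID: ${{ github.run_id }}
          # Passed through the environment so the payload value is never
          # expanded into the script text.
          RELEASE_ID: ${{ github.event.client_payload.releaseData.releaseId }}
        run: |-
          # del(.token) keeps the job's GITHUB_TOKEN out of the request body.
          # NOTE(review): confirm the pipeline service does not expect it.
          context=$(echo "$CONTEXT_JSON" | jq -c --arg sha "$COMMIT_ID" 'del(.token) | .sha = $sha' | base64)
          response=$(curl -X PUT -d "runId=$RUN_ID&context=$context" \
            -H "Authorization: ${SERVICE_ACC_ACCESS_TOKEN}" \
            -H "x-organization-id: ${PIPELINE_ORGANIZATION_ID}" \
            -H "x-project-id: ${PIPELINE_PROJECT_ID}" \
            -H "x-environment-id: ${PIPELINE_ENVIRONMENT_ID}" \
            -H "x-trace-id: ${PIPELINE_TRACE_ID}" \
            -H 'x-auth-by: sa' \
            -H 'Content-Type: application/x-www-form-urlencoded' \
            "${PIPELINE_SERVICE_EP}/${PIPELINE_ID}/PENDING?releaseId=${RELEASE_ID}")
          if echo "$response" | grep -q '"success":true'; then
            echo "SUCCESS :: $response"
          else
            echo "FAILED :: $response"
          fi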
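# Job _release-info: runs only for dispatches that carry releaseData; prints
# the release details and stores them in the pipeline service.
  _release-info:
    name: ' Release Info'
    # Least privilege: only repository read access is used by this job.
    permissions:
      contents: read
    runs-on: ubuntu-latest
    if: ${{ github.event.client_payload.releaseData }}
    steps:
      - name: 'Run :: Start'
        run: |-
          echo " Starting GitHub Action!" &&
          echo "STEPS_CAN_PROCEED=true" >> "$GITHUB_ENV"
      - name: 'Run :: Checkout repository'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: 'Run :: Checkout Specific Commit'
        env:
          COMMIT_ID: ${{ github.event.client_payload.commitId }}
          BRANCH_NAME: ${{ github.event.client_payload.branchName }}
        if: >-
          ${{ github.event.client_payload.commitId != null ||
          github.event.client_payload.branchName != null }}
        run: |-
          echo "Starting the checkout process..."
          git fetch --all
          # Payload values are quoted so they cannot be word-split or globbed.
          # The checkout stays best-effort (the tree is not used by this job),
          # but success is only logged when it actually happened.
          if [ -n "$COMMIT_ID" ]; then
            echo "Commit ID provided: $COMMIT_ID"
            if git checkout "$COMMIT_ID" --; then
              echo "Checked out to commit ID: $COMMIT_ID"
            else
              echo "::warning::Could not check out commit ID: $COMMIT_ID"
            fi
          elif [ -n "$BRANCH_NAME" ]; then
            echo "Branch name provided: $BRANCH_NAME"
            if git checkout "$BRANCH_NAME" --; then
              echo "Checked out to branch: $BRANCH_NAME"
            else
              echo "::warning::Could not check out branch: $BRANCH_NAME"
            fi
            # Updating the commit Id
            ACTUAL_COMMIT_ID=$(git rev-parse HEAD)
            echo "Changing CommitId: $ACTUAL_COMMIT_ID"
            echo "COMMIT_ID=$ACTUAL_COMMIT_ID" >> "$GITHUB_ENV"
          else
            echo "Skipping checkout..."
          fi
      - name: 'Run :: Decoding Secrets'
        run: |-
          # Fail the step if decoding or parsing the secret fails.
          set -o pipefail
          if [ ! -x "$(command -v jq)" ]; then
            echo "jq not found, installing..."
            sudo apt-get update
            sudo apt-get install -y jq
          fi
          # Read the secret from the environment instead of expanding it into
          # the script text, and register each mask before the value is stored.
          echo "$ENCODED_PIPELINE_SECRET" |
            base64 --decode |
            jq -r 'to_entries[] | "\(.key)=\(.value)"' |
            while IFS= read -r line; do
              echo "::add-mask::${line#*=}"
              echo "$line" >> "$GITHUB_ENV"
            done
      - name: 'Run :: Pipeline Release'
        env:
          RELEASE_ID: ${{ github.event.client_payload.releaseData.releaseId }}
          PIPELINE_ID: ${{ github.event.client_payload.releaseData.pipelineId }}
          RUN_ID: ${{ github.run_id }}
          APPLICATION_ID: ${{ github.event.client_payload.releaseData.appId }}
          USER_NAME: ${{ github.repository_owner }}
          REPOSITORY: ${{ github.repository }}
          COMMIT_USER: ${{ github.event.head_commit.author.name }}
          COMMIT_MESSAGE: ${{ github.event.client_payload.commitMessage }}
          COMMIT_TIME: ${{ github.event.head_commit.timestamp }}
        run: |-
          echo "Pipeline Release Information"
          echo "////////////////////////////"
          echo "releaseId : $RELEASE_ID"
          echo "pipelineId : $PIPELINE_ID"
          echo "pipelineRunId : $RUN_ID"
          echo "applicationId : $APPLICATION_ID"
          echo "versionId : $DEPLOYMENT_APP_VERSION_ID"
          echo "credentialId : $PIPELINE_CREDENTIAL_ID"
          echo "userName : $USER_NAME"
          echo "repositoryName : $REPOSITORY"
          echo "commitId : $COMMIT_ID"
          echo "commitHash : $COMMIT_ID"
          echo "commitAvatar : https://github.com/$COMMIT_USER.png"
          echo "commitTime : $COMMIT_TIME"
          echo "commitMessage : $COMMIT_MESSAGE"
          echo "commitUser : $COMMIT_USER"
          echo "shouldDeploy : $DEPLOY_STEP_SHOULD_DEPLOY"
          echo "containerName : $DEPLOYMENT_CONTAINER_NAME"
          echo "imageRegistryURL : $IMAGE_NAME"
          # Storing Release Information for Deployment
          # Each field is sent with --data-urlencode: the commit message, user
          # name and payload ids are free text, and an unencoded "&" or "=" in
          # them would add or override form fields such as shouldDeploy.
          response=$(curl -X POST \
            --data-urlencode "releaseId=${RELEASE_ID}" \
            --data-urlencode "pipelineId=${PIPELINE_ID}" \
            --data-urlencode "pipelineRunId=${RUN_ID}" \
            --data-urlencode "versionId=${DEPLOYMENT_APP_VERSION_ID}" \
            --data-urlencode "applicationId=${APPLICATION_ID}" \
            --data-urlencode "credentialId=${PIPELINE_CREDENTIAL_ID}" \
            --data-urlencode "userName=${USER_NAME}" \
            --data-urlencode "repositoryName=${REPOSITORY}" \
            --data-urlencode "commitId=${COMMIT_ID}" \
            --data-urlencode "commitData[commitHash]=${COMMIT_ID}" \
            --data-urlencode "commitData[commitAvatar]=https://github.com/${COMMIT_USER}.png" \
            --data-urlencode "commitData[commitTime]=${COMMIT_TIME}" \
            --data-urlencode "commitData[commitMessage]=${COMMIT_MESSAGE}" \
            --data-urlencode "commitData[commitUser]=${COMMIT_USER}" \
            --data-urlencode "shouldDeploy=${DEPLOY_STEP_SHOULD_DEPLOY}" \
            --data-urlencode "containerName=${DEPLOYMENT_CONTAINER_NAME}" \
            --data-urlencode "imageRegistryURL=${IMAGE_NAME}" \
            -H "Authorization: ${SERVICE_ACC_ACCESS_TOKEN}" \
            -H "x-organization-id: ${PIPELINE_ORGANIZATION_ID}" \
            -H "x-project-id: ${PIPELINE_PROJECT_ID}" \
            -H "x-environment-id: ${PIPELINE_ENVIRONMENT_ID}" \
            -H "x-trace-id: ${PIPELINE_TRACE_ID}" \
            -H 'x-auth-by: sa' \
            -H 'Content-Type: application/x-www-form-urlencoded' \
            "${PIPELINE_SERVICE_EP}/release/pipeline")
          if echo "$response" | grep -q '"success":true'; then
            echo "SUCCESS :: $response"
          else
            echo "FAILED :: $response"
          fi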
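# Job build-and-push: builds the container image for the selected commit,
# gates it on the Trivy scan result and pushes it to Amazon ECR.
  build-and-push:
    name: Build And Push
    # Least privilege instead of write-all. id-token: write is kept because
    # configure-aws-credentials is given only a role to assume, which may rely
    # on GitHub OIDC. NOTE(review): drop it if static keys are used instead.
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: 'Run :: Start'
        run: |-
          echo " Starting GitHub Action!" &&
          echo "STEPS_CAN_PROCEED=true" >> "$GITHUB_ENV"
      - name: 'Run :: Checkout repository'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: 'Run :: Checkout Specific Commit'
        env:
          COMMIT_ID: ${{ github.event.client_payload.commitId }}
          BRANCH_NAME: ${{ github.event.client_payload.branchName }}
        if: >-
          ${{ github.event.client_payload.commitId != null ||
          github.event.client_payload.branchName != null }}
        run: |-
          echo "Starting the checkout process..."
          git fetch --all
          # Both values come from the dispatch payload: reject anything git
          # would parse as an option, and quote every expansion.
          for ref in "$COMMIT_ID" "$BRANCH_NAME"; do
            case "$ref" in
              -*) echo "Refusing ref that starts with '-': $ref"; exit 1 ;;
            esac
          done
          if [ -n "$COMMIT_ID" ]; then
            echo "Commit ID provided: $COMMIT_ID"
            # No "|| true": a failed checkout would otherwise build the
            # default ref and tag the image with the requested commit id.
            git checkout "$COMMIT_ID" --
            echo "Checked out to commit ID: $COMMIT_ID"
          elif [ -n "$BRANCH_NAME" ]; then
            echo "Branch name provided: $BRANCH_NAME"
            git checkout "$BRANCH_NAME" --
            echo "Checked out to branch: $BRANCH_NAME"
            # Updating the commit Id
            ACTUAL_COMMIT_ID=$(git rev-parse HEAD)
            echo "Changing CommitId: $ACTUAL_COMMIT_ID"
            echo "COMMIT_ID=$ACTUAL_COMMIT_ID" >> "$GITHUB_ENV"
          else
            echo "Skipping checkout..."
          fi
      - name: 'Run :: Decoding Secrets'
        run: |-
          # Fail the step if decoding or parsing the secret fails.
          set -o pipefail
          if [ ! -x "$(command -v jq)" ]; then
            echo "jq not found, installing..."
            sudo apt-get update
            sudo apt-get install -y jq
          fi
          # Read the secret from the environment instead of expanding it into
          # the script text, and register each mask before the value is stored.
          echo "$ENCODED_PIPELINE_SECRET" |
            base64 --decode |
            jq -r 'to_entries[] | "\(.key)=\(.value)"' |
            while IFS= read -r line; do
              echo "::add-mask::${line#*=}"
              echo "$line" >> "$GITHUB_ENV"
            done
      - name: 'Run :: Configure AWS credentials'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.roleARN }}
          role-session-name: skyu-pipeline-assume-role-session
          aws-region: ${{ env.region }}
      - name: 'Run :: Login to Amazon ECR'
        id: skyu-login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: 'Run :: Check if image already exists'
        id: check-image-existence-step-id
        run: |-
          # COMMIT_ID can originate from the dispatch payload, so it is read
          # as a quoted shell variable rather than expanded into the script.
          if docker pull "${IMAGE_NAME}:${COMMIT_ID}" >/dev/null 2>&1;
          then
            echo "Image exists in registry."
            echo "STEPS_CAN_PROCEED=false" >> "$GITHUB_ENV"
          else
            echo "Image does not exist in registry."
            echo "STEPS_CAN_PROCEED=true" >> "$GITHUB_ENV"
          fi
      # NOTE(review): DOCKER_FILE_PATH, DOCKER_BUILD_ARGS and
      # DOCKER_BUILD_CONTEXT are still expanded into the command text because
      # the build arguments depend on shell word splitting; they must only
      # ever hold operator-controlled values.
      - name: 'Run :: Build With Docker'
        if: ${{ env.STEPS_CAN_PROCEED == 'true' }}
        run: >-
          docker build -t "${IMAGE_NAME}:${COMMIT_ID}" -f
          ${{env.DOCKER_FILE_PATH}} --build-arg BUILT_WITH=SKYU${{
          env.DOCKER_BUILD_ARGS }} ${{env.DOCKER_BUILD_CONTEXT}}
      # NOTE(review): @master is a mutable ref; whatever is on that branch at
      # run time executes with this job's AWS session and decoded secrets.
      # Pin to a reviewed full commit SHA (<COMMIT_SHA_PLACEHOLDER>).
      - name: 'Run :: Trivy vulnerability scanner'
        if: ${{ env.STEPS_CAN_PROCEED == 'true' }}
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE_NAME }}:${{ env.COMMIT_ID }}
          format: ${{env.TRIVY_RESULT_FORMAT}}
          output: ${{ env.COMMIT_ID }}-image-vulnerability-report.json
          exit-code: ${{env.TRIVY_SCAN_EXIT_CODE}}
          vuln-type: os,library
          severity: ${{env.SCAN_SEVERITY}}
          hide-progress: true
      - name: 'Run :: Evaluate Trivy Results'
        if: ${{ env.STEPS_CAN_PROCEED == 'true' }}
        run: |-
          REPORT_FILE="${COMMIT_ID}-image-vulnerability-report.json"
          # Minifying Json
          jq -c '.' "$REPORT_FILE" > "${COMMIT_ID}-image-vulnerability-report.min.json"
          # Set the desired severity level
          desiredSeverity="$SCAN_SEVERITY"
          IFS=',' read -ra severities <<< "$desiredSeverity" # Split the severity string
          # Print the tags array for debugging
          jq '.runs[0].tool.driver.rules[].properties.tags' "$REPORT_FILE"
          # Count the rules tagged with each configured severity. The filter
          # reads .runs[0].tool.driver.rules, i.e. it expects a SARIF report.
          VULNERABILITY_COUNT=0
          for severity in "${severities[@]}"; do
            count=$(jq --arg severity "$severity" '.runs[0].tool.driver.rules | map(select(.properties.tags and (.properties.tags | map(tostring) | index($severity) // empty))) | length' "$REPORT_FILE")
            echo "Number of $severity vulnerabilities: $count"
            VULNERABILITY_COUNT=$((VULNERABILITY_COUNT + count))
          done
          echo "Total Number of vulnerabilities: $VULNERABILITY_COUNT"
          if [ "$VULNERABILITY_COUNT" -gt 0 ]; then
            echo "STEPS_CAN_PROCEED=false" >> "$GITHUB_ENV"
            echo "VULNERABILITY_COUNT=$VULNERABILITY_COUNT" >> "$GITHUB_ENV"
          fi
          echo "ARE_TRIVY_RESULTS_EVALUATED=true" >> "$GITHUB_ENV"
      - name: 'Run :: Upload Trivy Result To S3'
        if: ${{ env.ARE_TRIVY_RESULTS_EVALUATED == 'true' }}
        env:
          RUN_ID: ${{ github.run_id }}
        run: |-
          MIN_REPORT_FILE="${COMMIT_ID}-image-vulnerability-report.min.json"
          # Minifying Json
          jq -c '.' "${COMMIT_ID}-image-vulnerability-report.json" > "$MIN_REPORT_FILE"
          # Uploading Minified Trivy Results
          # pipelineRunId is double-quoted so the run id is sent; in single
          # quotes the literal text $RUN_ID was uploaded.
          response=$(curl -X POST \
            -F "file=@${MIN_REPORT_FILE}" \
            -F 'provider=aws' \
            -F 'resourceType=image-vulnerability-report' \
            -F "cloudStoragePath=/${PIPELINE_APPLICATION_ID}/image-vulnerability-reports/" \
            -F "pipelineRunId=${RUN_ID}" \
            -H "Authorization: ${SERVICE_ACC_ACCESS_TOKEN}" \
            -H "x-organization-id: ${PIPELINE_ORGANIZATION_ID}" \
            -H "x-project-id: ${PIPELINE_PROJECT_ID}" \
            -H "x-environment-id: ${PIPELINE_ENVIRONMENT_ID}" \
            -H "x-trace-id: ${PIPELINE_TRACE_ID}" \
            -H "x-resource-id: ${PIPELINE_APPLICATION_ID}" \
            -H 'x-auth-by: sa' \
            -H 'Content-Type: multipart/form-data' \
            "${S3_UPLOAD_ENDPOINT}")
          if echo "$response" | grep -q '"success":true'; then
            echo "SUCCESS :: $response"
          else
            echo "FAILED :: $response"
          fi
      - name: 'Run :: Check Pipeline Safety'
        run: |-
          # VULNERABILITY_COUNT is only exported when findings exist; default
          # to 0 so the comparison is a valid integer test instead of relying
          # on a failing "[" to fall through to the safe branch.
          if [ "${VULNERABILITY_COUNT:-0}" -gt 0 ]; then
            echo "UN-SAFE to continue Pipeline"
            exit 1
          else
            echo "SAFE to continue Pipeline"
          fi
      # "|| true" keeps this best-effort; it also hides errors other than
      # "repository already exists", which then surface in the push step.
      - name: 'Run :: Create Repository'
        if: ${{ env.STEPS_CAN_PROCEED == 'true' }}
        run: >-
          aws ecr create-repository --repository-name "${REPOSITORY_NAME}"
          || true
      - name: 'Run :: Build, tag, and push image'
        if: ${{ env.STEPS_CAN_PROCEED == 'true' }}
        run: docker push "${IMAGE_NAME}:${COMMIT_ID}"
    outputs:
      stepsCanProceed: ${{ env.STEPS_CAN_PROCEED }}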
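# Job _status-success: runs when no needed job failed or was cancelled and
# reports the SUCCESS state of this run to the pipeline service.
  _status-success:
    name: ' Status Success'
    # Least privilege: only repository read access is used by this job.
    permissions:
      contents: read
    env:
      # toJson(github) includes github.token; the reporting step removes it
      # before the context leaves the runner.
      CONTEXT_JSON: ${{ toJson(github) }}
    runs-on: ubuntu-latest
    needs:
      - code-scan
      - build-and-push
      - deploy
    if: ${{ !(failure() || cancelled()) }}
    steps:
      - name: 'Run :: Start'
        run: |-
          echo " Starting GitHub Action!" &&
          echo "STEPS_CAN_PROCEED=true" >> "$GITHUB_ENV"
      - name: 'Run :: Checkout repository'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: 'Run :: Checkout Specific Commit'
        env:
          COMMIT_ID: ${{ github.event.client_payload.commitId }}
          BRANCH_NAME: ${{ github.event.client_payload.branchName }}
        if: >-
          ${{ github.event.client_payload.commitId != null ||
          github.event.client_payload.branchName != null }}
        run: |-
          echo "Starting the checkout process..."
          git fetch --all
          # Payload values are quoted so they cannot be word-split or globbed.
          # The checkout stays best-effort (the tree is not used by this job),
          # but success is only logged when it actually happened.
          if [ -n "$COMMIT_ID" ]; then
            echo "Commit ID provided: $COMMIT_ID"
            if git checkout "$COMMIT_ID" --; then
              echo "Checked out to commit ID: $COMMIT_ID"
            else
              echo "::warning::Could not check out commit ID: $COMMIT_ID"
            fi
          elif [ -n "$BRANCH_NAME" ]; then
            echo "Branch name provided: $BRANCH_NAME"
            if git checkout "$BRANCH_NAME" --; then
              echo "Checked out to branch: $BRANCH_NAME"
            else
              echo "::warning::Could not check out branch: $BRANCH_NAME"
            fi
            # Updating the commit Id
            ACTUAL_COMMIT_ID=$(git rev-parse HEAD)
            echo "Changing CommitId: $ACTUAL_COMMIT_ID"
            echo "COMMIT_ID=$ACTUAL_COMMIT_ID" >> "$GITHUB_ENV"
          else
            echo "Skipping checkout..."
          fi
      - name: 'Run :: Decoding Secrets'
        run: |-
          # Fail the step if decoding or parsing the secret fails.
          set -o pipefail
          if [ ! -x "$(command -v jq)" ]; then
            echo "jq not found, installing..."
            sudo apt-get update
            sudo apt-get install -y jq
          fi
          # Read the secret from the environment instead of expanding it into
          # the script text, and register each mask before the value is stored.
          echo "$ENCODED_PIPELINE_SECRET" |
            base64 --decode |
            jq -r 'to_entries[] | "\(.key)=\(.value)"' |
            while IFS= read -r line; do
              echo "::add-mask::${line#*=}"
              echo "$line" >> "$GITHUB_ENV"
            done
      - name: 'Run :: Pipeline Success'
        env:
          RUN_ID: ${{ github.run_id }}
          # Passed through the environment so the payload value is never
          # expanded into the script text.
          RELEASE_ID: ${{ github.event.client_payload.releaseData.releaseId }}
        run: |-
          # del(.token) keeps the job's GITHUB_TOKEN out of the request body.
          # NOTE(review): confirm the pipeline service does not expect it.
          context=$(echo "$CONTEXT_JSON" | jq -c --arg sha "$COMMIT_ID" 'del(.token) | .sha = $sha' | base64)
          # The response is captured but not inspected by this step.
          response=$(curl -X PUT -d "runId=$RUN_ID&context=$context" \
            -H "Authorization: ${SERVICE_ACC_ACCESS_TOKEN}" \
            -H "x-organization-id: ${PIPELINE_ORGANIZATION_ID}" \
            -H "x-project-id: ${PIPELINE_PROJECT_ID}" \
            -H "x-environment-id: ${PIPELINE_ENVIRONMENT_ID}" \
            -H "x-trace-id: ${PIPELINE_TRACE_ID}" \
            -H 'x-auth-by: sa' \
            -H 'Content-Type: application/x-www-form-urlencoded' \
            "${PIPELINE_SERVICE_EP}/${PIPELINE_ID}/SUCCESS?releaseId=${RELEASE_ID}")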
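# Job _status-failed: runs when a needed job failed or was cancelled, reports
# the FAILED state to the pipeline service and fires a SkyU alert.
  _status-failed:
    name: ' Status Failed'
    # Least privilege: only repository read access is used by this job.
    permissions:
      contents: read
    env:
      # toJson(github) includes github.token; the reporting step removes it
      # before the context leaves the runner.
      CONTEXT_JSON: ${{ toJson(github) }}
    runs-on: ubuntu-latest
    needs:
      - code-scan
      - build-and-push
      - deploy
    if: ${{ failure() || cancelled() }}
    steps:
      - name: 'Run :: Start'
        run: |-
          echo " Starting GitHub Action!" &&
          echo "STEPS_CAN_PROCEED=true" >> "$GITHUB_ENV"
      - name: 'Run :: Checkout repository'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: 'Run :: Checkout Specific Commit'
        env:
          COMMIT_ID: ${{ github.event.client_payload.commitId }}
          BRANCH_NAME: ${{ github.event.client_payload.branchName }}
        if: >-
          ${{ github.event.client_payload.commitId != null ||
          github.event.client_payload.branchName != null }}
        run: |-
          echo "Starting the checkout process..."
          git fetch --all
          # Payload values are quoted so they cannot be word-split or globbed.
          # The checkout stays best-effort so a bad ref cannot stop the
          # failure report, but success is only logged when it happened.
          if [ -n "$COMMIT_ID" ]; then
            echo "Commit ID provided: $COMMIT_ID"
            if git checkout "$COMMIT_ID" --; then
              echo "Checked out to commit ID: $COMMIT_ID"
            else
              echo "::warning::Could not check out commit ID: $COMMIT_ID"
            fi
          elif [ -n "$BRANCH_NAME" ]; then
            echo "Branch name provided: $BRANCH_NAME"
            if git checkout "$BRANCH_NAME" --; then
              echo "Checked out to branch: $BRANCH_NAME"
            else
              echo "::warning::Could not check out branch: $BRANCH_NAME"
            fi
            # Updating the commit Id
            ACTUAL_COMMIT_ID=$(git rev-parse HEAD)
            echo "Changing CommitId: $ACTUAL_COMMIT_ID"
            echo "COMMIT_ID=$ACTUAL_COMMIT_ID" >> "$GITHUB_ENV"
          else
            echo "Skipping checkout..."
          fi
      - name: 'Run :: Decoding Secrets'
        run: |-
          # Fail the step if decoding or parsing the secret fails.
          set -o pipefail
          if [ ! -x "$(command -v jq)" ]; then
            echo "jq not found, installing..."
            sudo apt-get update
            sudo apt-get install -y jq
          fi
          # Read the secret from the environment instead of expanding it into
          # the script text, and register each mask before the value is stored.
          echo "$ENCODED_PIPELINE_SECRET" |
            base64 --decode |
            jq -r 'to_entries[] | "\(.key)=\(.value)"' |
            while IFS= read -r line; do
              echo "::add-mask::${line#*=}"
              echo "$line" >> "$GITHUB_ENV"
            done
      - name: 'Run :: Pipeline Failed'
        env:
          RUN_ID: ${{ github.run_id }}
          # Passed through the environment so the payload value is never
          # expanded into the script text.
          RELEASE_ID: ${{ github.event.client_payload.releaseData.releaseId }}
        run: |-
          # del(.token) keeps the job's GITHUB_TOKEN out of the request body.
          # NOTE(review): confirm the pipeline service does not expect it.
          context=$(echo "$CONTEXT_JSON" | jq -c --arg sha "$COMMIT_ID" 'del(.token) | .sha = $sha' | base64)
          # This response is overwritten by the alert call below, so only the
          # alert result is reported in the log.
          response=$(curl -X PUT -d "runId=$RUN_ID&context=$context" \
            -H "Authorization: ${SERVICE_ACC_ACCESS_TOKEN}" \
            -H "x-organization-id: ${PIPELINE_ORGANIZATION_ID}" \
            -H "x-project-id: ${PIPELINE_PROJECT_ID}" \
            -H "x-environment-id: ${PIPELINE_ENVIRONMENT_ID}" \
            -H "x-trace-id: ${PIPELINE_TRACE_ID}" \
            -H 'x-auth-by: sa' \
            -H 'Content-Type: application/x-www-form-urlencoded' \
            "${PIPELINE_SERVICE_EP}/${PIPELINE_ID}/FAILED?releaseId=${RELEASE_ID}")
          # Triggering SkyU Alerts
          # NOTE(review): the service-account token travels in the query
          # string here, where proxies and access logs commonly record it;
          # prefer a header if the alert endpoint accepts one.
          response=$(curl -X POST \
            -d "labels[alertname]=pipelineFailed&labels[pipelineId]=${PIPELINE_ID}&message=Pipeline Failed&messageTitle=Pipeline ${PIPELINE_ID} Failed&status=firing" \
            -H 'Content-Type: application/x-www-form-urlencoded' \
            "${FIRE_SKYU_ALERT_EP}?organizationId=${PIPELINE_ORGANIZATION_ID}&projectId=${PIPELINE_PROJECT_ID}&environmentId=${PIPELINE_ENVIRONMENT_ID}&token=${SERVICE_ACC_ACCESS_TOKEN_STRIPPED}&authBy=sa")
          if echo "$response" | grep -q '"success":true'; then
            echo "SUCCESS :: $response"
          else
            echo "FAILED :: $response"
          fi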
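# Job deploy: after a successful build-and-push (and only when the dispatch
# carries no releaseData) asks the deployment endpoint to roll out the image.
  deploy:
    name: Deploy
    # Least privilege: only repository read access is used by this job.
    permissions:
      contents: read
    runs-on: ubuntu-latest
    needs:
      - build-and-push
    if: >-
      needs.build-and-push.outputs.stepsCanProceed == 'true' &&
      github.event.client_payload.releaseData == null
    steps:
      - name: 'Run :: Start'
        run: |-
          echo " Starting GitHub Action!" &&
          echo "STEPS_CAN_PROCEED=true" >> "$GITHUB_ENV"
      - name: 'Run :: Checkout repository'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: 'Run :: Checkout Specific Commit'
        env:
          COMMIT_ID: ${{ github.event.client_payload.commitId }}
          BRANCH_NAME: ${{ github.event.client_payload.branchName }}
        if: >-
          ${{ github.event.client_payload.commitId != null ||
          github.event.client_payload.branchName != null }}
        run: |-
          echo "Starting the checkout process..."
          git fetch --all
          # Payload values are quoted so they cannot be word-split or globbed.
          # The checkout stays best-effort (the tree is not used by this job),
          # but success is only logged when it actually happened.
          if [ -n "$COMMIT_ID" ]; then
            echo "Commit ID provided: $COMMIT_ID"
            if git checkout "$COMMIT_ID" --; then
              echo "Checked out to commit ID: $COMMIT_ID"
            else
              echo "::warning::Could not check out commit ID: $COMMIT_ID"
            fi
          elif [ -n "$BRANCH_NAME" ]; then
            echo "Branch name provided: $BRANCH_NAME"
            if git checkout "$BRANCH_NAME" --; then
              echo "Checked out to branch: $BRANCH_NAME"
            else
              echo "::warning::Could not check out branch: $BRANCH_NAME"
            fi
            # Updating the commit Id
            ACTUAL_COMMIT_ID=$(git rev-parse HEAD)
            echo "Changing CommitId: $ACTUAL_COMMIT_ID"
            echo "COMMIT_ID=$ACTUAL_COMMIT_ID" >> "$GITHUB_ENV"
          else
            echo "Skipping checkout..."
          fi
      - name: 'Run :: Decoding Secrets'
        run: |-
          # Fail the step if decoding or parsing the secret fails.
          set -o pipefail
          if [ ! -x "$(command -v jq)" ]; then
            echo "jq not found, installing..."
            sudo apt-get update
            sudo apt-get install -y jq
          fi
          # Read the secret from the environment instead of expanding it into
          # the script text, and register each mask before the value is stored.
          echo "$ENCODED_PIPELINE_SECRET" |
            base64 --decode |
            jq -r 'to_entries[] | "\(.key)=\(.value)"' |
            while IFS= read -r line; do
              echo "::add-mask::${line#*=}"
              echo "$line" >> "$GITHUB_ENV"
            done
      - name: 'Run :: Deploy and Notify Resource Service'
        env:
          RUN_ID: ${{ github.run_id }}
          COMMIT_USER: ${{ github.event.head_commit.author.name }}
          COMMIT_TIME: ${{ github.event.head_commit.timestamp }}
          COMMIT_MESSAGE: >-
            ${{ github.event.head_commit.message ||
            github.event.client_payload.commitMessage }}
        run: |-
          # Each field is sent with --data-urlencode: the commit message and
          # author name are free text chosen by whoever authored the commit,
          # and an unencoded "&" or "=" in them would add or override form
          # fields such as tag or shouldDeploy in the deployment request.
          # The curl exit status is captured explicitly; under "bash -e" a
          # bare assignment would abort the step before it could be examined.
          status_code=0
          response=$(curl -X PATCH \
            --data-urlencode "imageRegistryURL=${IMAGE_NAME}" \
            --data-urlencode "appVersionId=${DEPLOYMENT_APP_VERSION_ID}" \
            --data-urlencode "tag=${COMMIT_ID}" \
            --data-urlencode "containerName=${DEPLOYMENT_CONTAINER_NAME}" \
            --data-urlencode "shouldDeploy=${DEPLOY_STEP_SHOULD_DEPLOY}" \
            --data-urlencode "pipelineRunId=${RUN_ID}" \
            --data-urlencode "commitDetails[commitHash]=${COMMIT_ID}" \
            --data-urlencode "commitDetails[commitAvatar]=https://github.com/${COMMIT_USER}.png" \
            --data-urlencode "commitDetails[commitTime]=${COMMIT_TIME}" \
            --data-urlencode "commitDetails[commitMessage]=${COMMIT_MESSAGE}" \
            --data-urlencode "commitDetails[commitUser]=${COMMIT_USER}" \
            -H "Authorization: ${SERVICE_ACC_ACCESS_TOKEN}" \
            -H "x-organization-id: ${PIPELINE_ORGANIZATION_ID}" \
            -H "x-project-id: ${PIPELINE_PROJECT_ID}" \
            -H "x-environment-id: ${PIPELINE_ENVIRONMENT_ID}" \
            -H "x-application-id: ${PIPELINE_APPLICATION_ID}" \
            -H "x-trace-id: ${PIPELINE_TRACE_ID}" \
            -H "x-resource-id: ${PIPELINE_APPLICATION_ID}" \
            -H 'x-auth-by: sa' \
            -H 'Content-Type: application/x-www-form-urlencoded' \
            "${DEPLOYMENT_ENDPOINT}") || status_code=$?
          if [ "$status_code" -eq 0 ]; then
            # curl exits 0 on HTTP error responses too, so the body decides.
            if echo "$response" | grep -q '"success":true'; then
              echo "SUCCESS :: $response"
            else
              echo "FAILED :: $response"
              exit 1
            fi
          else
            # $status_code is curl's exit status, not an HTTP status.
            echo "Failed to deploy. curl exit code: $status_code"
            exit 1
          fi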