-
Notifications
You must be signed in to change notification settings - Fork 5
159 lines (139 loc) · 4.69 KB
/
build-release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: Release and Build
on:
push:
branches:
- develop
- main
- feature/*
- fix/*
- hotfix/*
paths-ignore:
- '.gitignore'
- '**/*.env'
- '*.env'
- '**/*.md'
- '*.md'
- '**/*.txt'
- '*.txt'
permissions:
id-token: write
contents: write
pull-requests: write
env:
NODE_VERSION: '22'
jobs:
release:
name: Create Release for Node.js Project
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
outputs:
semantic_tag: ${{ steps.semantic_release.outputs.semantic_tag }}
steps:
- name: Create GitHub App Token
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.LERIAN_STUDIO_MIDAZ_PUSH_BOT_APP_ID }}
private-key: ${{ secrets.LERIAN_STUDIO_MIDAZ_PUSH_BOT_PRIVATE_KEY }}
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
- name: Import GPG Key
uses: crazy-max/ghaction-import-gpg@v6
id: import_gpg
with:
gpg_private_key: ${{ secrets.LERIAN_CI_CD_USER_GPG_KEY }}
passphrase: ${{ secrets.LERIAN_CI_CD_USER_GPG_KEY_PASSWORD }}
git_committer_name: ${{ secrets.LERIAN_CI_CD_USER_NAME }}
git_committer_email: ${{ secrets.LERIAN_CI_CD_USER_EMAIL }}
git_config_global: true
git_user_signingkey: true
git_commit_gpgsign: true
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
- name: Cache Node.js dependencies
uses: actions/cache@v3
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependencies
run: npm ci
- name: Build the project
run: npm run build
- name: Run Semantic Release and Capture Tag
id: semantic_release
run: |
TAG=$(npx semantic-release | grep 'The next release version is' | awk '{print $NF}')
echo "Generated tag: $TAG"
echo "::set-output name=semantic_tag::$TAG"
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
GIT_AUTHOR_NAME: ${{ secrets.LERIAN_CI_CD_USER_NAME }}
GIT_AUTHOR_EMAIL: ${{ secrets.LERIAN_CI_CD_USER_EMAIL }}
GIT_COMMITTER_NAME: ${{ secrets.LERIAN_CI_CD_USER_NAME }}
GIT_COMMITTER_EMAIL: ${{ secrets.LERIAN_CI_CD_USER_EMAIL }}
- name: Fail if no tag is generated
if: ${{ steps.semantic_release.outputs.semantic_tag == '' }}
run: |
echo -e "\033[31mNo new version was generated. Stopping the pipeline.\033[0m"
exit 1
build_and_publish:
name: Build and Publish Docker Image
needs: release
runs-on: ubuntu-latest
env:
APP_NAME: midaz-console
DOCKERHUB_ORG: lerianstudio
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Debug semantic_tag
run: echo "semantic_tag=${{ needs.release.outputs.semantic_tag }}"
- name: Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKERHUB_ORG }}/${{ env.APP_NAME }}
tags: |
${{ needs.release.outputs.semantic_tag }}
${{ github.ref == 'refs/heads/main' && 'latest' || github.ref == 'refs/heads/develop' && 'next' || '' }}
- name: Build Docker image
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
load: true
tags: ${{ steps.meta.outputs.tags }}
cache-from: type=registry,ref=${{ env.DOCKERHUB_ORG }}/${{ env.APP_NAME }}:latest
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ env.DOCKERHUB_ORG }}/${{ env.APP_NAME }}:${{ needs.release.outputs.semantic_tag }}'
format: 'table'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
exit-code: '1'
- name: Push Docker image
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}