Skip to content

AAP-24179 - creating git metadata task #3199

AAP-24179 - creating git metadata task

AAP-24179 - creating git metadata task #3199

name: Build and Push Image
on:
push:
branches:
- main
pull_request:
branches:
- main
# have the ability to trigger this workflow manually
workflow_dispatch:
jobs:
build:
name: Build and push image
runs-on: ubuntu-20.04
permissions:
contents: write
steps:
- uses: actions/checkout@v3
- name: Tag Name
id: tag_name
run: |
if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "IMAGE_TAGS=pr-${{ github.event.pull_request.number }}.$(date +'%Y%m%d%H%M') pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
echo "LABEL quay.expires-after=3d" >> ./wisdom-service.Containerfile # tag expires in 3 days
elif [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
echo "IMAGE_TAGS=${{ github.ref_name }}-$( git rev-parse --short HEAD ).$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
else
echo "IMAGE_TAGS=latest $(cat ./.version).$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
fi
echo "sha-short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
echo "sha-long=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- name: Retrieve ari knowledge base from s3
run: |
aws s3 cp --only-show-errors --recursive ${KB_ARI_PATH}/data ari/kb/data
aws s3 cp --only-show-errors --recursive ${KB_ARI_PATH}/rules ari/kb/rules
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
KB_ARI_PATH: ${{ secrets.KB_ARI_PATH }}
- name: Free space on build machine
run: |
rm -rf /opt/hostedtoolcache/Java*
rm -rf /opt/hostedtoolcache/Ruby*
rm -rf /opt/hostedtoolcache/Go*
rm -rf /opt/hostedtoolcache/node*
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
- name: Remove the pre-cached Docker images
run: docker image prune --all --force
- name: Build Image
id: build-image
uses: redhat-actions/buildah-build@v2
with:
image: wisdom-service
tags: ${{ steps.tag_name.outputs.IMAGE_TAGS }}
containerfiles: |
./wisdom-service.Containerfile
labels: |
sha-short=${{ steps.tag_name.outputs.sha-short }}
sha-long=${{ steps.tag_name.outputs.sha-long }}
build-args: |
IMAGE_TAGS=${{ steps.tag_name.outputs.IMAGE_TAGS }}
GIT_COMMIT=${{ steps.tag_name.outputs.sha-long }}
extra-args: |
--target=production
--ulimit nofile=4096
- name: Scan Malware
# Do not scan malware in PR builds
if: ${{ github.event_name == 'push' }}
run: |
id=$(podman create $CLAMAV_DB_IMAGE)
podman cp $id:$CLAMAV_DB_DIR clamav-db
podman rm -v $id
podman build -f ./wisdom-service-clamav.Containerfile -t wisdom-service-clamav .
echo '```' > clamav.md
podman run -t wisdom-service-clamav | tee -a clamav.md
echo '```' >> clamav.md
env:
CLAMAV_DB_IMAGE: quay.io/redhat-appstudio/clamav-db:latest
CLAMAV_DB_DIR: /var/lib/clamav
- name: Get Comment Body
id: get-comment-body
# https://github.com/marketplace/actions/commit-comment#setting-the-comment-body-from-a-file
if: ${{ github.event_name == 'push' }}
run: |
body="$(cat clamav.md)"
delimiter="$(openssl rand -hex 8)"
echo "body<<$delimiter" >> $GITHUB_OUTPUT
echo "$body" >> $GITHUB_OUTPUT
echo "$delimiter" >> $GITHUB_OUTPUT
- name: Add Malware Scanning Commit Comment
if: ${{ github.event_name == 'push' }}
uses: peter-evans/commit-comment@v2
with:
body: ${{ steps.get-comment-body.outputs.body }}
- name: Push To quay.io
id: push-to-quay
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ steps.build-image.outputs.image }}
tags: ${{ steps.build-image.outputs.tags }}
registry: quay.io/ansible
username: ${{ secrets.QUAY_USER }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Print image url
run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"
- name: Report to slack
id: slack
uses: slackapi/slack-github-action@v1.23.0
with:
# For posting a rich message using Block Kit
payload: |
{
"text": "wisdom service image build result: ${{ job.status }}\nimage tag: ${{ steps.build-image.outputs.tags }}\nlink to action: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
if: ${{ always() }}