Fix Docker build and dependencies #153
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
branches: | |
- master | |
pull_request: | |
name: Standard CI checks | |
jobs: | |
Hadolint: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
image: ["server", "ui", "base"] | |
steps: | |
- uses: actions/checkout@v2 | |
- uses: hadolint/hadolint-action@v1.5.0 | |
with: | |
dockerfile: docker-builds/${{ matrix.image }}/Dockerfile | |
Prettier: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Prettier Action | |
uses: creyD/prettier_action@v3.3 | |
Code_security: | |
name: Code security | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v2 | |
- name: Scan project | |
uses: ShiftLeftSecurity/scan-action@master | |
nodejs-lint: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: ["11.14.0"] | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Lint code using Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v1 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- run: npm i -g yarn | |
- run: yarn deps | |
- run: yarn lint | |
docker_checks: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
image: [ 'server', 'ui' ] | |
environment: ['qa', 'prod'] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: ${{ secrets.AWS_DEFAULT_REGION }} | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Build ${{ matrix.image }} Docker image | |
env: | |
ECR_REGISTRY: ${{ secrets.ECR_REGISTRY }} | |
ECR_REPOSITORY: "memefactory" | |
run: | | |
echo "Building on ${GITHUB_REF} branch" | |
DOCKER_BUILDKIT=1 docker build --build-arg BUILD_ENV=${{ matrix.environment }} -t ${{ matrix.image }}:${{ github.sha }}-${{ matrix.environment }} -t ${ECR_REGISTRY}/${ECR_REPOSITORY}-${{matrix.image}}:latest-${{ matrix.environment }} -t ${ECR_REGISTRY}/${ECR_REPOSITORY}-${{matrix.image}}:${{ github.sha }}-${{ matrix.environment }} -f docker-builds/${{ matrix.image }}/Dockerfile . | |
echo "Successfully built docker image" | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: '${{ matrix.image }}:${{ github.sha }}-${{ matrix.environment }}' | |
format: 'table' | |
exit-code: '0' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL' | |
- name: Push docker images | |
env: | |
ECR_REGISTRY: ${{ secrets.ECR_REGISTRY }} | |
ECR_REPOSITORY: "memefactory" | |
run: | | |
echo "Pushing docker images" | |
echo "Will push to the registry image with latest-${{ matrix.environment }} and ${{ github.sha }}-${{ matrix.environment }} tags" | |
if [[ ${{ matrix.environment }} == "prod" && ${GITHUB_REF} == "refs/heads/master" ]]; then | |
docker push ${ECR_REGISTRY}/${ECR_REPOSITORY}-${{matrix.image}}:${{ github.sha }}-${{ matrix.environment }} | |
docker push ${ECR_REGISTRY}/${ECR_REPOSITORY}-${{matrix.image}}:latest-${{ matrix.environment }} | |
else | |
docker push ${ECR_REGISTRY}/${ECR_REPOSITORY}-${{matrix.image}}:${{ github.sha }}-${{ matrix.environment }} | |
docker push ${ECR_REGISTRY}/${ECR_REPOSITORY}-${{matrix.image}}:latest-${{ matrix.environment }} | |
fi |