Merge branch 'main' into patch-16
This commit is contained in:
+5
-1
@@ -1,6 +1,10 @@
|
||||
name: MSBuild
|
||||
|
||||
on: [push]
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
env:
|
||||
# Path to the solution file relative to the root of the project.
|
||||
|
||||
@@ -42,8 +42,13 @@ on:
|
||||
workflow_dispatch:
|
||||
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
Trigger APIsec scan:
|
||||
permissions:
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
@@ -61,4 +66,4 @@ jobs:
|
||||
- name: Import results
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: ./apisec-results.sarif
|
||||
sarif_file: ./apisec-results.sarif
|
||||
|
||||
@@ -17,8 +17,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
brakeman-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
name: Brakeman Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -22,8 +22,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
codacy-security-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
name: Codacy Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -13,8 +13,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
mobile-security:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
@@ -33,4 +39,4 @@ jobs:
|
||||
- name: Upload mobsfscan report
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -20,8 +20,14 @@ env:
|
||||
# Path to the CMake build directory.
|
||||
build: '${{ github.workspace }}/build'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
analyze:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
name: Analyze
|
||||
runs-on: windows-latest
|
||||
|
||||
|
||||
@@ -17,8 +17,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
njsscan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
name: njsscan code scanning
|
||||
steps:
|
||||
|
||||
@@ -21,8 +21,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
prisma_cloud_iac_scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
name: Run Prisma Cloud IaC Scan to check
|
||||
steps:
|
||||
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
persist-credentials: false
|
||||
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2
|
||||
uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
|
||||
@@ -19,8 +19,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
semgrep:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
name: Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -37,8 +37,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
stackhawk:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info
|
||||
name: StackHawk
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
|
||||
@@ -13,10 +13,17 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
|
||||
build:
|
||||
|
||||
permissions:
|
||||
checks: write # for sysdiglabs/scan-action to publish the checks
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
@@ -51,4 +58,4 @@ jobs:
|
||||
#Upload SARIF file
|
||||
if: always()
|
||||
with:
|
||||
sarif_file: ${{ steps.scan.outputs.sarifReport }}
|
||||
sarif_file: ${{ steps.scan.outputs.sarifReport }}
|
||||
|
||||
@@ -17,10 +17,16 @@ on:
|
||||
- cron: $cron-weekly
|
||||
|
||||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
|
||||
build-and-pipeline-scan:
|
||||
# The type of runner that the job will run on
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
|
||||
@@ -0,0 +1,122 @@
|
||||
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
|
||||
#
|
||||
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
|
||||
# For instructions see:
|
||||
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
|
||||
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
|
||||
# - https://github.com/Azure/aks-create-action
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Set the following secrets in your repository (instructions for getting these
|
||||
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
|
||||
# - AZURE_CLIENT_ID
|
||||
# - AZURE_TENANT_ID
|
||||
# - AZURE_SUBSCRIPTION_ID
|
||||
#
|
||||
# 2. Set the following environment variables (or replace the values below):
|
||||
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
|
||||
# - RESOURCE_GROUP (where your cluster is deployed)
|
||||
# - CLUSTER_NAME (name of your AKS cluster)
|
||||
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
|
||||
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
|
||||
#
|
||||
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
|
||||
# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
|
||||
# - CHART_PATH (path to your helm chart)
|
||||
# - CHART_OVERRIDE_PATH (path to your helm chart with override values)
|
||||
#
|
||||
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
|
||||
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
|
||||
# For more options with the actions used below please refer to https://github.com/Azure/login
|
||||
|
||||
name: Build and deploy an app to AKS with Helm
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
|
||||
CONTAINER_NAME: "your-container-name"
|
||||
RESOURCE_GROUP: "your-resource-group"
|
||||
CLUSTER_NAME: "your-cluster-name"
|
||||
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
|
||||
CHART_PATH: "your-chart-path"
|
||||
CHART_OVERRIDE_PATH: "your-chart-override-path"
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
id-token: write
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checks out the repository this file is in
|
||||
- uses: actions/checkout@master
|
||||
|
||||
# Logs in with your Azure credentials
|
||||
- name: Azure login
|
||||
uses: azure/login@v1.4.3
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
|
||||
# Builds and pushes an image up to your Azure Container Registry
|
||||
- name: Build and push image to ACR
|
||||
run: |
|
||||
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
|
||||
|
||||
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
|
||||
- name: Get K8s context
|
||||
uses: azure/aks-set-context@v2.0
|
||||
with:
|
||||
resource-group: ${{ env.RESOURCE_GROUP }}
|
||||
cluster-name: ${{ env.CLUSTER_NAME }}
|
||||
|
||||
# Retrieves the credentials for pulling images from your Azure Container Registry
|
||||
- name: Get ACR credentials
|
||||
run: |
|
||||
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
|
||||
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
|
||||
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
|
||||
echo "::set-output name=username::${ACR_USERNAME}"
|
||||
echo "::set-output name=password::${ACR_PASSWORD}"
|
||||
id: get-acr-creds
|
||||
|
||||
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
|
||||
- name: Create K8s secret for pulling image from ACR
|
||||
uses: Azure/k8s-create-secret@v1.1
|
||||
with:
|
||||
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
|
||||
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
|
||||
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
|
||||
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
# Runs Helm to create manifest files
|
||||
- name: Bake deployment
|
||||
uses: azure/k8s-bake@v2.1
|
||||
with:
|
||||
renderEngine: 'helm'
|
||||
helmChart: ${{ env.CHART_PATH }}
|
||||
overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
|
||||
overrides: |
|
||||
replicas:2
|
||||
helm-version: 'latest'
|
||||
id: bake
|
||||
|
||||
# Deploys application based on manifest files from previous step
|
||||
- name: Deploy application
|
||||
uses: Azure/k8s-deploy@v3.0
|
||||
with:
|
||||
action: deploy
|
||||
manifests: ${{ steps.bake.outputs.manifestsBundle }}
|
||||
images: |
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
|
||||
imagepullsecrets: |
|
||||
${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
@@ -0,0 +1,111 @@
|
||||
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
|
||||
#
|
||||
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
|
||||
# For instructions see:
|
||||
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
|
||||
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
|
||||
# - https://github.com/Azure/aks-create-action
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Set the following secrets in your repository (instructions for getting these
|
||||
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
|
||||
# - AZURE_CLIENT_ID
|
||||
# - AZURE_TENANT_ID
|
||||
# - AZURE_SUBSCRIPTION_ID
|
||||
#
|
||||
# 2. Set the following environment variables (or replace the values below):
|
||||
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
|
||||
# - RESOURCE_GROUP (where your cluster is deployed)
|
||||
# - CLUSTER_NAME (name of your AKS cluster)
|
||||
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
|
||||
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
|
||||
#
|
||||
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
|
||||
# Set your dockerComposeFile and kompose-version to suit your configuration.
|
||||
# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located)
|
||||
#
|
||||
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
|
||||
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
|
||||
# For more options with the actions used below please refer to https://github.com/Azure/login
|
||||
|
||||
name: Build and deploy an app to AKS with Kompose
|
||||
|
||||
env:
|
||||
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
|
||||
CONTAINER_NAME: "your-container-name"
|
||||
RESOURCE_GROUP: "your-resource-group"
|
||||
CLUSTER_NAME: "your-cluster-name"
|
||||
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
|
||||
DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
id-token: write
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checks out the repository this file is in
|
||||
- uses: actions/checkout@master
|
||||
|
||||
# Logs in with your Azure credentials
|
||||
- name: Azure login
|
||||
uses: azure/login@v1.4.3
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
|
||||
# Builds and pushes an image up to your Azure Container Registry
|
||||
- name: Build and push image to ACR
|
||||
run: |
|
||||
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
|
||||
|
||||
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
|
||||
- name: Get K8s context
|
||||
uses: azure/aks-set-context@v2.0
|
||||
with:
|
||||
resource-group: ${{ env.RESOURCE_GROUP }}
|
||||
cluster-name: ${{ env.CLUSTER_NAME }}
|
||||
|
||||
# Retrieves the credentials for pulling images from your Azure Container Registry
|
||||
- name: Get ACR credentials
|
||||
run: |
|
||||
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
|
||||
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
|
||||
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
|
||||
echo "::set-output name=username::${ACR_USERNAME}"
|
||||
echo "::set-output name=password::${ACR_PASSWORD}"
|
||||
id: get-acr-creds
|
||||
|
||||
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
|
||||
- name: Create K8s secret for pulling image from ACR
|
||||
uses: Azure/k8s-create-secret@v1.1
|
||||
with:
|
||||
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
|
||||
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
|
||||
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
|
||||
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
# Runs Kompose to create manifest files
|
||||
- name: Bake deployment
|
||||
uses: azure/k8s-bake@v2.1
|
||||
with:
|
||||
renderEngine: 'kompose'
|
||||
dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
|
||||
kompose-version: 'latest'
|
||||
id: bake
|
||||
|
||||
# Deploys application based on manifest files from previous step
|
||||
- name: Deploy application
|
||||
uses: Azure/k8s-deploy@v3.0
|
||||
with:
|
||||
action: deploy
|
||||
manifests: ${{ steps.bake.outputs.manifestsBundle }}
|
||||
images: |
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
|
||||
imagepullsecrets: |
|
||||
${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
@@ -0,0 +1,117 @@
|
||||
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
|
||||
#
|
||||
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
|
||||
# For instructions see:
|
||||
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
|
||||
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
|
||||
# - https://github.com/Azure/aks-create-action
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Set the following secrets in your repository (instructions for getting these
|
||||
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
|
||||
# - AZURE_CLIENT_ID
|
||||
# - AZURE_TENANT_ID
|
||||
# - AZURE_SUBSCRIPTION_ID
|
||||
#
|
||||
# 2. Set the following environment variables (or replace the values below):
|
||||
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
|
||||
# - RESOURCE_GROUP (where your cluster is deployed)
|
||||
# - CLUSTER_NAME (name of your AKS cluster)
|
||||
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
|
||||
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
|
||||
#
|
||||
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
|
||||
# Set your kustomizationPath and kubectl-version to suit your configuration.
|
||||
# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located)
|
||||
#
|
||||
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
|
||||
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
|
||||
# For more options with the actions used below please refer to https://github.com/Azure/login
|
||||
|
||||
name: Build and deploy an app to AKS with Kustomize
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
|
||||
CONTAINER_NAME: "your-container-name"
|
||||
RESOURCE_GROUP: "your-resource-group"
|
||||
CLUSTER_NAME: "your-cluster-name"
|
||||
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
|
||||
KUSTOMIZE_PATH: "your-kustomize-path"
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
id-token: write
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checks out the repository this file is in
|
||||
- uses: actions/checkout@master
|
||||
|
||||
# Logs in with your Azure credentials
|
||||
- name: Azure login
|
||||
uses: azure/login@v1.4.3
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
|
||||
# Builds and pushes an image up to your Azure Container Registry
|
||||
- name: Build and push image to ACR
|
||||
run: |
|
||||
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
|
||||
|
||||
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
|
||||
- name: Get K8s context
|
||||
uses: azure/aks-set-context@v2.0
|
||||
with:
|
||||
resource-group: ${{ env.RESOURCE_GROUP }}
|
||||
cluster-name: ${{ env.CLUSTER_NAME }}
|
||||
|
||||
# Retrieves the credentials for pulling images from your Azure Container Registry
|
||||
- name: Get ACR credentials
|
||||
run: |
|
||||
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
|
||||
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
|
||||
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
|
||||
echo "::set-output name=username::${ACR_USERNAME}"
|
||||
echo "::set-output name=password::${ACR_PASSWORD}"
|
||||
id: get-acr-creds
|
||||
|
||||
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
|
||||
- name: Create K8s secret for pulling image from ACR
|
||||
uses: Azure/k8s-create-secret@v1.1
|
||||
with:
|
||||
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
|
||||
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
|
||||
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
|
||||
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
# Runs Kustomize to create manifest files
|
||||
- name: Bake deployment
|
||||
uses: azure/k8s-bake@v2.1
|
||||
with:
|
||||
renderEngine: 'kustomize'
|
||||
kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
|
||||
kubectl-version: latest
|
||||
id: bake
|
||||
|
||||
# Deploys application based on manifest files from previous step
|
||||
- name: Deploy application
|
||||
uses: Azure/k8s-deploy@v3.0
|
||||
with:
|
||||
action: deploy
|
||||
manifests: ${{ steps.bake.outputs.manifestsBundle }}
|
||||
images: |
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
|
||||
imagepullsecrets: |
|
||||
${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
@@ -1,80 +1,105 @@
|
||||
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
|
||||
#
|
||||
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
|
||||
# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
|
||||
# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
|
||||
# https://github.com/Azure/aks-create-action
|
||||
# For instructions see:
|
||||
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
|
||||
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
|
||||
# - https://github.com/Azure/aks-create-action
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Set the following secrets in your repository:
|
||||
# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret)
|
||||
# 1. Set the following secrets in your repository (instructions for getting these
|
||||
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
|
||||
# - AZURE_CLIENT_ID
|
||||
# - AZURE_TENANT_ID
|
||||
# - AZURE_SUBSCRIPTION_ID
|
||||
#
|
||||
# 2. Set the following environment variables (or replace the values below):
|
||||
# - AZURE_CONTAINER_REGISTRY (name of your container registry)
|
||||
# - PROJECT_NAME
|
||||
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
|
||||
# - RESOURCE_GROUP (where your cluster is deployed)
|
||||
# - CLUSTER_NAME (name of your AKS cluster)
|
||||
#
|
||||
# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes helm, then set
|
||||
# any needed environment variables such as:
|
||||
# - CHART_PATH
|
||||
# - CHART_OVERRIDE_PATH
|
||||
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
|
||||
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
|
||||
# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
|
||||
#
|
||||
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
|
||||
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
|
||||
# For more options with the actions used below please see the folllowing
|
||||
# https://github.com/Azure/login
|
||||
# https://github.com/Azure/aks-set-context
|
||||
# https://github.com/marketplace/actions/azure-cli-action
|
||||
# https://github.com/Azure/k8s-bake
|
||||
# https://github.com/Azure/k8s-deploy
|
||||
# For more options with the actions used below please refer to https://github.com/Azure/login
|
||||
|
||||
on: [push]
|
||||
name: Build and deploy an app to AKS
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
|
||||
CONTAINER_NAME: "your-container-name"
|
||||
RESOURCE_GROUP: "your-resource-group"
|
||||
CLUSTER_NAME: "your-cluster-name"
|
||||
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
|
||||
DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
id-token: write
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checks out the repository this file is in
|
||||
- uses: actions/checkout@master
|
||||
|
||||
- name: Azure Login
|
||||
uses: azure/login@v1
|
||||
# Logs in with your Azure credentials
|
||||
- name: Azure login
|
||||
uses: azure/login@v1.4.3
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_CREDENTIALS }}
|
||||
|
||||
- name: Build image on ACR
|
||||
uses: azure/CLI@v1
|
||||
with:
|
||||
azcliversion: 2.29.1
|
||||
inlineScript: |
|
||||
az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }}
|
||||
az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}
|
||||
|
||||
- name: Gets K8s context
|
||||
uses: azure/aks-set-context@v1
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_CREDENTIALS }}
|
||||
resource-group: ${{ env.RESOURCE_GROUP }}
|
||||
cluster-name: ${{ env.CLUSTER_NAME }}
|
||||
id: login
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
|
||||
# Builds and pushes an image up to your Azure Container Registry
|
||||
- name: Build and push image to ACR
|
||||
run: |
|
||||
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
|
||||
|
||||
- name: Configure deployment
|
||||
uses: azure/k8s-bake@v1
|
||||
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
|
||||
- name: Get K8s context
|
||||
uses: azure/aks-set-context@v2.0
|
||||
with:
|
||||
renderEngine: 'helm'
|
||||
helmChart: ${{ env.CHART_PATH }}
|
||||
overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
|
||||
overrides: |
|
||||
replicas:2
|
||||
helm-version: 'latest'
|
||||
id: bake
|
||||
resource-group: ${{ env.RESOURCE_GROUP }}
|
||||
cluster-name: ${{ env.CLUSTER_NAME }}
|
||||
|
||||
# Retrieves the credentials for pulling images from your Azure Container Registry
|
||||
- name: Get ACR credentials
|
||||
run: |
|
||||
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
|
||||
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
|
||||
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
|
||||
echo "::set-output name=username::${ACR_USERNAME}"
|
||||
echo "::set-output name=password::${ACR_PASSWORD}"
|
||||
id: get-acr-creds
|
||||
|
||||
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
|
||||
- name: Create K8s secret for pulling image from ACR
|
||||
uses: Azure/k8s-create-secret@v1.1
|
||||
with:
|
||||
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
|
||||
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
|
||||
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
|
||||
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
# Deploys application based on given manifest file
|
||||
- name: Deploys application
|
||||
- uses: Azure/k8s-deploy@v1
|
||||
uses: Azure/k8s-deploy@v3.0
|
||||
with:
|
||||
manifests: ${{ steps.bake.outputs.manifestsBundle }}
|
||||
action: deploy
|
||||
manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
|
||||
images: |
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
|
||||
imagepullsecrets: |
|
||||
${{ env.PROJECT_NAME }}
|
||||
${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Deploy to AKS with Helm",
|
||||
"description": "Deploy an application to an Azure Kubernetes Service cluster using Helm",
|
||||
"creator": "Microsoft Azure",
|
||||
"iconName": "azure",
|
||||
"categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Deploy to AKS with Kompose",
|
||||
"description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose",
|
||||
"creator": "Microsoft Azure",
|
||||
"iconName": "azure",
|
||||
"categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Deploy to AKS with Kustomize",
|
||||
"description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize",
|
||||
"creator": "Microsoft Azure",
|
||||
"iconName": "azure",
|
||||
"categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"]
|
||||
}
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "Deploy to a AKS Cluster",
|
||||
"description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials",
|
||||
"name": "Deploy to AKS",
|
||||
"description": "Deploy an application to an Azure Kubernetes Service cluster",
|
||||
"creator": "Microsoft Azure",
|
||||
"iconName": "azure",
|
||||
"categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"]
|
||||
"categories": ["Deployment", "Kubernetes", "Dockerfile"]
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user