Merge branch 'main' into patch-15

This commit is contained in:
h0x0er
2022-03-21 21:26:12 +05:30
committed by GitHub
37 changed files with 817 additions and 73 deletions
+1 -1
View File
@@ -109,7 +109,7 @@ jobs:
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
- name: Upload build artifacts
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v3
with:
name: MSIX Package
path: ${{ env.Wap_Project_Directory }}\AppPackages
+5 -1
View File
@@ -1,6 +1,10 @@
name: MSBuild
on: [push]
on:
push:
branches: [ $default-branch ]
pull_request:
branches: [ $default-branch ]
env:
# Path to the solution file relative to the root of the project.
+6 -1
View File
@@ -42,8 +42,13 @@ on:
workflow_dispatch:
permissions:
contents: read
jobs:
Trigger APIsec scan:
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
@@ -61,4 +66,4 @@ jobs:
- name: Import results
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ./apisec-results.sarif
sarif_file: ./apisec-results.sarif
+6
View File
@@ -17,8 +17,14 @@ on:
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
brakeman-scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
+43
View File
@@ -0,0 +1,43 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: clj-holmes
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
clj-holmes:
name: Run clj-holmes scanning
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Scan code
uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
with:
rules-repository: 'git://org/private-rules-repo#main'
output-type: 'sarif'
output-file: 'clj-holmes-results.sarif'
fail-on-result: 'false'
- name: Upload analysis results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
ait-for-processing: true
+6
View File
@@ -22,8 +22,14 @@ on:
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
codacy-security-scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Codacy Security Scan
runs-on: ubuntu-latest
steps:
+7 -1
View File
@@ -13,8 +13,14 @@ on:
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
mobile-security:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
@@ -33,4 +39,4 @@ jobs:
- name: Upload mobsfscan report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
sarif_file: results.sarif
+7 -1
View File
@@ -20,8 +20,14 @@ env:
# Path to the CMake build directory.
build: '${{ github.workspace }}/build'
permissions:
contents: read
jobs:
analyze:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Analyze
runs-on: windows-latest
@@ -53,7 +59,7 @@ jobs:
# Upload SARIF file as an Artifact to download and view
# - name: Upload SARIF as an Artifact
# uses: actions/upload-artifact@v2
# uses: actions/upload-artifact@v3
# with:
# name: sarif-file
# path: ${{ steps.run-analysis.outputs.sarif }}
+6
View File
@@ -17,8 +17,14 @@ on:
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
njsscan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
+6
View File
@@ -21,8 +21,14 @@ on:
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
prisma_cloud_iac_scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
name: Run Prisma Cloud IaC Scan to check
steps:
@@ -0,0 +1,10 @@
{
"name": "clj-holmes",
"creator": "Matheus Bernardes",
"description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.",
"iconName": "clj-holmes",
"categories": [
"Code Scanning",
"clojure"
]
}
+1 -1
View File
@@ -27,7 +27,7 @@ jobs:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2
uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
with:
results_file: results.sarif
results_format: sarif
+6
View File
@@ -19,8 +19,14 @@ on:
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
semgrep:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Scan
runs-on: ubuntu-latest
steps:
+6
View File
@@ -37,8 +37,14 @@ on:
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
stackhawk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info
name: StackHawk
runs-on: ubuntu-20.04
steps:
+8 -1
View File
@@ -13,10 +13,17 @@ on:
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
build:
permissions:
checks: write # for sysdiglabs/scan-action to publish the checks
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
@@ -51,4 +58,4 @@ jobs:
#Upload SARIF file
if: always()
with:
sarif_file: ${{ steps.scan.outputs.sarifReport }}
sarif_file: ${{ steps.scan.outputs.sarifReport }}
+6
View File
@@ -17,10 +17,16 @@ on:
- cron: $cron-weekly
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
permissions:
contents: read
jobs:
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
build-and-pipeline-scan:
# The type of runner that the job will run on
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
+1 -1
View File
@@ -79,7 +79,7 @@ jobs:
license: ${{ secrets.XANITIZER_LICENSE }}
# Archiving the findings list reports
- uses: actions/upload-artifact@v2
- uses: actions/upload-artifact@v3
with:
name: Xanitizer-Reports
path: |
@@ -0,0 +1,122 @@
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
#
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
# For instructions see:
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
# - https://github.com/Azure/aks-create-action
#
# To configure this workflow:
#
# 1. Set the following secrets in your repository (instructions for getting these
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
# - CHART_PATH (path to your helm chart)
# - CHART_OVERRIDE_PATH (path to your helm chart with override values)
#
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
# For more options with the actions used below please refer to https://github.com/Azure/login
name: Build and deploy an app to AKS with Helm
on:
push:
branches:
- $default-branch
workflow_dispatch:
env:
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
CONTAINER_NAME: "your-container-name"
RESOURCE_GROUP: "your-resource-group"
CLUSTER_NAME: "your-cluster-name"
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
CHART_PATH: "your-chart-path"
CHART_OVERRIDE_PATH: "your-chart-override-path"
jobs:
build:
permissions:
actions: read
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
- uses: actions/checkout@master
# Logs in with your Azure credentials
- name: Azure login
uses: azure/login@v1.4.3
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Builds and pushes an image up to your Azure Container Registry
- name: Build and push image to ACR
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
uses: azure/aks-set-context@v2.0
with:
resource-group: ${{ env.RESOURCE_GROUP }}
cluster-name: ${{ env.CLUSTER_NAME }}
# Retrieves the credentials for pulling images from your Azure Container Registry
- name: Get ACR credentials
run: |
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
echo "::set-output name=username::${ACR_USERNAME}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- name: Create K8s secret for pulling image from ACR
uses: Azure/k8s-create-secret@v1.1
with:
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
# Runs Helm to create manifest files
- name: Bake deployment
uses: azure/k8s-bake@v2.1
with:
renderEngine: 'helm'
helmChart: ${{ env.CHART_PATH }}
overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
overrides: |
replicas:2
helm-version: 'latest'
id: bake
# Deploys application based on manifest files from previous step
- name: Deploy application
uses: Azure/k8s-deploy@v3.0
with:
action: deploy
manifests: ${{ steps.bake.outputs.manifestsBundle }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
${{ env.IMAGE_PULL_SECRET_NAME }}
@@ -0,0 +1,111 @@
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
#
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
# For instructions see:
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
# - https://github.com/Azure/aks-create-action
#
# To configure this workflow:
#
# 1. Set the following secrets in your repository (instructions for getting these
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
# Set your dockerComposeFile and kompose-version to suit your configuration.
# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located)
#
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
# For more options with the actions used below please refer to https://github.com/Azure/login
name: Build and deploy an app to AKS with Kompose
env:
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
CONTAINER_NAME: "your-container-name"
RESOURCE_GROUP: "your-resource-group"
CLUSTER_NAME: "your-cluster-name"
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
jobs:
build:
permissions:
actions: read
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
- uses: actions/checkout@master
# Logs in with your Azure credentials
- name: Azure login
uses: azure/login@v1.4.3
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Builds and pushes an image up to your Azure Container Registry
- name: Build and push image to ACR
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
uses: azure/aks-set-context@v2.0
with:
resource-group: ${{ env.RESOURCE_GROUP }}
cluster-name: ${{ env.CLUSTER_NAME }}
# Retrieves the credentials for pulling images from your Azure Container Registry
- name: Get ACR credentials
run: |
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
echo "::set-output name=username::${ACR_USERNAME}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- name: Create K8s secret for pulling image from ACR
uses: Azure/k8s-create-secret@v1.1
with:
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
# Runs Kompose to create manifest files
- name: Bake deployment
uses: azure/k8s-bake@v2.1
with:
renderEngine: 'kompose'
dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
kompose-version: 'latest'
id: bake
# Deploys application based on manifest files from previous step
- name: Deploy application
uses: Azure/k8s-deploy@v3.0
with:
action: deploy
manifests: ${{ steps.bake.outputs.manifestsBundle }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
${{ env.IMAGE_PULL_SECRET_NAME }}
@@ -0,0 +1,117 @@
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
#
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
# For instructions see:
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
# - https://github.com/Azure/aks-create-action
#
# To configure this workflow:
#
# 1. Set the following secrets in your repository (instructions for getting these
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
#
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
# Set your kustomizationPath and kubectl-version to suit your configuration.
# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located)
#
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
# For more options with the actions used below please refer to https://github.com/Azure/login
name: Build and deploy an app to AKS with Kustomize
on:
push:
branches:
- $default-branch
workflow_dispatch:
env:
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
CONTAINER_NAME: "your-container-name"
RESOURCE_GROUP: "your-resource-group"
CLUSTER_NAME: "your-cluster-name"
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
KUSTOMIZE_PATH: "your-kustomize-path"
jobs:
build:
permissions:
actions: read
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
- uses: actions/checkout@master
# Logs in with your Azure credentials
- name: Azure login
uses: azure/login@v1.4.3
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Builds and pushes an image up to your Azure Container Registry
- name: Build and push image to ACR
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
uses: azure/aks-set-context@v2.0
with:
resource-group: ${{ env.RESOURCE_GROUP }}
cluster-name: ${{ env.CLUSTER_NAME }}
# Retrieves the credentials for pulling images from your Azure Container Registry
- name: Get ACR credentials
run: |
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
echo "::set-output name=username::${ACR_USERNAME}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- name: Create K8s secret for pulling image from ACR
uses: Azure/k8s-create-secret@v1.1
with:
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
# Runs Kustomize to create manifest files
- name: Bake deployment
uses: azure/k8s-bake@v2.1
with:
renderEngine: 'kustomize'
kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
kubectl-version: latest
id: bake
# Deploys application based on manifest files from previous step
- name: Deploy application
uses: Azure/k8s-deploy@v3.0
with:
action: deploy
manifests: ${{ steps.bake.outputs.manifestsBundle }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
${{ env.IMAGE_PULL_SECRET_NAME }}
+76 -51
View File
@@ -1,80 +1,105 @@
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
#
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
# https://github.com/Azure/aks-create-action
# For instructions see:
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
# - https://github.com/Azure/aks-create-action
#
# To configure this workflow:
#
# 1. Set the following secrets in your repository:
# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret)
# 1. Set the following secrets in your repository (instructions for getting these
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
# - AZURE_CLIENT_ID
# - AZURE_TENANT_ID
# - AZURE_SUBSCRIPTION_ID
#
# 2. Set the following environment variables (or replace the values below):
# - AZURE_CONTAINER_REGISTRY (name of your container registry)
# - PROJECT_NAME
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
# - RESOURCE_GROUP (where your cluster is deployed)
# - CLUSTER_NAME (name of your AKS cluster)
#
# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes helm, then set
# any needed environment variables such as:
# - CHART_PATH
# - CHART_OVERRIDE_PATH
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
#
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
# For more options with the actions used below please see the folllowing
# https://github.com/Azure/login
# https://github.com/Azure/aks-set-context
# https://github.com/marketplace/actions/azure-cli-action
# https://github.com/Azure/k8s-bake
# https://github.com/Azure/k8s-deploy
# For more options with the actions used below please refer to https://github.com/Azure/login
on: [push]
name: Build and deploy an app to AKS
on:
push:
branches:
- $default-branch
workflow_dispatch:
env:
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
CONTAINER_NAME: "your-container-name"
RESOURCE_GROUP: "your-resource-group"
CLUSTER_NAME: "your-cluster-name"
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
jobs:
build:
permissions:
actions: read
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
# Checks out the repository this file is in
- uses: actions/checkout@master
- name: Azure Login
uses: azure/login@v1
# Logs in with your Azure credentials
- name: Azure login
uses: azure/login@v1.4.3
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Build image on ACR
uses: azure/CLI@v1
with:
azcliversion: 2.29.1
inlineScript: |
az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }}
az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}
- name: Gets K8s context
uses: azure/aks-set-context@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
resource-group: ${{ env.RESOURCE_GROUP }}
cluster-name: ${{ env.CLUSTER_NAME }}
id: login
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Builds and pushes an image up to your Azure Container Registry
- name: Build and push image to ACR
run: |
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
- name: Configure deployment
uses: azure/k8s-bake@v1
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- name: Get K8s context
uses: azure/aks-set-context@v2.0
with:
renderEngine: 'helm'
helmChart: ${{ env.CHART_PATH }}
overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
overrides: |
replicas:2
helm-version: 'latest'
id: bake
resource-group: ${{ env.RESOURCE_GROUP }}
cluster-name: ${{ env.CLUSTER_NAME }}
# Retrieves the credentials for pulling images from your Azure Container Registry
- name: Get ACR credentials
run: |
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
echo "::set-output name=username::${ACR_USERNAME}"
echo "::set-output name=password::${ACR_PASSWORD}"
id: get-acr-creds
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- name: Create K8s secret for pulling image from ACR
uses: Azure/k8s-create-secret@v1.1
with:
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
# Deploys application based on given manifest file
- name: Deploys application
- uses: Azure/k8s-deploy@v1
uses: Azure/k8s-deploy@v3.0
with:
manifests: ${{ steps.bake.outputs.manifestsBundle }}
action: deploy
manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
images: |
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
imagepullsecrets: |
${{ env.PROJECT_NAME }}
${{ env.IMAGE_PULL_SECRET_NAME }}
+2 -2
View File
@@ -57,7 +57,7 @@ jobs:
run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp
- name: Upload artifact for deployment job
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v3
with:
name: .net-app
path: ${{env.DOTNET_ROOT}}/myapp
@@ -71,7 +71,7 @@ jobs:
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v2
uses: actions/download-artifact@v3
with:
name: .net-app
+2 -2
View File
@@ -46,7 +46,7 @@ jobs:
run: mvn clean install
- name: Upload artifact for deployment job
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v3
with:
name: java-app
path: '${{ github.workspace }}/target/*.jar'
@@ -60,7 +60,7 @@ jobs:
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v2
uses: actions/download-artifact@v3
with:
name: java-app
+2 -2
View File
@@ -47,7 +47,7 @@ jobs:
npm run test --if-present
- name: Upload artifact for deployment job
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v3
with:
name: node-app
path: .
@@ -61,7 +61,7 @@ jobs:
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v2
uses: actions/download-artifact@v3
with:
name: node-app
+2 -2
View File
@@ -68,7 +68,7 @@ jobs:
run: composer validate --no-check-publish && composer install --prefer-dist --no-progress
- name: Upload artifact for deployment job
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v3
with:
name: php-app
path: .
@@ -82,7 +82,7 @@ jobs:
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v2
uses: actions/download-artifact@v3
with:
name: php-app
+2 -2
View File
@@ -53,7 +53,7 @@ jobs:
# Optional: Add step to run tests here (PyTest, Django test suites, etc.)
- name: Upload artifact for deployment jobs
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v3
with:
name: python-app
path: |
@@ -69,7 +69,7 @@ jobs:
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v2
uses: actions/download-artifact@v3
with:
name: python-app
path: .
+114
View File
@@ -0,0 +1,114 @@
# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch
#
# Overview:
#
# 1. Authenticate to Google Cloud
# 2. Authenticate Docker to Artifact Registry
# 3. Build a docker container
# 4. Publish it to Google Artifact Registry
# 5. Deploy it to Cloud Run
#
# To configure this workflow:
#
# 1. Ensure the required Google Cloud APIs are enabled:
#
# Cloud Run run.googleapis.com
# Artifact Registry artifactregistry.googleapis.com
#
# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
#
# 3. Ensure the required IAM permissions are granted
#
# Cloud Run
# roles/run.admin
# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
#
# Artifact Registry
# roles/artifactregistry.admin (project or repository level)
#
# NOTE: You should always follow the principle of least privilege when assigning IAM roles
#
# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
#
# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below).
#
# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io
#
# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
#
# Further reading:
# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
name: Build and Deploy to Cloud Run
on:
push:
branches:
- $default-branch
env:
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location
SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
jobs:
deploy:
# Add 'id-token' with the intended permissions for workload identity federation
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Google Auth
id: auth
uses: 'google-github-actions/auth@v0'
with:
token_format: 'access_token'
workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
# NOTE: Alternative option - authentication via credentials json
# - name: Google Auth
# id: auth
# uses: 'google-github-actions/auth@v0'
# with:
# credentials_json: '${{ secrets.GCP_CREDENTIALS }}''
# BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted)
# Authenticate Docker to Google Cloud Artifact Registry
- name: Docker Auth
id: docker-auth
uses: 'docker/login-action@v1'
with:
username: 'oauth2accesstoken'
password: '${{ steps.auth.outputs.access_token }}'
registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
- name: Build and Push Container
run: |-
docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./
docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"
# END - Docker auth and build
- name: Deploy to Cloud Run
id: deploy
uses: google-github-actions/deploy-cloudrun@v0
with:
service: ${{ env.SERVICE }}
region: ${{ env.REGION }}
# NOTE: If using a pre-built image, update the image name here
image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
# If required, use the Cloud Run url output in later steps
- name: Show Output
run: echo ${{ steps.deploy.outputs.url }}
+96
View File
@@ -0,0 +1,96 @@
# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch
#
# Overview:
#
# 1. Authenticate to Google Cloud
# 2. Deploy it to Cloud Run
#
# To configure this workflow:
#
# 1. Ensure the required Google Cloud APIs are enabled:
#
# Cloud Run run.googleapis.com
# Cloud Build cloudbuild.googleapis.com
# Artifact Registry artifactregistry.googleapis.com
#
# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
#
# 3. Ensure the required IAM permissions are granted
#
# Cloud Run
# roles/run.admin
# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
#
# Cloud Build
# roles/cloudbuild.builds.editor
#
# Cloud Storage
# roles/storage.objectAdmin
#
# Artifact Registry
# roles/artifactregistry.admin (project or repository level)
#
# NOTE: You should always follow the principle of least privilege when assigning IAM roles
#
# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
#
# 5. Change the values for the SERVICE and REGION environment variables (below).
#
# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
#
# Further reading:
# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity
# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy
# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
name: Deploy to Cloud Run from Source
on:
push:
branches:
- $default-branch
env:
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
jobs:
deploy:
# Add 'id-token' with the intended permissions for workload identity federation
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Google Auth
id: auth
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
# NOTE: Alternative option - authentication via credentials json
# - name: Google Auth
# id: auth
# uses: 'google-github-actions/auth@v0'
# with:
# credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
- name: Deploy to Cloud Run
id: deploy
uses: google-github-actions/deploy-cloudrun@v0
with:
service: ${{ env.SERVICE }}
region: ${{ env.REGION }}
# NOTE: If required, update to the appropriate source folder
source: ./
# If required, use the Cloud Run url output in later steps
- name: Show Output
run: echo ${{ steps.deploy.outputs.url }}
@@ -0,0 +1,7 @@
{
"name": "Deploy to AKS with Helm",
"description": "Deploy an application to an Azure Kubernetes Service cluster using Helm",
"creator": "Microsoft Azure",
"iconName": "azure",
"categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"]
}
@@ -0,0 +1,7 @@
{
"name": "Deploy to AKS with Kompose",
"description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose",
"creator": "Microsoft Azure",
"iconName": "azure",
"categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"]
}
@@ -0,0 +1,7 @@
{
"name": "Deploy to AKS with Kustomize",
"description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize",
"creator": "Microsoft Azure",
"iconName": "azure",
"categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"]
}
@@ -1,7 +1,7 @@
{
"name": "Deploy to a AKS Cluster",
"description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials",
"name": "Deploy to AKS",
"description": "Deploy an application to an Azure Kubernetes Service cluster",
"creator": "Microsoft Azure",
"iconName": "azure",
"categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"]
"categories": ["Deployment", "Kubernetes", "Dockerfile"]
}
@@ -0,0 +1,7 @@
{
"name": "Build and Deploy to Cloud Run",
"description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.",
"creator": "Google Cloud",
"iconName": "google-cloud",
"categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"]
}
@@ -0,0 +1,7 @@
{
"name": "Deploy to Cloud Run from Source",
"description": "Deploy to Google Cloud Run directly from source.",
"creator": "Google Cloud",
"iconName": "google-cloud",
"categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"]
}
@@ -2,6 +2,6 @@
"name": "Build and Deploy to GKE",
"description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
"creator": "Google Cloud",
"iconName": "googlegke",
"iconName": "google-cloud",
"categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"]
}
File diff suppressed because one or more lines are too long

After

Width:  |  Height:  |  Size: 107 KiB

Before

Width:  |  Height:  |  Size: 9.3 KiB

After

Width:  |  Height:  |  Size: 9.3 KiB