Merge branch 'main' into patch-15
This commit is contained in:
@@ -109,7 +109,7 @@ jobs:
|
||||
|
||||
# Upload the MSIX package: https://github.com/marketplace/actions/upload-a-build-artifact
|
||||
- name: Upload build artifacts
|
||||
uses: actions/upload-artifact@v2
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: MSIX Package
|
||||
path: ${{ env.Wap_Project_Directory }}\AppPackages
|
||||
|
||||
+5
-1
@@ -1,6 +1,10 @@
|
||||
name: MSBuild
|
||||
|
||||
on: [push]
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
env:
|
||||
# Path to the solution file relative to the root of the project.
|
||||
|
||||
@@ -42,8 +42,13 @@ on:
|
||||
workflow_dispatch:
|
||||
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
Trigger APIsec scan:
|
||||
permissions:
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
@@ -61,4 +66,4 @@ jobs:
|
||||
- name: Import results
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: ./apisec-results.sarif
|
||||
sarif_file: ./apisec-results.sarif
|
||||
|
||||
@@ -17,8 +17,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
brakeman-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
name: Brakeman Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -0,0 +1,43 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
name: clj-holmes
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch, $protected-branches ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ $default-branch ]
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
clj-holmes:
|
||||
name: Run clj-holmes scanning
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Scan code
|
||||
uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb
|
||||
with:
|
||||
rules-repository: 'git://org/private-rules-repo#main'
|
||||
output-type: 'sarif'
|
||||
output-file: 'clj-holmes-results.sarif'
|
||||
fail-on-result: 'false'
|
||||
|
||||
- name: Upload analysis results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: ${{github.workspace}}/clj-holmes-results.sarif
|
||||
ait-for-processing: true
|
||||
@@ -22,8 +22,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
codacy-security-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
name: Codacy Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -13,8 +13,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
mobile-security:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
@@ -33,4 +39,4 @@ jobs:
|
||||
- name: Upload mobsfscan report
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
sarif_file: results.sarif
|
||||
|
||||
@@ -20,8 +20,14 @@ env:
|
||||
# Path to the CMake build directory.
|
||||
build: '${{ github.workspace }}/build'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
analyze:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
name: Analyze
|
||||
runs-on: windows-latest
|
||||
|
||||
@@ -53,7 +59,7 @@ jobs:
|
||||
|
||||
# Upload SARIF file as an Artifact to download and view
|
||||
# - name: Upload SARIF as an Artifact
|
||||
# uses: actions/upload-artifact@v2
|
||||
# uses: actions/upload-artifact@v3
|
||||
# with:
|
||||
# name: sarif-file
|
||||
# path: ${{ steps.run-analysis.outputs.sarif }}
|
||||
|
||||
@@ -17,8 +17,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
njsscan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
name: njsscan code scanning
|
||||
steps:
|
||||
|
||||
@@ -21,8 +21,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
prisma_cloud_iac_scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
name: Run Prisma Cloud IaC Scan to check
|
||||
steps:
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"name": "clj-holmes",
|
||||
"creator": "Matheus Bernardes",
|
||||
"description": "A Static Application Security Testing tool to find vulnerable Clojure code via rules that use a simple pattern language.",
|
||||
"iconName": "clj-holmes",
|
||||
"categories": [
|
||||
"Code Scanning",
|
||||
"clojure"
|
||||
]
|
||||
}
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
persist-credentials: false
|
||||
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf # v1.0.2
|
||||
uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
|
||||
@@ -19,8 +19,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
semgrep:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
name: Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
@@ -37,8 +37,14 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
stackhawk:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info
|
||||
name: StackHawk
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
|
||||
@@ -13,10 +13,17 @@ on:
|
||||
schedule:
|
||||
- cron: $cron-weekly
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
|
||||
build:
|
||||
|
||||
permissions:
|
||||
checks: write # for sysdiglabs/scan-action to publish the checks
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
@@ -51,4 +58,4 @@ jobs:
|
||||
#Upload SARIF file
|
||||
if: always()
|
||||
with:
|
||||
sarif_file: ${{ steps.scan.outputs.sarifReport }}
|
||||
sarif_file: ${{ steps.scan.outputs.sarifReport }}
|
||||
|
||||
@@ -17,10 +17,16 @@ on:
|
||||
- cron: $cron-weekly
|
||||
|
||||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
# This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
|
||||
build-and-pipeline-scan:
|
||||
# The type of runner that the job will run on
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
||||
|
||||
@@ -79,7 +79,7 @@ jobs:
|
||||
license: ${{ secrets.XANITIZER_LICENSE }}
|
||||
|
||||
# Archiving the findings list reports
|
||||
- uses: actions/upload-artifact@v2
|
||||
- uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: Xanitizer-Reports
|
||||
path: |
|
||||
|
||||
@@ -0,0 +1,122 @@
|
||||
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
|
||||
#
|
||||
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
|
||||
# For instructions see:
|
||||
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
|
||||
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
|
||||
# - https://github.com/Azure/aks-create-action
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Set the following secrets in your repository (instructions for getting these
|
||||
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
|
||||
# - AZURE_CLIENT_ID
|
||||
# - AZURE_TENANT_ID
|
||||
# - AZURE_SUBSCRIPTION_ID
|
||||
#
|
||||
# 2. Set the following environment variables (or replace the values below):
|
||||
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
|
||||
# - RESOURCE_GROUP (where your cluster is deployed)
|
||||
# - CLUSTER_NAME (name of your AKS cluster)
|
||||
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
|
||||
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
|
||||
#
|
||||
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
|
||||
# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
|
||||
# - CHART_PATH (path to your helm chart)
|
||||
# - CHART_OVERRIDE_PATH (path to your helm chart with override values)
|
||||
#
|
||||
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
|
||||
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
|
||||
# For more options with the actions used below please refer to https://github.com/Azure/login
|
||||
|
||||
name: Build and deploy an app to AKS with Helm
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
|
||||
CONTAINER_NAME: "your-container-name"
|
||||
RESOURCE_GROUP: "your-resource-group"
|
||||
CLUSTER_NAME: "your-cluster-name"
|
||||
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
|
||||
CHART_PATH: "your-chart-path"
|
||||
CHART_OVERRIDE_PATH: "your-chart-override-path"
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
id-token: write
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checks out the repository this file is in
|
||||
- uses: actions/checkout@master
|
||||
|
||||
# Logs in with your Azure credentials
|
||||
- name: Azure login
|
||||
uses: azure/login@v1.4.3
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
|
||||
# Builds and pushes an image up to your Azure Container Registry
|
||||
- name: Build and push image to ACR
|
||||
run: |
|
||||
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
|
||||
|
||||
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
|
||||
- name: Get K8s context
|
||||
uses: azure/aks-set-context@v2.0
|
||||
with:
|
||||
resource-group: ${{ env.RESOURCE_GROUP }}
|
||||
cluster-name: ${{ env.CLUSTER_NAME }}
|
||||
|
||||
# Retrieves the credentials for pulling images from your Azure Container Registry
|
||||
- name: Get ACR credentials
|
||||
run: |
|
||||
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
|
||||
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
|
||||
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
|
||||
echo "::set-output name=username::${ACR_USERNAME}"
|
||||
echo "::set-output name=password::${ACR_PASSWORD}"
|
||||
id: get-acr-creds
|
||||
|
||||
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
|
||||
- name: Create K8s secret for pulling image from ACR
|
||||
uses: Azure/k8s-create-secret@v1.1
|
||||
with:
|
||||
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
|
||||
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
|
||||
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
|
||||
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
# Runs Helm to create manifest files
|
||||
- name: Bake deployment
|
||||
uses: azure/k8s-bake@v2.1
|
||||
with:
|
||||
renderEngine: 'helm'
|
||||
helmChart: ${{ env.CHART_PATH }}
|
||||
overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
|
||||
overrides: |
|
||||
replicas:2
|
||||
helm-version: 'latest'
|
||||
id: bake
|
||||
|
||||
# Deploys application based on manifest files from previous step
|
||||
- name: Deploy application
|
||||
uses: Azure/k8s-deploy@v3.0
|
||||
with:
|
||||
action: deploy
|
||||
manifests: ${{ steps.bake.outputs.manifestsBundle }}
|
||||
images: |
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
|
||||
imagepullsecrets: |
|
||||
${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
@@ -0,0 +1,111 @@
|
||||
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
|
||||
#
|
||||
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
|
||||
# For instructions see:
|
||||
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
|
||||
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
|
||||
# - https://github.com/Azure/aks-create-action
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Set the following secrets in your repository (instructions for getting these
|
||||
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
|
||||
# - AZURE_CLIENT_ID
|
||||
# - AZURE_TENANT_ID
|
||||
# - AZURE_SUBSCRIPTION_ID
|
||||
#
|
||||
# 2. Set the following environment variables (or replace the values below):
|
||||
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
|
||||
# - RESOURCE_GROUP (where your cluster is deployed)
|
||||
# - CLUSTER_NAME (name of your AKS cluster)
|
||||
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
|
||||
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
|
||||
#
|
||||
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
|
||||
# Set your dockerComposeFile and kompose-version to suit your configuration.
|
||||
# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located)
|
||||
#
|
||||
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
|
||||
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
|
||||
# For more options with the actions used below please refer to https://github.com/Azure/login
|
||||
|
||||
name: Build and deploy an app to AKS with Kompose
|
||||
|
||||
env:
|
||||
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
|
||||
CONTAINER_NAME: "your-container-name"
|
||||
RESOURCE_GROUP: "your-resource-group"
|
||||
CLUSTER_NAME: "your-cluster-name"
|
||||
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
|
||||
DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
id-token: write
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checks out the repository this file is in
|
||||
- uses: actions/checkout@master
|
||||
|
||||
# Logs in with your Azure credentials
|
||||
- name: Azure login
|
||||
uses: azure/login@v1.4.3
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
|
||||
# Builds and pushes an image up to your Azure Container Registry
|
||||
- name: Build and push image to ACR
|
||||
run: |
|
||||
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
|
||||
|
||||
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
|
||||
- name: Get K8s context
|
||||
uses: azure/aks-set-context@v2.0
|
||||
with:
|
||||
resource-group: ${{ env.RESOURCE_GROUP }}
|
||||
cluster-name: ${{ env.CLUSTER_NAME }}
|
||||
|
||||
# Retrieves the credentials for pulling images from your Azure Container Registry
|
||||
- name: Get ACR credentials
|
||||
run: |
|
||||
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
|
||||
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
|
||||
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
|
||||
echo "::set-output name=username::${ACR_USERNAME}"
|
||||
echo "::set-output name=password::${ACR_PASSWORD}"
|
||||
id: get-acr-creds
|
||||
|
||||
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
|
||||
- name: Create K8s secret for pulling image from ACR
|
||||
uses: Azure/k8s-create-secret@v1.1
|
||||
with:
|
||||
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
|
||||
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
|
||||
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
|
||||
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
# Runs Kompose to create manifest files
|
||||
- name: Bake deployment
|
||||
uses: azure/k8s-bake@v2.1
|
||||
with:
|
||||
renderEngine: 'kompose'
|
||||
dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
|
||||
kompose-version: 'latest'
|
||||
id: bake
|
||||
|
||||
# Deploys application based on manifest files from previous step
|
||||
- name: Deploy application
|
||||
uses: Azure/k8s-deploy@v3.0
|
||||
with:
|
||||
action: deploy
|
||||
manifests: ${{ steps.bake.outputs.manifestsBundle }}
|
||||
images: |
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
|
||||
imagepullsecrets: |
|
||||
${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
@@ -0,0 +1,117 @@
|
||||
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
|
||||
#
|
||||
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
|
||||
# For instructions see:
|
||||
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
|
||||
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
|
||||
# - https://github.com/Azure/aks-create-action
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Set the following secrets in your repository (instructions for getting these
|
||||
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
|
||||
# - AZURE_CLIENT_ID
|
||||
# - AZURE_TENANT_ID
|
||||
# - AZURE_SUBSCRIPTION_ID
|
||||
#
|
||||
# 2. Set the following environment variables (or replace the values below):
|
||||
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
|
||||
# - RESOURCE_GROUP (where your cluster is deployed)
|
||||
# - CLUSTER_NAME (name of your AKS cluster)
|
||||
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
|
||||
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
|
||||
#
|
||||
# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
|
||||
# Set your kustomizationPath and kubectl-version to suit your configuration.
|
||||
# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located)
|
||||
#
|
||||
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
|
||||
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
|
||||
# For more options with the actions used below please refer to https://github.com/Azure/login
|
||||
|
||||
name: Build and deploy an app to AKS with Kustomize
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
|
||||
CONTAINER_NAME: "your-container-name"
|
||||
RESOURCE_GROUP: "your-resource-group"
|
||||
CLUSTER_NAME: "your-cluster-name"
|
||||
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
|
||||
KUSTOMIZE_PATH: "your-kustomize-path"
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
id-token: write
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checks out the repository this file is in
|
||||
- uses: actions/checkout@master
|
||||
|
||||
# Logs in with your Azure credentials
|
||||
- name: Azure login
|
||||
uses: azure/login@v1.4.3
|
||||
with:
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
|
||||
# Builds and pushes an image up to your Azure Container Registry
|
||||
- name: Build and push image to ACR
|
||||
run: |
|
||||
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
|
||||
|
||||
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
|
||||
- name: Get K8s context
|
||||
uses: azure/aks-set-context@v2.0
|
||||
with:
|
||||
resource-group: ${{ env.RESOURCE_GROUP }}
|
||||
cluster-name: ${{ env.CLUSTER_NAME }}
|
||||
|
||||
# Retrieves the credentials for pulling images from your Azure Container Registry
|
||||
- name: Get ACR credentials
|
||||
run: |
|
||||
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
|
||||
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
|
||||
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
|
||||
echo "::set-output name=username::${ACR_USERNAME}"
|
||||
echo "::set-output name=password::${ACR_PASSWORD}"
|
||||
id: get-acr-creds
|
||||
|
||||
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
|
||||
- name: Create K8s secret for pulling image from ACR
|
||||
uses: Azure/k8s-create-secret@v1.1
|
||||
with:
|
||||
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
|
||||
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
|
||||
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
|
||||
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
# Runs Kustomize to create manifest files
|
||||
- name: Bake deployment
|
||||
uses: azure/k8s-bake@v2.1
|
||||
with:
|
||||
renderEngine: 'kustomize'
|
||||
kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
|
||||
kubectl-version: latest
|
||||
id: bake
|
||||
|
||||
# Deploys application based on manifest files from previous step
|
||||
- name: Deploy application
|
||||
uses: Azure/k8s-deploy@v3.0
|
||||
with:
|
||||
action: deploy
|
||||
manifests: ${{ steps.bake.outputs.manifestsBundle }}
|
||||
images: |
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
|
||||
imagepullsecrets: |
|
||||
${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
@@ -1,80 +1,105 @@
|
||||
# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
|
||||
#
|
||||
# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
|
||||
# For instructions see https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
|
||||
# https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
|
||||
# https://github.com/Azure/aks-create-action
|
||||
# For instructions see:
|
||||
# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
|
||||
# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
|
||||
# - https://github.com/Azure/aks-create-action
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Set the following secrets in your repository:
|
||||
# - AZURE_CREDENTIALS (instructions for getting this https://github.com/Azure/login#configure-a-service-principal-with-a-secret)
|
||||
# 1. Set the following secrets in your repository (instructions for getting these
|
||||
# https://github.com/Azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication):
|
||||
# - AZURE_CLIENT_ID
|
||||
# - AZURE_TENANT_ID
|
||||
# - AZURE_SUBSCRIPTION_ID
|
||||
#
|
||||
# 2. Set the following environment variables (or replace the values below):
|
||||
# - AZURE_CONTAINER_REGISTRY (name of your container registry)
|
||||
# - PROJECT_NAME
|
||||
# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
|
||||
# - RESOURCE_GROUP (where your cluster is deployed)
|
||||
# - CLUSTER_NAME (name of your AKS cluster)
|
||||
#
|
||||
# 3. Choose the approrpiate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes helm, then set
|
||||
# any needed environment variables such as:
|
||||
# - CHART_PATH
|
||||
# - CHART_OVERRIDE_PATH
|
||||
# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
|
||||
# - SECRET_NAME (name of the secret associated with pulling your ACR image)
|
||||
# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
|
||||
#
|
||||
# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
|
||||
# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
|
||||
# For more options with the actions used below please see the folllowing
|
||||
# https://github.com/Azure/login
|
||||
# https://github.com/Azure/aks-set-context
|
||||
# https://github.com/marketplace/actions/azure-cli-action
|
||||
# https://github.com/Azure/k8s-bake
|
||||
# https://github.com/Azure/k8s-deploy
|
||||
# For more options with the actions used below please refer to https://github.com/Azure/login
|
||||
|
||||
on: [push]
|
||||
name: Build and deploy an app to AKS
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
|
||||
CONTAINER_NAME: "your-container-name"
|
||||
RESOURCE_GROUP: "your-resource-group"
|
||||
CLUSTER_NAME: "your-cluster-name"
|
||||
IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
|
||||
DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
id-token: write
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checks out the repository this file is in
|
||||
- uses: actions/checkout@master
|
||||
|
||||
- name: Azure Login
|
||||
uses: azure/login@v1
|
||||
# Logs in with your Azure credentials
|
||||
- name: Azure login
|
||||
uses: azure/login@v1.4.3
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_CREDENTIALS }}
|
||||
|
||||
- name: Build image on ACR
|
||||
uses: azure/CLI@v1
|
||||
with:
|
||||
azcliversion: 2.29.1
|
||||
inlineScript: |
|
||||
az configure --defaults acr=${{ env.AZURE_CONTAINER_REGISTRY }}
|
||||
az acr build -t -t ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}
|
||||
|
||||
- name: Gets K8s context
|
||||
uses: azure/aks-set-context@v1
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_CREDENTIALS }}
|
||||
resource-group: ${{ env.RESOURCE_GROUP }}
|
||||
cluster-name: ${{ env.CLUSTER_NAME }}
|
||||
id: login
|
||||
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
||||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
||||
|
||||
# Builds and pushes an image up to your Azure Container Registry
|
||||
- name: Build and push image to ACR
|
||||
run: |
|
||||
az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
|
||||
|
||||
- name: Configure deployment
|
||||
uses: azure/k8s-bake@v1
|
||||
# Retrieves your Azure Kubernetes Service cluster's kubeconfig file
|
||||
- name: Get K8s context
|
||||
uses: azure/aks-set-context@v2.0
|
||||
with:
|
||||
renderEngine: 'helm'
|
||||
helmChart: ${{ env.CHART_PATH }}
|
||||
overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
|
||||
overrides: |
|
||||
replicas:2
|
||||
helm-version: 'latest'
|
||||
id: bake
|
||||
resource-group: ${{ env.RESOURCE_GROUP }}
|
||||
cluster-name: ${{ env.CLUSTER_NAME }}
|
||||
|
||||
# Retrieves the credentials for pulling images from your Azure Container Registry
|
||||
- name: Get ACR credentials
|
||||
run: |
|
||||
az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
|
||||
ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
|
||||
ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
|
||||
echo "::set-output name=username::${ACR_USERNAME}"
|
||||
echo "::set-output name=password::${ACR_PASSWORD}"
|
||||
id: get-acr-creds
|
||||
|
||||
# Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
|
||||
- name: Create K8s secret for pulling image from ACR
|
||||
uses: Azure/k8s-create-secret@v1.1
|
||||
with:
|
||||
container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
|
||||
container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
|
||||
container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
|
||||
secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
# Deploys application based on given manifest file
|
||||
- name: Deploys application
|
||||
- uses: Azure/k8s-deploy@v1
|
||||
uses: Azure/k8s-deploy@v3.0
|
||||
with:
|
||||
manifests: ${{ steps.bake.outputs.manifestsBundle }}
|
||||
action: deploy
|
||||
manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
|
||||
images: |
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.PROJECT_NAME }}:${{ github.sha }}
|
||||
${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
|
||||
imagepullsecrets: |
|
||||
${{ env.PROJECT_NAME }}
|
||||
${{ env.IMAGE_PULL_SECRET_NAME }}
|
||||
|
||||
@@ -57,7 +57,7 @@ jobs:
|
||||
run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp
|
||||
|
||||
- name: Upload artifact for deployment job
|
||||
uses: actions/upload-artifact@v2
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: .net-app
|
||||
path: ${{env.DOTNET_ROOT}}/myapp
|
||||
@@ -71,7 +71,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Download artifact from build job
|
||||
uses: actions/download-artifact@v2
|
||||
uses: actions/download-artifact@v3
|
||||
with:
|
||||
name: .net-app
|
||||
|
||||
|
||||
@@ -46,7 +46,7 @@ jobs:
|
||||
run: mvn clean install
|
||||
|
||||
- name: Upload artifact for deployment job
|
||||
uses: actions/upload-artifact@v2
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: java-app
|
||||
path: '${{ github.workspace }}/target/*.jar'
|
||||
@@ -60,7 +60,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Download artifact from build job
|
||||
uses: actions/download-artifact@v2
|
||||
uses: actions/download-artifact@v3
|
||||
with:
|
||||
name: java-app
|
||||
|
||||
|
||||
@@ -47,7 +47,7 @@ jobs:
|
||||
npm run test --if-present
|
||||
|
||||
- name: Upload artifact for deployment job
|
||||
uses: actions/upload-artifact@v2
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: node-app
|
||||
path: .
|
||||
@@ -61,7 +61,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Download artifact from build job
|
||||
uses: actions/download-artifact@v2
|
||||
uses: actions/download-artifact@v3
|
||||
with:
|
||||
name: node-app
|
||||
|
||||
|
||||
@@ -68,7 +68,7 @@ jobs:
|
||||
run: composer validate --no-check-publish && composer install --prefer-dist --no-progress
|
||||
|
||||
- name: Upload artifact for deployment job
|
||||
uses: actions/upload-artifact@v2
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: php-app
|
||||
path: .
|
||||
@@ -82,7 +82,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Download artifact from build job
|
||||
uses: actions/download-artifact@v2
|
||||
uses: actions/download-artifact@v3
|
||||
with:
|
||||
name: php-app
|
||||
|
||||
|
||||
@@ -53,7 +53,7 @@ jobs:
|
||||
# Optional: Add step to run tests here (PyTest, Django test suites, etc.)
|
||||
|
||||
- name: Upload artifact for deployment jobs
|
||||
uses: actions/upload-artifact@v2
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: python-app
|
||||
path: |
|
||||
@@ -69,7 +69,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Download artifact from build job
|
||||
uses: actions/download-artifact@v2
|
||||
uses: actions/download-artifact@v3
|
||||
with:
|
||||
name: python-app
|
||||
path: .
|
||||
|
||||
@@ -0,0 +1,114 @@
|
||||
# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch
|
||||
#
|
||||
# Overview:
|
||||
#
|
||||
# 1. Authenticate to Google Cloud
|
||||
# 2. Authenticate Docker to Artifact Registry
|
||||
# 3. Build a docker container
|
||||
# 4. Publish it to Google Artifact Registry
|
||||
# 5. Deploy it to Cloud Run
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Ensure the required Google Cloud APIs are enabled:
|
||||
#
|
||||
# Cloud Run run.googleapis.com
|
||||
# Artifact Registry artifactregistry.googleapis.com
|
||||
#
|
||||
# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
|
||||
#
|
||||
# 3. Ensure the required IAM permissions are granted
|
||||
#
|
||||
# Cloud Run
|
||||
# roles/run.admin
|
||||
# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
|
||||
#
|
||||
# Artifact Registry
|
||||
# roles/artifactregistry.admin (project or repository level)
|
||||
#
|
||||
# NOTE: You should always follow the principle of least privilege when assigning IAM roles
|
||||
#
|
||||
# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
|
||||
#
|
||||
# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below).
|
||||
#
|
||||
# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io
|
||||
#
|
||||
# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
|
||||
#
|
||||
# Further reading:
|
||||
# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying
|
||||
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
|
||||
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
|
||||
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
|
||||
|
||||
name: Build and Deploy to Cloud Run
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
|
||||
env:
|
||||
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
|
||||
GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location
|
||||
SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
|
||||
REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
|
||||
|
||||
jobs:
|
||||
deploy:
|
||||
# Add 'id-token' with the intended permissions for workload identity federation
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Google Auth
|
||||
id: auth
|
||||
uses: 'google-github-actions/auth@v0'
|
||||
with:
|
||||
token_format: 'access_token'
|
||||
workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
|
||||
service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
|
||||
|
||||
# NOTE: Alternative option - authentication via credentials json
|
||||
# - name: Google Auth
|
||||
# id: auth
|
||||
# uses: 'google-github-actions/auth@v0'
|
||||
# with:
|
||||
# credentials_json: '${{ secrets.GCP_CREDENTIALS }}''
|
||||
|
||||
# BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted)
|
||||
|
||||
# Authenticate Docker to Google Cloud Artifact Registry
|
||||
- name: Docker Auth
|
||||
id: docker-auth
|
||||
uses: 'docker/login-action@v1'
|
||||
with:
|
||||
username: 'oauth2accesstoken'
|
||||
password: '${{ steps.auth.outputs.access_token }}'
|
||||
registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
|
||||
|
||||
- name: Build and Push Container
|
||||
run: |-
|
||||
docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./
|
||||
docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"
|
||||
|
||||
# END - Docker auth and build
|
||||
|
||||
- name: Deploy to Cloud Run
|
||||
id: deploy
|
||||
uses: google-github-actions/deploy-cloudrun@v0
|
||||
with:
|
||||
service: ${{ env.SERVICE }}
|
||||
region: ${{ env.REGION }}
|
||||
# NOTE: If using a pre-built image, update the image name here
|
||||
image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
|
||||
|
||||
# If required, use the Cloud Run url output in later steps
|
||||
- name: Show Output
|
||||
run: echo ${{ steps.deploy.outputs.url }}
|
||||
@@ -0,0 +1,96 @@
|
||||
# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch
|
||||
#
|
||||
# Overview:
|
||||
#
|
||||
# 1. Authenticate to Google Cloud
|
||||
# 2. Deploy it to Cloud Run
|
||||
#
|
||||
# To configure this workflow:
|
||||
#
|
||||
# 1. Ensure the required Google Cloud APIs are enabled:
|
||||
#
|
||||
# Cloud Run run.googleapis.com
|
||||
# Cloud Build cloudbuild.googleapis.com
|
||||
# Artifact Registry artifactregistry.googleapis.com
|
||||
#
|
||||
# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
|
||||
#
|
||||
# 3. Ensure the required IAM permissions are granted
|
||||
#
|
||||
# Cloud Run
|
||||
# roles/run.admin
|
||||
# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
|
||||
#
|
||||
# Cloud Build
|
||||
# roles/cloudbuild.builds.editor
|
||||
#
|
||||
# Cloud Storage
|
||||
# roles/storage.objectAdmin
|
||||
#
|
||||
# Artifact Registry
|
||||
# roles/artifactregistry.admin (project or repository level)
|
||||
#
|
||||
# NOTE: You should always follow the principle of least privilege when assigning IAM roles
|
||||
#
|
||||
# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
|
||||
#
|
||||
# 5. Change the values for the SERVICE and REGION environment variables (below).
|
||||
#
|
||||
# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
|
||||
#
|
||||
# Further reading:
|
||||
# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity
|
||||
# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy
|
||||
# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code
|
||||
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
|
||||
|
||||
name: Deploy to Cloud Run from Source
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- $default-branch
|
||||
|
||||
env:
|
||||
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
|
||||
SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
|
||||
REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
|
||||
|
||||
jobs:
|
||||
deploy:
|
||||
# Add 'id-token' with the intended permissions for workload identity federation
|
||||
permissions:
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Google Auth
|
||||
id: auth
|
||||
uses: 'google-github-actions/auth@v0'
|
||||
with:
|
||||
workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
|
||||
service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com
|
||||
|
||||
# NOTE: Alternative option - authentication via credentials json
|
||||
# - name: Google Auth
|
||||
# id: auth
|
||||
# uses: 'google-github-actions/auth@v0'
|
||||
# with:
|
||||
# credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
|
||||
|
||||
- name: Deploy to Cloud Run
|
||||
id: deploy
|
||||
uses: google-github-actions/deploy-cloudrun@v0
|
||||
with:
|
||||
service: ${{ env.SERVICE }}
|
||||
region: ${{ env.REGION }}
|
||||
# NOTE: If required, update to the appropriate source folder
|
||||
source: ./
|
||||
|
||||
# If required, use the Cloud Run url output in later steps
|
||||
- name: Show Output
|
||||
run: echo ${{ steps.deploy.outputs.url }}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Deploy to AKS with Helm",
|
||||
"description": "Deploy an application to an Azure Kubernetes Service cluster using Helm",
|
||||
"creator": "Microsoft Azure",
|
||||
"iconName": "azure",
|
||||
"categories": ["Deployment", "Helm", "Kubernetes", "Dockerfile"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Deploy to AKS with Kompose",
|
||||
"description": "Deploy an application to an Azure Kubernetes Service cluster using Kompose",
|
||||
"creator": "Microsoft Azure",
|
||||
"iconName": "azure",
|
||||
"categories": ["Deployment", "Kompose", "Kubernetes", "Dockerfile"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Deploy to AKS with Kustomize",
|
||||
"description": "Deploy an application to an Azure Kubernetes Service cluster using Kustomize",
|
||||
"creator": "Microsoft Azure",
|
||||
"iconName": "azure",
|
||||
"categories": ["Deployment", "Kustomize", "Kubernetes", "Dockerfile"]
|
||||
}
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "Deploy to a AKS Cluster",
|
||||
"description": "Deploy an application to a Azure Kubernetes Service Cluster using Azure Credentials",
|
||||
"name": "Deploy to AKS",
|
||||
"description": "Deploy an application to an Azure Kubernetes Service cluster",
|
||||
"creator": "Microsoft Azure",
|
||||
"iconName": "azure",
|
||||
"categories": ["Deployment", "Kompose", "Helm", "Kustomize", "Kubernetes", "Dockerfile"]
|
||||
"categories": ["Deployment", "Kubernetes", "Dockerfile"]
|
||||
}
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Build and Deploy to Cloud Run",
|
||||
"description": "Build a Docker container, publish it to Google Artifact Registry, and deploy to Google Cloud Run.",
|
||||
"creator": "Google Cloud",
|
||||
"iconName": "google-cloud",
|
||||
"categories": ["Deployment", "Containers", "Dockerfile", "Cloud Run", "Serverless"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
"name": "Deploy to Cloud Run from Source",
|
||||
"description": "Deploy to Google Cloud Run directly from source.",
|
||||
"creator": "Google Cloud",
|
||||
"iconName": "google-cloud",
|
||||
"categories": ["Deployment", "Containers", "Cloud Run", "Serverless", "Buildpacks"]
|
||||
}
|
||||
@@ -2,6 +2,6 @@
|
||||
"name": "Build and Deploy to GKE",
|
||||
"description": "Build a docker container, publish it to Google Container Registry, and deploy to GKE.",
|
||||
"creator": "Google Cloud",
|
||||
"iconName": "googlegke",
|
||||
"iconName": "google-cloud",
|
||||
"categories": ["Deployment", "Dockerfile", "Kubernetes", "Kustomize"]
|
||||
}
|
||||
File diff suppressed because one or more lines are too long
|
After Width: | Height: | Size: 107 KiB |
|
Before Width: | Height: | Size: 9.3 KiB After Width: | Height: | Size: 9.3 KiB |
Reference in New Issue
Block a user