Merge pull request #129 from CBIIT/Build-GHA

David-YuWei · web-flow · commit 671c119f9b15 · 2025-04-03T13:26:46.000-04:00
ccdc GHA
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,105 @@
+name: Build Image
+permissions: 
+  contents: write
+  id-token: write
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Which account the ECR repository is in'
+        type: environment
+      fail_on_trivy_scan:
+        type: boolean
+        description: fail the build if vulnerabilities are found
+        required: true 
+        default: false
+jobs:
+  build:
+    name: Build Image
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    env:
+        ECR_REPOSITORY: ccdi-ccdc-backend
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+        AWS_REGION: ${{ secrets.AWS_REGION }}
+    
+    steps:
+
+    - name: Check out code
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+
+    - name: Set Image Tag
+      env:
+        BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      run: |
+        # Get all tags for the repo and find the latest tag for the branch being built
+        git fetch --tags --force --quiet
+        tag=$(git tag -l $BRANCH_NAME* | tail -1)
+        if  [ ! -z "$tag" ];
+        then
+          # Increment the build number if a tag is found
+          build_num=$(echo "${tag##*.}")
+          build_num=$((build_num+1))
+          echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV
+        else
+          # If no tag is found create a new tag name
+          build_num=1
+          echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV
+        fi
+    - name: Build
+      id: build-image
+      run: |
+        docker build -t $ECR_REPOSITORY:$IMAGE_TAG .
+        
+    - name: Set Trivy exit code
+      run: |
+        if  [[ ${{ inputs.fail_on_trivy_scan }} == true ]];
+        then
+          echo 'TRIVY_EXIT_CODE=1' >> $GITHUB_ENV
+        else
+          echo 'TRIVY_EXIT_CODE=0' >> $GITHUB_ENV
+        fi
+    
+    - name: Run Trivy vulnerability scanner
+      id: trivy-scan
+      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561
+      with:
+        image-ref: '${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}'
+        format: 'table'
+        exit-code: '${{ env.TRIVY_EXIT_CODE }}'
+        ignore-unfixed: true
+        severity: 'CRITICAL,HIGH'
+
+    - name: AWS OIDC Authentication
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+      with:
+        role-to-assume: ${{ env.AWS_ROLE_TO_ASSUME }}
+        aws-region: ${{ env.AWS_REGION }}
+        role-session-name: ${{ github.actor }}
+
+    - name: Create Git tag for Image
+      run: |
+        git config user.name "GitHub Actions"
+        git config user.email "github-actions@users.noreply.github.com"
+        git tag ${{ env.IMAGE_TAG }}
+        git push origin ${{ env.IMAGE_TAG }}
+
+    - name: Login to Amazon ECR
+      id: login-aws-ecr
+      uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7
+    
+    - name: Push to Amazon ECR
+      id: push-image
+      env:
+        ECR_REGISTRY: ${{ steps.login-aws-ecr.outputs.registry }}
+      run: |
+        docker tag  $ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+    - name: Slack Notification
+      uses: act10ns/slack@87c73aef9f8838eb6feae81589a6b1487a4a9e08
+      with:
+        status: ${{ job.status }}
+        steps: ${{ toJson(steps) }}
+      if: always()
