-
Notifications
You must be signed in to change notification settings - Fork 22
287 lines (246 loc) · 10.4 KB
/
build_push2.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
# This workflow:
# * Builds, tests, and scans all images
# * (optionally) pushes the images to ACR
#
# This workflow triggers on:
# * a push to master
# * any create/synchronize to a PR (eg: any time you push an update to a PR).
#
# Image build/test/scan will run on any of the above events.
# Image push will run only if:
# * this is a push to master
# * if the PR triggering this event has the label 'auto-deploy'
#
# To configure this workflow:
#
# 1. Set up the following secrets in your workspace:
# a. REGISTRY_USERNAME with ACR username
# b. REGISTRY_PASSWORD with ACR Password
# c. AZURE_CREDENTIALS with the output of `az ad sp create-for-rbac --sdk-auth`
# d. DEV_REGISTRY_USERNAME with the DEV ACR username
# e. DEV_REGISTRY_PASSWORD with the DEV ACR Password
#
# 2. Change the values for the REGISTRY_NAME, CLUSTER_NAME, CLUSTER_RESOURCE_GROUP and NAMESPACE environment variables (below in build-push).
name: build_and_push2
on:
schedule:
# Execute at 2am EST every day
- cron: '0 21 * * *'
push:
branches:
- 'master-2.0'
pull_request:
types:
- 'opened'
- 'synchronize'
- 'reopened'
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
jobs:
# Any checks that run pre-build
# pre-build-checks:
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@master
# - name: Assert committed ./output folder matches `make generate-dockerfiles` output
# run: |
# sudo apt-get install --yes make
# make clean
# make generate-dockerfiles
# if ! git diff --quiet output/; then
# echo 'output folder and docker-bits/resources out of sync!'
# exit 1
# fi
build-jupyter2:
env:
REGISTRY_NAME: k8scc01covidacr
DEV_REGISTRY_NAME: k8scc01covidacrdev
CLUSTER_NAME: k8s-cancentral-01-covid-aks
CLUSTER_RESOURCE_GROUP: k8s-cancentral-01-covid-aks
LOCAL_REPO: localhost:5000
TRIVY_VERSION: "v0.31.3"
HADOLINT_VERSION: "2.12.0"
strategy:
fail-fast: false
# needs: pre-build-checks
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
outputs:
jupyter-image-name: ${{ steps.build-image.outputs.full_image_name }}
steps:
- name: Set ENV variables for a PR containing the auto-deploy tag
if: github.event_name == 'pull_request' && contains( github.event.pull_request.labels.*.name, 'auto-deploy')
run: |
echo "REGISTRY=k8scc01covidacrdev.azurecr.io" >> "$GITHUB_ENV"
echo "IMAGE_VERSION=dev" >> "$GITHUB_ENV"
- name: Set ENV variables for pushes to master
if: github.event_name == 'push' && github.ref == 'refs/heads/master-2.0'
run: |
echo "REGISTRY=k8scc01covidacr.azurecr.io" >> "$GITHUB_ENV"
echo "IMAGE_VERSION=v2" >> "$GITHUB_ENV"
echo "IS_LATEST=true" >> "$GITHUB_ENV"
- uses: actions/checkout@master
- name: Echo disk usage before clean up
run: ./.github/scripts/echo_usage.sh
- name: Free up all available disk space before building
run: ./.github/scripts/cleanup_runner.sh
- name: Echo disk usage before build start
run: ./.github/scripts/echo_usage.sh
- name: Get current notebook name
id: notebook-name
shell: bash
run: |
echo NOTEBOOK_NAME=jupyterlab >> $GITHUB_OUTPUT
# Connect to Azure Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ env.REGISTRY_NAME }}.azurecr.io
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
# Connect to Azure DEV Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ env.DEV_REGISTRY_NAME }}.azurecr.io
username: ${{ secrets.DEV_REGISTRY_USERNAME }}
password: ${{ secrets.DEV_REGISTRY_PASSWORD }}
- name: Run Hadolint
run: |
sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint
sudo chmod +x hadolint
./hadolint dockerfiles/jupyterlab/Dockerfile --no-fail
# make build emits full_image_name, image_tag, and image_repo outputs
- name: Build image
id: build-image
run: make build/jupyterlab REPO=${{ env.LOCAL_REPO }}
- name: Echo disk usage after build completion
run: ./.github/scripts/echo_usage.sh
- name: Add standard tag names (short sha, sha, and branch) and any other post-build activity
run: make post-build/jupyterlab REPO=${{ env.LOCAL_REPO }}
- name: Push image to local registry (default pushes all tags)
run: make push/jupyterlab REPO=${{ env.LOCAL_REPO }}
# Image testing
- name: Set Up Python for Test Suite
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Set up venv for Test Suite
run: |
python -m pip install --upgrade pip
make install-python-dev-venv
- name: Test image
run: make test/jupyterlab REPO=${{ env.LOCAL_REPO }}
# Scan image for vulnerabilities
- name: Aqua Security Trivy image scan
# see https://github.com/StatCan/aaw-private/issues/11 -- should be re-enabled
if: steps.notebook-name.outputs.NOTEBOOK_NAME != 'sas'
run: |
printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
trivy image ${{ steps.build-image.outputs.full_image_name }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
# Push image to ACR
# Pushes if this is a push to master or an update to a PR that has auto-deploy label
- name: Test if we should push to ACR
id: should-i-push
if: |
github.event_name == 'push' ||
(
github.event_name == 'pull_request' &&
contains( github.event.pull_request.labels.*.name, 'auto-deploy')
)
run: echo 'boolean=true' >> $GITHUB_OUTPUT
# Pull the local image back, then "build" it (will just tag the pulled image)
- name: Pull image back from local repo
if: steps.should-i-push.outputs.boolean == 'true'
run: docker pull ${{ steps.build-image.outputs.full_image_name }}
# Rename the localhost:5000/imagename:tag built above to use the real repo
# (get above's name from build-image's output)
- name: Tag images with real repository
if: steps.should-i-push.outputs.boolean == 'true'
run: >
make post-build/jupyterlab DEFAULT_REPO=$REGISTRY IS_LATEST=$IS_LATEST
IMAGE_VERSION=$IMAGE_VERSION SOURCE_FULL_IMAGE_NAME=${{ steps.build-image.outputs.full_image_name }}
- name: Push image to registry
if: steps.should-i-push.outputs.boolean == 'true'
run: |
make push/jupyterlab DEFAULT_REPO=$REGISTRY
## SAS BUILD
- name: Get current notebook name
id: notebook-name2
shell: bash
run: |
echo NOTEBOOK_NAME=sas >> $GITHUB_OUTPUT
- name: Run Hadolint
run: |
sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint
sudo chmod +x hadolint
./hadolint dockerfiles/sas/Dockerfile --no-fail
- name: get images
run: docker images -a
- name: Build image
id: build-image2
run: |
docker pull ${{ steps.build-image.outputs.full_image_name }}
make build/sas REPO=${{ env.LOCAL_REPO }}
- name: Echo disk usage after build completion
run: ./.github/scripts/echo_usage.sh
- name: Add standard tag names (short sha, sha, and branch) and any other post-build activity
run: make post-build/sas REPO=${{ env.LOCAL_REPO }}
- name: Push image to local registry (default pushes all tags)
run: make push/sas REPO=${{ env.LOCAL_REPO }}
# Image testing
- name: Set Up Python for Test Suite
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Set up venv for Test Suite
run: |
python -m pip install --upgrade pip
make install-python-dev-venv
- name: Test image
run: make test/sas REPO=${{ env.LOCAL_REPO }}
# Free up space from build process (containerscan action will run out of space if we don't)
- run: ./.github/scripts/cleanup_runner.sh
# Scan image for vulnerabilities
- name: Aqua Security Trivy image scan
# see https://github.com/StatCan/aaw-private/issues/11 -- should be re-enabled
if: steps.notebook-name2.outputs.NOTEBOOK_NAME != 'sas'
run: |
printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
trivy image ${{ steps.build-image2.outputs.full_image_name }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
# Push image to ACR
# Pushes if this is a push to master or an update to a PR that has auto-deploy label
- name: Test if we should push to ACR
id: should-i-push2
if: |
github.event_name == 'push' ||
(
github.event_name == 'pull_request' &&
contains( github.event.pull_request.labels.*.name, 'auto-deploy')
)
run: echo 'boolean=true' >> $GITHUB_OUTPUT
# Pull the local image back, then "build" it (will just tag the pulled image)
- name: Pull image back from local repo
if: steps.should-i-push2.outputs.boolean == 'true'
run: docker pull ${{ steps.build-image2.outputs.full_image_name }}
# Rename the localhost:5000/imagename:tag built above to use the real repo
# (get above's name from build-image's output)
- name: Tag images with real repository
if: steps.should-i-push2.outputs.boolean == 'true'
run: >
make post-build/sas DEFAULT_REPO=$REGISTRY IS_LATEST=$IS_LATEST
IMAGE_VERSION=$IMAGE_VERSION SOURCE_FULL_IMAGE_NAME=${{ steps.build-image2.outputs.full_image_name }}
- name: Push image to registry
if: steps.should-i-push2.outputs.boolean == 'true'
run: |
make push/sas DEFAULT_REPO=$REGISTRY
- name: Slack Notification
if: failure() && github.event_name=='schedule'
uses: act10ns/slack@v1
with:
status: failure
message: Build failed. https://github.com/StatCan/aaw-kubeflow-containers/actions/runs/${{github.run_id}}