debug auto merge #228

# to view logs

Workflow file for this run

.github/workflows/build-push-chart.yml at 2e68f16

	---
	name: Build/Push Image and Release Charts

	on:
	pull_request:
	paths-ignore:
	- "chart/**/Chart.yaml"
	- "chart/**/values.yaml"
	push:
	branches:
	- main
	paths-ignore:
	- "chart/**/Chart.yaml"
	- "chart/**/values.yaml"

	permissions: read-all

	jobs:
	setenv:
	runs-on: ubuntu-latest

	outputs:
	short_sha: ${{ steps.env.outputs.short_sha }}
	chart_version: ${{ steps.env.outputs.chart_version }}
	image_version: ${{ steps.env.outputs.image_version }}
	image_tag: ${{ steps.env.outputs.image_tag }}
	image_repo_tag: ${{ steps.env.outputs.image_repo_tag }}
	image_repository: ${{ steps.env.outputs.image_repository }}
	registry: ${{ steps.env.outputs.registry }}
	branch: ${{ steps.env.outputs.branch }}
	compname: ${{ steps.env.outputs.compname }}
	dhurl: ${{ steps.env.outputs.dhurl }}
	gh_handle: ${{ steps.env.outputs.gh_handle }}

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
	with:
	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

	- name: Checkout
	id: checkout
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
	with:
	fetch-depth: 1

	- name: Export env
	id: env
	env:
	DHURL: https://console.deployhub.com
	REGISTRY: quay.io
	BRANCH: ${{ github.head_ref \|\| github.ref_name }}
	run: \|
	BRANCH=$(echo "${{ env.BRANCH }}" \| cut -d'/' -f1)
	BASE_VERSION=$(curl -s "https://ortelius.github.io/${{ github.event.repository.name }}/index.yaml" \| grep version: \| awk '{print $2}' \| cut -f1-2 -d. \| sort -u -r --version-sort \| head -1)
	SHORT_SHA=$(echo ${{ github.sha }} \| cut -c 1-6)
	{
	echo "dhurl=${{ env.DHURL }}"
	echo "branch=${BRANCH}"
	echo "chart_version=${BASE_VERSION}.${{ github.run_number }}"
	echo "compname=${{ github.event.repository.name }}"
	echo "image_repo_tag=${{ env.REGISTRY }}/${{ github.repository }}:${BRANCH}-v${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}"
	echo "image_repository=${{ env.REGISTRY }}/${{ github.repository }}"
	echo "image_tag=${BRANCH}-v${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}"
	echo "image_version=${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}"
	echo "registry=${{ env.REGISTRY }}"
	echo "short_sha=${SHORT_SHA}"
	echo "gh_handle=$GITHUB_ACTOR"
	} >> "$GITHUB_OUTPUT"

	release:
	runs-on: ubuntu-latest
	needs: setenv

	outputs:
	digest: ${{ steps.build.outputs.digest }}

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
	with:
	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

	- name: Checkout
	id: checkout
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

	- name: Login to Quay
	if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
	id: login
	uses: docker/#-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
	with:
	registry: ${{ needs.setenv.outputs.registry }}
	username: ${{ secrets.QUAY_USERID }}
	password: ${{ secrets.QUAY_PASSWORD }}

	- name: Build and Push Docker Image
	if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
	id: build
	uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
	with:
	push: true
	tags: ${{ needs.setenv.outputs.image_repo_tag }}

	- name: Build Docker Image
	if: ${{ !(github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main') }}
	id: build_only
	uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
	with:
	tags: ${{ needs.setenv.outputs.image_repo_tag }}

	trivy:
	runs-on: ubuntu-latest
	needs: [setenv, release]

	permissions:
	security-events: write
	statuses: write

	if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
	with:
	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

	- name: Checkout
	id: checkout
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # master
	with:
	image-ref: ${{ needs.setenv.outputs.image_repo_tag }}
	format: "sarif"
	output: "trivy-results.sarif"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
	if: always()
	with:
	sarif_file: "trivy-results.sarif"

	helm:
	runs-on: ubuntu-latest
	needs: [setenv, release]

	permissions:
	security-events: write
	statuses: write
	contents: write

	if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
	with:
	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

	- name: Helm Chart Releaser
	uses: ortelius/ms-cr-action@0aed84909ef7f2a08a1ea1e980f499a42fa1fa09 # v1.2.1
	with:
	gpg_keyring_base64: ${{ secrets.GPG_KEYRING_BASE64 }}
	gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
	gpg_key: ${{ secrets.GPG_KEY }}
	gh_token: ${{ secrets.HELM_INDEXER_TOKEN }}
	gh_handle: ${{ needs.setenv.outputs.gh_handle }}
	chart: chart/${{ needs.setenv.outputs.compname }}
	chart_version: ${{ needs.setenv.outputs.chart_version }}
	image_repository: ${{ needs.setenv.outputs.image_repository }}
	image_tag: ${{ needs.setenv.outputs.image_tag }}
	image_digest: ${{ needs.release.outputs.digest }}

	- name: Trigger Rebuild of Main Chart
	uses: benc-uk/workflow-dispatch@798e70c97009500150087d30d9f11c5444830385 # v1.2.2
	with:
	workflow: generate-main-chart.yml
	repo: ortelius/ortelius-charts
	token: ${{ secrets.HELM_INDEXER_TOKEN }}

	sbom:
	runs-on: ubuntu-latest
	needs: [setenv, release]

	if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
	with:
	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

	- name: Checkout
	id: checkout
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

	- name: Generate SBOM
	uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
	id: sbom
	with:
	format: cyclonedx-json
	output-file: /tmp/cyclonedx.json
	image: ${{ needs.setenv.outputs.image_repo_tag }}

	- name: Update Compnent
	id: updatecomp
	env:
	DHURL: ${{ needs.setenv.outputs.dhurl }}
	DHUSER: ${{ secrets.DHUSER }}
	DHPASS: ${{ secrets.DHPASS }}
	GIT_BRANCH: ${{ needs.setenv.outputs.branch }}
	CHART_VERSION: ${{ needs.setenv.outputs.chart_version }}
	COMPNAME: ${{ needs.setenv.outputs.compname }}
	DIGEST: ${{ needs.release.outputs.digest }}
	IMAGE_REPO: ${{ needs.setenv.outputs.image_repository }}
	IMAGE_REPO_TAG: ${{ needs.setenv.outputs.image_repo_tag }}
	IMAGE_TAG: ${{ needs.setenv.outputs.image_tag }}
	IMAGE_VERSION: ${{ needs.setenv.outputs.image_version }}
	SHORT_SHA: ${{ needs.setenv.outputs.short_sha }}

	run: \|
	pip install ortelius-cli
	dh updatecomp --rsp component.toml --deppkg cyclonedx@/tmp/cyclonedx.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

debug auto merge #228

Workflow file

debug auto merge #228

Jobs

Run details

Workflow file for this run