From 834d671555bc72b04006710dab355d8da683b81f Mon Sep 17 00:00:00 2001
From: Brock Hinkson
Date: Wed, 22 Oct 2025 17:28:05 -0500
Subject: [PATCH 1/4] test-cicd
---
 .github/workflows/cicd.yml | 82 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 .github/workflows/cicd.yml
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
new file mode 100644
index 0000000..b26f10a
--- /dev/null
+++ b/.github/workflows/cicd.yml
@@ -0,0 +1,82 @@
+name: CI/CD Pipeline
+
+on:
+ pull_request:
+ branches: [main, development]
+ push:
+ branches: [main, development]
+ # Consider how you want to handle version tags
+ tags: ['v*.*.*']
+
+permissions:
+ contents: read
+ packages: write
+ security-events: write
+
+env:
+ REGISTRY: ghcr.io
+ PYTHON_VERSION: '3.13'
+
+jobs:
+ setup:
+ runs-on: ubuntu-latest
+ outputs:
+ image_base: ${{ steps.vars.outputs.image_base }}
+ pr_tag: ${{ steps.vars.outputs.pr_tag }}
+ commit_sha: ${{ steps.vars.outputs.commit_sha }}
+ commit_sha_short: ${{ steps.vars.outputs.commit_sha_short }}
+ test_image_tag: ${{ steps.vars.outputs.test_image_tag }}
+ steps:
+ - name: Compute image vars
+ id: vars
+ shell: bash
+ run: |
+ set -euo pipefail
+ ORG="$(echo "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')"
+ REPO="$(basename "${GITHUB_REPOSITORY}")"
+ IMAGE_BASE="${REGISTRY}/${ORG}/${REPO}"
+ echo "image_base=${IMAGE_BASE}" >> "$GITHUB_OUTPUT"
+
+ if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
+ PR_NUM="${{ github.event.pull_request.number }}"
+ PR_TAG="pr-${PR_NUM}-build"
+ echo "pr_tag=${PR_TAG}" >> "$GITHUB_OUTPUT"
+ echo "test_image_tag=${PR_TAG}" >> "$GITHUB_OUTPUT"
+ fi
+
+ if [ "${GITHUB_EVENT_NAME}" = "push" ]; then
+ COMMIT_SHA="${GITHUB_SHA}"
+ SHORT_SHA="${COMMIT_SHA:0:12}"
+ echo "commit_sha=${COMMIT_SHA}" >> "$GITHUB_OUTPUT"
+ echo "commit_sha_short=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+ echo "test_image_tag=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+ fi
+
+ build-and-scan:
+ name: Build and Scan Container
+ runs-on: ubuntu-latest
+ needs: setup
+ steps:
+ - uses: actions/checkout@v4
+ - name: Build image for scanning
+ id: build
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: ./docker/Dockerfile-gitlab
+ # Load the image to the local Docker daemon, but do not push it
+ load: true
+ tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
+ - name: Scan container with Trivy
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ # Scan the locally available image
+ image-ref: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ - name: Upload Trivy SARIF
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
From f76e26b06bbd20b26b9bde396a381493a91c5c8c Mon Sep 17 00:00:00 2001
From: Brock Hinkson
Date: Wed, 22 Oct 2025 17:40:42 -0500
Subject: [PATCH 2/4] fix
---
 .github/workflows/cicd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index b26f10a..fddc8b4 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -63,7 +63,7 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 context: .
- file: ./docker/Dockerfile-gitlab
+ file: ./Dockerfile-gitlab
 # Load the image to the local Docker daemon, but do not push it
 load: true
 tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
From 38d2cec84667f504eae07852592497087ee35a61 Mon Sep 17 00:00:00 2001
From: Brock Hinkson
Date: Wed, 22 Oct 2025 18:07:18 -0500
Subject: [PATCH 3/4] add gitlab secrets
---
 .github/workflows/cicd.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index fddc8b4..52b79b7 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
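Review bot: The Trivy step near the end of this hunk only reports; trivy-action's `exit-code` input defaults to 0, so CRITICAL/HIGH findings are uploaded to code scanning but never fail `build-and-scan`, and anything chained after the job will treat the image as clean. If the scan is meant to gate, add `exit-code: '1'` (and optionally `ignore-unfixed: true`) under the Trivy `with:`, and give the upload step `if: always()` so the SARIF still lands when the scan step fails. Every third-party action here (`actions/checkout@v4`, `docker/build-push-action@v6`, `aquasecurity/trivy-action@0.20.0`, `github/codeql-action/upload-sarif@v3`) is referenced by a mutable tag; pinning each to a full commit SHA with the tag in a trailing comment removes the tag-retargeting exposure. The workflow-level `packages: write` is unused in this patch (the build uses `load: true` and never pushes), so it could be dropped until a push job exists, or scoped to that job. Note also that `security-events: write` is not granted to `pull_request` runs from forks, so the upload step would presumably fail there.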
@@ -58,6 +58,12 @@ jobs:
 needs: setup
 steps:
 - uses: actions/checkout@v4
+ - name: Log in to GitLab Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: registry.sh.nextgenwaterprediction.com
+ username: ${{ secrets.GITLAB_REGISTRY_USER }}
+ password: ${{ secrets.GITLAB_REGISTRY_PAT }}
 - name: Build image for scanning
 id: build
 uses: docker/build-push-action@v6
From 076de7b994f5d346881091157a5e600ca28421d5 Mon Sep 17 00:00:00 2001
From: Brock Hinkson
Date: Wed, 22 Oct 2025 18:09:24 -0500
Subject: [PATCH 4/4] fix gitlab link
---
 .github/workflows/cicd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 52b79b7..f079161 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -61,7 +61,7 @@ jobs:
 - name: Log in to GitLab Container Registry
 uses: docker/login-action@v3
 with:
- registry: registry.sh.nextgenwaterprediction.com
+ registry: gitlab.sh.nextgenwaterprediction.com
 username: ${{ secrets.GITLAB_REGISTRY_USER }}
 password: ${{ secrets.GITLAB_REGISTRY_PAT }}
 - name: Build image for scanning
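Review bot: The new login step runs unconditionally, and the workflow's trigger block (outside this hunk) includes `pull_request`; repository secrets are not exposed to pull requests from forks, so `GITLAB_REGISTRY_USER`/`GITLAB_REGISTRY_PAT` would be empty there and `docker/login-action` fails the job before the build starts. If fork PRs are expected, guard the step on `github.event.pull_request.head.repo.fork` (or on `github.event_name`), otherwise document that the pipeline is same-repo only. The secret name says PAT; since this job only pulls, a GitLab deploy token or project access token scoped to `read_registry` keeps a leaked runner secret from granting write access. The registry here differs from `env.REGISTRY` (ghcr.io) used to tag the image, which is presumably intentional (a base image in `Dockerfile-gitlab` hosted on the GitLab instance); a comment such as `# Pull-only credentials for the base image referenced by Dockerfile-gitlab` above the step would make that explicit. `docker/login-action@v3` is also a mutable tag, same as the actions in the first patch.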