github-action-example/.github/workflows/Build And Deploy.yml at main · rmkr-dev/github-action-example · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
name: Deploy to Azure [Dev]
run-name: Deploying changes from ${{ github.actor }}

on:
  workflow_dispatch:
  push:
    branches:
      - clouddevelop


jobs:

  build:

    name: Build|Validate|Deploy #[Java(Maven Build,Sonar Scan),Docker Image,Prisma Scan,K8s]
    environment: dev
    runs-on: [ uhg-runner ]


    steps:
      - uses: actions/checkout@v3


      - name: SonarQube Scan
        uses: github-actions/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: https://sonar.example.com


      - name: Docker login
        uses: Azure/docker-login@v1
        with:
          login-server: ${{ vars.ACR_NAME }}.azurecr.io
          username: ${{ vars.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}


      - name: Build the Docker image
        run: |
          docker build -f Dockerfile --tag ${{ vars.ACR_NAME }}.azurecr.io/test-code-main:${{github.run_number}} .


      - name: Prisma Cloud image scan
        id: scan
        env:
          NODE_EXTRA_CA_CERTS: /usr/local/share/ca-certificates/test_Root_CA.crt

        uses: PaloAltoNetworks/prisma-cloud-scan@v1.5
        with:
          pcc_console_url: https://containersecurity.example.com
          pcc_user: "ms\\${{ secrets.TWISTLOCK_USER }}"
          pcc_pass: ${{ secrets.TWISTLOCK_PASSWORD }}
          image_name: ${{ vars.ACR_NAME }}.azurecr.io/test-code-main:${{github.run_number}}
          docker_tlscacert: "/certs/client/ca.pem"
          docker_tlscert: "/certs/client/cert.pem"
          docker_tlskey: "/certs/client/key.pem"


      - name: Upload SARIF file
        if: ${{ always() }} # necessary if using failure thresholds in the image scan
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif_file }}


      - name: Push the Docker image
        run: |
          docker push ${{ vars.ACR_NAME }}.azurecr.io/test-code-main:${{github.run_number}}


      - name: Install kubectl
        uses: azure/setup-kubectl@v3.0


      # login to Azure.
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}


      - name: Set up kubelogin for non-interactive login
        uses: azure/use-kubelogin@v1
        with:
          kubelogin-version: 'v0.0.25'


      # Set the target AKS cluster.
      - uses: Azure/aks-set-context@v3
        with:
          cluster-name: ${{ vars.AZURE_AKS_CLUSTER }}
          resource-group: ${{ vars.AKS_RESOURCE_GROUP }}
          admin: 'false'
          use-kubelogin: 'true'


      - uses: Azure/k8s-deploy@v4
        with:
          action: deploy
          force: 'false' #enforce to true if a deployment is needed disregarding the changes to code (or not)
          namespace: orx-it-mt-dev
          manifests: |
            manifests/configmap.yml
            manifests/deployment.yml
            manifests/service.yml
          images: |
            ${{ vars.ACR_NAME }}.azurecr.io/test-code-main:${{github.run_number}}