Fix bugs in ci pipeline and IaC vulnerability scan #974
| name: cd | |
| on: | |
| pull_request: | |
| types: [ opened, synchronize, reopened, ready_for_review ] | |
| # Ensures preview deployment has minimal permissions for security | |
| permissions: | |
| contents: read # Read-only access to repo contents for safer workflows | |
| pull-requests: write # Allow workflow to comment on, label, and update pull request as part of automation | |
| id-token: write # Allow OIDC tokens for secure cloud authentication | |
| jobs: | |
| deploy: | |
| if: github.event.pull_request.state == 'open' && github.event.pull_request.draft == false | |
| runs-on: ubuntu-latest | |
| concurrency: | |
| group: cd-preview-${{ github.event.pull_request.head.ref }} | |
| cancel-in-progress: true | |
| steps: | |
| - name: Checkout app | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| with: | |
| path: app | |
| - name: Checkout github-ci | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| with: | |
| repository: jalantechnologies/github-ci | |
| path: platform | |
| ref: v3.3.2-alpha.1 | |
| - name: Extract branch name | |
| id: extract_branch | |
| run: | | |
| BRANCH_NAME=$(echo ${{ github.event.pull_request.head.ref }} | sed -e 's/^refs\/heads\///g') | |
| BRANCH_HASH=$(sha1sum < <(printf '%s' $BRANCH_NAME) | cut -c -15) | |
| echo "branch_hash=$(echo $BRANCH_HASH)" >> $GITHUB_OUTPUT | |
| - name: Build Docker image | |
| id: build | |
| uses: ./platform/.github/actions/build | |
| with: | |
| app_name: flask-react-app | |
| tag: ${{ steps.extract_branch.outputs.branch_hash }} | |
| build_args: APP_ENV=preview | |
| context: app/. | |
| docker_registry: ${{ vars.DOCKER_REGISTRY }} | |
| docker_username: ${{ vars.DOCKER_USERNAME }} | |
| docker_password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Deploy to preview | |
| uses: ./platform/.github/actions/deploy | |
| with: | |
| app_name: flask-react-app | |
| app_env: preview | |
| app_hostname: '{1}.preview.platform.bettrhq.com' | |
| branch: ${{ github.event.pull_request.head.ref }} | |
| deploy_id: ${{ github.run_number }} | |
| deploy_root: app/lib/kube | |
| deploy_labels: gh/pr=${{ github.event.number }} | |
| deploy_image: ${{ steps.build.outputs.image_name }} | |
| deploy_tag: ${{ steps.build.outputs.image_tag }} | |
| deploy_digest: ${{ steps.build.outputs.image_digest }} | |
| docker_registry: ${{ vars.DOCKER_REGISTRY }} | |
| docker_username: ${{ vars.DOCKER_USERNAME }} | |
| docker_password: ${{ secrets.DOCKER_PASSWORD }} | |
| do_access_token: ${{ secrets.DO_ACCESS_TOKEN }} | |
| do_cluster_id: ${{ vars.DO_CLUSTER_ID }} | |
| doppler_token: ${{ secrets.DOPPLER_PREVIEW_TOKEN }} | |
| pull_request_number: ${{ github.event.pull_request.number }} | |
| deploy_annotate_pr: "true" |
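Review bot: `github.event.pull_request.head.ref` is expanded straight into the shell script of the `Extract branch name` step (the `BRANCH_NAME=$(echo ${{ ... }} ...)` line), so a branch name containing shell metacharacters is executed by the runner shell rather than hashed; the job also holds `id-token: write`, `pull-requests: write` and the registry/cluster/Doppler secrets for same-repo branches, so the value should reach the script through an `env:` entry and be quoted, as in the excerpt below (the same ref in `concurrency.group` is not shell-interpreted and is fine). Separately, the `github-ci` checkout is pinned by the mutable tag `ref: v3.3.2-alpha.1` while both `actions/checkout` uses are pinned by commit SHA; because the local actions under `./platform/.github/actions/` receive `DOCKER_PASSWORD`, `DO_ACCESS_TOKEN` and `DOPPLER_PREVIEW_TOKEN`, pin that ref the same way, `ref: <commit-sha-of-v3.3.2-alpha.1>  # v3.3.2-alpha.1`, and give the two `actions/checkout@08c6903…` lines a trailing `# vX.Y.Z` comment so the pins are reviewable. On a `pull_request` event `head.ref` is, as far as I can tell, already a bare branch name, so the `sed` strip of `refs/heads/` appears to be a no-op and is kept below only to preserve the current behaviour.
```yaml
      - name: Extract branch name
        id: extract_branch
        env:
          # Expanded by the runner, not by the shell, so metacharacters stay literal.
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          BRANCH_NAME=$(printf '%s' "$HEAD_REF" | sed -e 's/^refs\/heads\///g')
          BRANCH_HASH=$(printf '%s' "$BRANCH_NAME" | sha1sum | cut -c -15)
          echo "branch_hash=$BRANCH_HASH" >> "$GITHUB_OUTPUT"
      # … unchanged: Build Docker image and Deploy to preview steps …
```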