[DTOSS-11103] Azure monitor infrastructure metrics for container app … #194

Workflow file for this run

.github/workflows/stage-3-build-images.yaml at 38317a2

	name: Docker Image CI

	on:
	push:
	branches:
	- main

	workflow_call:
	inputs:
	environment_tag:
	description: Environment of the deployment
	required: true
	type: string
	default: development
	docker_compose_file:
	description: The path of the compose.yaml file needed to build docker images
	required: true
	type: string
	function_app_source_code_path:
	description: The source path of the function app source code for the docker builds
	required: true
	type: string
	project_name:
	description: The name of the project
	required: true
	type: string
	excluded_containers_csv_list:
	description: Excluded containers in a comma separated list
	required: true
	type: string
	build_all_images:
	description: Build all images (true) or only changed ones (false)
	required: false
	type: boolean
	default: false

	jobs:
	get-functions:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	pull-requests: read
	id-token: write
	outputs:
	FUNC_NAMES: ${{ steps.get-function-names.outputs.FUNC_NAMES }}
	DOCKER_COMPOSE_DIR: ${{ steps.get-function-names.outputs.DOCKER_COMPOSE_DIR }}
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 2
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Checkout dtos-devops-templates repository
	uses: actions/checkout@v4
	with:
	repository: NHSDigital/dtos-devops-templates
	path: templates
	ref: main

	- name: Determine which Docker container(s) to build
	id: get-function-names
	env:
	COMPOSE_FILES_CSV: ${{ inputs.docker_compose_file }}
	EXCLUDED_CONTAINERS_CSV: ${{ inputs.excluded_containers_csv_list }}
	SOURCE_CODE_PATH: ${{ inputs.function_app_source_code_path }}
	MANUAL_BUILD_ALL: ${{ inputs.build_all_images \|\| false }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: bash ./templates/scripts/deployments/get-docker-names.sh

	build-and-push:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read
	pull-requests: read
	needs: get-functions
	strategy:
	matrix:
	function: ${{ fromJSON(needs.get-functions.outputs.FUNC_NAMES) }}
	if: needs.get-functions.outputs.FUNC_NAMES != '[]'
	outputs:
	pr_num_tag: ${{ env.PR_NUM_TAG }}
	short_commit_hash: ${{ env.COMMIT_HASH_TAG }}
	steps:
	- uses: actions/checkout@v4
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	fetch-depth: 1
	submodules: 'true'

	- name: Checkout dtos-devops-templates repository
	uses: actions/checkout@v4
	with:
	repository: NHSDigital/dtos-devops-templates
	path: templates
	ref: main

	- name: Az CLI login
	if: github.ref == 'refs/heads/main'
	uses: azure/login@v2
	with:
	client-id: ${{ secrets.AZURE_CLIENT_ID }}
	tenant-id: ${{ secrets.AZURE_TENANT_ID }}
	subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

	- name: Azure Container Registry login
	if: github.ref == 'refs/heads/main'
	run: az acr login --name ${{ secrets.ACR_NAME }}

	- name: Create Tags
	env:
	GH_TOKEN: ${{ github.token }}
	ENVIRONMENT_TAG: ${{ inputs.environment_tag }}
	continue-on-error: false
	run: \|
	echo "The branch is: ${GITHUB_REF}"

	if [[ "${GITHUB_REF}" == refs/pull/*/merge ]]; then
	PR_NUM_TAG=$(echo "${GITHUB_REF}" \| sed 's/refs\/pull\/$[0-9]*$\/merge/\1/')
	else
	PULLS_JSON=$(gh api /repos/{owner}/{repo}/commits/${GITHUB_SHA}/pulls)
	ORIGINATING_BRANCH=$(echo ${PULLS_JSON} \| jq -r '.[].head.ref' \| python3 -c "import sys, urllib.parse; print(urllib.parse.quote_plus(sys.stdin.read().strip()))")
	echo "ORIGINATING_BRANCH: ${ORIGINATING_BRANCH}"
	PR_NUM_TAG=$(echo ${PULLS_JSON} \| jq -r '.[].number')
	fi

	echo "PR_NUM_TAG: pr${PR_NUM_TAG}"
	echo "PR_NUM_TAG=pr${PR_NUM_TAG}" >> ${GITHUB_ENV}

	SHORT_COMMIT_HASH=$(git rev-parse --short ${GITHUB_SHA})
	echo "Commit hash tag: ${SHORT_COMMIT_HASH}"
	echo "COMMIT_HASH_TAG=${SHORT_COMMIT_HASH}" >> ${GITHUB_ENV}

	echo "ENVIRONMENT_TAG=${ENVIRONMENT_TAG}" >> ${GITHUB_ENV}

	- name: Build and Push Image
	working-directory: ${{ steps.get-function-names.outputs.DOCKER_COMPOSE_DIR }}
	continue-on-error: false
	env:
	COMPOSE_FILE: ${{ inputs.docker_compose_file }}
	PROJECT_NAME: ${{ inputs.project_name }}
	run: \|
	function=${{ matrix.function }}

	echo PROJECT_NAME: ${PROJECT_NAME}

	if [ -z "${function}" ]; then
	echo "Function variable is empty. Skipping Docker build."
	exit 0
	fi

	# Build the image
	docker compose -f ${COMPOSE_FILE//,/ -f } -p ${PROJECT_NAME} --profile "*" build --no-cache --pull ${function}

	repo_name="${{ secrets.ACR_NAME }}.azurecr.io/${PROJECT_NAME}-${function}"
	echo $(repo_name)

	# Tag the image
	echo "Tag the image:"
	docker tag ${PROJECT_NAME}-${function}:latest "$repo_name:${COMMIT_HASH_TAG}"
	docker tag ${PROJECT_NAME}-${function}:latest "$repo_name:${PR_NUM_TAG}"
	docker tag ${PROJECT_NAME}-${function}:latest "$repo_name:${ENVIRONMENT_TAG}"

	# If this variable is set, the create-sbom-report.sh script will scan this docker image instead.
	export CHECK_DOCKER_IMAGE=${PROJECT_NAME}-${function}:latest
	export FORCE_USE_DOCKER=true

	export PR_NUM_TAG=${PR_NUM_TAG}
	echo "PR_NUM_TAG=${PR_NUM_TAG}" >> ${GITHUB_ENV}

	# Push the image to the repository
	if [ "${GITHUB_REF}" == 'refs/heads/main' ]; then
	docker push "${repo_name}:${COMMIT_HASH_TAG}"
	if [ "${PR_NUM_TAG}" != 'pr' ]; then
	docker push "${repo_name}:${PR_NUM_TAG}"
	fi
	docker push "${repo_name}:${ENVIRONMENT_TAG}"
	fi

	export SBOM_REPOSITORY_REPORT="sbom-${function}-repository-report"
	echo "SBOM_REPOSITORY_REPORT=$SBOM_REPOSITORY_REPORT" >> $GITHUB_ENV
	bash -x ${GITHUB_WORKSPACE}/templates/scripts/reports/create-sbom-report.sh

	export VULNERABILITIES_REPOSITORY_REPORT="vulnerabilities-${function}-repository-report"
	echo "VULNERABILITIES_REPOSITORY_REPORT=$VULNERABILITIES_REPOSITORY_REPORT" >> $GITHUB_ENV
	bash -x ${GITHUB_WORKSPACE}/templates/scripts/reports/scan-vulnerabilities.sh

	curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \| sudo sh -s -- -b /usr/local/bin

	SCAN_RESULTS=$(grype "${PROJECT_NAME}-${function}:latest" --scope all-layers)
	# ANSI color codes
	RED="\033[0;31m"
	RESET="\033[0m"

	# Define your log file
	VULNERABILITIES_SUMMARY_LOGFILE="${PROJECT_NAME}-${function}-vulnerabilities-summary.txt"
	echo "VULNERABILITIES_SUMMARY_LOGFILE=$VULNERABILITIES_SUMMARY_LOGFILE" >> $GITHUB_ENV

	# Clear existing log file (or create if it doesn't exist)
	> "$VULNERABILITIES_SUMMARY_LOGFILE"

	for SEVERITY in CRITICAL HIGH MEDIUM; do
	{
	echo ""
	echo "${PROJECT_NAME}-${function}: vulnerabilities"
	echo -e "=== ${RED}${SEVERITY}${RESET} Vulnerabilities list ==="
	# If grep finds nothing, we print a fallback message
	echo "$SCAN_RESULTS" \| grep -i "$SEVERITY" \|\| echo "No $SEVERITY vulnerabilities found."
	} \| tee -a "$VULNERABILITIES_SUMMARY_LOGFILE"
	done

	# Remove the image
	docker rmi "${repo_name}:${COMMIT_HASH_TAG}"
	docker rmi "${repo_name}:${PR_NUM_TAG}"
	docker rmi "${repo_name}:${ENVIRONMENT_TAG}"
	docker rmi ${PROJECT_NAME}-${function}:latest

	- name: Compress SBOM report
	shell: bash
	run: \|
	echo SBOM_REPOSITORY_REPORT: ${SBOM_REPOSITORY_REPORT}
	zip "${SBOM_REPOSITORY_REPORT}.json.zip" "${SBOM_REPOSITORY_REPORT}.json"

	- name: Upload SBOM report as an artefact
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.SBOM_REPOSITORY_REPORT }}.json.zip
	path: ./${{ env.SBOM_REPOSITORY_REPORT }}.json.zip
	retention-days: 21

	- name: Compress vulnerabilities report
	shell: bash
	run: \|
	echo VULNERABILITIES_REPOSITORY_REPORT: ${VULNERABILITIES_REPOSITORY_REPORT}
	zip ${VULNERABILITIES_REPOSITORY_REPORT}.json.zip ${VULNERABILITIES_REPOSITORY_REPORT}.json

	- name: Upload vulnerabilities report as an artefact
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip
	path: ./${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip
	retention-days: 21

	- name: Upload vulnerabilities summary report as an artefact
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.VULNERABILITIES_SUMMARY_LOGFILE }}
	path: ./${{ env.VULNERABILITIES_SUMMARY_LOGFILE }}
	retention-days: 21

	aggregate-json:
	runs-on: ubuntu-latest
	needs: build-and-push
	steps:
	- name: Download SBOM JSON artifacts
	uses: actions/download-artifact@v4
	with:
	path: ./downloaded-artifacts

	- name: Combine sbom report JSON files
	run: \|
	zip sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/*/sbom.json.zip

	- name: Combine vulnerabilities report JSON files
	run: \|
	zip vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/*/vulnerabilities.json.zip
	zip vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/*/vulnerabilities-summary*.txt

	- name: Upload sbom zip file
	uses: actions/upload-artifact@v4
	with:
	name: aggregated-sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip
	path: sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip

	- name: Upload repository zip file
	uses: actions/upload-artifact@v4
	with:
	name: aggregated-vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip
	path: vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[DTOSS-11103] Azure monitor infrastructure metrics for container app … #194

Workflow file

[DTOSS-11103] Azure monitor infrastructure metrics for container app … #194

Uh oh!

Workflow file for this run