Skip to content
Docker Build Main Push AWS Dev

fix: Update code to account for params on end of asset url in s3 (#1217) #821

Sign in to view logs

fix: Update code to account for params on end of asset url in s3 (#1217)

fix: Update code to account for params on end of asset url in s3 (#1217) #821

Workflow file for this run

.github/workflows/dev-aws-ecr.yml at abb88ac
name: Docker Build Main Push AWS Dev
on:
push:
paths-ignore:
- 'docs/**'
- '**.md**'
branches: [main]
workflow_dispatch:
jobs:
build-and-push-aws:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: Get tag
run: echo "RELEASE_VERSION=${GITHUB_REF:10}" >> $GITHUB_ENV
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4
with:
aws-access-key-id: ${{ secrets.GHA_ECR_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.GHA_ECR_AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-2
role-to-assume: ${{ secrets.GHA_ECR_ROLE_ASSUMPTION }}
role-skip-session-tagging: true
role-duration-seconds: '3600'
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
- name: Login to ECR
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
with:
registry: ${{ steps.login-ecr.outputs.registry }}
- name: Docker meta
id: meta
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5
with:
# list of Docker images to use as base name for tags
images: |
${{ secrets.ECR_REGISTRY }}/${{ secrets.ECR_REPOSITORY }}
tags: |
type=sha,prefix=,format=long
flavor: |
latest=false
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
id: buildx
with:
install: true
- name: Add DoD Certificate Bundle
env:
CERT_BUNDLE_SHA256: ${{ secrets.DOD_CA_CERT_BUNDLE_SHA256 }}
run: |
echo "$CERT_BUNDLE_SHA256" > scripts/dod_ca_cert_bundle.sha256
- name: Build and push
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
with:
provenance: false
context: .
push: true
file: Dockerfile-gh
tags: ${{ steps.login-ecr.outputs.registry }}/portal-client:${{ github.sha }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
BUILD=${{ github.sha }}
- name: Snapshot DocumentDB Cluster
env:
DOCDB_CLUSTER_IDENTIFIER: ${{ secrets.DOCDB_CLUSTER_IDENTIFIER }}
IMAGE_TAG: ${{ github.sha }}
run: |
./scripts/snapshot-docdb.sh
- name: Download task definition | Update Task Definition | Update ECS Service | Deploy new image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: portal-client
IMAGE_TAG: ${{ github.sha }}
run: |
./scripts/deploy-dev-aws.sh
trivy-scan-image:
needs: build-and-push-aws
runs-on: ubuntu-latest
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4
with:
aws-access-key-id: ${{ secrets.GHA_ECR_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.GHA_ECR_AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-2
role-to-assume: ${{ secrets.GHA_ECR_ROLE_ASSUMPTION }}
role-skip-session-tagging: true
role-duration-seconds: '3600'
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
- name: Aqua Security Trivy
id: scan-aws-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: portal-client
IMAGE_TAG: ${{ github.sha }}
uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # 0.14.0
with:
image-ref: '${{ steps.login-ecr.outputs.registry }}/portal-client:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
ignore-unfixed: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2
with:
sarif_file: 'trivy-results.sarif'