fix workflow

Mathis Marcotte · Mathis Marcotte · commit 9a915e1e9eba · 2024-03-26T14:39:28.000Z
diff --git a/.github/workflows/build_push.yaml b/.github/workflows/build_push.yaml
@@ -281,7 +281,7 @@ jobs:
     - name: Pull built base jupyterlab image
       run: |
         docker images
-        docker pull $REGISTRY/jupyterlab:$(GIT_SHA)
+        docker pull $REGISTRY/jupyterlab:$CI_COMMIT_REF_NAME
         docker tag ${{ needs.build-jupyter.outputs.jupyter-image-name }} zone-jupyterlab
         
     # make build emits full_image_name, image_tag, and image_repo outputs
diff --git a/.github/workflows/build_push2.yaml b/.github/workflows/build_push2.yaml
@@ -0,0 +1,285 @@
+# This workflow:
+# * Builds, tests, and scans all images
+# * (optionally) pushes the images to ACR
+#
+# This workflow triggers on:
+# * a push to master
+# * any create/synchronize to a PR (eg: any time you push an update to a PR).
+#
+# Image build/test/scan will run on any of the above events.
+# Image push will run only if:
+# * this is a push to master
+# * if the PR triggering this event has the label 'auto-deploy'
+#
+# To configure this workflow:
+#
+# 1. Set up the following secrets in your workspace:
+#     a. REGISTRY_USERNAME with ACR username
+#     b. REGISTRY_PASSWORD with ACR Password
+#     c. AZURE_CREDENTIALS with the output of `az ad sp create-for-rbac --sdk-auth`
+#     d. DEV_REGISTRY_USERNAME with the DEV ACR username
+#     e. DEV_REGISTRY_PASSWORD with the DEV ACR Password
+#
+# 2. Change the values for the REGISTRY_NAME, CLUSTER_NAME, CLUSTER_RESOURCE_GROUP and NAMESPACE environment variables (below in build-push).
+name: build_and_push2
+on:
+  schedule:
+    # Execute at 2am EST every day
+    - cron:  '0 21 * * *'
+  push:
+    branches:
+      - 'master-2.0'
+  pull_request:
+    types:
+      - 'opened'
+      - 'synchronize'
+      - 'reopened'
+env:
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  
+jobs:
+  # Any checks that run pre-build
+  # pre-build-checks:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #   - uses: actions/checkout@master
+
+  #   - name: Assert committed ./output folder matches `make generate-dockerfiles` output
+  #     run: |
+  #       sudo apt-get install --yes make
+  #       make clean
+  #       make generate-dockerfiles
+  #       if ! git diff --quiet output/; then
+  #           echo 'output folder and docker-bits/resources out of sync!'
+  #           exit 1
+  #       fi
+        
+  build-jupyter2:
+    env:
+      REGISTRY_NAME: k8scc01covidacr
+      DEV_REGISTRY_NAME: k8scc01covidacrdev
+      CLUSTER_NAME: k8s-cancentral-01-covid-aks
+      CLUSTER_RESOURCE_GROUP: k8s-cancentral-01-covid-aks
+      LOCAL_REPO: localhost:5000
+      TRIVY_VERSION: "v0.31.3"
+      HADOLINT_VERSION: "2.12.0"
+    strategy:
+      fail-fast: false
+    # needs: pre-build-checks
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    outputs:
+      jupyter-image-name: ${{ steps.build-image.outputs.full_image_name }}
+    steps:
+    - name: Set ENV variables for a PR containing the auto-deploy tag
+      if: github.event_name == 'pull_request' && contains( github.event.pull_request.labels.*.name, 'auto-deploy')
+      run: | 
+        echo "REGISTRY=k8scc01covidacrdev.azurecr.io" >> "$GITHUB_ENV"
+        echo "IMAGE_VERSION=dev" >> "$GITHUB_ENV"
+   
+    - name: Set ENV variables for pushes to master
+      if: github.event_name == 'push' && github.ref == 'refs/heads/master-2.0'
+      run: | 
+        echo "REGISTRY=k8scc01covidacr.azurecr.io" >> "$GITHUB_ENV"
+        echo "IMAGE_VERSION=v2" >> "$GITHUB_ENV"
+        echo "IS_LATEST=true" >> "$GITHUB_ENV"
+
+    - uses: actions/checkout@master
+
+    - name: Echo disk usage before clean up
+      run: ./.github/scripts/echo_usage.sh
+
+    - name: Free up all available disk space before building
+      run: ./.github/scripts/cleanup_runner.sh
+
+    - name: Echo disk usage before build start
+      run: ./.github/scripts/echo_usage.sh
+
+    - name: Get current notebook name
+      id: notebook-name
+      shell: bash
+      run: |
+        echo NOTEBOOK_NAME=jupyterlab >> $GITHUB_OUTPUT
+
+    # Connect to Azure Container registry (ACR)
+    - uses: azure/docker-login@v1
+      with:
+        login-server: ${{ env.REGISTRY_NAME }}.azurecr.io
+        username: ${{ secrets.REGISTRY_USERNAME }}
+        password: ${{ secrets.REGISTRY_PASSWORD }}
+    
+    # Connect to Azure DEV Container registry (ACR)
+    - uses: azure/docker-login@v1
+      with:
+        login-server: ${{ env.DEV_REGISTRY_NAME }}.azurecr.io
+        username: ${{ secrets.DEV_REGISTRY_USERNAME }}
+        password: ${{ secrets.DEV_REGISTRY_PASSWORD }}
+
+    - name: Run Hadolint
+      run:  |
+        sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint
+        sudo chmod +x hadolint
+        ./hadolint dockerfiles/jupyterlab/Dockerfile --no-fail
+        
+    # make build emits full_image_name, image_tag, and image_repo outputs
+    - name: Build image
+      id: build-image
+      run: make build/jupyterlab REPO=${{ env.LOCAL_REPO }}
+
+    - name: Echo disk usage after build completion
+      run: ./.github/scripts/echo_usage.sh
+
+    - name: Add standard tag names (short sha, sha, and branch) and any other post-build activity
+      run: make post-build/jupyterlab REPO=${{ env.LOCAL_REPO }}
+
+    - name: Push image to local registry (default pushes all tags)
+      run: make push/jupyterlab REPO=${{ env.LOCAL_REPO }}
+    # Image testing
+
+    - name: Set Up Python for Test Suite
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.10' 
+
+    - name: Set up venv for Test Suite
+      run: |
+        python -m pip install --upgrade pip
+        make install-python-dev-venv
+
+    - name: Test image
+      run: make test/jupyterlab REPO=${{ env.LOCAL_REPO }}
+
+    # Free up space from build process (containerscan action will run out of space if we don't)
+    - run: ./.github/scripts/cleanup_runner.sh
+
+    # Scan image for vulnerabilities
+    - name: Aqua Security Trivy image scan
+    # see https://github.com/StatCan/aaw-private/issues/11 -- should be re-enabled
+      if: steps.notebook-name.outputs.NOTEBOOK_NAME != 'sas'
+      run: |
+        printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
+        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
+        trivy image ${{ steps.build-image.outputs.full_image_name }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
+
+    # Push image to ACR
+    # Pushes if this is a push to master or an update to a PR that has auto-deploy label
+    - name: Test if we should push to ACR
+      id: should-i-push
+      if: |
+        github.event_name == 'push' ||
+        (
+          github.event_name == 'pull_request' &&
+          contains( github.event.pull_request.labels.*.name, 'auto-deploy')
+        )
+      run: echo 'boolean=true' >> $GITHUB_OUTPUT
+
+    # Pull the local image back, then "build" it (will just tag the pulled image)
+    - name: Pull image back from local repo
+      if: steps.should-i-push.outputs.boolean == 'true'
+      run: docker pull ${{ steps.build-image.outputs.full_image_name }}
+
+    # Rename the localhost:5000/imagename:tag built above to use the real repo
+    # (get above's name from build-image's output)
+    - name: Tag images with real repository
+      if: steps.should-i-push.outputs.boolean == 'true'
+      run: > 
+        make post-build/jupyterlab DEFAULT_REPO=$REGISTRY IS_LATEST=$IS_LATEST
+        IMAGE_VERSION=$IMAGE_VERSION SOURCE_FULL_IMAGE_NAME=${{ steps.build-image.outputs.full_image_name }}
+
+    - name: Push image to registry
+      if: steps.should-i-push.outputs.boolean == 'true'
+      run: |
+        make push/jupyterlab DEFAULT_REPO=$REGISTRY
+
+    ## SAS BUILD
+    - name: Get current notebook name
+      id: notebook-name
+      shell: bash
+      run: |
+        echo NOTEBOOK_NAME=sas >> $GITHUB_OUTPUT
+
+    - name: Run Hadolint
+      run:  |
+        sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint
+        sudo chmod +x hadolint
+        ./hadolint dockerfiles/sas/Dockerfile --no-fail
+
+    - name: Build image
+      id: build-image
+      run: make build/sas REPO=${{ env.LOCAL_REPO }}
+
+    - name: Echo disk usage after build completion
+      run: ./.github/scripts/echo_usage.sh
+
+    - name: Add standard tag names (short sha, sha, and branch) and any other post-build activity
+      run: make post-build/sas REPO=${{ env.LOCAL_REPO }}
+
+    - name: Push image to local registry (default pushes all tags)
+      run: make push/sas REPO=${{ env.LOCAL_REPO }}
+    # Image testing
+
+    - name: Set Up Python for Test Suite
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.10' 
+
+    - name: Set up venv for Test Suite
+      run: |
+        python -m pip install --upgrade pip
+        make install-python-dev-venv
+
+    - name: Test image
+      run: make test/sas REPO=${{ env.LOCAL_REPO }}
+
+    # Free up space from build process (containerscan action will run out of space if we don't)
+    - run: ./.github/scripts/cleanup_runner.sh
+
+    # Scan image for vulnerabilities
+    - name: Aqua Security Trivy image scan
+    # see https://github.com/StatCan/aaw-private/issues/11 -- should be re-enabled
+      if: steps.notebook-name.outputs.NOTEBOOK_NAME != 'sas'
+      run: |
+        printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
+        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
+        trivy image ${{ steps.build-image.outputs.full_image_name }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
+
+    # Push image to ACR
+    # Pushes if this is a push to master or an update to a PR that has auto-deploy label
+    - name: Test if we should push to ACR
+      id: should-i-push
+      if: |
+        github.event_name == 'push' ||
+        (
+          github.event_name == 'pull_request' &&
+          contains( github.event.pull_request.labels.*.name, 'auto-deploy')
+        )
+      run: echo 'boolean=true' >> $GITHUB_OUTPUT
+
+    # Pull the local image back, then "build" it (will just tag the pulled image)
+    - name: Pull image back from local repo
+      if: steps.should-i-push.outputs.boolean == 'true'
+      run: docker pull ${{ steps.build-image.outputs.full_image_name }}
+
+    # Rename the localhost:5000/imagename:tag built above to use the real repo
+    # (get above's name from build-image's output)
+    - name: Tag images with real repository
+      if: steps.should-i-push.outputs.boolean == 'true'
+      run: > 
+        make post-build/sas DEFAULT_REPO=$REGISTRY IS_LATEST=$IS_LATEST
+        IMAGE_VERSION=$IMAGE_VERSION SOURCE_FULL_IMAGE_NAME=${{ steps.build-image.outputs.full_image_name }}
+
+    - name: Push image to registry
+      if: steps.should-i-push.outputs.boolean == 'true'
+      run: |
+        make push/sas DEFAULT_REPO=$REGISTRY
+        
+    - name: Slack Notification
+      if: failure() && github.event_name=='schedule'
+      uses: act10ns/slack@v1
+      with: 
+        status: failure
+        message: Build failed. https://github.com/StatCan/aaw-kubeflow-containers/actions/runs/${{github.run_id}}
