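---
name: Build and Push Container

# NOTE(review): no workflow-level `permissions:` is set, so GITHUB_TOKEN carries
# the repository default. `permissions: contents: read` would narrow it if the
# actions used in the jobs need nothing more — confirm against the actions
# before adding it.

# The same three inputs are declared for both triggers because a reusable
# workflow cannot share an input block between workflow_dispatch and
# workflow_call.
# yamllint disable-line rule:truthy
on:
  # Manual run from the Actions UI.
  workflow_dispatch:
    inputs:
      postgres-major-version:
        description: "Postgres major version to use for release."
        type: string
        required: true
      services:
        description: "Json list with postgres services to upgrade."
        type: string
        required: true
      version:
        description: "Opensight-postgres version to release."
        type: string
        required: true
  # Reusable entry point for other workflows.
  workflow_call:
    inputs:
      postgres-major-version:
        description: "Postgres major version to release."
        type: string
        required: true
      services:
        description: "Json list with postgres services to upgrade."
        type: string
        required: true
      version:
        description: "Opensight-postgres version to release."
        type: string
        required: true
    secrets:
      COSIGN_KEY_OPENSIGHT:
        required: true
      COSIGN_KEY_PASSWORD_OPENSIGHT:
        required: true
      GREENBONE_BOT_TOKEN:
        required: true
      # The jobs below also read these registry credentials. They are declared
      # as optional so a caller that passes secrets explicitly (instead of
      # `secrets: inherit`) can forward them; callers using `secrets: inherit`
      # are unaffected. The replication job skips itself when its token is
      # empty, the registry push does not.
      GREENBONE_REGISTRY_USER:
        required: false
      GREENBONE_REGISTRY_TOKEN:
        required: false
      GREENBONE_REGISTRY_REPLICATION_USER:
        required: false
      GREENBONE_REGISTRY_REPLICATION_TOKEN:
        required: false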
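jobs:
  # Builds, signs and pushes the image, then emits the service-upgrade matrix
  # consumed by push-service.
  push-postgres:
    runs-on: self-hosted-generic
    steps:
      - name: Checkout
        # NOTE(review): version tags can be moved; pinning third-party actions
        # to a full commit SHA (tag in a trailing comment) is the usual
        # hardening. Same applies to the greenbone/actions@v3 uses below.
        uses: actions/checkout@v6.0.2
      - name: Build and Push Greenbone Registry
        id: build
        uses: greenbone/actions/container-build-push-generic@v3
        with:
          build-args: "POSTGRES_VERSION=${{ inputs.postgres-major-version }}"
          cosign-key: ${{ secrets.COSIGN_KEY_OPENSIGHT }}
          cosign-key-password: ${{ secrets.COSIGN_KEY_PASSWORD_OPENSIGHT }}
          # The signature is not recorded in the public transparency log.
          cosign-tlog-upload: "false"
          image-url: opensight-dev/opensight-postgres
          image-labels: |
            org.opencontainers.image.vendor=Greenbone
            org.opencontainers.image.base.name=postgres:${{ inputs.postgres-major-version }}
            org.opencontainers.image.version=${{ inputs.version }}
          image-tags: |
            type=raw,value=${{ inputs.postgres-major-version }}
            type=raw,value=${{ inputs.version }}
            type=raw,value=v${{ inputs.version }}
          registry: ${{ vars.GREENBONE_REGISTRY }}
          registry-username: ${{ secrets.GREENBONE_REGISTRY_USER }}
          registry-password: ${{ secrets.GREENBONE_REGISTRY_TOKEN }}
          # For whatever reason, the native buildx doesn't build annotations!
          buildx-container: "true"
      - name: Service upgrade matrix
        id: upgrade
        # Inputs and step outputs are handed to the script through env instead
        # of being interpolated into its text, so a value containing quotes or
        # shell metacharacters cannot alter what the shell executes. jq --arg
        # does the same for the values embedded in the JSON.
        env:
          SERVICES: ${{ inputs.services }}
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
          RELEASE_VERSION: ${{ inputs.version }}
        run: |
          matrix="$(printf '%s\n' "$SERVICES" | jq -r \
            --arg digest "$IMAGE_DIGEST" \
            --arg version "$RELEASE_VERSION" \
            '{include: [.[] | {service: ., "image-url": "opensight-dev/opensight-postgres", digest: $digest, version: $version}]} | @json')"
          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
    outputs:
      # JSON object with an `include` list: one entry per service in
      # inputs.services, carrying the image name, digest and version.
      matrix: ${{ steps.upgrade.outputs.matrix }}

  # Scans the pushed image and publishes its SBOM via a reusable workflow.
  push-sbom:
    name: Scan image and push SBOM
    if: ${{ needs.push-postgres.outputs.matrix }}
    needs: push-postgres
    # NOTE(review): "@main" is a floating ref; a tag or SHA pin would make the
    # called workflow's contents reproducible between runs.
    uses: greenbone/workflows/.github/workflows/generate-and-push-sbom-with-trivy-3rd-gen.yml@main
    with:
      image-url: "${{ vars.GREENBONE_REGISTRY }}/opensight-dev/opensight-postgres:${{ inputs.version }}"
      # The called workflow looks these secrets up by name, which is why
      # `secrets: inherit` is required below.
      image-registry-username-secret-name: "GREENBONE_REGISTRY_READ_USER"
      image-registry-password-secret-name: "GREENBONE_REGISTRY_READ_TOKEN"
      output-file-name: "opensight-postgres.${{ inputs.version }}.sbom.json"
      artifact-url: "${{ vars.GREENBONE_REGISTRY }}/opensight-dev/opensight-postgres-sbom:${{ inputs.version }}"
    # Forwards every secret available to this workflow to the called one; keep
    # that in mind when adding secrets here.
    secrets: inherit

  # Kicks off the Harbor replication policy; a no-op when the token is unset.
  harbor-replication:
    needs:
      - push-postgres
      - push-sbom
    runs-on: self-hosted-generic
    steps:
      - name: Trigger harbor replication
        shell: bash
        # Credentials reach the script through env so they are not part of
        # the script text. They still appear in curl's argument list on the
        # runner; a curl config file read from stdin would avoid that.
        env:
          HARBOR_HOST: ${{ vars.GREENBONE_REGISTRY }}
          REPLICATION_USER: ${{ secrets.GREENBONE_REGISTRY_REPLICATION_USER }}
          REPLICATION_TOKEN: ${{ secrets.GREENBONE_REGISTRY_REPLICATION_TOKEN }}
        run: |
          if [ -z "$REPLICATION_TOKEN" ]; then
            echo "Secret GREENBONE_REGISTRY_REPLICATION_TOKEN does not exist"
            exit 0
          fi
          # Replication policy id 1 is hard-coded; the Harbor instance must
          # keep that id stable.
          curl --fail-with-body -X POST \
            "https://${HARBOR_HOST}/api/v2.0/replication/executions" \
            -u "${REPLICATION_USER}:${REPLICATION_TOKEN}" \
            -H "Content-Type: application/json" \
            -d '{"policy_id": 1}'

  # Triggers the product-compose upgrade once per service, strictly serially.
  push-service:
    needs:
      - push-postgres
      - push-sbom
      - harbor-replication
    if: ${{ needs.push-postgres.outputs.matrix }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      # We have to run one workflow after the other here
      # because our product compose Construction Process cannot handle multiple processes.
      max-parallel: 1
      matrix: ${{ fromJSON(needs.push-postgres.outputs.matrix) }}
    steps:
      - name: Trigger product compose upgrade
        uses: greenbone/actions/trigger-workflow@v3
        with:
          token: ${{ secrets.GREENBONE_BOT_TOKEN }}
          repository: "greenbone/automatix"
          workflow: "push.yml"
          # The JSON is assembled by string interpolation; the values come
          # from the matrix built in push-postgres, so a double quote in a
          # service name would break it — keep inputs.services free of them.
          inputs: '{"service": "${{ matrix.service }}", "image-url": "${{ matrix.image-url }}", "digest": "${{ matrix.digest }}", "version": "${{ matrix.version }}"}'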