build-installer.yaml

name: Build workflow - Installer
on: 
  push:
    branches:
      - master
    paths:
      - .github/workflows/build-installer.yml
      - build/Dockerfile
      - ./*.sh
      - ./*.in
  pull_request:
    branches:
      - master
    paths:
      - .github/workflows/build-installer.yml
      - build/Dockerfile
      - ./*.sh
      - ./*.in
  workflow_dispatch:
  release:
    types:
      - published

jobs:
  check_bash:
    name: Bash shell lint check
    if: github.event_name == 'push' || github.event_name == 'pull_request'
    # This action fails for events that are not 'push' or 'pull_request' because it can't find the commit SHA
    runs-on: ubuntu-16.04
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Bash shell lint check with shellcheck
        uses: reviewdog/action-shellcheck@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          reporter: github-check
          level: error
          pattern: '*.sh'
          path: '.'
          exclude: './test/*'

  check_yaml:
    name: YAML lint check
    runs-on: ubuntu-16.04
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: 'Yaml lint'
        uses: karancode/yamllint-github-action@master
        with:
          yamllint_file_or_dir: './*.yaml*'
          yamllint_strict: false
          yamllint_comment: true
        env:
          GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  sysdig_dockerfile_cis_benchmark:
    name: Sysdig Dockerfile CIS benchmark
    needs: [check_yaml]
    runs-on: ubuntu-16.04
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Sysdig CIS dockerfile benchmark
        uses: sysdiglabs/benchmark-dockerfile@v1.0.0
        id: cis_dockerfile_benchmark
        with:
          directory: './build'
          dockerfilePattern: 'Dockerfile'
          disallowedPackages: 'netcat'
          secretPatterns: 'aws_secret,pass'    
      - name: Post run Sysdig CIS dockerfile benchmark
        env:
          SYSDIG_SECURE_TOKEN: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_SHA: ${{ github.event.pull_request.head.sha }}
          PR_OWNER: ${{ github.event.pull_request.head.user.login }}
        run: |
          echo "###"
          echo "{\"pr_name\": \"${PR_TITLE}\", \"pr_sha\": \"${PR_SHA}\", \"pr_owner\": \"${PR_OWNER}\"}" > /tmp/report.json
          echo ${{ toJSON(steps.cis_dockerfile_benchmark.outputs.violation_report) }} > /tmp/report
          reportString=$(sed 's/"/\\"/g' /tmp/report)
          echo $reportString
          # send result to Sysdig monitor
          curl -X POST -s https://app.sysdigcloud.com/api/events -H 'Content-Type: application/json; charset=UTF-8' -H 'Authorization: Bearer '"${SYSDIG_SECURE_TOKEN}"'' -d '{"event":{"name":"CIS Dockerfile Benchmark - PR: '"${PR_TITLE}"' ","description":"'"${reportString}"'","severity":"6"}}' --compressed
          echo "###"

  sysdig_image_scan:
    name: Sysdig image scan
    needs: [check_yaml]
    runs-on: ubuntu-16.04
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2      
      - name: Build the Docker image
        run: docker build -f ./build/Dockerfile . --tag sysdiglabs/aks-audit-log-installer
      - name: Pull Sysdig inline scan
        run: docker pull sysdiglabs/secure-inline-scan:2
      - name: Run Sysdig inline image scan
        id: run_sysdig_inline_scan
        env:
          SYSDIG_SECURE_TOKEN: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
        run: |          
          docker run --rm \
              -v /var/run/docker.sock:/var/run/docker.sock \
              quay.io/sysdig/secure-inline-scan:2 \
              --sysdig-url https://secure.sysdig.com \
              --sysdig-token "$SYSDIG_SECURE_TOKEN" \
              --storage-type docker-daemon \
              --storage-path /var/run/docker.sock \
              sysdiglabs/aks-audit-log-installer \
              | tee sysdig_image_scan_result.txt

          SCAN_RESULT=${PIPESTATUS[0]}
          echo "::set-output name=SCAN_RESULT::$SCAN_RESULT"
          echo "Scan finished with result: $SCAN_RESULT"
      - name: SCAN RESULT
        env:
          SCAN_RESULT: ${{ steps.run_sysdig_inline_scan.outputs.SCAN_RESULT }}
        run: |
          cat sysdig_image_scan_result.txt
          echo ; echo "******************************"
          [ "$SCAN_RESULT" -eq 0 ] && echo "** Scan result  > PASS <    **"
          [ "$SCAN_RESULT" -eq 1 ] && echo "** Scan result  > FAIL <    **"
          [ "$SCAN_RESULT" -eq 2 ] && echo "** Wrong script invokation  **"
          [ "$SCAN_RESULT" -eq 3 ] && echo "** Runtime error            **"
          echo "******************************" ; echo
          exit $SCAN_RESULT

  publish_images:
    name: Publish container images to registries
    needs: [sysdig_image_scan]
    runs-on: ubuntu-16.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Login to DockerHub
        uses: docker/login-action@v1 
        with:
          username: ${{ secrets.SYSDIGLABS_DOCKERHUB_USER }}
          password: ${{ secrets.SYSDIGLABS_DOCKERHUB_TOKEN }}
      - name: Prepare version labels
        id: prepare_version_labels
        env:
          VERSION_TAG: ${{ github.event.release.tag_name }}
        run: |
          echo "Version tag: $VERSION_TAG"
          VERSION_MAJOR=$(echo $VERSION_TAG | sed 's/v\([0-9]*\).*/\1/' )
          VERSION_FULL=$(echo $VERSION_TAG | sed 's/v\([0-9][0-9\.]*\).*/\1/' )
          [ -z $VERSION_TAG ] && VERSION_FULL="master"
          [ -z $VERSION_FULL ] && VERSION_FULL="master"
          [ -z $VERSION_MAJOR ] && VERSION_MAJOR="dev"
          echo "Version major: $VERSION_MAJOR"
          echo "Version full: $VERSION_FULL"
          echo "::set-output name=VERSION_MAJOR::$VERSION_MAJOR"
          echo "::set-output name=VERSION_FULL::$VERSION_FULL"
      - name: Build and push Docker Hub
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./build/Dockerfile
          platforms: linux/amd64
          push: true
          tags: |
            quay.io/sysdig/aks-audit-log-installer:latest
            quay.io/sysdig/aks-audit-log-installer:${{ steps.prepare_version_labels.outputs.VERSION_MAJOR }}
            quay.io/sysdig/aks-audit-log-installer:${{ steps.prepare_version_labels.outputs.VERSION_FULL }}
      - name: Login to GitHub Packages
        if: github.event_name == 'release'
        uses: docker/login-action@v1 
        with:
          registry: docker.pkg.github.com
          username: ${{ secrets.CR_PAT_PKG_USER }}
          password: ${{ secrets.CR_PAT_PKG }}
      - name: Build and Push to GitHub Packages
        if: github.event_name == 'release'
        run: |
          docker build ${CONTEXT_PATH} -f ${DOCKERFILE_PATH} \
            -t docker.pkg.github.com/${GH_REPO}/${IMAGE_NAME}:${VERSION_FULL}
          docker push \
               docker.pkg.github.com/${GH_REPO}/${IMAGE_NAME}:${VERSION_FULL}
        env:
          IMAGE_NAME: aks-audit-log-installer
          CONTEXT_PATH: ./
          DOCKERFILE_PATH: build/Dockerfile
          VERSION_FULL: ${{ steps.prepare_version_labels.outputs.VERSION_FULL }}
          GH_REPO: sysdiglabs/aks-audit-log