New namespace #361
Open
wants to merge 18 commits into
base: master
101 changes: 101 additions & 0 deletions .github/workflows/build-push-clamav-client.yaml
@@ -0,0 +1,101 @@
name: clamav-client-build-and-push-dev

on:
push:
branches: [master]
paths:
- "Java/README.md"
- "Java/clamav_client/**"
- .github/workflows/build-push-clamav-client.yaml
workflow_dispatch:

env:
IMAGE_NAME: clamav
WORKING_DIRECTORY: Java/clamav_client
REPO_KEY: af03
BRANCH_NAME: develop
VALUES_FILE: dev

jobs:
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- name: Login to Artifactory
uses: docker/login-action@v1
with:
registry: artifacts.developer.gov.bc.ca
username: ${{ secrets.ARTIFACTORY_USERNAME }}
password: ${{ secrets.ARTIFACTORY_PASSWORD }}

# Get SHORT_SHA for the version
- name: Get short SHA
id: short_sha
run: |
echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
echo "Short SHA: $SHORT_SHA"

- name: Build Image
working-directory: ${{env.WORKING_DIRECTORY}}
run: |
docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}-client:dev .

- name: Docker Push to Artifactory
run: |
docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}-client:dev

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: image
image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}-client:dev
format: 'table'
ignore-unfixed: true
limit-severities-for-sarif: true
severity: HIGH,CRITICAL

- name: Set GitOps SSH Key
uses: webfactory/ssh-agent@v0.5.4
with:
ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}

- name: Update Helm Dev Values and Commit
id: helm
run: |

echo "Updating ${{ env.BRANCH_NAME }} helm values to trigger ArgoCD deployment "

# Commit and push the changes
git config --global user.email "actions@github.com"
git config --global user.name "RSBC-APR GitHub Actions"
git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git

# Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test

cd tenant-gitops-f0392a/charts

# Update the Helm values file with the new image tag and version
DATETIME=$(date +'%Y-%m-%d %H:%M:%S') # Get current date and time
echo "Updating tag ccversion: to ${{ steps.short_sha.outputs.SHORT_SHA }}"

sed -i "s/ccversion: .*/ccversion: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml

git add .

git add ../deploy/${{ env.VALUES_FILE }}_values.yaml

# Repackage Helm Chart

cd gitops

helm dependency build

git add .

git commit -m "Update ${{ env.BRANCH_NAME }} clamavclient image tag"

# pull any changes
git pull origin ${{ env.BRANCH_NAME }}
git push origin ${{ env.BRANCH_NAME }} # Update the branch name as needed
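Review bot: the Trivy step (`- name: Run Trivy vulnerability scanner`) runs after `docker push`, and since no `exit-code` input is set, HIGH/CRITICAL findings neither fail the job nor stop the image from being published to Artifactory; move the scan between `Build Image` and `Docker Push to Artifactory` and add `exit-code: '1'` so a failing scan blocks the push. Two smaller points in the same hunk: `echo "Short SHA: $SHORT_SHA"` prints an empty string, because `SHORT_SHA` is only a step output and never a shell variable, and `::set-output` is deprecated by GitHub; write `echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"` instead, which keeps `steps.short_sha.outputs.SHORT_SHA` working unchanged.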
Comment on lines +21 to +101

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 18 days ago

To fix the issue, we will add a permissions block at the root of the workflow. This block will define the minimal permissions required for the workflow to function correctly. Based on the actions used in the workflow, the following permissions are needed:

  • contents: write for committing and pushing changes to the repository.
  • packages: write for pushing Docker images to the Artifactory registry.

The permissions block will be added after the name field in the workflow file.


Suggested changeset 1
.github/workflows/build-push-clamav-client.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build-push-clamav-client.yaml b/.github/workflows/build-push-clamav-client.yaml
--- a/.github/workflows/build-push-clamav-client.yaml
+++ b/.github/workflows/build-push-clamav-client.yaml
@@ -1,2 +1,5 @@
 name: clamav-client-build-and-push-dev
+permissions:
+  contents: write
+  packages: write
 
EOF
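Review bot: both `contents: write` and `packages: write` in this patch exceed what the workflow uses. The image is pushed to Artifactory with `ARTIFACTORY_USERNAME`/`ARTIFACTORY_PASSWORD`, not to GitHub Packages, and the Helm values commit goes to `bcgov-c/tenant-gitops-f0392a` over SSH with `RSBC_SSH_KEY`, not through `GITHUB_TOKEN`; the only consumer of the token is `actions/checkout`. Apply the minimal block CodeQL itself names, `permissions: {contents: read}`, rather than this one.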
Copilot is powered by AI and may make mistakes. Always verify output.
103 changes: 103 additions & 0 deletions .github/workflows/build-push-form-handler.yaml
@@ -0,0 +1,103 @@
name: form-handler-build-and-push-dev

on:
push:
branches: [master]
paths:
- python/*.py
- python/common/**
- python/form_handler/**
- .github/workflows/build-push-form-handler.yaml
- trigger.txt
workflow_dispatch:

env:
IMAGE_NAME: form-handler
WORKING_DIRECTORY: ./python
REPO_KEY: af03
BRANCH_NAME: develop
VALUES_FILE: dev

jobs:
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- name: Login to Artifactory
uses: docker/login-action@v1
with:
registry: artifacts.developer.gov.bc.ca
username: ${{ secrets.ARTIFACTORY_USERNAME }}
password: ${{ secrets.ARTIFACTORY_PASSWORD }}

# Get SHORT_SHA for the version
- name: Get short SHA
id: short_sha
run: |
echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
echo "Short SHA: $SHORT_SHA"

- name: Build Image
working-directory: ${{env.WORKING_DIRECTORY}}
run: |
docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev -f form_handler/Dockerfile .

- name: Docker Push to Artifactory
run: |
docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: image
image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
format: 'table'
ignore-unfixed: true
limit-severities-for-sarif: true
severity: HIGH,CRITICAL

- name: Set GitOps SSH Key
uses: webfactory/ssh-agent@v0.5.4
with:
ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}

- name: Update Helm Dev Values and Commit
id: helm
run: |

echo "Updating ${{ env.BRANCH_NAME }} helm values to trigger ArgoCD deployment "

# Commit and push the changes
git config --global user.email "actions@github.com"
git config --global user.name "RSBC-APR GitHub Actions"
git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git

# Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test

cd tenant-gitops-f0392a/charts

# Update the Helm values file with the new image tag and version
DATETIME=$(date +'%Y-%m-%d %H:%M:%S') # Get current date and time
echo "Updating tag fhversion: to ${{ steps.short_sha.outputs.SHORT_SHA }}"

sed -i "s/fhversion: .*/fhversion: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml

git add .

git add ../deploy/${{ env.VALUES_FILE }}_values.yaml

# Repackage Helm Chart

cd gitops

helm dependency build

git add .

git commit -m "Update ${{ env.BRANCH_NAME }} formhandler image tag"

# pull any changes
git pull origin ${{ env.BRANCH_NAME }}
git push origin ${{ env.BRANCH_NAME }} # Update the branch name as needed
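Review bot: every `uses:` in this hunk points at a mutable ref (`actions/checkout@v3`, `docker/login-action@v1`, `aquasecurity/trivy-action@master`, `webfactory/ssh-agent@v0.5.4`), and `trivy-action@master` in particular resolves to whatever is on that branch at run time, in a job that holds `ARTIFACTORY_PASSWORD` and `RSBC_SSH_KEY`; pin each action to a full commit SHA (with the version in a trailing comment) so that action updates land through a reviewed change in this repository. Separately, `git pull origin ${{ env.BRANCH_NAME }}` runs after `git commit`, so any concurrent change on `develop` produces a merge commit in the gitops repo; pull (or `git pull --rebase`) before committing, or add a `concurrency:` group so two image builds cannot race on the same branch.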
Comment on lines +23 to +103

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 18 days ago

To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for the workflow to function correctly. Based on the operations performed in the workflow, the following permissions are recommended:

  • contents: read for reading repository contents.
  • pull-requests: write for updating Helm values and committing changes.

The permissions block can be added at the root level of the workflow to apply to all jobs or within the build job to limit permissions to that specific job.


Suggested changeset 1
.github/workflows/build-push-form-handler.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build-push-form-handler.yaml b/.github/workflows/build-push-form-handler.yaml
--- a/.github/workflows/build-push-form-handler.yaml
+++ b/.github/workflows/build-push-form-handler.yaml
@@ -13,2 +13,6 @@
 
+permissions:
+  contents: read
+  pull-requests: write
+
 env:
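Review bot: `pull-requests: write` is not used by any step of this workflow; nothing opens, comments on or updates a pull request, and the Helm values commit is pushed over SSH to a separate gitops repository, so `GITHUB_TOKEN` is not involved in it. Drop that line and keep `contents: read` only, which is all `actions/checkout` needs here.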
EOF
103 changes: 103 additions & 0 deletions .github/workflows/build-push-ingestor.yaml
@@ -0,0 +1,103 @@
name: ingestor-build-and-push-dev

on:
push:
branches: [master]
paths:
- python/*.py
- python/common/**
- python/form_handler/**
- .github/workflows/build-push-ingestor.yaml
- trigger.txt
workflow_dispatch:

env:
IMAGE_NAME: ingestor
WORKING_DIRECTORY: ./python
REPO_KEY: af03
BRANCH_NAME: develop
VALUES_FILE: dev

jobs:
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- name: Login to Artifactory
uses: docker/login-action@v1
with:
registry: artifacts.developer.gov.bc.ca
username: ${{ secrets.ARTIFACTORY_USERNAME }}
password: ${{ secrets.ARTIFACTORY_PASSWORD }}

# Get SHORT_SHA for the version
- name: Get short SHA
id: short_sha
run: |
echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
echo "Short SHA: $SHORT_SHA"

- name: Build Image
working-directory: ${{env.WORKING_DIRECTORY}}
run: |
docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev -f ingestor/Dockerfile .

- name: Docker Push to Artifactory
run: |
docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: image
image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
format: 'table'
ignore-unfixed: true
limit-severities-for-sarif: true
severity: HIGH,CRITICAL

- name: Set GitOps SSH Key
uses: webfactory/ssh-agent@v0.5.4
with:
ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}

- name: Update Helm Dev Values and Commit
id: helm
run: |

echo "Updating ${{ env.BRANCH_NAME }} helm values to trigger ArgoCD deployment "

# Commit and push the changes
git config --global user.email "actions@github.com"
git config --global user.name "RSBC-APR GitHub Actions"
git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git

# Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test

cd tenant-gitops-f0392a/charts

# Update the Helm values file with the new image tag and version
DATETIME=$(date +'%Y-%m-%d %H:%M:%S') # Get current date and time
echo "Updating tag iversion: to ${{ steps.short_sha.outputs.SHORT_SHA }}"

sed -i "s/iversion: .*/iversion: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml

git add .

git add ../deploy/${{ env.VALUES_FILE }}_values.yaml

# Repackage Helm Chart

cd gitops

helm dependency build

git add .

git commit -m "Update ${{ env.BRANCH_NAME }} ingestor image tag"

# pull any changes
git pull origin ${{ env.BRANCH_NAME }}
git push origin ${{ env.BRANCH_NAME }} # Update the branch name as needed
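Review bot: the `paths:` filter lists `python/form_handler/**` but not `python/ingestor/**`, even though this job builds from `ingestor/Dockerfile`; as written, a change to the ingestor code alone never triggers the build, while a form-handler change rebuilds the ingestor. This looks copied from build-push-form-handler.yaml and should read `- python/ingestor/**`. The two Python workflows are otherwise identical apart from `IMAGE_NAME`, the Dockerfile path and the `*version:` key edited by `sed`, so a single reusable workflow (`on: workflow_call` with those as inputs) would keep later fixes from diverging between the copies.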
Comment on lines +23 to +103

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 18 days ago

To fix the issue, we need to add a permissions block to the workflow. This block should specify the minimal permissions required for the workflow to function correctly. Based on the operations performed in the workflow, the following permissions are recommended:

  • contents: read for accessing repository files.
  • pull-requests: write for updating Helm values and committing changes.

The permissions block can be added at the root level of the workflow to apply to all jobs or within the build job to limit permissions to that specific job.

Suggested changeset 1
.github/workflows/build-push-ingestor.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build-push-ingestor.yaml b/.github/workflows/build-push-ingestor.yaml
--- a/.github/workflows/build-push-ingestor.yaml
+++ b/.github/workflows/build-push-ingestor.yaml
@@ -13,2 +13,6 @@
 
+permissions:
+  contents: read
+  pull-requests: write
+
 env:
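Review bot: as with the form-handler patch, `pull-requests: write` grants a scope this workflow never exercises; the commit at the end of the job targets the gitops repository over SSH, and no step touches a pull request. Reduce the block to `contents: read`.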
EOF