Skip to content

refactor(ci/cd) Updated main.yml with docker-scout vuln check in fron… #30

refactor(ci/cd) Updated main.yml with docker-scout vuln check in fron…

refactor(ci/cd) Updated main.yml with docker-scout vuln check in fron… #30

Workflow file for this run

name: DevOps Engineer Assignment Workflow
on:
push:
branches: [main, dev]
paths:
- .github/workflows/main.yml
- frontend/*
- backend/*
- k8s/manifests/**/*
pull_request:
branches: [main]
defaults:
run:
shell: bash
permissions:
actions: write
contents: write
jobs:
Build-And-Test:
if: ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-22.04
defaults:
run:
shell: bash
working-directory: ./backend
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
refs: ${{ github.refs_name }}
- name: Setup node
uses: actions/setup-node@v4
with:
node-version: '14.21.3'
- name: Install dependencies
run: npm install
- name: Create production build folder
run: npm run build --if-present
- name: Testing API
run: npm test
################################### FRONTEND ###############################################
Build-And-Push-Frontend:
if: contains(github.event.head_commit.message, 'frontend')
runs-on: ubuntu-24.04
defaults:
run:
shell: bash
working-directory: frontend/
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
ref: ${{ github.ref_name }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Registry
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USER }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Building Docker Image
run: docker build . -t ${{ vars.DOCKER_USER }}/eng-frontend:1.${{ github.run_number }}.${{ github.run_attempt}}
- name: Pushing Docker Image
run: docker push ${{ vars.DOCKER_USER }}/eng-frontend:1.${{ github.run_number }}.${{ github.run_attempt}}
Image-Vuln-Check-Frontend:
runs-on: ubuntu-24.04
needs: [Build-And-Push-Frontend]
steps:
- name: Login to Docker Registry
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USER }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Docker Scout
id: docker-scout
uses: docker/scout-action@v1
with:
command: cves,recommendations
image: docker.io/${{ vars.DOCKER_USER }}/eng-frontend:1.${{ github.run_number }}.${{ github.run_attempt}}
ignore-unchanged: true
only-severities: critical,high
write-comment: true
github-token: ${{ secrets.GITHUB_TOKEN }}
Update-ImgTag-Frontend:
runs-on: ubuntu-24.04
needs: [Image-Vuln-Check-Frontend]
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Update tag in K8s Deployment
run: |
sed -i 's|\(uj5ghare/eng-frontend:\)[^[:space:]]*|\11.${{ github.run_number }}.${{ github.run_attempt}}|' k8s/manifests/frontend/deployment.yml
- name: Commit and push changes
run: |
git pull origin ${{ github.ref_name }}
git config --global user.email "${{ secrets.GH_USER_MAIL }}"
git config --global user.name "${{ vars.GH_USER_NAME }}"
git add .
git commit -m "refactor(k8s) updated k8s deployment image tag"
git push
#NOTE: I understand that following job does not adhere to real-world practices, but it is simply an experiment to showcase that we can use k8s to deploy our apps to github servers to simulate how it will function on our actual server/vm.
# I could have utilized EKS cluster here, but it's a very expensive service, and my AWS credits are ov
Deploy-On-Minikube-Frontend:
if: contains(github.event.head_commit.message, 'frontend')
runs-on: ubuntu-24.04
needs: [Update-ImgTag-Frontend]
defaults:
run:
shell: bash
working-directory: k8s/manifests/frontend/
steps:
- uses: actions/checkout@v4
with:
refs: ${{ github.refs_name }}
- name: Start minikube
uses: medyagh/setup-minikube@latest
- name: Try the cluster!
run: kubectl get pods -A
- name: Deploy to minikube
run: |
kubectl apply -f namespace.yml
kubectl apply -f .
- name: Watch the changes
run: |
sleep 20
kubectl get all -n app
sleep 10
kubectl get all -n app
Slack-Notification-Frontend:
if: contains(github.event.head_commit.message, 'frontend')
runs-on: ubuntu-24.04
needs: [Deploy-On-Minikube-Frontend]
steps:
- name: Post to a Slack channel
uses: slackapi/[email protected]
with:
method: chat.postMessage
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
channel: ${{ secrets.SLACK_CHANNEL_ID }}
text: "GitHub Action Deployment result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
blocks:
- type: "section"
text:
type: "mrkdwn"
text: "GitHub Action Deployment result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
################################### BACKEND ###############################################
Build-And-Push-Backend:
if: contains(github.event.head_commit.message, 'backend')
runs-on: ubuntu-24.04
defaults:
run:
shell: bash
working-directory: backend/
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
ref: ${{ github.ref_name }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Registry
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USER }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Building Docker Image
run: docker build . -t ${{ vars.DOCKER_USER }}/eng-backend:1.${{ github.run_number }}.${{ github.run_attempt}}
- name: Pushing Docker Image
run: docker push ${{ vars.DOCKER_USER }}/eng-backend:1.${{ github.run_number }}.${{ github.run_attempt}}
Image-Vuln-Check-Backend:
runs-on: ubuntu-24.04
needs: [Build-And-Push-Backend]
steps:
- name: Login to Docker Registry
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USER }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Docker Scout
id: docker-scout
uses: docker/scout-action@v1
with:
command: cves,recommendations
image: docker.io/${{ vars.DOCKER_USER }}/eng-backend:1.${{ github.run_number }}.${{ github.run_attempt}}
ignore-unchanged: true
only-severities: critical,high
write-comment: true
github-token: ${{ secrets.GITHUB_TOKEN }}
Update-ImgTag-Backend:
runs-on: ubuntu-24.04
needs: [Image-Vuln-Check-Backend]
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Update tag in K8s Deployment
run: |
sed -i 's|\(uj5ghare/eng-backend:\)[^[:space:]]*|\11.${{ github.run_number }}.${{ github.run_attempt}}|' k8s/manifests/backend/deployment.yml
- name: Commit and push changes
run: |
git pull origin ${{ github.ref_name }}
git config --global user.email "${{ secrets.GH_USER_MAIL }}"
git config --global user.name "${{ vars.GH_USER_NAME }}"
git add .
git commit -m "refactor(k8s) updated k8s deployment image tag"
git push
#NOTE: I understand that following job does not adhere to real-world practices, but it is simply an experiment to showcase that we can use k8s to deploy our apps to github servers to simulate how it will function on our actual server/vm.
# I could have utilized EKS cluster here, but it's a very expensive service, and my AWS credits are over.
Deploy-On-Minikube-Backend:
if: contains(github.event.head_commit.message, 'backend')
runs-on: ubuntu-24.04
needs: [Update-ImgTag-Backend]
defaults:
run:
shell: bash
working-directory: k8s/manifests/backend/
steps:
- uses: actions/checkout@v4
with:
refs: ${{ github.refs_name }}
- name: Start minikube
uses: medyagh/setup-minikube@latest
- name: Enable Metrics Server
run: |
minikube addons enable metrics-server
kubectl wait --for=condition=available --timeout=300s deployment/metrics-server -n kube-system
- name: Install Prometheus and Grafana
run: |
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm install prometheus prometheus-community/prometheus --set alertmanager.enabled=true
- name: Deploy to minikube
run: |
kubectl apply -f namespace.yml
kubectl apply -f .
- name: Watch the changes
run: |
sleep 10
kubectl get all -n kube-system
sleep 15
kubectl get all -n app
sleep 5
kubectl port-forward svc/node-svc 8000:80 --address 0.0.0.0 -n app &
# - name: Monitor Resource Usage
# run: |
# sleep 30
# kubectl top pods -n app
# kubectl get all -n app
- name: Health Check for Backend
run: |
set -e
for i in {1..5}; do
if curl -fsS http://localhost:8000/status; then
echo "Backend is healthy!"
exit 0
else
echo "Attempt $i: Backend is down!"
sleep 10
fi
done
echo "ALERT: Backend is down!" >&2
Slack-Notification-Backend:
if: contains(github.event.head_commit.message, 'backend')
runs-on: ubuntu-24.04
needs: [Deploy-On-Minikube-Backend]
steps:
- name: Post to a Slack channel
uses: slackapi/[email protected]
with:
method: chat.postMessage
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
channel: ${{ secrets.SLACK_CHANNEL_ID }}
text: "GitHub Action Deployment result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
blocks:
- type: "section"
text:
type: "mrkdwn"
text: "GitHub Action Deployment result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"