tum
/
soc


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244
							run-name: Launch Push Docker Images - ${{ inputs.id }}
name: Push Docker Images

on:
  workflow_dispatch:
    inputs:
      image_tag:
        description: 'Docker image tag'
        default: '4.14.3'
        required: true
      docker_reference:
        description: 'wazuh-docker reference'
        required: true
      filebeat_module_version:
        description: 'Filebeat module version'
        default: '0.5'
        required: true
      revision:
        description: 'Package revision'
        default: '1'
        required: true
      id:
        description: "ID used to identify the workflow uniquely."
        type: string
        required: false
      dev:
        description: "Add tag suffix '-dev' to the image tag ?"
        type: boolean
        default: true
        required: false
  workflow_call:
    inputs:
      image_tag:
        description: 'Docker image tag'
        default: '4.14.3'
        required: true
        type: string
      docker_reference:
        description: 'wazuh-docker reference'
        required: false
        type: string
      filebeat_module_version:
        description: 'Filebeat module version'
        default: '0.5'
        required: true
        type: string
      revision:
        description: 'Package revision'
        default: '1'
        required: true
        type: string
      id:
        description: "ID used to identify the workflow uniquely."
        type: string
        required: false
      dev:
        description: "Add tag suffix '-dev' to the image tag ?"
        type: boolean
        default: false
        required: false

jobs:
  build-and-push:
    runs-on: ubuntu-22.04

    permissions:
      id-token: write
      contents: read

    env:
      IMAGE_REGISTRY: ${{ inputs.dev && vars.IMAGE_REGISTRY_DEV || vars.IMAGE_REGISTRY_PROD }}
      IMAGE_TAG: ${{ inputs.image_tag }}
      FILEBEAT_MODULE_VERSION: ${{ inputs.filebeat_module_version }}
      REVISION: ${{ inputs.revision }}

    steps:
    - name: Print inputs
      run: |
        echo "---------------------------------------------"
        echo "Running Procedure_push_docker_images workflow"
        echo "---------------------------------------------"
        echo "* BRANCH: ${{ github.ref }}"
        echo "* COMMIT: ${{ github.sha }}"
        echo "---------------------------------------------"
        echo "Inputs provided:"
        echo "---------------------------------------------"
        echo "* id: ${{ inputs.id }}"
        echo "* image_tag: ${{ inputs.image_tag }}"
        echo "* docker_reference: ${{ inputs.docker_reference }}"
        echo "* filebeat_module_version: ${{ inputs.filebeat_module_version }}"
        echo "* revision: ${{ inputs.revision }}"
        echo "* dev: ${{ inputs.dev }}"
        echo "---------------------------------------------"

    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        ref: ${{ inputs.docker_reference }}

    - name: free disk space
      uses: ./.github/free-disk-space

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - name: Configure aws credentials
      if: ${{ inputs.dev == true }}
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ secrets.AWS_IAM_DOCKER_ROLE }}
        aws-region: "${{ secrets.AWS_REGION }}"

    - name: Log in to Amazon ECR
      if: ${{ inputs.dev == true }}
      uses: aws-actions/amazon-ecr-login@v2

    - name: Log in to Docker Hub
      if: ${{ inputs.dev == false }}
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_PASSWORD }}

    - name: Build Wazuh images
      run: |
        IMAGE_TAG="${{ inputs.image_tag }}"
        FILEBEAT_MODULE_VERSION=${{ inputs.filebeat_module_version }}
        REVISION=${{ inputs.revision }}

        if [[ "$IMAGE_TAG" == *"-"* ]]; then
          IFS='-' read -r -a tokens <<< "$IMAGE_TAG"
          if [ -z "${tokens[1]}" ]; then
            echo "Invalid image tag: $IMAGE_TAG"
            exit 1
          fi
          DEV_STAGE=${tokens[1]}
          WAZUH_VER=${tokens[0]}
          ./build-images.sh -v $WAZUH_VER -r $REVISION -d $DEV_STAGE -f $FILEBEAT_MODULE_VERSION -rg $IMAGE_REGISTRY -m
        else
          ./build-images.sh -v $IMAGE_TAG -r $REVISION -f $FILEBEAT_MODULE_VERSION -rg $IMAGE_REGISTRY -m
        fi

        # Save .env file (generated by build-images.sh) contents to $GITHUB_ENV
        ENV_FILE_PATH="../.env"

        if [ -f $ENV_FILE_PATH ]; then
          while IFS= read -r line || [ -n "$line" ]; do
            echo "$line" >> $GITHUB_ENV
          done < $ENV_FILE_PATH
        else
          echo "The environment file $ENV_FILE_PATH does not exist!"
          exit 1
        fi
      working-directory: ./build-docker-images

    - name: Image exists validation
      if: ${{ inputs.dev == false }}
      id: validation
      run: |
        IMAGE_TAG=${{ inputs.image_tag }}
        PURPOSE=""

        if [[ "$IMAGE_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
          if docker manifest inspect $IMAGE_REGISTRY/wazuh/wazuh-manager:$IMAGE_TAG > /dev/null 2>&1; then
            PURPOSE="regeneration"
            echo "Image wazuh/wazuh-manager:$IMAGE_TAG exists. Setting PURPOSE to 'regeneration'"
          else
            PURPOSE="new release"
            echo "Image wazuh/wazuh-manager:$IMAGE_TAG does NOT exist. Setting PURPOSE to 'new release'"
          fi
          echo "✅ Release tag: '$IMAGE_TAG'"
        elif [[ "$IMAGE_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+-(alpha|beta|rc)[0-9]+$ ]]; then
          PURPOSE="new stage"
          echo "✅ Stage tag: '$IMAGE_TAG'. Setting PURPOSE to 'new stage'"
        else
          echo "❌ No release or stage tag ('$IMAGE_TAG'), the GH issue will not be created"
        fi

        echo "purpose=$PURPOSE" >> $GITHUB_OUTPUT

    - name: GH issue notification
      if: ${{ inputs.dev == false && steps.validation.outputs.purpose != '' }}
      run: |
        IMAGE_TAG=${{ inputs.image_tag }}
        GH_TITLE=""
        GH_MESSAGE=""
        PURPOSE="${{ steps.validation.outputs.purpose }}"

        ## Setting GH issue title
        GH_TITLE="Artifactory vulnerabilities update \`v$IMAGE_TAG\`"

        ## Setting GH issue body
        GH_MESSAGE=$(cat <<- EOF | tr -d '\r' | sed 's/^[[:space:]]*//'
        ### Description
        - [ ] Update the [Artifactory vulnerabilities](${{ secrets.NOTIFICATION_SHEET_URL }}) sheet with the \`v$IMAGE_TAG\` vulnerabilities.

        **Purpose**: $PURPOSE
        >[!NOTE]
        >To update the \`Tentative Release\` column, follow these steps:
        https://github.com/wazuh/${{ secrets.NOTIFICATION_REPO }}/issues/2049#issuecomment-2671590268
        EOF
        )

        # Print the GH Variables content
        echo "--- Variable Content ---"
        echo "$GH_TITLE"
        echo "------------------------"

        echo "--- Variable Content ---"
        echo "$GH_MESSAGE"
        echo "------------------------"

        ## GH issue creation
        ISSUE_URL=$(gh issue create \
          -R wazuh/${{ secrets.NOTIFICATION_REPO }} \
          --title "$GH_TITLE" \
          --body "$GH_MESSAGE" \
          --label "level/task" \
          --label "type/maintenance" \
          --label "request/operational")

        ## Adding the issue to the team project
        PROJECT_ITEM_ID=$(gh project item-add \
          ${{ secrets.NOTIFICATION_PROJECT_NUMBER }} \
          --url $ISSUE_URL \
          --owner wazuh \
          --format json \
          | jq -r '.id')

          ## Setting Objective
          gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_OBJECTIVE_ID }} --text  "Security scans"
          ## Setting Priority
          gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_PRIORITY_ID }} --single-select-option-id ${{ secrets.NOTIFICATION_PROJECT_PRIORITY_OPTION_ID }}
          ## Setting Size
          gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_SIZE_ID }} --single-select-option-id ${{ secrets.NOTIFICATION_PROJECT_SIZE_OPTION_ID }}
          ## Setting Subteam
          gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_SUBTEAM_ID }} --single-select-option-id ${{ secrets.NOTIFICATION_PROJECT_SUBTEAM_OPTION_ID }}

      env:
        GH_TOKEN: ${{ secrets.NOTIFICATION_GH_ARTIFACT_TOKEN }}