Home Explore Help
Sign In
tum
/
soc
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Commits 1 Releases 0 Wiki

No Description

Tree: 9de2549954
Branches Tags
soc
/
wazuh-docker
/
.github
/
workflows
/
Procedure_pu...

Procedure_push_docker_images.yml 8.6KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244 
  1. run-name: Launch Push Docker Images - ${{ inputs.id }}
    2. 

  2. name: Push Docker Images
    3. 

  3. 

  4. on:
    5. 

  5.   workflow_dispatch:
    6. 

  6.     inputs:
    7. 

  7.       image_tag:
    8. 

  8.         description: 'Docker image tag'
    9. 

  9.         default: '4.14.3'
    10. 

  10.         required: true
    11. 

  11.       docker_reference:
    12. 

  12.         description: 'wazuh-docker reference'
    13. 

  13.         required: true
    14. 

  14.       filebeat_module_version:
    15. 

  15.         description: 'Filebeat module version'
    16. 

  16.         default: '0.5'
    17. 

  17.         required: true
    18. 

  18.       revision:
    19. 

  19.         description: 'Package revision'
    20. 

  20.         default: '1'
    21. 

  21.         required: true
    22. 

  22.       id:
    23. 

  23.         description: "ID used to identify the workflow uniquely."
    24. 

  24.         type: string
    25. 

  25.         required: false
    26. 

  26.       dev:
    27. 

  27.         description: "Add tag suffix '-dev' to the image tag ?"
    28. 

  28.         type: boolean
    29. 

  29.         default: true
    30. 

  30.         required: false
    31. 

  31.   workflow_call:
    32. 

  32.     inputs:
    33. 

  33.       image_tag:
    34. 

  34.         description: 'Docker image tag'
    35. 

  35.         default: '4.14.3'
    36. 

  36.         required: true
    37. 

  37.         type: string
    38. 

  38.       docker_reference:
    39. 

  39.         description: 'wazuh-docker reference'
    40. 

  40.         required: false
    41. 

  41.         type: string
    42. 

  42.       filebeat_module_version:
    43. 

  43.         description: 'Filebeat module version'
    44. 

  44.         default: '0.5'
    45. 

  45.         required: true
    46. 

  46.         type: string
    47. 

  47.       revision:
    48. 

  48.         description: 'Package revision'
    49. 

  49.         default: '1'
    50. 

  50.         required: true
    51. 

  51.         type: string
    52. 

  52.       id:
    53. 

  53.         description: "ID used to identify the workflow uniquely."
    54. 

  54.         type: string
    55. 

  55.         required: false
    56. 

  56.       dev:
    57. 

  57.         description: "Add tag suffix '-dev' to the image tag ?"
    58. 

  58.         type: boolean
    59. 

  59.         default: false
    60. 

  60.         required: false
    61. 

  61. 

  62. jobs:
    63. 

  63.   build-and-push:
    64. 

  64.     runs-on: ubuntu-22.04
    65. 

  65. 

  66.     permissions:
    67. 

  67.       id-token: write
    68. 

  68.       contents: read
    69. 

  69. 

  70.     env:
    71. 

  71.       IMAGE_REGISTRY: ${{ inputs.dev && vars.IMAGE_REGISTRY_DEV || vars.IMAGE_REGISTRY_PROD }}
    72. 

  72.       IMAGE_TAG: ${{ inputs.image_tag }}
    73. 

  73.       FILEBEAT_MODULE_VERSION: ${{ inputs.filebeat_module_version }}
    74. 

  74.       REVISION: ${{ inputs.revision }}
    75. 

  75. 

  76.     steps:
    77. 

  77.     - name: Print inputs
    78. 

  78.       run: |
    79. 

  79.         echo "---------------------------------------------"
    80. 

  80.         echo "Running Procedure_push_docker_images workflow"
    81. 

  81.         echo "---------------------------------------------"
    82. 

  82.         echo "* BRANCH: ${{ github.ref }}"
    83. 

  83.         echo "* COMMIT: ${{ github.sha }}"
    84. 

  84.         echo "---------------------------------------------"
    85. 

  85.         echo "Inputs provided:"
    86. 

  86.         echo "---------------------------------------------"
    87. 

  87.         echo "* id: ${{ inputs.id }}"
    88. 

  88.         echo "* image_tag: ${{ inputs.image_tag }}"
    89. 

  89.         echo "* docker_reference: ${{ inputs.docker_reference }}"
    90. 

  90.         echo "* filebeat_module_version: ${{ inputs.filebeat_module_version }}"
    91. 

  91.         echo "* revision: ${{ inputs.revision }}"
    92. 

  92.         echo "* dev: ${{ inputs.dev }}"
    93. 

  93.         echo "---------------------------------------------"
    94. 

  94. 

  95.     - name: Checkout repository
    96. 

  96.       uses: actions/checkout@v4
    97. 

  97.       with:
    98. 

  98.         ref: ${{ inputs.docker_reference }}
    99. 

  99. 

  100.     - name: free disk space
    101. 

  101.       uses: ./.github/free-disk-space
    102. 

  102. 

  103.     - name: Set up QEMU
    104. 

  104.       uses: docker/setup-qemu-action@v3
    105. 

  105. 

  106.     - name: Set up Docker Buildx
    107. 

  107.       uses: docker/setup-buildx-action@v3
    108. 

  108. 

  109.     - name: Configure aws credentials
    110. 

  110.       if: ${{ inputs.dev == true }}
    111. 

  111.       uses: aws-actions/configure-aws-credentials@v4
    112. 

  112.       with:
    113. 

  113.         role-to-assume: ${{ secrets.AWS_IAM_DOCKER_ROLE }}
    114. 

  114.         aws-region: "${{ secrets.AWS_REGION }}"
    115. 

  115. 

  116.     - name: Log in to Amazon ECR
    117. 

  117.       if: ${{ inputs.dev == true }}
    118. 

  118.       uses: aws-actions/amazon-ecr-login@v2
    119. 

  119. 

  120.     - name: Log in to Docker Hub
    121. 

  121.       if: ${{ inputs.dev == false }}
    122. 

  122.       uses: docker/login-action@v3
    123. 

  123.       with:
    124. 

  124.         username: ${{ secrets.DOCKERHUB_USERNAME }}
    125. 

  125.         password: ${{ secrets.DOCKERHUB_PASSWORD }}
    126. 

  126. 

  127.     - name: Build Wazuh images
    128. 

  128.       run: |
    129. 

  129.         IMAGE_TAG="${{ inputs.image_tag }}"
    130. 

  130.         FILEBEAT_MODULE_VERSION=${{ inputs.filebeat_module_version }}
    131. 

  131.         REVISION=${{ inputs.revision }}
    132. 

  132. 

  133.         if [[ "$IMAGE_TAG" == *"-"* ]]; then
    134. 

  134.           IFS='-' read -r -a tokens <<< "$IMAGE_TAG"
    135. 

  135.           if [ -z "${tokens[1]}" ]; then
    136. 

  136.             echo "Invalid image tag: $IMAGE_TAG"
    137. 

  137.             exit 1
    138. 

  138.           fi
    139. 

  139.           DEV_STAGE=${tokens[1]}
    140. 

  140.           WAZUH_VER=${tokens[0]}
    141. 

  141.           ./build-images.sh -v $WAZUH_VER -r $REVISION -d $DEV_STAGE -f $FILEBEAT_MODULE_VERSION -rg $IMAGE_REGISTRY -m
    142. 

  142.         else
    143. 

  143.           ./build-images.sh -v $IMAGE_TAG -r $REVISION -f $FILEBEAT_MODULE_VERSION -rg $IMAGE_REGISTRY -m
    144. 

  144.         fi
    145. 

  145. 

  146.         # Save .env file (generated by build-images.sh) contents to $GITHUB_ENV
    147. 

  147.         ENV_FILE_PATH="../.env"
    148. 

  148. 

  149.         if [ -f $ENV_FILE_PATH ]; then
    150. 

  150.           while IFS= read -r line || [ -n "$line" ]; do
    151. 

  151.             echo "$line" >> $GITHUB_ENV
    152. 

  152.           done < $ENV_FILE_PATH
    153. 

  153.         else
    154. 

  154.           echo "The environment file $ENV_FILE_PATH does not exist!"
    155. 

  155.           exit 1
    156. 

  156.         fi
    157. 

  157.       working-directory: ./build-docker-images
    158. 

  158. 

  159.     - name: Image exists validation
    160. 

  160.       if: ${{ inputs.dev == false }}
    161. 

  161.       id: validation
    162. 

  162.       run: |
    163. 

  163.         IMAGE_TAG=${{ inputs.image_tag }}
    164. 

  164.         PURPOSE=""
    165. 

  165. 

  166.         if [[ "$IMAGE_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    167. 

  167.           if docker manifest inspect $IMAGE_REGISTRY/wazuh/wazuh-manager:$IMAGE_TAG > /dev/null 2>&1; then
    168. 

  168.             PURPOSE="regeneration"
    169. 

  169.             echo "Image wazuh/wazuh-manager:$IMAGE_TAG exists. Setting PURPOSE to 'regeneration'"
    170. 

  170.           else
    171. 

  171.             PURPOSE="new release"
    172. 

  172.             echo "Image wazuh/wazuh-manager:$IMAGE_TAG does NOT exist. Setting PURPOSE to 'new release'"
    173. 

  173.           fi
    174. 

  174.           echo "✅ Release tag: '$IMAGE_TAG'"
    175. 

  175.         elif [[ "$IMAGE_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+-(alpha|beta|rc)[0-9]+$ ]]; then
    176. 

  176.           PURPOSE="new stage"
    177. 

  177.           echo "✅ Stage tag: '$IMAGE_TAG'. Setting PURPOSE to 'new stage'"
    178. 

  178.         else
    179. 

  179.           echo "❌ No release or stage tag ('$IMAGE_TAG'), the GH issue will not be created"
    180. 

  180.         fi
    181. 

  181. 

  182.         echo "purpose=$PURPOSE" >> $GITHUB_OUTPUT
    183. 

  183. 

  184.     - name: GH issue notification
    185. 

  185.       if: ${{ inputs.dev == false && steps.validation.outputs.purpose != '' }}
    186. 

  186.       run: |
    187. 

  187.         IMAGE_TAG=${{ inputs.image_tag }}
    188. 

  188.         GH_TITLE=""
    189. 

  189.         GH_MESSAGE=""
    190. 

  190.         PURPOSE="${{ steps.validation.outputs.purpose }}"
    191. 

  191. 

  192.         ## Setting GH issue title
    193. 

  193.         GH_TITLE="Artifactory vulnerabilities update \`v$IMAGE_TAG\`"
    194. 

  194. 

  195.         ## Setting GH issue body
    196. 

  196.         GH_MESSAGE=$(cat <<- EOF | tr -d '\r' | sed 's/^[[:space:]]*//'
    197. 

  197.         ### Description
    198. 

  198.         - [ ] Update the [Artifactory vulnerabilities](${{ secrets.NOTIFICATION_SHEET_URL }}) sheet with the \`v$IMAGE_TAG\` vulnerabilities.
    199. 

  199. 

  200.         **Purpose**: $PURPOSE
    201. 

  201.         >[!NOTE]
    202. 

  202.         >To update the \`Tentative Release\` column, follow these steps:
    203. 

  203.         https://github.com/wazuh/${{ secrets.NOTIFICATION_REPO }}/issues/2049#issuecomment-2671590268
    204. 

  204.         EOF
    205. 

  205.         )
    206. 

  206. 

  207.         # Print the GH Variables content
    208. 

  208.         echo "--- Variable Content ---"
    209. 

  209.         echo "$GH_TITLE"
    210. 

  210.         echo "------------------------"
    211. 

  211. 

  212.         echo "--- Variable Content ---"
    213. 

  213.         echo "$GH_MESSAGE"
    214. 

  214.         echo "------------------------"
    215. 

  215. 

  216.         ## GH issue creation
    217. 

  217.         ISSUE_URL=$(gh issue create \
    218. 

  218.           -R wazuh/${{ secrets.NOTIFICATION_REPO }} \
    219. 

  219.           --title "$GH_TITLE" \
    220. 

  220.           --body "$GH_MESSAGE" \
    221. 

  221.           --label "level/task" \
    222. 

  222.           --label "type/maintenance" \
    223. 

  223.           --label "request/operational")
    224. 

  224. 

  225.         ## Adding the issue to the team project
    226. 

  226.         PROJECT_ITEM_ID=$(gh project item-add \
    227. 

  227.           ${{ secrets.NOTIFICATION_PROJECT_NUMBER }} \
    228. 

  228.           --url $ISSUE_URL \
    229. 

  229.           --owner wazuh \
    230. 

  230.           --format json \
    231. 

  231.           | jq -r '.id')
    232. 

  232. 

  233.           ## Setting Objective
    234. 

  234.           gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_OBJECTIVE_ID }} --text  "Security scans"
    235. 

  235.           ## Setting Priority
    236. 

  236.           gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_PRIORITY_ID }} --single-select-option-id ${{ secrets.NOTIFICATION_PROJECT_PRIORITY_OPTION_ID }}
    237. 

  237.           ## Setting Size
    238. 

  238.           gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_SIZE_ID }} --single-select-option-id ${{ secrets.NOTIFICATION_PROJECT_SIZE_OPTION_ID }}
    239. 

  239.           ## Setting Subteam
    240. 

  240.           gh project item-edit --id $PROJECT_ITEM_ID --project-id ${{ secrets.NOTIFICATION_PROJECT_ID }} --field-id ${{ secrets.NOTIFICATION_PROJECT_SUBTEAM_ID }} --single-select-option-id ${{ secrets.NOTIFICATION_PROJECT_SUBTEAM_OPTION_ID }}
    241. 

  241. 

  242.       env:
    243. 

  243.         GH_TOKEN: ${{ secrets.NOTIFICATION_GH_ARTIFACT_TOKEN }}
    244. 

  244.