add workflows

cedricve · cedricve · commit e9d2a3ca6312 · 2025-01-09T16:22:54.000+01:00
diff --git a/.github/workflows/pr-description.yml b/.github/workflows/pr-description.yml
@@ -0,0 +1,19 @@
+name: Autofill PR description
+
+on: pull_request
+
+jobs:
+  openai-pr-description:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Autofill PR description if empty using OpenAI
+        uses: cedricve/azureopenai-pr-description@master
+        with:
+          github_token: ${{ secrets.TOKEN }}
+          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
+          azure_openai_api_key: ${{ secrets.AZURE_OPENAI_API_KEY }}
+          azure_openai_endpoint: ${{ secrets.AZURE_OPENAI_ENDPOINT }}
+          azure_openai_version: ${{ secrets.AZURE_OPENAI_VERSION }}
+          overwrite_description: true
diff --git a/.github/workflows/pr-security-scan.yaml b/.github/workflows/pr-security-scan.yaml
@@ -0,0 +1,61 @@
+name: Security scan
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches:
+      - main
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    env:
+      PR_NUMBER: ${{ github.event.number }}
+      COMMIT_SHA: ${{ github.sha }}
+      TAG: hub-pipeline-sprite-pr${{ github.event.number }}-${{ github.sha }}
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      # Build the Docker image with the latest tag and the release tag
+      # Build the Docker image with the latest tag and the release tag
+      - name: Build Docker image with PR tag
+        run: |
+          docker build -t uugai/pullrequests:${{ env.TAG }} \
+          --build-arg github_username=${{ secrets.USERNAME }} \
+          --build-arg github_token=${{ secrets.TOKEN }} .
+
+      # This is a workaround for the issue with the Trivy DBs not being available due to
+      # rate limiting. The workaround is to download the DBs and cache them.
+      - name: Setup oras
+        uses: oras-project/setup-oras@v1
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+
+      # Scan the Docker image for vulnerabilities
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          skip-setup-trivy: false
+          scan-type: "image"
+          image-ref: "uugai/pullrequests:${{ env.TAG }}"
+          format: "table"
+          exit-code: "0"
+          ignore-unfixed: false
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN"
+          #Below only works on the main branch
+          #format: "github"
+          #github-pat: ${{ secrets.TOKEN }}
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
diff --git a/.github/workflows/release-create.yml b/.github/workflows/release-create.yml
@@ -0,0 +1,59 @@
+name: Create a new release
+on:
+  release:
+    types: [created]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag for the Docker image"
+        required: true
+        default: "test"
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      # Build the Docker image with the latest tag and the release tag
+      - name: Build and push Docker image with latest tag
+        uses: docker/build-push-action@v2
+        if: github.event.inputs.tag != 'test'
+        with:
+          context: .
+          push: true
+          build-args: |
+            github_username=${{ secrets.USERNAME }}
+            github_token=${{ secrets.TOKEN }}
+          tags: uugai/hub-pipeline-Classifier:latest
+      - name: Build and push Docker image with release tag
+        uses: docker/build-push-action@v2
+        if: github.event.inputs.tag != 'test'
+        with:
+          context: .
+          push: true
+          build-args: |
+            github_username=${{ secrets.USERNAME }}
+            github_token=${{ secrets.TOKEN }}
+          tags: uugai/hub-pipeline-Classifier:${{ github.event.inputs.tag || github.ref_name }}
+      # After we build the Docker image, we create a pull request to update the GitOps repository
+      # This will allow us to update the Helm chart with the new Docker image tag.
+      - name: Create GitOps Pull Request
+        uses: cedricve/gitops-pullrequest-action@master
+        with:
+          github-token: ${{ secrets.TOKEN }}
+          gitops-repo: "uug-ai/gitops"
+          gitops-file: "environments/staging/kerberos-hub/hub-pipeline-classifier.yaml"
+          gitops-pr-branch: "release-hub-pipeline-classifier-${{ github.event.inputs.tag || github.ref_name }}"
+          gitops-key: "k.spec.template.spec.containers[0].image"
+          gitops-value: "${{ github.event.inputs.tag || github.ref_name }}"
+          commit-email: "gitops@uug.ai"
+          commit-name: "GitOps - UUG.AI"
+          commit-message: "A new release for Kerberos Hub Pipeline Classifier - ${{ github.event.inputs.tag || github.ref_name }}"
