Merge pull request #13 from storyprotocol/feat/push_image_for_push_ev…

…ent_only [feat] push images only if for push event
storyprotocol · Apr 12, 2024 · 1b30f28 · 1b30f28
2 parents 6da78bf + 3e1745d
commit 1b30f28
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 29 deletions.
diff --git a/.github/workflows/reusable-ecr-build-push.yml b/.github/workflows/reusable-ecr-build-push.yml
@@ -49,6 +49,7 @@ jobs:
             -t ${{ secrets.AWS_ACCOUNT_TARGET }}.dkr.ecr.${{ inputs.ecr-repo-aws-region }}.amazonaws.com/${{ inputs.ecr-repo }}:latest .
 
       - name: Run Trivy vulnerability scanner
+        id: trivy
         uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           image-ref: ${{ secrets.AWS_ACCOUNT_TARGET }}.dkr.ecr.${{ inputs.ecr-repo-aws-region }}.amazonaws.com/${{ inputs.ecr-repo }}:${{ github.sha }}
@@ -62,6 +63,8 @@ jobs:
           aws ecr get-login-password --region ${{ inputs.ecr-repo-aws-region }} | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_TARGET }}.dkr.ecr.${{ inputs.ecr-repo-aws-region }}.amazonaws.com
 
       - name: Docker push to AWS ECR
+        # Push the image to Amazon ECR only if the Trivy scan passes and the event is a push event
+        if: ${{ github.event_name == 'push' && steps.trivy.outputs.exit-code == 0 }}
         run: |
           docker push ${{ secrets.AWS_ACCOUNT_TARGET }}.dkr.ecr.${{ inputs.ecr-repo-aws-region }}.amazonaws.com/${{ inputs.ecr-repo }}:${{ github.sha }}
           docker push ${{ secrets.AWS_ACCOUNT_TARGET }}.dkr.ecr.${{ inputs.ecr-repo-aws-region }}.amazonaws.com/${{ inputs.ecr-repo }}:latest

diff --git a/.github/workflows/reusable-secrets-scanning.yml b/.github/workflows/reusable-secrets-scanning.yml
@@ -0,0 +1,53 @@
+name: Reusable TruffleHog Scan
+
+on:
+  workflow_call:
+    inputs:
+      branch:
+        required: true
+        type: string
+      depth:
+        required: false
+        type: number
+        default: 2
+
+jobs:
+  SecurityScan:
+    runs-on: ubuntu-latest
+    env:
+      BRANCH: ${{ inputs.branch }}
+      DEPTH: ${{ inputs.depth }}
+    steps:
+
+      - name: Checkout the repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 #v4.1.2 
+        with:
+          ref: ${{ env.BRANCH }}
+          fetch-depth: ${{ env.DEPTH }}
+
+      - name: Run TruffleHog Scan
+        uses: trufflesecurity/trufflehog@08b6f90c818deb9e0c28f1aeea788712ff4c97c4 #v3.73.0 
+        with:
+          extra_args: --only-verified
+
+      - name: Send notification to slack if secrets found
+        if: failure()
+        uses: slackapi/[email protected]
+        with:
+          channel-id: ${{ secrets.SLACK_CHANNEL_ID_GITHUB_NOTIFICATION }}
+          payload: |
+            {
+              "text": "${{ github.repository }}: API Integration Tests have been completed. Check the results at github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
+              "blocks": [
+                { "type": "divider" },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text":"${{ github.repository }}: TruffleHog scan found secrets in the repository. Check the results at github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/secrets-scanning.yml b/.github/workflows/secrets-scanning.yml
@@ -1,37 +1,17 @@
-name: TruffleHog Scan
+name: Caller TruffleHog Scan
 
 on:
   push:
     branches:
       - main
-      - master
   pull_request:
-
-env:
-  DEPTH: 2
-  branch: main
+    branches:
+      - main
 
 jobs:
-  SecurityScan:
-    runs-on: ubuntu-latest
-    steps:
-      - name: shallow clone 
-        shell: bash
-        run: |
-          if [ "${{ github.event_name }}" == "push" ]; then
-            echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
-            echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
-          fi
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
-            echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
-            echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
-          fi
-
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-        with:
-          ref: ${{env.branch}}
-          fetch-depth: ${{env.depth}}
-
-      - uses: trufflesecurity/trufflehog@08b6f90c818deb9e0c28f1aeea788712ff4c97c4 # v3.73.0
-        with:
-          extra_args: --only-verified
+  trigger_scan:
+    uses: storyprotocol/gha-workflows/.github/workflows/reusable-trufflehog-scan.yml@main
+    with:
+      branch: ${{ github.ref_name }}
+    secrets:
+      SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}