feat: initial version of the new workflows

MacMur85 · MacMur85 · commit a4b4bad92d84 · 2025-12-12T14:02:20.000Z
diff --git a/.github/workflows/stage-3-build-images-devtest.yaml b/.github/workflows/stage-3-build-images-devtest.yaml
@@ -68,14 +68,6 @@ jobs:
           ref: main
 
       - name: Determine which Docker container(s) to build
-        id: get-function-names
-        env:
-          COMPOSE_FILES_CSV: ${{ inputs.docker_compose_file }}
-          EXCLUDED_CONTAINERS_CSV: ${{ inputs.excluded_containers_csv_list }}
-          SOURCE_CODE_PATH: ${{ inputs.function_app_source_code_path }}
-          MANUAL_BUILD_ALL: ${{ inputs.build_all_images || false }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: bash scripts/deployment/get-docker-names.sh
 
   build-and-push:
     runs-on: ubuntu-latest
@@ -170,7 +162,7 @@ jobs:
 
           # Tag the image
           echo "Tag the image:"
-          docker tag ${PROJECT_NAME}-${function}:latest "$repo_name:${COMMIT_HASH_TAG}"
+          docker tag ${PROJECT_NAME}-$ {function}:latest "$repo_name:${COMMIT_HASH_TAG}"
           docker tag ${PROJECT_NAME}-${function}:latest "$repo_name:${PR_NUM_TAG}"
           docker tag ${PROJECT_NAME}-${function}:latest "$repo_name:${ENVIRONMENT_TAG}"
 
@@ -182,86 +174,11 @@ jobs:
           echo "PR_NUM_TAG=${PR_NUM_TAG}" >> ${GITHUB_ENV}
 
           # Push the image to the repository
-          if [ "${GITHUB_REF}" == 'refs/heads/main' ]; then
-            docker push "${repo_name}:${COMMIT_HASH_TAG}"
-            if [ "${PR_NUM_TAG}" != 'pr' ]; then
-              docker push "${repo_name}:${PR_NUM_TAG}"
-            fi
-            docker push "${repo_name}:${ENVIRONMENT_TAG}"
-          fi
-
-      - name: Run Grype Scan and Save Full Report
-        uses: anchore/scan-action@56e320f818c551f3f035fde89894504f269ad30b
-        env:
-          PROJECT_NAME: ${{ inputs.project_name }}
-        id: grype
-        with:
-          image: "${{ env.PROJECT_NAME }}-${{ matrix.function }}:latest"
-          output-format: 'table'
-          output-file: grype-report.txt
-          fail-build: false
-
-      - name: Create Custom Summary Log from Report
-        working-directory: ${{ steps.get-function-names.outputs.DOCKER_COMPOSE_DIR }}
-        if: steps.grype.outcome == 'success'
-        env:
-          PROJECT_NAME: ${{ inputs.project_name }}
-        run: |
-          function=${{ matrix.function }}
-
-          SCAN_RESULTS=$(cat grype-report.txt)
-
-          # ANSI color codes
-          RED="\033[0;31m"
-          RESET="\033[0m"
-
-          # Define your log file
-          VULNERABILITIES_SUMMARY_LOGFILE="${PROJECT_NAME}-${function}-vulnerabilities-summary.txt"
-          echo "VULNERABILITIES_SUMMARY_LOGFILE=$VULNERABILITIES_SUMMARY_LOGFILE" >> $GITHUB_ENV
-
-          # Clear existing log file (or create if it doesn't exist)
-          > "$VULNERABILITIES_SUMMARY_LOGFILE"
-
-          for SEVERITY in CRITICAL HIGH MEDIUM; do
-            {
-              echo ""
-              echo "${PROJECT_NAME}-${function}: vulnerabilities"
-              echo -e "=== ${RED}${SEVERITY}${RESET} Vulnerabilities list ==="
-              # If grep finds nothing, we print a fallback message
-              echo "$SCAN_RESULTS" | grep -i "$SEVERITY" || echo "No $SEVERITY vulnerabilities found."
-            } | tee -a "$VULNERABILITIES_SUMMARY_LOGFILE"
-          done
-
-      - name: Run the SBOM and scan-vulnerabilities script
-        working-directory: ${{ steps.get-function-names.outputs.DOCKER_COMPOSE_DIR }}
-        env:
-          PROJECT_NAME: ${{ inputs.project_name }}
-        run: |
-          function=${{ matrix.function }}
-
-          export SBOM_REPOSITORY_REPORT="sbom-${function}-repository-report"
-          echo "SBOM_REPOSITORY_REPORT=$SBOM_REPOSITORY_REPORT" >> $GITHUB_ENV
-          bash -x ${GITHUB_WORKSPACE}/templates/scripts/reports/create-sbom-report.sh
-
-          export VULNERABILITIES_REPOSITORY_REPORT="vulnerabilities-${function}-repository-report"
-          echo "VULNERABILITIES_REPOSITORY_REPORT=$VULNERABILITIES_REPOSITORY_REPORT" >> $GITHUB_ENV
-
-          echo "Running the scan-vulnerabilities script in a look with 10 minutes timeout, with 3 retries..."
-          retries=3
-          delay=300 # 5 minutes
-          count=0
-          until [ $count -ge $retries ]
-          do
-            timeout 10m bash -x ${GITHUB_WORKSPACE}/templates/scripts/reports/scan-vulnerabilities.sh && break
-            count=$((count+1))
-            echo "Attempt $count/$retries failed, retrying after $delay seconds..."
-            sleep $delay
-          done
-
-          if [ $count -eq $retries ]; then
-            echo "All attempts failed. Exiting with error."
-            exit 1
+          docker push "${repo_name}:${COMMIT_HASH_TAG}"
+          if [ "${PR_NUM_TAG}" != 'pr' ]; then
+            docker push "${repo_name}:${PR_NUM_TAG}"
           fi
+          docker push "${repo_name}:${ENVIRONMENT_TAG}"
 
       - name: Cleanup the docker images
         env:
@@ -276,66 +193,3 @@ jobs:
           docker rmi "${repo_name}:${PR_NUM_TAG}"
           docker rmi "${repo_name}:${ENVIRONMENT_TAG}"
           docker rmi ${PROJECT_NAME}-${function}:latest
-
-      - name: Compress SBOM report
-        shell: bash
-        run: |
-          echo SBOM_REPOSITORY_REPORT: ${SBOM_REPOSITORY_REPORT}
-          zip "${SBOM_REPOSITORY_REPORT}.json.zip" "${SBOM_REPOSITORY_REPORT}.json"
-
-      - name: Upload SBOM report as an artefact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ env.SBOM_REPOSITORY_REPORT }}.json.zip
-          path: ./${{ env.SBOM_REPOSITORY_REPORT }}.json.zip
-          retention-days: 21
-
-      - name: Compress vulnerabilities report
-        shell: bash
-        run: |
-          echo VULNERABILITIES_REPOSITORY_REPORT: ${VULNERABILITIES_REPOSITORY_REPORT}
-          zip ${VULNERABILITIES_REPOSITORY_REPORT}.json.zip ${VULNERABILITIES_REPOSITORY_REPORT}.json
-
-      - name: Upload vulnerabilities report as an artefact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip
-          path: ./${{ env.VULNERABILITIES_REPOSITORY_REPORT }}.json.zip
-          retention-days: 21
-
-      - name: Upload vulnerabilities summary report as an artefact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ env.VULNERABILITIES_SUMMARY_LOGFILE }}
-          path: ./${{ env.VULNERABILITIES_SUMMARY_LOGFILE }}
-          retention-days: 21
-
-  aggregate-json:
-    runs-on: ubuntu-latest
-    needs: build-and-push
-    steps:
-      - name: Download SBOM JSON artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: ./downloaded-artifacts
-
-      - name: Combine sbom report JSON files
-        run: |
-          zip sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/**/sbom*.json.zip
-
-      - name: Combine vulnerabilities report JSON files
-        run: |
-          zip vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/**/vulnerabilities*.json.zip
-          zip vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip downloaded-artifacts/**/*vulnerabilities-summary*.txt
-
-      - name: Upload sbom zip file
-        uses: actions/upload-artifact@v4
-        with:
-          name: aggregated-sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip
-          path: sbom-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip
-
-      - name: Upload repository zip file
-        uses: actions/upload-artifact@v4
-        with:
-          name: aggregated-vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip
-          path: vulnerabilities-repository-report-${{ needs.build-and-push.outputs.PR_NUM_TAG }}.zip
