Feat/dtoss 8958 publish to GitHub (#182)

* new CI workflow template

* YAML syntax

* move from expression to shell logic

* Provide required parameters from the CI pipeline
Add outputs references

* Correct path reference in uses

* Refactor in new GitHub actions

* Use case-insensitive checks

* added ghcr.io logins

* Support for the change_folders environment variable

* registry interpolation is readable

* one line conditional

* quote string comparison

* thread the azurecr retagging

* more than 30 items returned in gh api packages call

* workflow consumes templates from working branch

* GitHub action reference paths

* more concise way to enforce lower case registry name

* Improved job name

* fail-fast false, simplify tagging: scrap env tag, tag initially with PR only, then later all images are tagged with merge commit hash

* azurecr login doesn't need its own step

* fix ghcr.io tagging console output

* Dump directory structure before SBOM

* Include subdirectories in the directory list

* Update directory list to list YAML / Dockerfile

* Update to find expression

* templates repo path for new GitHub Actions

* Add bash command

* execute permission on scripts

* explicitly use bash for scripts

* fix container names for SBOM, vulnerabilities scanning, remove redundant inputs

* debug SBOM file paths

* SBOM report upload fix

* SBOM action output definition

* SBOM action artifact

* Fetch tag metadata outside matrix job

* Token not needed

* needs dependency fixed

* use needs inline

* Determine PR number

* Work on PR Number

* PR-tag-logic

* Test deployment to GitHub

* Ensure that we can push with environment tag is specified

* name workflow jobs

* Outputs on containers-to-build
Remove duplicate fetch tag metadata
Build Docker Images has an id for repository_path
Set output for docker_compose_dir

* Fix incorrect repository reference

* Set repository path

* Update to ensure test on GitHub

* Additional output to ensure buildx occurs

* Add support to test deployment on last job

* Test for access to the GH repo before accessing all packages

* Lowercase requirement for repository

* Filter first gh api by container type

* Update ref
Add sample query to view output from github api

* Add tag for short commit hash
Remove unnecessary step 1b in get_docker_names

* Return all docker services for updates to tags

* Residual array reference

* Improved handling of array from bash script

* Testing the manifest overwrites of buildx

* Test azure repo integration

* Test azure containers

* Fix reference to acr name

* Update Azure login step

* Case sensitive casing for images

* Improve naming convention for clearer understanding
Remove redundant step for buildx
Ensure az acr login uses correct reference

* Test this with GitHub

* One final run for Github

* Improve naming convention for clearer understanding
Remove redundant step for buildx
Ensure az acr login uses correct reference

* Remove test_deployment reference
Case sensitivity

* Final commit

* Updates to remove unneeded changes

* Remove unneeded bash script file.

* Revert parameters to first iteration

* Update to use case-sensitive folder check

---------

Co-authored-by: patrickmoore-nc <[email protected]>

Author: micjustus-nc

.github/actions/create-sbom-report/action.yaml

@@ -0,0 +1,40 @@
+name: Software Bill of Materials Report
+description: Generates and uploads an SBOM report for the specified Docker image.
+
+inputs:
+  build_datetime:
+    description: Build datetime, set by the CI/CD pipeline workflow
+    required: true
+  build_timestamp:
+    description: Build timestamp, set by the CI/CD pipeline workflow
+    required: true
+  image_name:
+    description: Docker Image to be scanned
+    required: true
+
+outputs:
+  sbom_repository_report:
+    value: ${{ steps.report.outputs.sbom_repository_report }}
+
+runs:
+  using: composite
+  steps:
+    - name: Create SBOM report
+      id: report
+      shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
+        SBOM_REPOSITORY_REPORT: ${{ inputs.image_name }}-sbom
+        CHECK_DOCKER_IMAGE: ${{ inputs.image_name }}:latest
+        FORCE_USE_DOCKER: true
+      run: |
+        mkdir sbom
+        echo "sbom_repository_report=${SBOM_REPOSITORY_REPORT}" >> ${GITHUB_OUTPUT}
+        bash ${GITHUB_WORKSPACE}/templates/scripts/reports/create-sbom-report.sh
+
+    - name: Upload SBOM report as an artefact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ inputs.image_name }}-sbom
+        path: ${{ inputs.image_name }}-sbom.json
+        retention-days: 21

.github/actions/scan-vulnerabilities/action.yaml

@@ -0,0 +1,62 @@
+name: Vulnerabilities Report
+description: Generates and uploads a vulnerability report from an SBOM for the given image.
+
+inputs:
+  build_datetime:
+    description: Build datetime, set by the CI/CD pipeline workflow
+    required: true
+  build_timestamp:
+    description: Build timestamp, set by the CI/CD pipeline workflow
+    required: true
+  image_name:
+    description: Docker Image to be scanned
+    required: true
+  sbom_repository_report:
+    description: File path of SBOM report
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Create vulnerabilites report
+      shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
+        CHECK_DOCKER_IMAGE: ${{ inputs.image_name }}:latest
+        FORCE_USE_DOCKER: true
+        VULNERABILITIES_REPOSITORY_REPORT: ${{ inputs.image_name }}-vulnerabilities-repository-report
+        VULNERABILITIES_SUMMARY_LOGFILE: ${{ inputs.image_name }}-vulnerabilities-summary.txt
+        SBOM_REPOSITORY_REPORT: ${{ inputs.sbom_repository_report }}
+      run: |
+        mkdir vulnerabilities
+        bash -x ${GITHUB_WORKSPACE}/templates/scripts/reports/scan-vulnerabilities.sh
+        curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
+
+        SCAN_RESULTS=$(grype "${CHECK_DOCKER_IMAGE}" --scope all-layers)
+        echo "${SCAN_RESULTS}" > "vulnerabilities/${VULNERABILITIES_REPOSITORY_REPORT}.json"
+
+        # ANSI color codes
+        RED="\033[0;31m"
+        RESET="\033[0m"
+
+        # Clear existing log file (or create if it doesn't exist)
+        > "vulnerabilities/${VULNERABILITIES_SUMMARY_LOGFILE}"
+
+        for SEVERITY in CRITICAL HIGH MEDIUM; do
+          {
+            echo
+            echo "${CHECK_DOCKER_IMAGE}: vulnerabilities"
+            echo -e "=== ${RED}${SEVERITY}${RESET} Vulnerabilities list ==="
+            # If grep finds nothing, we print a fallback message
+            echo "${SCAN_RESULTS}" | grep -i "${SEVERITY}" || echo "No ${SEVERITY} vulnerabilities found."
+          } | tee -a "vulnerabilities/${VULNERABILITIES_SUMMARY_LOGFILE}"
+        done
+    - name: Upload vulnerabilities report
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ inputs.image_name }}-vulnerabilities
+        path: |
+          vulnerabilities/${{ inputs.image_name }}-vulnerabilities-repository-report.json
+          vulnerabilities/${{ inputs.image_name }}-vulnerabilities-summary.txt
+        retention-days: 21