Merge pull request #27 from devsecblueprint/25-move-from-aws-scheduled-lambda-to-always-on-kubernetes-bot

Migrating to K8s On-Prem

Author: damienjburks

.github/workflows/docker-publish.yml

@@ -0,0 +1,30 @@
+name: Linting and Formating checks
+on:
+  workflow_call:
+
+jobs:
+  # Run Pylint and Black formatter
+  lint_format:
+    name: Pylint and Black
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.12.6"]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: "Setup Python ${{ matrix.python-version}}"
+        uses: actions/setup-python@v3
+        with:
+          python-version: "${{ matrix.python-version}}"
+
+      - name: Install dependencies
+        run: |
+          pip install -r requirements.txt
+          python -m pip install --upgrade pip
+
+      - name: Run pylint
+        run: pylint .
+
+      - name: Run black
+        run: black --check .

.github/workflows/lint-format.yml

@@ -1,35 +1,18 @@
-name: "Default Workflow (main)"
-
+name: Main Workflow
 on:
   push:
     branches:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+  id-token: write
+  packages: write
+
 jobs:
-  syntax-check:
-    uses: ./.github/workflows/syntax-check.yml
-  create-ecr-repositories:
-    needs:
-      - syntax-check
-    uses: ./.github/workflows/terraform-apply.yml
-    permissions:
-      contents: read
-    secrets: inherit
-    with:
-      tf_workspace: "discord-bot-repositories"
-      config_directory: "./terraform/repositories"
-  publish-images:
-    uses: ./.github/workflows/docker-publish.yml
-    secrets: inherit
-    needs: create-ecr-repositories
-  create-core-infrastructure:
-    needs:
-      - publish-images
-    uses: ./.github/workflows/terraform-apply.yml
-    permissions:
-      contents: read
-    secrets: inherit
-    with:
-      tf_workspace: "discord-bot"
-      config_directory: "./terraform/core"
+  push-docker-image:
+    uses: ./.github/workflows/push-docker-image.yml
+    secrets: inherit

.github/workflows/main.yml

@@ -4,6 +4,8 @@ on:
   pull_request_target:
 
 jobs:
-  syntax_check:
-    if: github.repository_owner == 'devsecblueprint'
-    uses: ./.github/workflows/syntax-check.yml
+  lint-format:
+    uses: ./.github/workflows/lint-format.yml
+  unit-sec-scan:
+    uses: ./.github/workflows/unit-sec-test.yml
+    needs: lint-format

.github/workflows/pr.yml

@@ -0,0 +1,45 @@
+name: Push Docker Image - GitHub Container Registry (GHCR)
+
+on:
+  workflow_call:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: "the-herald"
+
+jobs:
+  Push_Image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Set up Docker Buildx
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
+
+        # Extract metadata (tags, labels) for Docker
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
+
+      # Login against a Docker registry
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Build and tag Docker Image
+      - name: Build & Push Multi-Arch Docker Image
+        run: |
+          docker buildx build \
+          --platform linux/amd64,linux/arm64 \
+          -t ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest \
+          --push \
+          .