Updated Connectors based on T1 API changes #36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deployment Pipeline | |
| on: | |
| push: | |
| branches: [main] | |
| jobs: | |
| connector-list: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| connectors: ${{ steps.list.outputs.connectors }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Collect Connector list | |
| id: list | |
| run: | | |
| CONNECTORS=() | |
| for connector in $(ls connectors);do | |
| if [ "$( git diff --name-only HEAD~1 -- connectors/${connector} )" != "" ] || [ "$( git diff --name-only HEAD~1 -- base )" != "" ] || [ "${{ vars.BUILD_ALL_CONNECTORS }}" == "true" ];then | |
| CONNECTORS+=("${connector}") | |
| fi | |
| done | |
| echo "connectors=$(echo -n "${CONNECTORS[@]}" | jq -R -s -c 'split(" ")')" >> $GITHUB_OUTPUT | |
| snyk: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: snyk/actions/setup@master | |
| - uses: astral-sh/setup-uv@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Export requirements file for Snyk | |
| run: | | |
| for connector in connectors/*/;do | |
| connector=${connector%*/} | |
| uv pip compile ${connector}/pyproject.toml -o ${connector}/requirements.txt --system | |
| uv pip install -r ${connector}/requirements.txt --system | |
| done | |
| which python | |
| - name: Run Snyk | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: | | |
| snyk monitor --all-projects --policy-path=.snyk | |
| build-and-deploy: | |
| name: connector ${{ matrix.connector }} | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| needs: [connector-list, snyk] | |
| strategy: | |
| max-parallel: 1 | |
| matrix: | |
| connector: ${{ fromJSON(needs.connector-list.outputs.connectors) }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install TOML Tools | |
| run: pip install toml-cli | |
| - name: Create Build Environment | |
| id: build | |
| run: | | |
| mkdir build | |
| cp -a connectors/"${{ matrix.connector }}"/* build/ | |
| cp base/* build/ | |
| cp base/.dockerignore build/ | |
| echo "version=$(toml get --toml-path build/pyproject.toml project.version)" >> $GITHUB_OUTPUT | |
| echo "app_id=$(cat build/APP_ID)" >> $GITHUB_OUTPUT | |
| echo "name=tenable/connector-${{ matrix.connector }}" >> $GITHUB_OUTPUT | |
| - uses: docker/setup-docker-action@v4 | |
| with: | |
| daemon-config: | | |
| { | |
| "debug": true, | |
| "features": { | |
| "containerd-snapshotter": true | |
| } | |
| } | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| - name: Login to Artifactory | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: docker-terrascan-local.artifactory.eng.tenable.com | |
| username: svc_terrascan | |
| password: ${{ secrets.ARTIFACTORY_API_TOKEN }} | |
| - name: Build Image Meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| docker-terrascan-local.artifactory.eng.tenable.com/connector-${{ matrix.connector }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=semver,pattern={{version}},value=${{ steps.build.outputs.version }} | |
| type=sha | |
| - name: Build Connector | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: build | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| push: true | |
| sbom: true | |
| provenance: true | |
| load: true | |
| - name: Docker Login | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Docker Scout | |
| uses: docker/scout-action@v1 | |
| with: | |
| command: cves,recommendations | |
| image: docker-terrascan-local.artifactory.eng.tenable.com/connector-${{ matrix.connector }} | |
| only-severities: critical,high,medium | |
| ignore-unchanged: true | |
| ignore-base: true | |
| - name: Pull Deployment Image | |
| run: docker pull docker-terrascan-local.artifactory.eng.tenable.com/tenb-cb:latest | |
| - name: Publish Connector Image | |
| run: | | |
| # "TARGETS": "${{ steps.build.outputs.name }}:latest,${{ steps.build.outputs.name }}:${{ steps.build.outputs.version }}" | |
| DATA=$(cat <<-END | |
| { | |
| "APPID": "${{ steps.build.outputs.app_id }}", | |
| "IMAGE": "docker-terrascan-local.artifactory.eng.tenable.com/connector-${{ matrix.connector }}:latest", | |
| "TARGETS": "tenable/connector-${{ matrix.connector }}:latest,tenable/connector-${{ matrix.connector }}:${{ steps.build.outputs.version }}", | |
| "MULTIARCH": "true" | |
| } | |
| END | |
| ) | |
| echo "${DATA}" | |
| docker run \ | |
| -e JKN_USERNAME="${{ secrets.JKN_USERNAME }}" \ | |
| -e JKN_PASSWORD="${{ secrets.JKN_PASSWORD }}" \ | |
| -t docker-terrascan-local.artifactory.eng.tenable.com/tenb-cb:latest \ | |
| jobs execute-job \ | |
| --credential-mode env \ | |
| -n teams-deleng-terraform \ | |
| -p deleng-terraform/dockerhub-publish \ | |
| --cloudflare-access-secret "${{ secrets.CF_ACCESS_TOKEN }}:${{ secrets.CF_SECRET }}" \ | |
| -d "${DATA}" | |