Review Release Workflow

You now explore the Release workflow.


Check out the .github/workflows/release.yml file.

name: Release

on:
  push:
    tags:
      - "v*.*.*"

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}

env:
  TEST_IMAGE_NAME: localbuild/prepared-image:latest

permissions:
  id-token: write
  contents: read

jobs:
  validate-version-format:
    name: Validate semantic version format
    uses: ./.github/workflows/wc-validate-version-format.yml
    with:
      version: ${{ github.ref_name }}

  build-image:
    name: Build image
    needs: [validate-version-format]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build image for vulnerability scanning
        uses: docker/build-push-action@v5
        with:
          context: .
          target: production
          load: true
          tags: ${{ env.TEST_IMAGE_NAME }}
          outputs: type=docker,dest=/tmp/prepared-image.tar

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: prepared-image
          path: /tmp/prepared-image.tar

  scan-image:
    name: Scan image
    needs: [build-image]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: prepared-image
          path: /tmp

      - name: Load image
        run: docker load --input /tmp/prepared-image.tar

      - name: OCI image vulnerability scanning
        uses: anchore/scan-action@v3
        id: scan
        with:
          image: ${{ env.TEST_IMAGE_NAME }}
          fail-build: false
          severity-cutoff: high

      - if: ${{ !cancelled() }}
        name: Upload vulnerability report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
          category: image-scanning-report

  release:
    name: Release
    needs: [scan-image]
    uses: ./.github/workflows/wc-deploy.yml
    with:
      aws-region: ${{ vars.AWS_REGION }}
      role-to-assume: ${{ vars.ROLE_TO_ASSUME }}
      download-artifact-name: prepared-image
      download-artifact-path: /tmp
      ecr-repository: ${{ vars.PROJECT }}
      image-tag: ${{ github.ref_name }}
      task-definition: ${{ vars.PROJECT }}
      container-name: ${{ vars.PROJECT }}
      ecs-cluster: ${{ vars.ECS_CLUSTER }}
      ecs-service: ${{ vars.PROJECT }}
      codedeploy-application: ${{ vars.CODEDEPLOY_APPLICATION }}
      codedeploy-application-group: ${{ vars.CODEDEPLOY_APPLICATION_GROUP }}

This GitHub Actions workflow is designed to perform release tasks when specific events occur on the repository. Let’s take a high-level look at key components of the workflow.

Events

  • push: triggered when a tag matching the pattern v*.*.* is pushed (typically semantic version tags such as v1.0.0)

Concurrency

Ensures that only one instance of this workflow runs for a given tag at a time; the concurrency group is built from the workflow name and the pushed reference. You usually do not want several releases running at the same time (explore more about concurrency groups in 14. Experiments With GitHub Actions Concurrency Group).

Jobs

validate-version-format:

  • This job calls the reusable workflow .github/workflows/wc-validate-version-format.yml, passing the pushed tag name (github.ref_name) as its version input.
  • Validates the format of the version tag to ensure it follows semantic versioning; the tag filter v*.*.* alone only checks the rough shape of the tag.
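Why the separate validation job matters, as an added illustration that is not part of the original workshop material: the script below translates the release.yml tag filter into a regex (GitHub's `*` does not match `/`) and compares it with a strict semver check. The semver regex is the one published on semver.org with a leading "v"; it is an assumption about what wc-validate-version-format.yml enforces, since that reusable workflow is not shown here.

```python
import re

# Tag filter copied from the "on.push.tags" trigger in release.yml
TAG_FILTER = "v*.*.*"

# semver.org reference regex, prefixed with the "v" the tag filter requires
# (assumed to be what the reusable validation workflow checks)
SEMVER_RE = re.compile(
    r"^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a GitHub Actions branch/tag filter into a regex.

    GitHub's filter syntax: '*' matches any run of characters except '/',
    '**' matches anything, every other character is literal.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def triggers_release(tag: str) -> bool:
    """Would pushing this tag start the Release workflow at all?"""
    return bool(glob_to_regex(TAG_FILTER).match(tag))


def passes_validation(tag: str) -> bool:
    """Would the validate-version-format job accept this tag?"""
    return bool(SEMVER_RE.match(tag))


def classify(tag: str) -> str:
    """ignored: never triggers; blocked: triggers but fails validation;
    released: triggers and reaches the build/scan/release jobs."""
    if not triggers_release(tag):
        return "ignored"
    return "released" if passes_validation(tag) else "blocked"


if __name__ == "__main__":
    for t in ["v1.2.3", "v1.2.3-rc.1", "v01.2.3", "va.b.c", "1.2.3", "v1/2.3.4"]:
        print(f"{t:14} -> {classify(t)}")
```

Tags such as va.b.c or v01.2.3 pass the trigger filter but are stopped by the validation job, which is why the build, scan and release jobs all sit behind it in the needs chain.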

build-image

  • Builds a Docker image for the application.
  • Steps:
    • Checkout the code.
    • Set up Docker Buildx.
    • Build the Docker image and prepare it for vulnerability scanning.
    • Upload the built image as an artifact.

scan-image

  • Scans the Docker image for vulnerabilities.
  • Depends on: the build-image job. Because of the needs clause, this job waits for build-image to succeed before it runs.
  • Steps:
    • Download the image artifact built in job build-image.
    • Load the Docker image to Docker engine.
    • Perform image vulnerability scanning.
    • Upload the vulnerability report (SARIF) to GitHub for later review. The step is guarded by !cancelled(), so it still runs if an earlier step failed, but not if the run was cancelled.

release

  • This job calls the reusable workflow ./.github/workflows/wc-deploy.yml and runs only after scan-image has completed.
  • It automates the release of an ECS service: the inputs identify the AWS region and the IAM role to assume (via OIDC, which is why the workflow grants id-token: write), the ECR repository and image tag, the ECS task definition, cluster and service, and the CodeDeploy application and deployment group, all read from repository variables.