https://github.com/cdcgov/nedss-workflows

Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (12.5%) to scientific vocabulary
Last synced: 10 months ago

Repository

Basic Info
  • Host: GitHub
  • Owner: CDCgov
  • Default Branch: main
  • Size: 86.9 KB
Statistics
  • Stars: 0
  • Watchers: 5
  • Forks: 2
  • Open Issues: 0
  • Releases: 0
Created over 3 years ago · Last pushed 10 months ago
Metadata Files
Readme

README.md

NEDSS Reusable Workflows and custom GitHub actions

Overview

This repository is a central location for managing reusable workflows used by the microservices developed as part of the NBS modernization project, so that their CI/CD processes stay consistent. The workflows are built with GitHub Actions and are intended to be adopted by any team that needs one of the services described below.

Prerequisites for container related workflows

  1. Request that your repository be granted access to the environment containing the Elastic Container Registry (ECR).
  2. Request, and receive confirmation, that an ECR repository was created to store your artifact (the microservice container image).

Usage

Reusable workflows are meant to be easily picked up and placed in your repository's CI/CD pipeline. To further this effort, sample_templates are provided.

  1. Sample-call-build-and-deploy-workflow.yaml - this workflow is intended to be used when container images need to be built. It promotes automated deployment by modifying a Helm chart's values.yaml file.
     - Note 1: This is a general template; a full list of variables can be found below.
     - Note 2: This template only references Build-other-microservice-container.yaml; the uses line of the call-build-microservice-container-workflow job should be changed to reflect the intended reusable workflow.
  2. Sample-call-release-and-deploy-workflow.yaml - this workflow is intended to be used when container releases are required, either by building a new container or by tagging an existing container image in AWS ECR. It promotes automated deployment by modifying a Helm chart's values.yaml file.
     - Note 1: This is a general template; a full list of variables can be found below.
     - Note 2: This template only references Build-other-microservice-container.yaml; the uses line of the call-build-microservice-container-workflow job should be changed to reflect the intended reusable workflow.
  3. Sample-call-trivy-container-scan.yaml - this workflow is intended to be used when container scans are required in addition to those run automatically in the build and release workflows.
  4. Create-github-draft-release.yaml - this workflow creates a draft release within GitHub and uploads an artifact. It also has an update-only mode which replaces the artifact in an existing draft release.

Custom Github Actions

Trivy-Scanner

This action uses Trivy to scan built container images for vulnerabilities and outputs the results either in the runner logs or to the GitHub Security tab.

Input Variables

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| container-ref | string | | 'Locally built container id which Trivy should scan' | true |
| exit-code | string | '0' | 'Exit code when specified vulnerabilities are found (0).' | false |
| ignore-unfixed | boolean | false | 'Ignore unpatched/unfixed vulnerabilities' | false |
| limit-severities-for-sarif | boolean | true | 'By default SARIF format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to true' | false |
| severity | string | 'CRITICAL,HIGH' | 'Severities of vulnerabilities to be scanned for and displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)' | false |
| skip-dirs | string | '' | 'Comma separated list of directories where traversal is skipped' | false |
| skip-files | string | '' | 'Comma separated list of files where traversal is skipped' | false |
| timeout | string | '10m0s' | 'Scan timeout duration' | false |
| trivyignores | string | | 'Comma-separated list of relative paths in repository to one or more .trivyignore files, for usage see https://aquasecurity.github.io/trivy/v0.19.2/vulnerability/examples/filter/' | false |
| upload-to-github-security-tab | boolean | false | 'Upload results to GitHub security tab?' | false |

Outputs

None
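As an added example (not a file from this repository), the following caller job builds an image locally, hands its id to the Trivy-Scanner action via container-ref, and overrides the default exit-code of '0' so that unfixed-aware CRITICAL/HIGH findings fail the job rather than only being logged. The action's location inside the repository (`Trivy-Scanner` at the repository root) and the `@main` ref are assumptions; in a real pipeline pin the ref to a full commit SHA. The `security-events: write` permission is what GitHub requires for a SARIF upload to the Security tab.

```yaml
# Added example; not one of the repository's sample_templates.
# Assumption: the composite action lives at <repo>/Trivy-Scanner and is
# referenced at @main. Pin to a commit SHA for a reproducible, tamper-evident ref.
name: container-scan
on:
  pull_request:

permissions:
  contents: read
  security-events: write   # required by upload-to-github-security-tab: true

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Build image locally (never pushed from this job)
        id: build
        run: |
          docker build -t example-service:ci -f ./Dockerfile .
          echo "image_id=$(docker images -q example-service:ci)" >> "$GITHUB_OUTPUT"

      - name: Scan with Trivy-Scanner
        uses: CDCgov/NEDSS-Workflows/Trivy-Scanner@main   # assumption: replace @main with a SHA
        with:
          container-ref: ${{ steps.build.outputs.image_id }}
          exit-code: '1'                 # fail on findings instead of the default '0'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true           # only block on findings that already have a fix
          trivyignores: '.trivyignore'   # reviewed exceptions live in the repo, not in the pipeline
          upload-to-github-security-tab: true
```

Keeping exit-code at the default '0' turns the scan into a report only; setting it to '1' is what makes the step a merge gate. The .trivyignore path is a constructed example and must exist in the calling repository.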

Workflows

Build-gradle-microservice-container.yaml

This workflow builds a container and pushes it to ECR. The application version is obtained by running ./gradlew printVersion from the repository's root directory and appending metadata (the environmentclassifier). Uses Trivy-Scanner for container scanning.

Input Variables

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| dockerfilerelativepath | string | | 'Relative path to dockerfile being built (use '-f' docker argument if the dockerfile referenced from the root directory).' | true |
| environmentclassifier | string | | 'Metadata to append to application version. Ex. if version=1.0.0, and environmentclassifier=SNAPSHOT result will be 1.0.0-SNAPSHOT.' | true |
| exit-code | string | '0' | 'Exit code when specified vulnerabilities are found (0).' | false |
| ignore-unfixed | boolean | false | 'Ignore unpatched/unfixed vulnerabilities' | false |
| javaversion | string | '17' | 'Version of java which you are using to build your code.' | false |
| limit-severities-for-sarif | boolean | true | 'By default SARIF format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to true' | false |
| microservicename | string | | 'Name of microservice corresponding to a container in ECR.' | true |
| severity | string | 'CRITICAL,HIGH' | 'Severities of vulnerabilities to be scanned for and displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)' | false |
| skip-dirs | string | '' | 'Comma separated list of directories where traversal is skipped' | false |
| skip-files | string | '' | 'Comma separated list of files where traversal is skipped' | false |
| timeout | string | '10m0s' | 'Scan timeout duration' | false |
| trivyignores | string | | 'Comma-separated list of relative paths in repository to one or more .trivyignore files, for usage see https://aquasecurity.github.io/trivy/v0.19.2/vulnerability/examples/filter/' | false |
| upload-to-github-security-tab | boolean | true | 'Upload results to GitHub security tab?' | false |

Input Secrets

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| CDCNBSSANDBOXSHAREDSERVICESACCOUNTID | string | | 'Secret named CDCNBSSANDBOXSHAREDSERVICESACCOUNTID where ECR resides.' | true |
| ECRREPOBASENAME | string | | 'Secret named ECRREPOBASENAME where ECR resides.' | true |
| GITUSEREMAIL | string | | 'Secret named GITUSEREMAIL for the CI user email.' | false |
| GITUSERNAME | string | | 'Secret named ECRREPOBASENAME for the CI user name.' | false |
| HELMTOKEN | string | | 'Secret named HELM_TOKEN to access helm chart repository' | false |

Outputs

| Key | Type | Description |
| -------------- | -------------- | -------------- |
| outputimagetag | string | "Container image tag" |

Build-other-microservice-container.yaml

This workflow builds a container and pushes it to ECR. The application version is taken from the dockerfile's initial FROM line (e.g. FROM elasticsearch:v1.0.0 results in v1.0.0). Uses Trivy-Scanner for container scanning.

Input Variables

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| dockerfilerelativepath | string | | 'Relative path to dockerfile being built (use '-f' docker argument if the dockerfile referenced from the root directory).' | true |
| environmentclassifier | string | | 'Metadata to append to application version. Ex. if version=1.0.0, and environmentclassifier=SNAPSHOT result will be 1.0.0-SNAPSHOT.' | true |
| exit-code | string | '0' | 'Exit code when specified vulnerabilities are found (0).' | false |
| ignore-unfixed | boolean | false | 'Ignore unpatched/unfixed vulnerabilities' | false |
| limit-severities-for-sarif | boolean | true | 'By default SARIF format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to true' | false |
| microservice_name | string | | 'Name of microservice corresponding to a container in ECR.' | true |
| severity | string | 'CRITICAL,HIGH' | 'Severities of vulnerabilities to be scanned for and displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)' | false |
| skip-dirs | string | '' | 'Comma separated list of directories where traversal is skipped' | false |
| skip-files | string | '' | 'Comma separated list of files where traversal is skipped' | false |
| timeout | string | '10m0s' | 'Scan timeout duration' | false |
| trivyignores | string | | 'Comma-separated list of relative paths in repository to one or more .trivyignore files, for usage see https://aquasecurity.github.io/trivy/v0.19.2/vulnerability/examples/filter/' | false |
| upload-to-github-security-tab | boolean | true | 'Upload results to GitHub security tab?' | false |

Input Secrets

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| CDCNBSSANDBOXSHAREDSERVICESACCOUNTID | string | | 'Secret named CDCNBSSANDBOXSHAREDSERVICESACCOUNTID where ECR resides.' | true |
| ECRREPOBASENAME | string | | 'Secret named ECRREPOBASENAME where ECR resides.' | true |
| GITUSEREMAIL | string | | 'Secret named GITUSEREMAIL for the CI user email.' | false |
| GITUSERNAME | string | | 'Secret named ECRREPOBASENAME for the CI user name.' | false |
| HELMTOKEN | string | | 'Secret named HELM_TOKEN to access helm chart repository' | false |

Outputs

| Key | Type | Description |
| -------------- | -------------- | -------------- |
| outputimagetag | string | "Container image tag" |

Release-gradle-microservice-container.yaml

This workflow has two runtime options. The first is to tag an existing container in AWS ECR with a new container tag. The second is to build a container on demand and push it to ECR. The application version is obtained by running ./gradlew printVersion from the repository's root directory and appending metadata (the environmentclassifier). Uses Trivy-Scanner for container scanning.

Input Variables

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| build-new-container | boolean | false | '(true or false) Should a new container be built.' | true |
| dockerfilerelativepath | string | | 'Relative path to dockerfile being built (use '-f' docker argument if the dockerfile referenced from the root directory).' | true |
| environmentclassifier | string | | 'Metadata to append to application version. Ex. if version=1.0.0, and environmentclassifier=SNAPSHOT result will be 1.0.0-SNAPSHOT.' | true |
| existing-image-tag | string | | 'Image tag of existing container in ECR (not used if build-new-container=true).' | true |
| exit-code | string | '0' | 'Exit code when specified vulnerabilities are found (0).' | false |
| ignore-unfixed | boolean | false | 'Ignore unpatched/unfixed vulnerabilities' | false |
| javaversion | string | '17' | 'Version of java which you are using to build your code.' | false |
| limit-severities-for-sarif | boolean | true | 'By default SARIF format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to true' | false |
| microservicename | string | | 'Name of microservice corresponding to a container in ECR.' | true |
| severity | string | 'CRITICAL,HIGH' | 'Severities of vulnerabilities to be scanned for and displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)' | false |
| skip-dirs | string | '' | 'Comma separated list of directories where traversal is skipped' | false |
| skip-files | string | '' | 'Comma separated list of files where traversal is skipped' | false |
| timeout | string | '10m0s' | 'Scan timeout duration' | false |
| trivyignores | string | | 'Comma-separated list of relative paths in repository to one or more .trivyignore files, for usage see https://aquasecurity.github.io/trivy/v0.19.2/vulnerability/examples/filter/' | false |
| upload-to-github-security-tab | boolean | true | 'Upload results to GitHub security tab?' | false |

Input Secrets

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| CDCNBSSANDBOXSHAREDSERVICESACCOUNTID | string | | 'Secret named CDCNBSSANDBOXSHAREDSERVICESACCOUNTID where ECR resides.' | true |
| ECRREPOBASENAME | string | | 'Secret named ECRREPOBASENAME where ECR resides.' | true |
| GITUSEREMAIL | string | | 'Secret named GITUSEREMAIL for the CI user email.' | false |
| GITUSERNAME | string | | 'Secret named ECRREPOBASENAME for the CI user name.' | false |
| HELMTOKEN | string | | 'Secret named HELM_TOKEN to access helm chart repository' | false |

Outputs

| Key | Type | Description |
| -------------- | -------------- | -------------- |
| outputimagetag | string | "Container image tag" |

Release-other-microservice-container.yaml

This workflow has two runtime options. The first is to tag an existing container in AWS ECR with a new container tag. The second is to build a container on demand and push it to ECR. The application version is taken from the dockerfile's initial FROM line (e.g. FROM elasticsearch:v1.0.0 results in v1.0.0). Uses Trivy-Scanner for container scanning.

Input Variables

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| build-new-container | boolean | false | '(true or false) Should a new container be built.' | true |
| dockerfilerelativepath | string | | 'Relative path to dockerfile being built (use '-f' docker argument if the dockerfile referenced from the root directory).' | true |
| environmentclassifier | string | | 'Metadata to append to application version. Ex. if version=1.0.0, and environmentclassifier=SNAPSHOT result will be 1.0.0-SNAPSHOT.' | true |
| existing-image-tag | string | | 'Image tag of existing container in ECR (not used if build-new-container=true).' | true |
| exit-code | string | '0' | 'Exit code when specified vulnerabilities are found (0).' | false |
| ignore-unfixed | boolean | false | 'Ignore unpatched/unfixed vulnerabilities' | false |
| limit-severities-for-sarif | boolean | true | 'By default SARIF format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to true' | false |
| microservice_name | string | | 'Name of microservice corresponding to a container in ECR.' | true |
| severity | string | 'CRITICAL,HIGH' | 'Severities of vulnerabilities to be scanned for and displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)' | false |
| skip-dirs | string | '' | 'Comma separated list of directories where traversal is skipped' | false |
| skip-files | string | '' | 'Comma separated list of files where traversal is skipped' | false |
| timeout | string | '10m0s' | 'Scan timeout duration' | false |
| trivyignores | string | | 'Comma-separated list of relative paths in repository to one or more .trivyignore files, for usage see https://aquasecurity.github.io/trivy/v0.19.2/vulnerability/examples/filter/' | false |
| upload-to-github-security-tab | boolean | true | 'Upload results to GitHub security tab?' | false |

Input Secrets

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| CDCNBSSANDBOXSHAREDSERVICESACCOUNTID | string | | 'Secret named CDCNBSSANDBOXSHAREDSERVICESACCOUNTID where ECR resides.' | true |
| ECRREPOBASENAME | string | | 'Secret named ECRREPOBASENAME where ECR resides.' | true |
| GITUSEREMAIL | string | | 'Secret named GITUSEREMAIL for the CI user email.' | false |
| GITUSERNAME | string | | 'Secret named ECRREPOBASENAME for the CI user name.' | false |
| HELMTOKEN | string | | 'Secret named HELM_TOKEN to access helm chart repository' | false |

Outputs

| Key | Type | Description |
| -------------- | -------------- | -------------- |
| outputimagetag | string | "Container image tag" |

Trivy-container-scan.yaml

This workflow builds a container and scans it for security vulnerabilities using Trivy-Scanner.

Input Variables

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| dockerfilerelativepath | string | | 'Relative path to dockerfile being built (use '-f' docker argument if the dockerfile referenced from the root directory).' | true |
| exit-code | string | '0' | 'Exit code when specified vulnerabilities are found (0).' | false |
| ignore-unfixed | boolean | false | 'Ignore unpatched/unfixed vulnerabilities' | false |
| limit-severities-for-sarif | boolean | true | 'By default SARIF format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to true' | false |
| microservice_name | string | | 'Name of microservice corresponding to a container in ECR.' | true |
| severity | string | 'CRITICAL,HIGH' | 'Severities of vulnerabilities to be scanned for and displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)' | false |
| skip-dirs | string | '' | 'Comma separated list of directories where traversal is skipped' | false |
| skip-files | string | '' | 'Comma separated list of files where traversal is skipped' | false |
| timeout | string | '10m0s' | 'Scan timeout duration' | false |
| trivyignores | string | | 'Comma-separated list of relative paths in repository to one or more .trivyignore files, for usage see https://aquasecurity.github.io/trivy/v0.19.2/vulnerability/examples/filter/' | false |
| upload-to-github-security-tab | boolean | false | 'Upload results to GitHub security tab?' | false |

Input Variables

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| valuesfilewithpath | string | | 'Relative path to the Helm chart values file, including the file itself (Ex. elasticsearch/values-dev.yaml)' | true |
| newimagetag | string | | 'Image tag to add to helm chart' | true |
| microservicename | string | | 'Name of microservice corresponding to a container in ECR.' | true |

Input Secrets

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| GITUSEREMAIL | string | | 'Secret named GITUSEREMAIL for the CI user email.' | true |
| GITUSERNAME | string | | 'Secret named ECRREPOBASENAME for the CI user name.' | true |
| HELMTOKEN | string | | 'Secret named HELM_TOKEN to access helm chart repository' | true |

Outputs

None

Update-helm-chart.yaml

This workflow takes an image tag and updates the supplied Helm chart values.yaml file in the NEDSS-Helm GitHub repository.

Input Variables

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| valuesfilewithpath | string | | 'Relative path to the Helm chart values file, including the file itself (Ex. elasticsearch/values-dev.yaml)' | true |
| newimagetag | string | | 'Image tag to add to helm chart' | true |
| microservicename | string | | 'Name of microservice corresponding to a container in ECR.' | true |

Input Secrets

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| GITUSEREMAIL | string | | 'Secret named GITUSEREMAIL for the CI user email.' | true |
| GITUSERNAME | string | | 'Secret named ECRREPOBASENAME for the CI user name.' | true |
| HELMTOKEN | string | | 'Secret named HELM_TOKEN to access helm chart repository' | true |

Outputs

None
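The build-and-deploy pattern from the Usage section, written out as an added example of a caller workflow (it is not one of the repository's sample_templates): the first job calls Build-other-microservice-container.yaml with the inputs and the two required secrets from its tables, and the second job feeds the outputimagetag output into Update-helm-chart.yaml. Assumptions: the reusable workflows live under .github/workflows/ as in the dependency listing further down (which spells the Helm workflow Update-helm-charts.yaml, while this README calls it Update-helm-chart.yaml; use the name that exists in the repository), `@main` should be replaced by a commit SHA, and the service name and values-file path are constructed values.

```yaml
# Added example of a caller workflow; not one of the repository's sample_templates.
# Assumptions: workflow paths follow .github/workflows/<name>.yaml, referenced at @main
# (pin to a commit SHA in practice); example-service and its values path are constructed.
name: build-and-deploy
on:
  push:
    branches: [main]

# A caller must grant any permission the called workflow needs. The build workflow
# defaults upload-to-github-security-tab to true, which requires security-events: write.
permissions:
  contents: read
  security-events: write

jobs:
  call-build-microservice-container-workflow:
    uses: CDCgov/NEDSS-Workflows/.github/workflows/Build-other-microservice-container.yaml@main
    with:
      microservice_name: example-service        # constructed
      dockerfilerelativepath: ./Dockerfile
      environmentclassifier: SNAPSHOT           # FROM elasticsearch:v1.0.0 -> v1.0.0-SNAPSHOT
      exit-code: '1'                            # block the push on CRITICAL/HIGH findings
      severity: 'CRITICAL,HIGH'
    # Pass only the secrets this workflow marks as required; avoid `secrets: inherit`,
    # which would expose every repository secret to the called workflow.
    secrets:
      CDCNBSSANDBOXSHAREDSERVICESACCOUNTID: ${{ secrets.CDCNBSSANDBOXSHAREDSERVICESACCOUNTID }}
      ECRREPOBASENAME: ${{ secrets.ECRREPOBASENAME }}

  call-update-helm-chart-workflow:
    needs: call-build-microservice-container-workflow
    uses: CDCgov/NEDSS-Workflows/.github/workflows/Update-helm-chart.yaml@main
    with:
      microservicename: example-service                       # constructed
      valuesfilewithpath: example-service/values-dev.yaml     # constructed; lives in NEDSS-Helm
      newimagetag: ${{ needs.call-build-microservice-container-workflow.outputs.outputimagetag }}
    secrets:
      GITUSEREMAIL: ${{ secrets.GITUSEREMAIL }}
      GITUSERNAME: ${{ secrets.GITUSERNAME }}
      HELMTOKEN: ${{ secrets.HELMTOKEN }}
```

The `needs:` edge is what guarantees the Helm values file is only touched with a tag that was actually pushed (and scanned) by the build job; if the scan fails with exit-code '1', the deploy job never runs. Note that the build workflow's input is microservice_name (with an underscore) while the Helm workflow's is microservicename, exactly as in the tables above.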

Create-github-draft-release.yaml

This workflow creates a draft release and uploads an artifact to it.

Input Variables

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| dockerfilerelativepath | string | | 'Relative path to dockerfile being built (use '-f' docker argument if the dockerfile referenced from the root directory).' | true |

Input Variables

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| updateziponly | boolean | false | 'Will delete and update the artifact from an existing draft release (contents depend on selected branch/tag).' | true |
| body | string | | 'A description of your release in markdown format (default is to autogenerate release notes).' | false |
| releaseversion | string | | 'A release version (no 'v', this is added only to the final) to be created upon publishing the draft release (tag must not already exist in repository).' | true |
| releasename | string | "NONE" | 'Provide a custom name for your release. If none is provided the release name will match the provided releaseversion (default=NONE).' | false |
| artifactbasename | string | | 'Base name of the created artifact. The artifactreleaseversion is appended to this name.' | true |
| artifactreleaseversion | string | | 'The artifact release version (no 'v', this is added only to the final).' | true |
| paths | string | | 'A CSV string detailing which files and directories should be included in the artifact. If not provided only the standard artifacts will be created.' | true |
| excludedpaths | string | "" | 'A CSV list detailing specific files and directories to exclude from the provided paths (this variable serves only to limit scope of the paths variable).' | false |

Input Secrets

| Key | Type | Default | Description | Required |
| -------------- | -------------- | -------------- | -------------- | -------------- |
| GITUSEREMAIL | string | | 'Secret named GITUSEREMAIL for the CI user email.' | true |
| GITUSERNAME | string | | 'Secret named ECRREPOBASE_NAME for the CI user name.' | true |

Outputs

None

Owner

  • Name: Centers for Disease Control and Prevention
  • Login: CDCgov
  • Kind: organization
  • Email: data@cdc.gov
  • Location: Atlanta, GA

CDC's collaborative software projects to protect America from health, safety, and security threats, both foreign and in the U.S.

GitHub Events

Total
  • Delete event: 5
  • Member event: 3
  • Push event: 18
  • Pull request review comment event: 1
  • Pull request review event: 8
  • Pull request event: 7
  • Fork event: 3
  • Create event: 7
Last Year
  • Delete event: 5
  • Member event: 3
  • Push event: 18
  • Pull request review comment event: 1
  • Pull request review event: 8
  • Pull request event: 7
  • Fork event: 3
  • Create event: 7

Issues and Pull Requests

Last synced: over 1 year ago

All Time
  • Total issues: 0
  • Total pull requests: 30
  • Average time to close issues: N/A
  • Average time to close pull requests: about 13 hours
  • Total issue authors: 0
  • Total pull request authors: 3
  • Average comments per issue: 0
  • Average comments per pull request: 0.0
  • Merged pull requests: 27
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 6
  • Average time to close issues: N/A
  • Average time to close pull requests: 8 minutes
  • Issue authors: 0
  • Pull request authors: 1
  • Average comments per issue: 0
  • Average comments per pull request: 0.0
  • Merged pull requests: 6
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
Pull Request Authors
  • szamfir (23)
  • tukhi (11)
  • njaved (8)
  • akhamraev (2)
Top Labels
Issue Labels
Pull Request Labels

Dependencies

.github/workflows/Build-gradle-microservice-container.yaml actions
  • actions/cache v1 composite
  • actions/checkout v3 composite
  • aws-actions/amazon-ecr-login v1 composite
  • aws-actions/configure-aws-credentials v1 composite
.github/workflows/Build-other-microservice-container.yaml actions
  • actions/cache v1 composite
  • actions/checkout v3 composite
  • aws-actions/amazon-ecr-login v1 composite
  • aws-actions/configure-aws-credentials v1 composite
.github/workflows/Release-gradle-microservice-container.yaml actions
  • actions/cache v1 composite
  • actions/checkout v3 composite
  • aws-actions/amazon-ecr-login v1 composite
  • aws-actions/configure-aws-credentials v1 composite
.github/workflows/Release-other-microservice-container.yaml actions
  • actions/checkout v3 composite
  • aws-actions/amazon-ecr-login v1 composite
  • aws-actions/configure-aws-credentials v1 composite
.github/workflows/Update-helm-charts.yaml actions
  • actions/checkout v3 composite