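---
# Drone CI pipeline (Kubernetes runner) for the EPP service.
#
# Step graph on push / pull_request events:
#   clone_repos  -> scan_base_image_os
#   build_image  -> scan_node_packages
#   image_to_ecr -> deploy_to_branch (pull_request only)
#
# Security-relevant properties of this pipeline as written:
#   * Both Trivy steps run with FAIL_ON_DETECTION "false", and neither
#     image_to_ecr nor deploy_to_branch lists a scan step in depends_on.
#     Scan findings are therefore informational only: an image with open
#     MEDIUM/HIGH/CRITICAL findings is still pushed and deployed.
#   * Most step images are unpinned (no tag, or :latest with pull: always);
#     see the per-step notes. The scanned base image is the only
#     digest-pinned reference in this file.
kind: pipeline
name: default
type: kubernetes

environment:
  APP_NAME: epp
  UAT_ENV: sas-epp-uat
  BRANCH_ENV: sas-epp-branch
  IMAGE_URL: 340268328991.dkr.ecr.eu-west-2.amazonaws.com
  IMAGE_REPO: sas/epp
  GIT_REPO: UKHomeOffice/explosives-precursors-poisons
  HOF_CONFIG: hof-services-config/Explosives_Precursors_Poisons
  NON_PROD_AVAILABILITY: Mon-Fri 08:00-23:00 Europe/London
  READY_FOR_TEST_DELAY: 20s

# Branch filters, merged into `when.branch` via YAML merge keys.
# include_default_branch is not referenced by any step in this file.
include_default_branch: &include_default_branch
  include:
    - master

include_default_and_feature_branches: &include_default_and_feature_branches
  include:
    - master
    - "EPP-*"

steps:
  # Clones the shared hof-services-config repo into the workspace so later
  # steps can read the Trivy allow-list (and service config) from it.
  - name: clone_repos
    pull: if-not-exists
    # NOTE(review): alpine/git has no tag or digest. This step handles the
    # GitHub token, so pin the image (tag@sha256) to a known build.
    image: alpine/git
    environment:
      DRONE_GIT_USERNAME:
        from_secret: drone_git_username
      DRONE_GIT_TOKEN:
        from_secret: drone_git_token
    commands:
      # $${...} is Drone's escape: the step shell expands the secret, not
      # Drone's pipeline pre-processing.
      - git clone https://$${DRONE_GIT_USERNAME}:$${DRONE_GIT_TOKEN}@github.com/UKHomeOfficeForms/hof-services-config.git
      # git records the clone URL, credentials included, in
      # hof-services-config/.git/config. Rewrite the remote without the
      # token so the secret does not persist in the workspace for later
      # steps (build_image uses the workspace root as its build context).
      # Nothing downstream fetches from this remote, so the rewrite is safe.
      - git -C hof-services-config remote set-url origin https://github.com/UKHomeOfficeForms/hof-services-config.git
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: [push, pull_request]

  # Trivy scan of OS-level vulnerabilities in the Dockerfile's base image.
  - name: scan_base_image_os
    pull: always
    # NOTE(review): :latest combined with pull: always means the scanner
    # can change between runs without a pipeline change; prefer tag@digest.
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest
    resources:
      limits:
        cpu: 1000
        memory: 1024Mi
    environment:
      # Digest-pinned. Presumably mirrors the FROM line in the Dockerfile;
      # if the Dockerfile moves, update this too or the scan and the built
      # image diverge — confirm against the Dockerfile.
      IMAGE_NAME: node:20.18.0-alpine3.20@sha256:d504f23acdda979406cf3bdbff0dff7933e5c4ec183dda404ed24286c6125e60
      SERVICE_URL: https://acp-trivy-helm.acp-trivy.svc.cluster.local:443
      # Extra CLI flags are smuggled through SEVERITY; this relies on the
      # client wrapper word-splitting the value unquoted. Fragile but
      # intentional here.
      SEVERITY: MEDIUM,HIGH,CRITICAL --dependency-tree
      # Quoted so the step receives the literal string "false" regardless of
      # how the YAML loader types bare booleans. Findings do not fail the
      # build; set to "true" to make this scan gating.
      FAIL_ON_DETECTION: "false"
      IGNORE_UNFIXED: "false"
      # Allow-list comes from the repo cloned by clone_repos.
      ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml
    volumes:
      - name: dockersock
        path: /root/.dockersock
    # No branch filter here, unlike clone_repos. On a branch where
    # clone_repos is skipped the allow-list file will be absent — confirm
    # how the runner treats a skipped dependency before relying on this.
    when:
      event: [push, pull_request]
    depends_on:
      - clone_repos

  # Builds the image locally against the dind service so scan_node_packages
  # can scan it. image_to_ecr does not depend on this step.
  - name: build_image
    pull: if-not-exists
    # NOTE(review): acp/dind is unpinned (no tag); pin to tag@digest.
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind
    commands:
      # Wait up to 60s for the dind service's daemon to accept connections.
      - n=0; while [ "$n" -lt 60 ] && ! docker stats --no-stream >/dev/null 2>&1; do n=$(( n + 1 )); sleep 1; done
      # The build context is the workspace root, which by now also holds
      # the hof-services-config clone. Unless .dockerignore excludes it,
      # that directory is sent to the daemon and may end up in the image.
      - docker build --no-cache -t $${IMAGE_REPO}:$${DRONE_COMMIT_SHA} .
    volumes:
      - name: dockersock
        path: /var/run
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: [push, pull_request]

  # Pushes the commit-tagged image to ECR.
  - name: image_to_ecr
    pull: if-not-exists
    # NOTE(review): plugins/ecr is unpinned. This step holds the AWS
    # credentials, so pin it to a tag@digest.
    image: plugins/ecr
    settings:
      # Presumably static IAM user keys; a runner-bound role (OIDC/IRSA)
      # would remove the long-lived credential — out of scope for this file.
      access_key:
        from_secret: aws_access_key_id
      secret_key:
        from_secret: aws_secret_access_key
      region: eu-west-2
      repo: sas/epp
      registry: 340268328991.dkr.ecr.eu-west-2.amazonaws.com
      tags:
        - ${DRONE_COMMIT_SHA}
    # No depends_on: the push is not gated on either Trivy scan.
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: [push, pull_request]

  # Trivy scan of the Node.js (yarn) packages in the freshly built image.
  - name: scan_node_packages
    pull: always
    # NOTE(review): same :latest / pull: always concern as scan_base_image_os.
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest
    resources:
      limits:
        cpu: 1000
        memory: 1024Mi
    environment:
      # Scans the image tagged by build_image.
      IMAGE_NAME: sas/epp:${DRONE_COMMIT_SHA}
      SEVERITY: MEDIUM,HIGH,CRITICAL --dependency-tree --format table
      # Quoted strings, as above. Non-gating: see the file header.
      FAIL_ON_DETECTION: "false"
      IGNORE_UNFIXED: "false"
      ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml
    volumes:
      - name: dockersock
        path: /root/.dockersock
    when:
      event: [push, pull_request]
    depends_on:
      - build_image

  # Deploys the pushed image to the branch environment on pull requests.
  # Depends on the clone and the push, not on either scan.
  - name: deploy_to_branch
    pull: if-not-exists
    # Tagged but not digest-pinned; this step holds a cluster token.
    image: quay.io/ukhomeofficedigital/kd:v1.18.0
    environment:
      KUBE_SERVER:
        from_secret: kube_server_dev
      KUBE_TOKEN:
        from_secret: kube_token_dev
    commands:
      - bin/deploy.sh $${BRANCH_ENV}
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: pull_request
    depends_on:
      - clone_repos
      - image_to_ecr

services:
  # Docker-in-Docker daemon backing the dockersock volume used by the
  # build and scan steps. Unpinned image; see build_image.
  - name: docker
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind
  # Redis session store in the background so UI integration tests can run.
  - name: session
    # NOTE(review): redis is unpinned (no tag or digest).
    image: redis
    # NOTE(review): the docker socket mount on the Redis service does not
    # look necessary for a session store; confirm before removing.
    volumes:
      - name: dockersock
        path: /var/run

volumes:
  - name: dockersock
    temp: {}
...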