55 changes: 39 additions & 16 deletions .github/workflows/build-newman.yaml
Expand Up @@ -13,6 +13,7 @@ on:
pull_request:
paths:
- 'docker/**'
- 'helm/**'
# push:
# branches:
# - master
Expand Down Expand Up @@ -43,8 +44,8 @@ jobs:
run: |
# Get the latest tag from ECR (or set to default if no tags)
LATEST_TAG=$(aws ecr describe-images --repository-name $ECR_REPOSITORY \
--query 'sort_by(imageDetails, &imagePushedAt)[-1].imageTags[0]' \
--output text 2>/dev/null | awk '{print ($0 == "None" || $0 == "" ? "0.1.8" : $0)}')
--query 'sort_by(imageDetails, &imagePushedAt)[-1].imageTags[0]' \
--output text 2>/dev/null | awk '{print ($0 == "None" || $0 == "" ? "0.1.8" : $0)}')

# Increment the patch version by 1
IFS='.' read -r -a TAG_PARTS <<< "$LATEST_TAG"
Expand All @@ -55,21 +56,21 @@ jobs:
echo "image_tag=$NEW_TAG" >> $GITHUB_ENV


- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# - name: Set up Docker Buildx
# uses: docker/setup-buildx-action@v3

- name: Build, tag, and push image to Amazon ECR
id: build-image
uses: docker/build-push-action@v6
timeout-minutes: 15
with:
platforms: |
linux/amd64
context: './docker'
file: './docker/Dockerfile.k8s'
push: true
tags: |
${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ env.image_tag }}
# - name: Build, tag, and push image to Amazon ECR
# id: build-image
# uses: docker/build-push-action@v6
# timeout-minutes: 15
# with:
# platforms: |
# linux/amd64
# context: './docker'
# file: './docker/Dockerfile.k8s'
# push: true
# tags: |
# ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ env.image_tag }}

# an event for calling a listening workflow
# - name: Update helm chart
Expand All @@ -78,3 +79,25 @@ jobs:
# event-type: helm-chart-update
# client-payload: '{"application-image-tag": "${{ env.image_tag }}"}'

check-updated-charts:
runs-on: ubuntu-22.04
outputs:
chart-list: ${{ steps.get-changed-files.outputs.chart-list }}
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: get list of changed files
id: changed-files
uses: tj-actions/changed-files@v45
with:
since_last_remote_commit: true
- name: Get of changed helm charts changed files
id: get-changed-files
run: |
set -xe
for CHART in ${{ steps.changed-files.outputs.all_changed_files }}; do
[[ $(echo ${CHART} | grep 'helm/.*/') ]] && echo ${CHART} | awk -F / '{print $2}' >> changed_charts.txt
done
cat changed_charts.txt | uniq | jq --raw-input --slurp --compact-output 'split("\n") | map(select(length > 0))' > result.txt
cat result.txt
echo "chart-list=$(cat result.txt)" >> $GITHUB_OUTPUT
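Review bot: The third-party actions the new `check-updated-charts` job pulls in are pinned only to mutable tags (`uses: tj-actions/changed-files@v45`, `uses: actions/checkout@v4`), so the code that runs with this workflow's token on every pull request can change without any commit to this repository; pin each to a full commit SHA with the tag in a trailing comment (`uses: tj-actions/changed-files@<full-commit-sha>  # v45`) and let Dependabot or Renovate move it. The dedup in the last step is also fragile: `uniq` only collapses adjacent duplicates, and when no chart changed `changed_charts.txt` never exists, so `cat` complains on stderr while the pipeline still succeeds with `[]`; a `touch changed_charts.txt` before the loop and `sort -u changed_charts.txt | jq …` makes both cases deterministic. The `on:` trigger this job depends on is in the first hunk of this file and the remaining jobs are outside this view.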


Security control: Static Code Analysis Yaml

Shell Injection In Github Actions

Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

Severity: HIGH

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Shell Injection in GitHub Actions" in .github/workflows/build-newman.yaml; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

11 changes: 10 additions & 1 deletion .gitignore
Expand Up @@ -129,6 +129,9 @@ crashlytics-build.properties
*.war
*.ear

# MongoDB data
docker/data/*

# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*

Expand Down Expand Up @@ -268,4 +271,10 @@ tests-logs/
logs
elm-stuff
*.keystore
Main.js
Main.js

# Ignore helm charts
*/*.tgz

# Ignore passhprases
*/ecrpass.*
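Review bot: `*/ecrpass.*` only matches one directory level below the repository root and, like any ignore rule, does nothing for a passphrase file that is already tracked or is added with `git add -f`; before relying on it, confirm nothing matching is already in history (`git log --all -- '*ecrpass*'`) and treat a pre-commit secret scanner as the actual control. The comment above it has a typo: `# Ignore passhprases` → `# Ignore passphrases`.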
20 changes: 14 additions & 6 deletions docker/Dockerfile
Expand Up @@ -8,10 +8,10 @@ ARG gid=1001
RUN apt-get update -y
RUN apt-get install coreutils wget -y

ENV MAVEN_VERSION 3.6.3
ENV MAVEN_FILE apache-maven-${MAVEN_VERSION}-bin.tar.gz
ENV NODE_VERSION 22.11.0
ENV NODE_FILE node-v${NODE_VERSION}-linux-x64.tar.gz
ENV MAVEN_VERSION=3.6.3
ENV MAVEN_FILE=apache-maven-${MAVEN_VERSION}-bin.tar.gz
ENV NODE_VERSION=22.11.0
ENV NODE_FILE=node-v${NODE_VERSION}-linux-x64.tar.gz

# Jenkins is run with user `newman`, uid = 1000
# If you bind mount a volume from the host or a data container,
Expand All @@ -21,7 +21,7 @@ RUN groupadd -g ${gid} ${group} \

# Install Java.
RUN apt-get install openjdk-8-jdk -y
ENV JAVA_HOME /usr/lib/jvm/java-8-openjdk-amd64/
ENV JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/

# Install Maven
RUN wget --no-verbose -O /tmp/${MAVEN_FILE} \
Expand All @@ -31,7 +31,6 @@ RUN wget --no-verbose -O /tmp/${MAVEN_FILE} \
RUN echo "9792c717f5845d952907d5144b8253c3 /tmp/${MAVEN_FILE}" | \
md5sum -c


# install in /opt/maven
RUN mkdir -p /opt/maven

Expand Down Expand Up @@ -65,4 +64,13 @@ ENV PATH=$JAVA_HOME/bin:$PATH
USER root
RUN apt-get install sudo curl -y netbase

RUN mkdir /.m2
COPY . newman
WORKDIR /newman
RUN ls -lah
RUN mvn clean install -DskipTests -Dmaven.repo.local=~/.m2/repository
RUN mkdir -p /newman-server/bin \
&& cp /newman/newman-server/target/newman-server-1.0.jar /newman-server/bin/newman-server.jar
RUN chown -R ${user}:${group} /newman-server
RUN rm -rf /newman
USER ${user}
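Review bot: `RUN mvn clean install -DskipTests -Dmaven.repo.local=~/.m2/repository` most likely never uses the `/.m2` directory created a few lines above: `RUN` executes under `/bin/sh -c`, which does not tilde-expand a `~` that follows `=` inside a non-assignment word, so Maven receives the literal path `~/.m2/repository` relative to `/newman`; write `-Dmaven.repo.local=/.m2/repository` (or `$HOME/.m2/repository`). Separately, `COPY . newman` copies the whole `docker/` build context into a layer, and the later `RUN rm -rf /newman` only hides it from the final filesystem, not from image history — anything that `.gitignore` alone excludes (for example the `*/ecrpass.*` passphrase files this PR starts ignoring, if they live under `docker/`) would ship in the pushed image unless a `.dockerignore` lists it or the build is split into a builder stage. `RUN ls -lah` reads as leftover debugging output and can be dropped.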
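--- a/docker/Dockerfile.k8s
+++ b/docker/Dockerfile.k8s
@@ -0,0 +1,78 @@
+FROM ubuntu:24.04
+
+ARG user=newman
+ARG group=newman
+ARG uid=1001
+ARG gid=1001
+
+RUN apt-get update -y
+RUN apt-get install coreutils wget -y
+
+ENV MAVEN_VERSION=3.6.3
+ENV MAVEN_FILE=apache-maven-${MAVEN_VERSION}-bin.tar.gz
+ENV NODE_VERSION=22.11.0
+ENV NODE_FILE=node-v${NODE_VERSION}-linux-x64.tar.gz
+
+# Jenkins is run with user `newman`, uid = 1000
+# If you bind mount a volume from the host or a data container,
+# ensure you use the same uid
+RUN groupadd -g ${gid} ${group} \
+&& useradd -d "/home/${user}" -u ${uid} -g ${gid} -m -s /bin/bash ${user}
+
+# Install Java.
+RUN apt-get update && apt-get install -y openjdk-8-jdk-headless unzip
+ENV JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/
+
+# Install Maven
+RUN wget --no-verbose -O /tmp/${MAVEN_FILE} \
+http://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/${MAVEN_FILE}
+
+# stop building if md5sum does not match
+RUN echo "9792c717f5845d952907d5144b8253c3 /tmp/${MAVEN_FILE}" | \
+md5sum -c
+
+# install in /opt/maven
+RUN mkdir -p /opt/maven
+
+RUN tar xzf /tmp/${MAVEN_FILE} --strip-components=1 \
+-C /opt/maven
+
+RUN ln -s /opt/maven/bin/mvn /usr/local/bin
+RUN rm -f /tmp/${MAVEN_FILE}
+
+# get node
+RUN echo 'get node tar.gz'
+RUN wget --no-verbose -O /tmp/${NODE_FILE} \
+https://nodejs.org/dist/v${NODE_VERSION}/${NODE_FILE}
+
+RUN mkdir /opt/node
+
+# unpack node tar.gz
+RUN echo 'unpacking node tar.gz' && \
+tar zxvf /tmp/${NODE_FILE} --strip-components=1 \
+-C /opt/node && \
+rm -f /tmp/${NODE_FILE}
+
+RUN ln -s /opt/node/bin/node /usr/local/bin && ln -s /opt/node/bin/npm /usr/local/bin
+
+RUN node --version && \
+npm --version
+
+VOLUME /data/
+ENV PATH=$JAVA_HOME/bin:$PATH
+
+USER root
+RUN apt-get install sudo curl -y netbase
+
+RUN mkdir /.m2 && chown ${user}:${group} /.m2
+#COPY --chown=${user}:${group} --from=newman . /newman
+RUN wget https://github.com/giga-dev/newman/archive/refs/heads/master.zip -O /tmp/master.zip \
+&& unzip /tmp/master.zip -d /tmp \
+&& mv /tmp/newman-master /newman \
+&& rm /tmp/master.zip
+RUN chown -R ${user}:${group} /newman
+USER ${user}
+WORKDIR /newman
+RUN mvn clean install
+WORKDIR /
+# ENTRYPOINT [ "sh", "-c", "/newman", "/newman/newman-server/bin/newman-server.sh"]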
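Review bot: The `RUN wget https://github.com/giga-dev/newman/archive/refs/heads/master.zip …` step builds whatever `master` holds at build time rather than the commit CI checked out, with no checksum, so the pushed image is neither reproducible nor traceable to the reviewed revision; the commented-out `#COPY --chown=${user}:${group} --from=newman . /newman` (or a plain `COPY` of the build context) ties the image to the checkout, and if a download is kept it should target a tag or commit archive and verify a pinned hash. Maven is likewise fetched over plain `http://archive.apache.org` and checked only with MD5; the Apache archive serves `https://` and publishes SHA-512 sums, so `https://` plus `sha512sum -c` gives an integrity check that is actually hard to forge. `apt-get install sudo` adds an escalation path to a runtime image that already switches to `USER ${user}`, and nothing visible here uses it. The `ENTRYPOINT` is left commented out, so the image has no default command; a comment stating that the Helm chart supplies it, if that is the intent, would save the next reader a search.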
4 changes: 2 additions & 2 deletions docker/docker-build.sh
@@ -1,6 +1,6 @@
#!/bin/bash
DIRNAME=`cd $(dirname ${BASH_SOURCE[0]}) && pwd`

docker build --build-arg user=$USER --build-arg uid=$(id -u) --build-arg gid=$(id -g) -t newman ${DIRNAME}
docker build --build-arg user=$USER --build-arg uid=$(id -u) --build-arg gid=$(id -g) -t newman/newman-server:latest ${DIRNAME}

docker pull mongo
#docker pull mongo:4.0.27
5 changes: 2 additions & 3 deletions docker/server-run.sh
@@ -1,6 +1,6 @@
#!/bin/bash
DIRNAME=`cd $(dirname ${BASH_SOURCE[0]}) && pwd`

echo $DIRNAME
MODE="-d"
if [[ -n "$1" ]]; then
if [[ "$1" == "-iii" ]]; then
Expand All @@ -10,7 +10,6 @@ if [[ -n "$1" ]]; then
fi
fi


docker stop newman-server
docker rm newman-server

Expand All @@ -21,4 +20,4 @@ while [[ -z "$(${cmd})" ]]; do
sleep 5s
done

docker run ${MODE} --link mongo-server --rm -v "${DIRNAME}/..":"/newman" --name newman-server --user $(id -u) -p 8443:8443 newman "/newman/newman-server/bin/newman-server.sh"
docker run ${MODE} --link mongo-server --rm -v "${DIRNAME}/..":"/newman" --name newman-server --user $(id -u) -p 8443:8443 newman "/newman/newman-server/bin/newman-server.sh"
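--- a/helm/mongo-server/.helmignore
+++ b/helm/mongo-server/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/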
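--- a/helm/mongo-server/Chart.yaml
+++ b/helm/mongo-server/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: mongo-server
+description: A Helm chart for deploying MongoDB
+type: application
+version: 0.1.10
+appVersion: "4.0.27"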
16 changes: 16 additions & 0 deletions helm/mongo-server/templates/configmap.yaml
@@ -0,0 +1,16 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ .Release.Name }}-config"
namespace: {{ .Release.Namespace }}
labels:
app: mongo-server
data:
mongodb.conf: |
storage:
dbPath: /data/db
net:
bindIp: 0.0.0.0
port: 27017
security:
authorization: enabled
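Review bot: `port: 27017` is hard-coded inside `mongodb.conf` while `service.yaml` in the same chart points `targetPort` at `{{ .Values.service.port }}`, so a non-default `service.port` yields a Service with no listening backend and no template error; render it as `port: {{ .Values.service.port }}` here (and use the same value for the container port in the pod spec, which is not in this PR view) so the three stay in step. `namespace: {{ .Release.Namespace }}` is the one unquoted template value in this file; `"{{ .Release.Namespace }}"` matches the quoting already used for `name` and avoids a YAML parse surprise if the rendered value ever starts with a special character. `authorization: enabled` is the right default, but nothing in this chart shows where the initial admin credentials come from; a one-line comment naming the Secret or init mechanism would help whoever installs it.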
13 changes: 13 additions & 0 deletions helm/mongo-server/templates/pvc.yaml
@@ -0,0 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: "{{ .Release.Name }}-pvc"
namespace: {{ .Release.Namespace }}
labels:
app: mongo-server
spec:
accessModes: {{ .Values.persistence.accessModes | toJson }}
resources:
requests:
storage: {{ .Values.persistence.size }}
storageClassName: {{ .Values.persistence.storageClass | quote }}
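Review bot: `storageClassName: {{ .Values.persistence.storageClass | quote }}` always emits the key, so an unset or empty `persistence.storageClass` renders `storageClassName: ""`, which Kubernetes reads as "bind only to PersistentVolumes with no class" and disables the cluster's default StorageClass instead of falling back to it; wrap the line in `{{- if .Values.persistence.storageClass }}` … `{{- end }}` so omitting the value means "use the default". The chart's `values.yaml` is not in this PR view, so the defaults for `persistence.accessModes` and `persistence.size` cannot be checked here.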
13 changes: 13 additions & 0 deletions helm/mongo-server/templates/service.yaml
@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app: mongo-server
spec:
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.service.port }}
selector:
app: mongo-server
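Review bot: The selector `app: mongo-server` is not scoped to the release, so two installs of this chart in one namespace would each route traffic to both releases' pods; add `app.kubernetes.io/instance: {{ .Release.Name }}` to the labels and the selector (the same fixed label is used on the ConfigMap and PVC in this PR, so apply it there too), or derive the `app` label from `.Release.Name`. The pod template that must carry the matching labels is outside this view, so confirm it is updated in the same change.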