.github/workflows/game-2048-kubescape.yaml

name: Game 2048 Kubescape CI/CD Example

on:
  # push:
  #   branches: [ master ]
  # pull_request:
  #   branches: [ master ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      kubescape_fail_threshold:
        description: "Sets fail threshold for Kubescape"
        required: true
        default: "30"

env:
  ENVIRONMENT: "dev"
  PROJECT_DIR: "game-2048-example"
  PROJECT_NAME: "game-2048"
  KUBESCAPE_FAIL_THRESHOLD: 30

jobs:
  build-and-test-application:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: npm install, build, and test
        run: |
          npm install
          npm run build --if-present
          npm test
        working-directory: ${{ env.PROJECT_DIR }}

  kubescape-nsa-security-check:
    runs-on: ubuntu-latest
    needs: build-and-test-application

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Install Kubescape
        run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash

      - name: Scan Kubernetes YAML files
        run: |
          kubescape scan framework nsa kustomize/ \
            -t ${{ github.event.inputs.kubescape_fail_threshold || env.KUBESCAPE_FAIL_THRESHOLD }} \
            --submit --account=${{ secrets.ARMOSEC_PORTAL_ACCOUNT_ID }}
        working-directory: ${{ env.PROJECT_DIR }}

      - name: Notify using Slack about Kubescape Scan Issues
        if: ${{ always() }}
        uses: 8398a7/action-slack@v3
        with:
          status: custom
          fields: workflow,job,commit,repo,ref,author,took
          custom_payload: |
            {
              attachments: [
              {
                color: '${{ job.status }}' === 'success' ? 'good' : '${{ job.status }}' === 'failure' ? 'danger' : 'warning',
                text:`
                  ${process.env.AS_WORKFLOW}\n
                  *Environment*: ${process.env.ENVIRONMENT}\n
                  *Job:* ${process.env.AS_JOB}\n
                  *Commit:* (${process.env.AS_COMMIT})\n
                  *Repo:* ${process.env.AS_REPO}\n
                  *Ref:* ${process.env.AS_REF}\n
                  *Author:* ${process.env.AS_AUTHOR}\n
                  *Status:* ${{ job.status }} in ${process.env.AS_TOOK}\n
                  *Kubescape scan results:* https://cloud.armosec.io/repositories-scan/
                `,
              }]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  build-and-push-app-image:
    runs-on: ubuntu-latest
    needs: kubescape-nsa-security-check

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Install doctl
        uses: digitalocean/action-doctl@v2
        with:
          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}

      - name: Log in to DigitalOcean Container Registry with short-lived credentials
        run: doctl registry login --expiry-seconds 600

      - name: Push App Image to DigitalOcean Container Registry
        uses: docker/build-push-action@v3
        with:
          context: ${{ env.PROJECT_DIR }}
          push: true
          tags: "${{ secrets.DOCKER_REGISTRY }}/${{ env.PROJECT_NAME }}:${{ github.sha }}"

  deploy-to-k8s:
    runs-on: ubuntu-latest
    needs: build-and-push-app-image

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Install doctl
        uses: digitalocean/action-doctl@v2
        with:
          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}

      - name: Install kubectl
        uses: azure/setup-kubectl@v3

      - name: Configure kubectl
        run: |
          doctl kubernetes cluster kubeconfig save ${{ secrets.DOKS_CLUSTER }} --expiry-seconds 600

      - name: Configure app deployment registry
        run: |
          DOCKER_IMAGE="${{ secrets.DOCKER_REGISTRY }}/${{ env.PROJECT_NAME }}:${{ github.sha }}"
          sed -i "s#image:.*#image: ${DOCKER_IMAGE}#g" deployment.yaml
        working-directory: ${{ env.PROJECT_DIR }}/kustomize/resources/

      - name: Deploy app to Kubernetes
        run: kubectl apply --prune --all -k kustomize/
        working-directory: ${{ env.PROJECT_DIR }}