15-June-25
Daily Quest #7: Workflow Triggers
In GitHub Actions you can configure your workflows to run when specific activity happens on GitHub, at a scheduled time, or when an event outside GitHub occurs. Workflow triggers are the events that cause a workflow to run. For example, use the `push` trigger when you want a job to run whenever someone pushes to the main branch, or `pull_request` when the job validates code before it is merged into main.
- Create `triggers-workflow.yml`

```yaml
name: artifacts-workflows
on:
  push:
  pull_request:
  schedule:
    - cron: '0 0 * * *' # every day at midnight (UTC)
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get event
        run: |
          echo "Report at $(date)" > report.txt
          echo "Triggered by ${{ github.event_name }}" >> report.txt
      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: report
          path: report.txt
```
Explanation: this workflow runs on `push`, on `pull_request`, and on the schedule every midnight.
- Push, and check the result:

Workflow triggered by push to main branch
Answer:
- `schedule` is chosen when you want the workflow to run automatically at a particular time, whereas `workflow_dispatch` is chosen when you want the workflow to be run manually.
- Access rights must be considered when using a manual trigger such as `workflow_dispatch`, to prevent irresponsible people from running the workflow.
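As an added example (not part of the original notes), the workflow below builds on the two answers above: branch and path filters narrow the `push` and `pull_request` triggers, the schedule stays, and a `workflow_dispatch` trigger with a typed input is tied to a job-level `environment`, so a manual run against production has to pass that environment's required-reviewer rule and the approver is recorded in the run log. The file name, the workflow name and the environment names `staging` and `production` are assumptions; the environments have to exist in the repository settings for the gate to apply.

```yaml
# .github/workflows/triggers-guarded.yml  (assumed file name; added example)
name: triggers-guarded
on:
  push:
    branches: [main]            # ignore pushes to other branches
    paths-ignore: ['**.md']     # docs-only pushes do not start a run
  pull_request:
    branches: [main]            # validate PRs that target main
  schedule:
    - cron: '0 0 * * *'         # every day at 00:00 UTC
  workflow_dispatch:
    inputs:
      target:
        description: 'Environment the report is generated for'
        required: true
        type: choice
        options: [staging, production]
        default: staging

# Least privilege for the GITHUB_TOKEN: these jobs only read the repository.
permissions:
  contents: read

jobs:
  # Automatic runs (push, pull_request, schedule): no environment gate needed.
  auto-report:
    if: github.event_name != 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Write report
        run: |
          echo "Report at $(date -u)" > report.txt
          echo "Triggered by ${{ github.event_name }}" >> report.txt
      - uses: actions/upload-artifact@v4
        with:
          name: report
          path: report.txt

  # Manual runs: the job is attached to the environment named in the input
  # (assumed to exist). Required reviewers on the "production" environment
  # make a manual production run wait for approval before the steps execute.
  manual-report:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    environment: ${{ inputs.target }}
    steps:
      - uses: actions/checkout@v4
      - name: Write report
        env:
          TARGET: ${{ inputs.target }}
          # triggering_actor is the user who clicked "Run workflow"
          TRIGGERED_BY: ${{ github.triggering_actor }}
        run: |
          echo "Report at $(date -u)" > report.txt
          echo "Manual run for $TARGET started by $TRIGGERED_BY" >> report.txt
      - uses: actions/upload-artifact@v4
        with:
          name: report-${{ inputs.target }}
          path: report.txt
```

Inputs reach the shell through `env:` rather than being interpolated into the `run:` script, which is the habit to keep even for a `choice` input whose values are fixed.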
Daily Quest #8: Parameterization & Reuse
Sometimes a complex workflow needs values that can be adjusted, such as the environment name, a script path or build flags, without duplicating a lot of code in the YAML workflow file. In GitHub Actions you can reuse workflows: you, and anyone with access to the reusable workflow, can call it from another workflow.

Real-world case: if you have the same deploy job for staging, QA and production, you need one reusable workflow, `deploy.yml`, and then call it with the input value `env_stg` or `env_prod`.
- Create the `reusable.yml` workflow

```yaml
name: Reusable Template
on:
  workflow_call:
    inputs:
      env_name:
        required: true
        type: string
      script_path:
        required: true
        type: string
jobs:
  run-script:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Echo parameters
        run: |
          echo "Running script in environment: ${{ inputs.env_name }}"
          echo "Script path: ${{ inputs.script_path }}"
      - name: Run script
        env:
          # pass the input through an environment variable instead of
          # interpolating it into the shell script (avoids script injection)
          SCRIPT_PATH: ${{ inputs.script_path }}
        run: |
          bash "$SCRIPT_PATH"
```
- Create another workflow that calls the reusable one; here I call it with the staging path

```yaml
name: Call Reusable
on:
  workflow_dispatch:
jobs:
  invoke:
    # the path must match the file created above (reusable.yml)
    uses: ./.github/workflows/reusable.yml
    with:
      env_name: staging
      script_path: ./script/staging.sh
```
- Push and see the result


Answer:
- By using a reusable workflow, we can use one workflow many times without writing a separate workflow for each environment.
- I would not use reusable workflows if only a single workflow is used.
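The real-world case above (one deploy workflow called for staging, QA and production) as an added example that is not part of the original notes. The reusable workflow declares a required secret as well as its inputs, uses the `env_name` input as the job's `environment` so each environment's protection rules and secrets apply, and the caller fans out over the three environments with a matrix. The file names, the script paths and the secret name `DEPLOY_TOKEN` are assumptions.

```yaml
# .github/workflows/deploy.yml  (the reusable workflow; assumed file name)
name: Deploy (reusable)
on:
  workflow_call:
    inputs:
      env_name:
        description: 'Target environment: staging, qa or production'
        required: true
        type: string
      script_path:
        required: false
        type: string
        default: ./script/deploy.sh
    secrets:
      DEPLOY_TOKEN:           # assumed secret name; the caller must pass it
        required: true

permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # The input doubles as the environment name, so the job inherits that
    # environment's required reviewers and environment-scoped secrets.
    environment: ${{ inputs.env_name }}
    steps:
      - uses: actions/checkout@v4
      - name: Run deploy script
        env:
          ENV_NAME: ${{ inputs.env_name }}
          SCRIPT_PATH: ${{ inputs.script_path }}
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: |
          # Inputs arrive as environment variables, so a caller-supplied value
          # is never spliced into the script text.
          test -f "$SCRIPT_PATH" || { echo "missing $SCRIPT_PATH" >&2; exit 1; }
          bash "$SCRIPT_PATH" "$ENV_NAME"
---
# .github/workflows/call-deploy.yml  (the caller; assumed file name)
name: Deploy all environments
on:
  push:
    branches: [main]

jobs:
  fan-out:
    strategy:
      fail-fast: false          # a failing staging deploy does not cancel qa
      matrix:
        env_name: [staging, qa, production]
    uses: ./.github/workflows/deploy.yml
    with:
      env_name: ${{ matrix.env_name }}
      script_path: ./script/${{ matrix.env_name }}.sh   # assumed script layout
    secrets:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

Because `production` is an environment with its own protection rules, the matrix leg for it waits for approval while the staging and qa legs run; the caller never has to repeat the deploy steps, only the per-environment values.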
Daily Quest #9: Conditional Execution
You can use expressions to programmatically set environment variables in workflow files and to access contexts. Expressions are commonly used with the conditional `if` keyword in a workflow file to determine whether a step should run: when the `if` conditional is true, the step runs.
Reference :
- https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions
- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idif
Use an `if` expression in GitHub Actions to run a specific job or step only when the condition matches; this saves resources and makes the pipeline more efficient.
- Create `conditional-workflow.yaml`

```yaml
name: Conditional Workflow
on:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run tests
        if: github.ref == 'refs/heads/main'
        run: |
          echo "Running tests on main branch"
      - name: Lint JS files
        # true when any file modified by the head commit contains ".js"
        # (note: this also matches ".json")
        if: contains(join(github.event.head_commit.modified, ','), '.js')
        run: |
          echo "Linting JavaScript files"
```
- Push and see the result. Make sure the Lint JS step was skipped (because no .js file was found in the repository).

Answer
- A condition at the job level is needed when the condition applies to all the steps that follow. (please explain this part more)
- Conditions that are too complex make the YAML file hard to read and maintain. The mitigation is to make the JS files more efficient.
Reflection answer
- Use an `if` statement at the job level when the whole job should run or be skipped based on the condition, for example running the lint or deploy job only on the main branch. That is cleaner than writing an `if` on every step.
- To mitigate expressions that are too complex: first, split the condition into reusable workflows or composite actions to isolate the logic; second, use an external script (JS/TS) to evaluate the condition and then reference its result in the `if` statement in the workflow.
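Both reflection points worked through as an added example (not part of the original notes): a small `detect` job runs an external shell check and publishes the result as a job output, and the `lint-js` and `deploy` jobs carry job-level `if` conditions on that output and on the branch instead of per-step conditions. The job names are assumptions.

```yaml
# .github/workflows/conditional-jobs.yml  (assumed file name; added example)
name: Conditional (job-level)
on:
  push:

permissions:
  contents: read

jobs:
  # The condition lives in a script; the workflow only reads its output.
  detect:
    runs-on: ubuntu-latest
    outputs:
      js_changed: ${{ steps.diff.outputs.js_changed }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history so the pushed range can be diffed
      - name: Detect changed JS files
        id: diff
        env:
          BEFORE: ${{ github.event.before }}
          AFTER: ${{ github.sha }}
        run: |
          # On the first push of a new branch "before" is all zeros and is not
          # a real commit; fall back to the parent of the pushed commit.
          if ! git cat-file -e "$BEFORE" 2>/dev/null; then
            BEFORE="${AFTER}~1"
          fi
          # Anchored on the extension, so ".json" does not count as ".js".
          if git diff --name-only "$BEFORE" "$AFTER" | grep -q '\.js$'; then
            echo "js_changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "js_changed=false" >> "$GITHUB_OUTPUT"
          fi

  # Whole job skipped, not just its steps, when no JS file changed.
  lint-js:
    needs: detect
    if: needs.detect.outputs.js_changed == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Linting JavaScript files"

  # Runs only on main. A skipped lint-js would normally skip deploy too, so the
  # condition explicitly allows "skipped" while still blocking on a failure or
  # a cancellation. An expression that starts with "!" must be wrapped in
  # ${{ }} because "!" is YAML tag syntax.
  deploy:
    needs: [detect, lint-js]
    if: ${{ !cancelled() && !failure() && github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying from main"
```

The `detect` job is the "external script" from the second reflection point in its simplest form; a JS/TS script would replace the `run:` body and write the same `name=value` line to `$GITHUB_OUTPUT`.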
Daily Quest #10: Security Scanning
Security matters most when we want to deploy our application to production. In a DevOps pipeline, security scanning helps detect vulnerabilities in source code or dependencies before deploying to production. Tools such as Trivy (container and image scanning), SonarQube and Dependabot can be integrated into workflows, so the DevOps team can prevent security issues. Reference:
- http://trivy.dev/latest/docs/
- https://github.com/aquasecurity/trivy-action
Scenario: create a workflow that builds the Dockerfile and scans the resulting image with Trivy
- Create workflow `security-scan.yaml`

```yaml
name: Security Scanning
on:
  - push
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build docker image
        run: |
          echo "Building Docker image..."
          docker build -t ${{ github.repository }}:latest .
          echo "Docker image built successfully."
      - name: Run Trivy scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ github.repository }}:latest
          format: table
          exit-code: 1            # fail the job when a finding matches
          vuln-type: os,library
          severity: CRITICAL,HIGH,MEDIUM
```
- Create a simple Dockerfile

```dockerfile
FROM ubuntu:20.04
```
- Push & see results

Found a medium vulnerability.
Answer:
- Setting the exit code when a critical/high severity vulnerability is found cancels the rest of the workflow run and notifies the developers that the Docker image has a vulnerability.
- We need to make sure the severity settings for production and for development can be passed for security.
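The second answer, different severity thresholds for production and development, as an added example that is not part of the original notes. The first Trivy step never fails and writes SARIF that is uploaded to the repository's Security tab; the second step is the gate, and its `severity` (and `ignore-unfixed`) are chosen by branch with the `&&`/`||` expression idiom. The image name is lower-cased because `github.repository` may contain capitals while Docker image names may not. The branch names and the file name are assumptions.

```yaml
# .github/workflows/security-scan-gated.yml  (assumed file name; added example)
name: Security Scanning (gated by branch)
on:
  push:
    branches: [main, develop]
  pull_request:

permissions:
  contents: read
  security-events: write        # required to upload SARIF results

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        id: build
        env:
          REPO: ${{ github.repository }}
          TAG: ${{ github.sha }}
        run: |
          # Docker image names must be lower case; the repository name may not be.
          image="$(printf '%s' "$REPO" | tr '[:upper:]' '[:lower:]'):$TAG"
          docker build -t "$image" .
          echo "image=$image" >> "$GITHUB_OUTPUT"

      # Report step: exit-code 0, so every finding is recorded without
      # stopping the job; the SARIF goes to the Security tab.
      - name: Trivy report
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.build.outputs.image }}
          format: sarif
          output: trivy-results.sarif
          exit-code: 0
          vuln-type: os,library

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        if: always()              # upload even if a later step fails
        with:
          sarif_file: trivy-results.sarif

      # Gate step: main blocks on MEDIUM as well and counts unfixed findings;
      # other branches block only on CRITICAL/HIGH with an available fix.
      - name: Trivy gate
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.build.outputs.image }}
          format: table
          exit-code: 1
          vuln-type: os,library
          ignore-unfixed: ${{ github.ref != 'refs/heads/main' }}
          severity: ${{ github.ref == 'refs/heads/main' && 'CRITICAL,HIGH,MEDIUM' || 'CRITICAL,HIGH' }}
```

Splitting "report" from "gate" keeps the full finding list visible in the Security tab even on branches where the gate is lenient, so loosening the threshold for development never hides anything.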
Daily Quest #11: Concurrency & Cancellation
In CI/CD, concurrency makes sure only one workflow run is active at a time within a group (for example per branch or per workflow). Reference:
- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#concurrency
Real-world use case: developers repeatedly commit and push hotfixes to the main branch. If another job or workflow using the same concurrency group in the repository is in progress, the queued job or workflow will be pending.
Scenario: create a concurrency workflow that only runs for the latest update; when another run in the group is in progress, cancel it, so only the latest push runs.
- Create `concurrency-workflow.yaml`

```yaml
name: Concurrency workflows
on:
  - push
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  concurrency-workflow:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Run concurrency workflow
        run: echo "This is a concurrency workflow that will run only once per branch."
      - name: Show run number
        run: |
          echo "Run number: ${{ github.run_number }} on ref ${{ github.ref }}"
      - name: Simulate work
        run: |
          echo "Simulating work..."
          sleep 30
          echo "Work done!"
```
- Push and check the result.


The earlier workflow run was cancelled because the latest update to the repository has higher priority.
Answer
- `group` and `cancel-in-progress` cancel a running workflow when a workflow in the same group is running with higher priority (like the latest update to the repository).
- Scenario when another version needs to be pushed (please explain)
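The open scenario in the answer above, a new push arriving while a deploy is already running, as an added example that is not part of the original notes. Cancelling in progress is right for feature branches, where only the latest push matters, but killing a half-finished production deploy is not; the workflow therefore cancels only off main, and the deploy job gets its own non-cancelling group so two deploys can never overlap. The job names and the group name `deploy-production` are assumptions.

```yaml
# .github/workflows/concurrency-safe-cancel.yml  (assumed file name; added example)
name: Concurrency (safe cancel)
on:
  push:
  pull_request:

# One queue per workflow and ref (a pull_request ref contains the PR number,
# so every PR has its own group). Off main a newer push cancels the older run;
# on main the newer run waits instead, so an in-flight deploy is never killed.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Run ${{ github.run_number }} on ${{ github.ref }}"

  deploy:
    needs: build
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Job-level group shared by every workflow that deploys to production:
    # deploys are serialised across workflows and never cancelled mid-way.
    concurrency:
      group: deploy-production
      cancel-in-progress: false
    steps:
      - run: |
          echo "Deploying run ${{ github.run_number }}"
          sleep 30
          echo "Deploy done"
```

With `cancel-in-progress: false` GitHub still keeps only one pending run per group: when a third push to main arrives while one deploy is running and one is queued, the queued one is replaced by the newest, so the pipeline converges on the latest version without ever interrupting a deploy that has started.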