Deploy containers to Azure #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy containers to Azure | |
| on: | |
| push: | |
| branches: | |
| - main | |
| # TODO match on regex instead | |
| paths: | |
| - pwn/** | |
| - web/** | |
| workflow_dispatch: | |
| jobs: | |
| main: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
| - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 | |
| with: | |
| python-version: 3.x | |
| cache: pip | |
| - name: Setup ctfcli | |
| run: | | |
| pip install -r requirements.txt | |
| ctf plugins install https://github.com/pl4nty/ctfcli-deploy-azure.git | |
| mkdir .ctf | |
| cat <<EOF > .ctf/config | |
| [config] | |
| url = https://${{ vars.CTFD_DOMAIN }} | |
| access_token = ${{ secrets.CTFD_TOKEN }} | |
| [cookies] | |
| site_password = ${{ secrets.CTFD_SITE_PASSWORD }} | |
| [challenges] | |
| EOF | |
| shopt -s extglob | |
| for chal in ?(pwn|web)/*/; do | |
| echo "$chal = $chal" >> .ctf/config | |
| done | |
| - uses: docker/setup-buildx-action@v3 | |
| - name: Add cache parameters to docker build | |
| run: | | |
| cat <<EOF > /tmp/rcfile | |
| docker() { | |
| if [ "$1" = "build" ]; then | |
| command docker build --cache-from type=gha --cache-to type=gha,mode=max "${@:2}" | |
| else | |
| command docker "$@" | |
| fi | |
| } | |
| EOF | |
| # azure-identity doesn't support GitHub WIF | |
| - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2 | |
| with: | |
| tenant-id: ${{ vars.AZURE_TENANT_ID }} | |
| client-id: ${{ vars.AZURE_CLIENT_ID }} | |
| allow-no-subscriptions: true | |
| - name: Setup Azure Container Registry | |
| run: az acr login --name ${{ vars.REGISTRY }} | |
| # TODO raise issue, throws error even if target challenge isn't deployable. ignore all errors for now | |
| - name: Deploy containers | |
| run: | | |
| source /tmp/rcfile | |
| ctf challenge deploy --skip-login --host "azure://management.azure.com${{ vars.AZURE_CONTAINER_ENV }}?registry=${{ vars.REGISTRY }}&identity=${{ vars.AZURE_CONTAINER_IDENTITY }}&suffix=${{ vars.AZURE_CONTAINER_SUFFIX }}" || true | |
| - name: Setup GitHub container registry | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| - name: Push container images to GitHub | |
| run: |- | |
| images=$(docker images $REGISTRY/*:latest --format "{{.Repository}}") | |
| for image in $images; do | |
| lowercase=${GITHUB_REPOSITORY_OWNER,,} | |
| newtag=${image//$REGISTRY/ghcr\.io\/$lowercase}:latest | |
| docker tag $image:latest $newtag | |
| docker push $newtag | |
| done | |
| env: | |
| REGISTRY: ${{ vars.REGISTRY }} |