Skip to content
This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

CI/CD STATIC VOL SELFSERVE #2

CI/CD STATIC VOL SELFSERVE

CI/CD STATIC VOL SELFSERVE #2

name: CI/CD STATIC VOL SELFSERVE
run-name: CI/CD STATIC VOL SELFSERVE
on:
pull_request_review:
types: [edited, submitted]
pull_request:
# branches:
# - master
env:
AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }} #{account}.dkr.ecr.{region}.amazonaws.com/non-prod-vol-ssweb
AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}
# Permission can be added at job level or workflow level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
dockerfile-lint-check:
name: Dockerfile Lint Check
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
uses: ./.github/workflows/docker-hadolint.yaml
security:

Check failure on line 28 in .github/workflows/static-vol-selfserve-build-deploy.yaml

View workflow run for this annotation

GitHub Actions / CI/CD STATIC VOL SELFSERVE

Invalid workflow file

The workflow is not valid. .github/workflows/static-vol-selfserve-build-deploy.yaml (Line: 28, Col: 3): Error calling workflow 'dvsa/.github/.github/workflows/php-security.yml@main'. The nested job 'snyk' is requesting 'actions: read, security-events: write', but is only allowed 'actions: none, security-events: none'.
name: Run security Check
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
uses: dvsa/.github/.github/workflows/php-security.yml@main
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
static-analysis:
name: Perform static analysis
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
uses: dvsa/.github/.github/workflows/php-static.yml@main
with:
php-version: '7.4'
tests:
name: Run tests
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
uses: dvsa/.github/.github/workflows/php-tests.yml@main
with:
php-versions: "[\"7.4\"]"
fail-fast: false
build-test-push-sign-image:
name: Build, Push & Sign Image
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
runs-on: ubuntu-latest
# needs:
# - build
steps:
- name: Checkout the repository to this runner
uses: actions/checkout@v3
- name: Build VOL API artifact
uses: dvsa/olcs-backend/.github/actions/build-ssweb@feature/AddWorkflows
- name: Set BASE_IMAGE & VOL_SSWEB_IMAGE_TAG
if: github.event.review.state == 'APPROVED'
run: |
envsubst < dockerfile | tee dockerfile.tmp
mv dockerfile.tmp dockerfile
BASE_IMAGE=$(head -n1 dockerfile)
echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
echo "VOL_SSWEB_IMAGE_TAG=pr-approved-ssweb-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Configure AWS credentials on Shared Core ECR
if: github.event.review.state == 'APPROVED'
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.DVSA_AWS_REGION }}
- name: Login to Shared Core ECR
if: github.event.review.state == 'APPROVED'
id: login-ecr-sharedcoreecr
uses: aws-actions/[email protected]
- name: Verify base image
if: github.event.review.state == 'APPROVED'
uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows
with:
ecr_tagged_image: $BASE_IMAGE
image_sign_inspect: 'true'
# - name: Build VOL API image
# if: github.event.review.state == 'APPROVED'
# run: |
# docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_SSWEB_IMAGE_TAG} \
# --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} .
# - name: Snyk scan VOL API image
# if: github.event.review.state == 'APPROVED'
# id: scan-api-image
# uses: snyk/actions/docker@master
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_SSWEB_IMAGE_TAG}
# args: --file=dockerfile --severity-threshold=high
# continue-on-error: true
# - name: Configure AWS credentials on Non Production VOL ECR
# if: github.event.review.state == 'APPROVED'
# uses: aws-actions/[email protected]
# with:
# role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
# role-session-name: GitHub_to_AWS_via_FederatedOIDC
# aws-region: ${{ vars.DVSA_AWS_REGION}}
# - name: Login to Non Production VOL ECR
# if: github.event.review.state == 'APPROVED'
# id: login-ecr-vol-tooling-non-prod
# uses: aws-actions/[email protected]
# - name: Push VOL API image
# if: github.event.review.state == 'APPROVED'
# id: push-image
# run: |
# echo "image_tag=${VOL_SSWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT
# docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_SSWEB_IMAGE_TAG}
# outputs:
# image_tag: ${{ steps.push-image.outputs.image_tag }}
# deploy-on-static-cluster:
# name: Deploy on Static ECS Cluster
# if: github.event.review.state == 'APPROVED'
# needs:
# - dockerfile-lint-check
# - unit-tests
# - build-test-push-sign-image
# runs-on: ubuntu-latest
# steps:
# - name: Deploy
# run: |
# echo 'Deploy on Static'
# # uses: ./.github/workflows/trigger-github-workflow.yaml
# # with:
# # branch: 'feature/AWSRESET1-514'
# # git_repository: 'dvsa/dvsa-container-registry'
# # workflow_name: 'CD NON-PROD VOL API'
# # input_arguments: 'VOL_SSWEB_IMAGE_TAG=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
# # secrets:
# # gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}
# automation-tests:
# name: Run Automation Tests
# if: github.event.review.state == 'APPROVED'
# runs-on: ubuntu-latest
# needs:
# - deploy-on-static-cluster
# steps:
# - name: Run automation tests
# run: |
# echo 'Run automation tests'