This repository has been archived by the owner on Aug 16, 2024. It is now read-only.
CI/CD STATIC VOL SELFSERVE #7
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD STATIC VOL SELFSERVE | |
run-name: CI/CD STATIC VOL SELFSERVE | |
on: | |
pull_request_review: | |
types: [edited, submitted] | |
pull_request: | |
# branches: | |
# - master | |
env: | |
AWS_REGION : ${{ vars.DVSA_AWS_REGION }} | |
VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }} #{account}.dkr.ecr.{region}.amazonaws.com/non-prod-vol-ssweb | |
AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }} | |
# Permission can be added at job level or workflow level | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
# security-events: write | |
jobs: | |
dockerfile-lint-check: | |
name: Dockerfile Lint Check | |
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' | |
uses: ./.github/workflows/docker-hadolint.yaml | |
security: | |
# name: Run security Check | |
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' | |
uses: dvsa/.github/.github/workflows/[email protected] | |
secrets: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
static-analysis: | |
# name: Perform static analysis | |
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' | |
uses: dvsa/.github/.github/workflows/[email protected] | |
# with: | |
# php-version: '7.4' | |
tests: | |
# name: Run tests | |
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' | |
uses: dvsa/.github/.github/workflows/[email protected] | |
with: | |
php-versions: "[\"7.4\"]" | |
# fail-fast: false | |
build-test-push-sign-image: | |
name: Build, Push & Sign Image | |
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' | |
runs-on: ubuntu-latest | |
# needs: | |
# - build | |
steps: | |
- name: Checkout the repository to this runner | |
uses: actions/checkout@v3 | |
- name: Build VOL API artifact | |
uses: dvsa/olcs-backend/.github/actions/build-ssweb@feature/AddWorkflows | |
- name: Set BASE_IMAGE & VOL_SSWEB_IMAGE_TAG | |
if: github.event.review.state == 'APPROVED' | |
run: | | |
envsubst < dockerfile | tee dockerfile.tmp | |
mv dockerfile.tmp dockerfile | |
BASE_IMAGE=$(head -n1 dockerfile) | |
echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV | |
echo "VOL_SSWEB_IMAGE_TAG=pr-approved-ssweb-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
- name: Configure AWS credentials on Shared Core ECR | |
if: github.event.review.state == 'APPROVED' | |
uses: aws-actions/[email protected] | |
with: | |
role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }} | |
role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
aws-region: ${{ vars.DVSA_AWS_REGION }} | |
- name: Login to Shared Core ECR | |
if: github.event.review.state == 'APPROVED' | |
id: login-ecr-sharedcoreecr | |
uses: aws-actions/[email protected] | |
- name: Verify base image | |
if: github.event.review.state == 'APPROVED' | |
uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows | |
with: | |
ecr_tagged_image: $BASE_IMAGE | |
image_sign_inspect: 'true' | |
# - name: Build VOL API image | |
# if: github.event.review.state == 'APPROVED' | |
# run: | | |
# docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_SSWEB_IMAGE_TAG} \ | |
# --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} . | |
# - name: Snyk scan VOL API image | |
# if: github.event.review.state == 'APPROVED' | |
# id: scan-api-image | |
# uses: snyk/actions/docker@master | |
# env: | |
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
# with: | |
# image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_SSWEB_IMAGE_TAG} | |
# args: --file=dockerfile --severity-threshold=high | |
# continue-on-error: true | |
# - name: Configure AWS credentials on Non Production VOL ECR | |
# if: github.event.review.state == 'APPROVED' | |
# uses: aws-actions/[email protected] | |
# with: | |
# role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} | |
# role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
# aws-region: ${{ vars.DVSA_AWS_REGION}} | |
# - name: Login to Non Production VOL ECR | |
# if: github.event.review.state == 'APPROVED' | |
# id: login-ecr-vol-tooling-non-prod | |
# uses: aws-actions/[email protected] | |
# - name: Push VOL API image | |
# if: github.event.review.state == 'APPROVED' | |
# id: push-image | |
# run: | | |
# echo "image_tag=${VOL_SSWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT | |
# docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_SSWEB_IMAGE_TAG} | |
# outputs: | |
# image_tag: ${{ steps.push-image.outputs.image_tag }} | |
# deploy-on-static-cluster: | |
# name: Deploy on Static ECS Cluster | |
# if: github.event.review.state == 'APPROVED' | |
# needs: | |
# - dockerfile-lint-check | |
# - unit-tests | |
# - build-test-push-sign-image | |
# runs-on: ubuntu-latest | |
# steps: | |
# - name: Deploy | |
# run: | | |
# echo 'Deploy on Static' | |
# # uses: ./.github/workflows/trigger-github-workflow.yaml | |
# # with: | |
# # branch: 'feature/AWSRESET1-514' | |
# # git_repository: 'dvsa/dvsa-container-registry' | |
# # workflow_name: 'CD NON-PROD VOL API' | |
# # input_arguments: 'VOL_SSWEB_IMAGE_TAG=${{ needs.build-test-push-sign-image.outputs.image_tag }}' | |
# # secrets: | |
# # gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} | |
# automation-tests: | |
# name: Run Automation Tests | |
# if: github.event.review.state == 'APPROVED' | |
# runs-on: ubuntu-latest | |
# needs: | |
# - deploy-on-static-cluster | |
# steps: | |
# - name: Run automation tests | |
# run: | | |
# echo 'Run automation tests' |