Skip to content
This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

CI/CD STATIC SELFSERVE #11

CI/CD STATIC SELFSERVE

CI/CD STATIC SELFSERVE #11

name: CI/CD STATIC SELFSERVE
run-name: CI/CD STATIC SELFSERVE
on:
pull_request_review:
types: [edited, submitted]
pull_request:
# branches:
# - master
env:
AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }} #{account}.dkr.ecr.{region}.amazonaws.com/non-prod-vol-ssweb
AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}
# Permission can be added at job level or workflow level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
# security-events: write
jobs:
dockerfile-lint-check:
name: Dockerfile Lint Check
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
uses: ./.github/workflows/docker-hadolint.yaml
# security:
# if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
# uses: dvsa/.github/.github/workflows/[email protected]
# secrets:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# static-analysis:
# if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
# uses: dvsa/.github/.github/workflows/[email protected]
# # with:
# # php-version: '7.4'
# tests:
# if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
# uses: dvsa/.github/.github/workflows/[email protected]
# with:
# php-versions: "[\"7.4\"]"
# # fail-fast: false
unit-tests:
name: Run Unit Tests
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
runs-on: ubuntu-latest
steps:
- name: Checkout the repository to this runner
uses: actions/checkout@v3
- name: Run unit tests
# if: github.event_name == 'pull_request'
run: |
echo 'Run unit tests'
ls -la ./
build-test-push-sign-image:
name: Build, Push & Sign Image
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
runs-on: ubuntu-latest
# needs:
# - build
steps:
- name: Checkout the repository to this runner
uses: actions/checkout@v3
- name: Build VOL API artifact
uses: dvsa/olcs-selfserve/.github/actions/build-ssweb@feature/AddWorkflows
- name: Set BASE_IMAGE & VOL_SSWEB_IMAGE_TAG
# if: github.event.review.state == 'APPROVED'
run: |
envsubst < dockerfile | tee dockerfile.tmp
mv dockerfile.tmp dockerfile
BASE_IMAGE=$(head -n1 dockerfile)
echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
echo "VOL_SSWEB_IMAGE_TAG=pr-approved-ssweb-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Configure AWS credentials on Shared Core ECR
# if: github.event.review.state == 'APPROVED'
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.DVSA_AWS_REGION }}
- name: Login to Shared Core ECR
# if: github.event.review.state == 'APPROVED'
id: login-ecr-sharedcoreecr
uses: aws-actions/[email protected]
- name: Verify base image
# if: github.event.review.state == 'APPROVED'
uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows
with:
ecr_tagged_image: $BASE_IMAGE
image_sign_inspect: 'true'
- name: Build SelfServe image
# if: github.event.review.state == 'APPROVED'
run: |
docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_SSWEB_IMAGE_TAG} \
--build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} .
- name: Snyk scan SelfServe image
# if: github.event.review.state == 'APPROVED'
id: scan-api-image
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_SSWEB_IMAGE_TAG}
args: --file=dockerfile --severity-threshold=high
continue-on-error: true
- name: Configure AWS credentials on Non Production VOL ECR
# if: github.event.review.state == 'APPROVED'
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.DVSA_AWS_REGION}}
- name: Login to Non Production VOL ECR
# if: github.event.review.state == 'APPROVED'
id: login-ecr-vol-tooling-non-prod
uses: aws-actions/[email protected]
- name: Push SelfServe image
# if: github.event.review.state == 'APPROVED'
id: push-image
run: |
echo "image_tag=${VOL_SSWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT
docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_SSWEB_IMAGE_TAG}
outputs:
image_tag: ${{ steps.push-image.outputs.image_tag }}
# deploy-on-static-cluster:
# name: Deploy on Static ECS Cluster
# if: github.event.review.state == 'APPROVED'
# needs:
# - dockerfile-lint-check
# - unit-tests
# - build-test-push-sign-image
# runs-on: ubuntu-latest
# steps:
# - name: Deploy
# run: |
# echo 'Deploy on Static'
# # uses: ./.github/workflows/trigger-github-workflow.yaml
# # with:
# # branch: 'feature/AWSRESET1-514'
# # git_repository: 'dvsa/dvsa-container-registry'
# # workflow_name: 'CD NON-PROD VOL API'
# # input_arguments: 'VOL_SSWEB_IMAGE_TAG=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
# # secrets:
# # gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}
# automation-tests:
# name: Run Automation Tests
# if: github.event.review.state == 'APPROVED'
# runs-on: ubuntu-latest
# needs:
# - deploy-on-static-cluster
# steps:
# - name: Run automation tests
# run: |
# echo 'Run automation tests'