This repository has been archived by the owner on Aug 16, 2024. It is now read-only.
CI/CD NON PROD VOL selfserve #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD NON PROD VOL selfserve | |
run-name: CI/CD NON PROD VOL selfserve | |
on: | |
pull_request: | |
branches: | |
- master | |
env: | |
AWS_REGION : ${{ vars.DVSA_AWS_REGION }} | |
AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }} | |
VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }} | |
AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }} | |
# Permission can be added at job level or workflow level | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
jobs: | |
build: | |
name: Build VOL selfserve | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout the repository to this runner | |
uses: actions/checkout@v3 | |
# Create s3 bucket in vol-non-prod tooling & vol-prod tooling to get the composer | |
- name: Download the compose file | |
run: | | |
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" | |
php composer-setup.php --install-dir=/usr/local/bin --filename=composer | |
php -r "unlink('composer-setup.php');" | |
- name: Install Composer dependencies | |
run: | | |
composer install --optimize-autoloader --no-interaction --no-dev | |
- name: Build VOL selfserve | |
run: | | |
date > config/version | |
git describe --all >> config/version | |
tar cvzf selfserve.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor | |
- name: Upload VOL selfserve artifact | |
uses: actions/[email protected] | |
with: | |
name: selfserve | |
path: ./selfserve.tar.gz | |
unit-tests: | |
name: Run Unit Tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout the repository to this runner | |
uses: actions/checkout@v3 | |
- name: Run unit tests | |
# if: github.event_name == 'pull_request' | |
run: | | |
echo 'Run unit tests' | |
ls -la ./ | |
build-test-push-sign-image: | |
name: Build, Push & Sign Image | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
- unit-tests | |
steps: | |
- name: Checkout the repository to this runner | |
uses: actions/checkout@v3 | |
- name: Download VOL selfserve artifact | |
uses: actions/[email protected] | |
with: | |
name: selfserve | |
path: ./ | |
- name: Set BASE_IMAGE & VOL_selfserve_IMAGE_TAG | |
run: | | |
envsubst < dockerfile | tee dockerfile.tmp | |
mv dockerfile.tmp dockerfile | |
BASE_IMAGE=$(head -n1 dockerfile) | |
echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV | |
echo "VOL_selfserve_IMAGE_TAG=approved-vol-selfserve-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
- name: Setup Notation CLI | |
uses: notaryproject/notation-action/setup@v1 | |
with: | |
version: 1.0.0 | |
- name: Set up Notation AWS Signer plugin | |
run: | | |
wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb | |
sudo dpkg -i aws-signer-notation-cli_amd64.deb | |
notation version | |
notation plugin ls | |
- name: Configure AWS credentials on Shared Core ECR | |
uses: aws-actions/[email protected] | |
with: | |
role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }} | |
role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
aws-region: ${{ vars.DVSA_AWS_REGION }} | |
- name: Login to Shared Core ECR | |
id: login-ecr-sharedcoreecr | |
uses: aws-actions/[email protected] | |
- name: Build VOL selfserve image after verifying Base image | |
run: | | |
notation inspect $BASE_IMAGE | |
docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \ | |
--build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} . | |
- name: Snyk scan VOL selfserve image | |
id: scan-selfserve-image | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} | |
args: --file=dockerfile --severity-threshold=high | |
continue-on-error: true | |
- name: Configure AWS credentials on Non Production VOL ECR | |
uses: aws-actions/[email protected] | |
with: | |
role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} | |
role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
aws-region: ${{ vars.DVSA_AWS_REGION}} | |
- name: Login to Non Production VOL ECR | |
id: login-ecr-vol-tooling-non-prod | |
uses: aws-actions/[email protected] | |
- name: Push VOL selfserve image | |
# if: github.ref == 'refs/heads/main' | |
id: push-image | |
run: | | |
echo "image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT | |
docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} | |
- name: Sign VOL selfserve image | |
# if: github.ref == 'refs/heads/main' | |
run: | | |
notation sign ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \ | |
--plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}" | |
outputs: | |
image_tag: ${{ steps.push-image.outputs.image_tag }} | |
deploy-on-non-prod-cluster: | |
name: Deploy on Non Prod Cluster | |
# if: github.ref == 'refs/heads/main' | |
needs: | |
- build-test-push-sign-image | |
uses: ./.github/workflows/trigger-github-workflow.yaml | |
with: | |
branch: 'feature/AWSRESET1-514' | |
git_repository: 'dvsa/dvsa-container-registry' | |
workflow_name: 'CD NON-PROD VOL selfserve' | |
input_arguments: 'vol_selfserve_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}' | |
secrets: | |
gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} | |
automation-tests: | |
name: Run Automation Tests | |
# if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
needs: | |
- deploy-on-non-prod-cluster | |
steps: | |
- name: Run automation tests | |
run: | | |
echo 'Run automation tests' | |
build-nonprod-approved-image: | |
name: Build Non PROD Approved Image | |
# if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
needs: | |
- automation-tests | |
steps: | |
- name: VOL_selfserve_IMAGE_TAG | |
run: | | |
echo "VOL_selfserve_IMAGE_TAG=nonprod-${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV | |
- name: Setup Notation CLI | |
uses: notaryproject/notation-action/setup@v1 | |
with: | |
version: 1.0.0 | |
- name: Set up Notation AWS Signer plugin | |
run: | | |
wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb | |
sudo dpkg -i aws-signer-notation-cli_amd64.deb | |
notation version | |
notation plugin ls | |
- name: Configure AWS credentials on Non Production VOL ECR | |
uses: aws-actions/[email protected] | |
with: | |
role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} | |
role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
aws-region: ${{ vars.DVSA_AWS_REGION}} | |
- name: Login to Non Production VOL ECR | |
id: login-ecr-vol-tooling-non-prod | |
uses: aws-actions/[email protected] | |
- name: Push VOL selfserve image | |
# if: github.ref == 'refs/heads/main' | |
id: push-approved-image | |
run: | | |
echo "approved_image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT | |
docker tag ${VOL_NONPROD_TOOLING_REPO_URL}:${{ needs.build-test-push-sign-image.outputs.image_tag }} \ | |
${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} | |
- name: Sign VOL selfserve image | |
# if: github.ref == 'refs/heads/main' | |
run: | | |
notation sign ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \ | |
--plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}" | |
outputs: | |
image_tag: ${{ steps.push-approved-image.outputs.approved_image_tag }} | |
qa-approval: | |
name: QA VOL selfserve Image Approval | |
# if: github.ref == 'refs/heads/main' | |
needs: | |
- build-nonprod-approved-image | |
uses: ./.github/workflows/trigger-github-workflow.yaml | |
with: | |
branch: 'feature/AWSRESET1-514' | |
git_repository: 'dvsa/olcs-selfserve' | |
workflow_name: 'QA VOL selfserve ARTIFACT APPROVAL' | |
input_arguments: '${{ needs.build-nonprod-approved-image.outputs.approved_image_tag }}' | |
secrets: | |
gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} |