This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

CI/CD NON PROD VOL selfserve #2

Workflow file for this run

.github/workflows/non-prod-vol-selfserve-build-deploy.yaml at a4ec268

	name: CI/CD NON PROD VOL selfserve
	run-name: CI/CD NON PROD VOL selfserve

	on:
	pull_request:
	branches:
	- master

	env:
	AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
	AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }}
	VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }}
	AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}

	# Permission can be added at job level or workflow level
	permissions:
	id-token: write # This is required for requesting the JWT
	contents: read # This is required for actions/checkout

	jobs:

	build:

	name: Build VOL selfserve
	runs-on: ubuntu-latest

	steps:

	- name: Checkout the repository to this runner
	uses: actions/checkout@v3

	# Create s3 bucket in vol-non-prod tooling & vol-prod tooling to get the composer
	- name: Download the compose file
	run: \|
	php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
	php composer-setup.php --install-dir=/usr/local/bin --filename=composer
	php -r "unlink('composer-setup.php');"

	- name: Install Composer dependencies
	run: \|
	composer install --optimize-autoloader --no-interaction --no-dev

	- name: Build VOL selfserve
	run: \|
	date > config/version
	git describe --all >> config/version
	tar cvzf selfserve.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor

	- name: Upload VOL selfserve artifact
	uses: actions/[email protected]
	with:
	name: selfserve
	path: ./selfserve.tar.gz

	unit-tests:

	name: Run Unit Tests
	runs-on: ubuntu-latest

	steps:

	- name: Checkout the repository to this runner
	uses: actions/checkout@v3

	- name: Run unit tests
	# if: github.event_name == 'pull_request'
	run: \|
	echo 'Run unit tests'
	ls -la ./

	build-test-push-sign-image:

	name: Build, Push & Sign Image
	runs-on: ubuntu-latest
	needs:
	- build
	- unit-tests

	steps:

	- name: Checkout the repository to this runner
	uses: actions/checkout@v3

	- name: Download VOL selfserve artifact
	uses: actions/[email protected]
	with:
	name: selfserve
	path: ./

	- name: Set BASE_IMAGE & VOL_selfserve_IMAGE_TAG
	run: \|
	envsubst < dockerfile \| tee dockerfile.tmp
	mv dockerfile.tmp dockerfile
	BASE_IMAGE=$(head -n1 dockerfile)
	echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
	echo "VOL_selfserve_IMAGE_TAG=approved-vol-selfserve-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV

	- name: Setup Notation CLI
	uses: notaryproject/notation-action/setup@v1
	with:
	version: 1.0.0

	- name: Set up Notation AWS Signer plugin
	run: \|
	wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
	sudo dpkg -i aws-signer-notation-cli_amd64.deb
	notation version
	notation plugin ls

	- name: Configure AWS credentials on Shared Core ECR
	uses: aws-actions/[email protected]
	with:
	role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
	role-session-name: GitHub_to_AWS_via_FederatedOIDC
	aws-region: ${{ vars.DVSA_AWS_REGION }}

	- name: Login to Shared Core ECR
	id: login-ecr-sharedcoreecr
	uses: aws-actions/[email protected]

	- name: Build VOL selfserve image after verifying Base image
	run: \|
	notation inspect $BASE_IMAGE
	docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
	--build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} .

	- name: Snyk scan VOL selfserve image
	id: scan-selfserve-image
	uses: snyk/actions/docker@master
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
	args: --file=dockerfile --severity-threshold=high
	continue-on-error: true

	- name: Configure AWS credentials on Non Production VOL ECR
	uses: aws-actions/[email protected]
	with:
	role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
	role-session-name: GitHub_to_AWS_via_FederatedOIDC
	aws-region: ${{ vars.DVSA_AWS_REGION}}

	- name: Login to Non Production VOL ECR
	id: login-ecr-vol-tooling-non-prod
	uses: aws-actions/[email protected]

	- name: Push VOL selfserve image
	# if: github.ref == 'refs/heads/main'
	id: push-image
	run: \|
	echo "image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT
	docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}

	- name: Sign VOL selfserve image
	# if: github.ref == 'refs/heads/main'
	run: \|
	notation sign ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
	--plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}"

	outputs:
	image_tag: ${{ steps.push-image.outputs.image_tag }}

	deploy-on-non-prod-cluster:

	name: Deploy on Non Prod Cluster
	# if: github.ref == 'refs/heads/main'

	needs:
	- build-test-push-sign-image

	uses: ./.github/workflows/trigger-github-workflow.yaml
	with:
	branch: 'feature/AWSRESET1-514'
	git_repository: 'dvsa/dvsa-container-registry'
	workflow_name: 'CD NON-PROD VOL selfserve'
	input_arguments: 'vol_selfserve_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
	secrets:
	gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}

	automation-tests:

	name: Run Automation Tests
	# if: github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest

	needs:
	- deploy-on-non-prod-cluster

	steps:

	- name: Run automation tests
	run: \|
	echo 'Run automation tests'

	build-nonprod-approved-image:

	name: Build Non PROD Approved Image
	# if: github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest

	needs:
	- automation-tests

	steps:

	- name: VOL_selfserve_IMAGE_TAG
	run: \|
	echo "VOL_selfserve_IMAGE_TAG=nonprod-${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV

	- name: Setup Notation CLI
	uses: notaryproject/notation-action/setup@v1
	with:
	version: 1.0.0

	- name: Set up Notation AWS Signer plugin
	run: \|
	wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
	sudo dpkg -i aws-signer-notation-cli_amd64.deb
	notation version
	notation plugin ls

	- name: Configure AWS credentials on Non Production VOL ECR
	uses: aws-actions/[email protected]
	with:
	role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
	role-session-name: GitHub_to_AWS_via_FederatedOIDC
	aws-region: ${{ vars.DVSA_AWS_REGION}}

	- name: Login to Non Production VOL ECR
	id: login-ecr-vol-tooling-non-prod
	uses: aws-actions/[email protected]

	- name: Push VOL selfserve image
	# if: github.ref == 'refs/heads/main'
	id: push-approved-image
	run: \|
	echo "approved_image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT
	docker tag ${VOL_NONPROD_TOOLING_REPO_URL}:${{ needs.build-test-push-sign-image.outputs.image_tag }} \
	${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}

	- name: Sign VOL selfserve image
	# if: github.ref == 'refs/heads/main'
	run: \|
	notation sign ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
	--plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}"

	outputs:
	image_tag: ${{ steps.push-approved-image.outputs.approved_image_tag }}

	qa-approval:

	name: QA VOL selfserve Image Approval
	# if: github.ref == 'refs/heads/main'

	needs:
	- build-nonprod-approved-image

	uses: ./.github/workflows/trigger-github-workflow.yaml
	with:
	branch: 'feature/AWSRESET1-514'
	git_repository: 'dvsa/olcs-selfserve'
	workflow_name: 'QA VOL selfserve ARTIFACT APPROVAL'
	input_arguments: '${{ needs.build-nonprod-approved-image.outputs.approved_image_tag }}'
	secrets:
	gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CI/CD NON PROD VOL selfserve #2

Workflow file

CI/CD NON PROD VOL selfserve #2

Jobs

Run details

Workflow file for this run