Skip to content
This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

CI/CD STATIC SELFSERVE WEB #81

CI/CD STATIC SELFSERVE WEB

CI/CD STATIC SELFSERVE WEB #81

name: CI/CD STATIC SELFSERVE WEB
run-name: CI/CD STATIC SELFSERVE WEB
on:
pull_request_review:
types: [edited, submitted]
pull_request:
branches:
- master
env:
AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
SSWEB_NONPROD_TOOLING_REPO_URL: ${{ secrets.SSWEB_NONPROD_TOOLING_ECR_REPO_URL }} #{account}.dkr.ecr.{region}.amazonaws.com/non-prod-vol-ssweb
AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}
# Permission can be added at job level or workflow level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
# security-events: write
jobs:
dockerfile-lint-check:
name: Dockerfile Lint Check
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
uses: dvsa/.github/.github/workflows/docker-hadolint.yaml@feature/AddMiscAuxilaryWorkflows
with:
dockerfile_name: dockerfile
supress_rule_list: DL3018,DL3048
# security:
# if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
# uses: dvsa/.github/.github/workflows/[email protected]
# secrets:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# static-analysis:
# if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
# uses: dvsa/.github/.github/workflows/[email protected]
# # with:
# # php-version: '7.4'
# tests:
# if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
# uses: dvsa/.github/.github/workflows/[email protected]
# with:
# php-versions: "[\"7.4\"]"
# # fail-fast: false
unit-tests:
name: Run Unit Tests
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
runs-on: ubuntu-latest
steps:
- name: Checkout the repository to this runner
uses: actions/checkout@v3
- name: Run unit tests
run: |
echo 'Run unit tests'
ls -la ./
build-test-push-sign-image:
name: Build, Push & Sign Image
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
runs-on: ubuntu-latest
strategy:
matrix:
php:
- '7.4'
steps:
- name: Checkout the repository to this runner
uses: actions/checkout@v3
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
tools: composer:v2
coverage: none
- name: Build SelfServe Web artifact
uses: dvsa/olcs-selfserve/.github/actions/build-ssweb@feat/awsreset-container
- name: Set BASE_IMAGE & SSWEB_IMAGE_TAG
if: github.event.review.state == 'APPROVED'
run: |
envsubst < dockerfile | tee dockerfile.tmp
mv dockerfile.tmp dockerfile
BASE_IMAGE=$(head -n1 dockerfile)
echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
echo "SSWEB_IMAGE_TAG=pr-approved-ssweb-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Configure AWS credentials on Shared Core ECR
if: github.event.review.state == 'APPROVED'
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ env.AWS_REGION }}
- name: Login to Shared Core ECR
if: github.event.review.state == 'APPROVED'
id: login-ecr-sharedcoreecr
uses: aws-actions/[email protected]
- name: Verify base image
if: github.event.review.state == 'APPROVED'
uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows
with:
ecr_tagged_image: $BASE_IMAGE
image_sign_inspect: 'true'
- name: Build SelfServe Web image
if: github.event.review.state == 'APPROVED'
run: |
docker build -t ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} \
--build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} .
- name: Snyk scan SelfServe Web image
if: github.event.review.state == 'APPROVED'
id: scan-api-image
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG}
args: --file=dockerfile --severity-threshold=high
continue-on-error: true
- name: Configure AWS credentials on Non Production VOL ECR
if: github.event.review.state == 'APPROVED'
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ env.AWS_REGION }}
- name: Login to Non Production VOL ECR
if: github.event.review.state == 'APPROVED'
id: login-ecr-vol-tooling-non-prod
uses: aws-actions/[email protected]
- name: Push SelfServe Web image
if: github.event.review.state == 'APPROVED'
id: push-image
run: |
echo "image_tag=${SSWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT
docker push ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG}
outputs:
image_tag: ${{ steps.push-image.outputs.image_tag }}
deploy-on-static-cluster:
name: Deploy on Static ECS Cluster
if: github.event.review.state == 'APPROVED'
needs:
- dockerfile-lint-check
- unit-tests
# - security
# - static-analysis
# - tests
- build-test-push-sign-image
runs-on: ubuntu-latest
steps:
- name: Deploy
run: |
echo 'Deploy on Static'
# uses: dvsa/.github/.github/workflows/trigger-github-workflow.yaml@feature/AddMiscAuxilaryWorkflows
# with:
# branch: 'feature/AWSRESET1-514'
# git_repository: 'dvsa/dvsa-container-registry'
# workflow_name: 'CD NON-PROD SelfServe Web'
# input_arguments: 'ssweb_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
# secrets:
# gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}
automation-tests:
name: Run Automation Tests
if: github.event.review.state == 'APPROVED'
runs-on: ubuntu-latest
needs:
- deploy-on-static-cluster
steps:
- name: Run automation tests
run: |
echo 'Run automation tests'