Skip to content
This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

CI/CD NON PROD SELFSERVE WEB #86

CI/CD NON PROD SELFSERVE WEB

CI/CD NON PROD SELFSERVE WEB #86

name: CI/CD NON PROD SELFSERVE WEB
run-name: CI/CD NON PROD SELFSERVE WEB
on:
push:
branches:
- master
pull_request:
env:
AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
SSWEB_NONPROD_TOOLING_REPO_URL: ${{ secrets.SSWEB_NONPROD_TOOLING_ECR_REPO_URL }}
AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}
# Permission can be added at job level or workflow level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
# security:
# uses: dvsa/.github/.github/workflows/[email protected]
# secrets:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# static-analysis:
# uses: dvsa/.github/.github/workflows/[email protected]
# # with:
# # php-version: '7.4'
# tests:
# uses: dvsa/.github/.github/workflows/[email protected]
# with:
# php-versions: "[\"7.4\"]"
# # fail-fast: false
unit-tests:
name: Run Unit Tests
runs-on: ubuntu-latest
steps:
- name: Checkout the repository to this runner
uses: actions/checkout@v3
- name: Run unit tests
run: |
echo 'Run unit tests'
ls -la ./
# build-olcs-static:
# uses: ./.github/actions/build-ssweb/build-static-asset.yaml
# strategy:
# matrix:
# node-version: [14]
# npm-version: [6]
# python-version: [2.7]
# checkout-repo: 'dvsa/olcs-static'
build-test-push-sign-image:
name: Build, Push & Sign Image
runs-on: ubuntu-latest
strategy:
matrix:
php:
- '7.4'
steps:
- name: build olcs static container
uses: dvsa/olcs-selfserve/.github/actions/build-static@feat/awsreset-container
with:
checkout-repo: 'dvsa/olcs-static'
npm-version: '6'
python-version: '2.7'
node-version: '14'
- name: Checkout the repository to this runner
uses: actions/checkout@v3
- uses: actions/download-artifact@v3
with:
name: olcs-static-artifact
path: static
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
tools: composer:v2
coverage: none
- name: Build SelfServe Web artifact
uses: dvsa/olcs-selfserve/.github/actions/build-ssweb@feat/awsreset-container
- name: Set BASE_IMAGE & SSWEB_IMAGE_TAG
run: |
envsubst < dockerfile | tee dockerfile.tmp
mv dockerfile.tmp dockerfile
BASE_IMAGE=$(head -n1 dockerfile)
echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
echo "SSWEB_IMAGE_TAG=approved-ssweb-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Configure AWS credentials on Shared Core ECR
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ env.AWS_REGION }}
- name: Login to Shared Core ECR
id: login-ecr-sharedcoreecr
uses: aws-actions/[email protected]
- name: Verify base image
uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows
with:
ecr_tagged_image: $BASE_IMAGE
image_sign_inspect: 'true'
- name: Build SelfServe Web image
run: |
docker build -t ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} \
--build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} .
- name: Snyk scan SelfServe Web image
id: scan-api-image
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG}
args: --file=dockerfile --severity-threshold=critical
continue-on-error: true
- name: Configure AWS credentials on Non Production SSWEB ECR
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ env.AWS_REGION }}
- name: Login to Non Production SSWEB ECR
id: login-ecr-ssweb-tooling-non-prod
uses: aws-actions/[email protected]
- name: Push SelfServe Web image
# if: github.ref == 'refs/heads/master'
id: push-image
run: |
echo "image_tag=${SSWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT
docker push ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG}
- name: Sign SelfServe Web image
# # # if: github.ref == 'refs/heads/master'
uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows
with:
aws_signer_profile_arn: ${{ secrets.DVSA_AWS_SSWEB_NONPROD_TOOLING_IMAGE_SIGNING_PROFILE }}
ecr_tagged_image: ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG}
image_sign_create: 'true'
# - name: Release SelfServe Web
# uses: google-github-actions/release-please-action@v3
# id: release
# with:
# release-type: php
# package-name: ${{ github.event.repository.name }}
outputs:
image_tag: ${{ steps.push-image.outputs.image_tag }}
# deploy-on-non-prod-cluster:
# name: Deploy on Non Prod Cluster
# # # if: github.ref == 'refs/heads/master'
# needs:
# - unit-tests
# # - security
# # - static-analysis
# # - tests
# - build-test-push-sign-image
# runs-on: ubuntu-latest
# steps:
# - name: Deploy
# run: |
# echo 'Deploy on Non Prod'
# # uses: dvsa/.github/.github/workflows/trigger-github-workflow.yaml@feature/AddMiscAuxilaryWorkflows
# # with:
# # branch: 'feature/AWSRESET1-514'
# # git_repository: 'dvsa/dvsa-container-registry'
# # workflow_name: 'CD NON PROD SELFSERVE WEB'
# # input_arguments: 'ssweb_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
# # secrets:
# # gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}
# automation-tests:
# name: Run Automation Tests
# # # if: github.ref == 'refs/heads/master'
# runs-on: ubuntu-latest
# needs:
# - deploy-on-non-prod-cluster
# steps:
# - name: Run automation tests
# run: |
# echo 'Run automation tests'
# build-nonprod-approved-image:
# name: Build Non PROD Approved Image
# # if: github.ref == 'refs/heads/master'
# runs-on: ubuntu-latest
# needs:
# - build-test-push-sign-image
# - deploy-on-non-prod-cluster
# - automation-tests
# steps:
# - name: SSWEB_IMAGE_TAG & NONPROD_SSWEB_IMAGE_TAG
# run: |
# echo "SSWEB_IMAGE_TAG=${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV
# echo "NONPROD_SSWEB_IMAGE_TAG=nonprod-${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV
# - name: Configure AWS credentials on Non Production SSWEB ECR
# uses: aws-actions/[email protected]
# with:
# role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
# role-session-name: GitHub_to_AWS_via_FederatedOIDC
# aws-region: ${{ env.AWS_REGION }}
# - name: Login to Non Production SSWEB ECR
# id: login-ecr-ssweb-tooling-non-prod
# uses: aws-actions/[email protected]
# - name: Push SelfServe Web image
# # if: github.ref == 'refs/heads/master'
# id: push-approved-image
# run: |
# echo "approved_image_tag=${NONPROD_SSWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT
# docker pull ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG}
# docker tag ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} ${SSWEB_NONPROD_TOOLING_REPO_URL}:${NONPROD_SSWEB_IMAGE_TAG}
# docker push ${SSWEB_NONPROD_TOOLING_REPO_URL}:${NONPROD_SSWEB_IMAGE_TAG}
# outputs:
# approved_image_tag: ${{ steps.push-approved-image.outputs.approved_image_tag }}
# qa-approval:
# name: QA SelfServe Web Image Approval
# # if: github.ref == 'refs/heads/master'
# needs:
# - build-nonprod-approved-image
# uses: dvsa/.github/.github/workflows/trigger-github-workflow.yaml@feature/AddMiscAuxilaryWorkflows
# with:
# branch: 'feat/awsreset-container'
# git_repository: 'dvsa/olcs-selfserve'
# workflow_name: 'qa-selfserve-web-approval.yaml'
# input_arguments: 'ssweb_image_tag=${{ needs.build-nonprod-approved-image.outputs.approved_image_tag }}'
# secrets:
# gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}