Skip to content
This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

Commit

Permalink
updated workflows
Browse files Browse the repository at this point in the history
  • Loading branch information
@rahul-dvsa
rahul-dvsa committed Nov 17, 2023
1 parent a843aac commit 098ded4
Show file tree
Hide file tree
Showing 8 changed files with 717 additions and 0 deletions.
23 changes: 23 additions & 0 deletions .github/workflows/docker-hadolint.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
name: Lint check Dockerfile

on:
workflow_call:

jobs:
hadolint:

name: Run hadolint on Dockerfile
runs-on: ubuntu-latest

steps:

- name: Checkout the repository to the runner
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}

- name: Lint check on dockerfile
uses: hadolint/[email protected]
with:
dockerfile: dockerfile
ignore: DL3018,DL3048
46 changes: 46 additions & 0 deletions .github/workflows/image-sign-validation.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
name: Validate AWS ECR Image Signature

on:
workflow_call:
secrets:
aws_role_arn:
required: true
ecr_tagged_image:
required: true

jobs:

validate-image-signature:

name: Validate Image Sign
runs-on: ubuntu-latest

steps:

- name: Checkout the repository to the runner
uses: actions/checkout@v3

- name: Configure aws credential
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.aws_role_arn }}
role-session-name: GithubActionsSession
aws-region: ${{ vars.DVSA_AWS_REGION }}

- name: Login to ECR
id: login-to-ecr
uses: aws-actions/[email protected]

- name: Setup Notation CLI
uses: notaryproject/notation-action/setup@v1
with:
version: 1.0.0

- name: Set up Notation AWS Signer plugin
run: |
wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
sudo dpkg -i aws-signer-notation-cli_amd64.deb
- name: Validate signature of VOL API image
run: |
notation inspect ${{ secrets.ecr_tagged_image }}
266 changes: 266 additions & 0 deletions .github/workflows/non-prod-vol-selfserve-build-deploy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,266 @@
name: CI/CD NON PROD VOL selfserve
run-name: CI/CD NON PROD VOL selfserve

on:
pull_request:
branches:
- master

env:
AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }}
VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }}
AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}

# Permission can be added at job level or workflow level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:

build:

name: Build VOL selfserve
runs-on: ubuntu-latest

steps:

- name: Checkout the repository to this runner
uses: actions/checkout@v3

# Create s3 bucket in vol-non-prod tooling & vol-prod tooling to get the composer
- name: Download the compose file
run: |
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php composer-setup.php --install-dir=/usr/local/bin --filename=composer
php -r "unlink('composer-setup.php');"
- name: Install Composer dependencies
run: |
composer install --optimize-autoloader --no-interaction --no-dev
- name: Build VOL selfserve
run: |
date > config/version
git describe --all >> config/version
tar cvzf selfserve.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor
- name: Upload VOL selfserve artifact
uses: actions/[email protected]
with:
name: selfserve
path: ./selfserve.tar.gz

unit-tests:

name: Run Unit Tests
runs-on: ubuntu-latest

steps:

- name: Checkout the repository to this runner
uses: actions/checkout@v3

- name: Run unit tests
# if: github.event_name == 'pull_request'
run: |
echo 'Run unit tests'
ls -la ./
build-test-push-sign-image:

name: Build, Push & Sign Image
runs-on: ubuntu-latest
needs:
- build
- unit-tests

steps:

- name: Checkout the repository to this runner
uses: actions/checkout@v3

- name: Download VOL selfserve artifact
uses: actions/[email protected]
with:
name: selfserve
path: ./

- name: Set BASE_IMAGE & VOL_selfserve_IMAGE_TAG
run: |
envsubst < dockerfile | tee dockerfile.tmp
mv dockerfile.tmp dockerfile
BASE_IMAGE=$(head -n1 dockerfile)
echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
echo "VOL_selfserve_IMAGE_TAG=approved-vol-selfserve-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Setup Notation CLI
uses: notaryproject/notation-action/setup@v1
with:
version: 1.0.0

- name: Set up Notation AWS Signer plugin
run: |
wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
sudo dpkg -i aws-signer-notation-cli_amd64.deb
notation version
notation plugin ls
- name: Configure AWS credentials on Shared Core ECR
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.DVSA_AWS_REGION }}

- name: Login to Shared Core ECR
id: login-ecr-sharedcoreecr
uses: aws-actions/[email protected]

- name: Build VOL selfserve image after verifying Base image
run: |
notation inspect $BASE_IMAGE
docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
--build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} .
- name: Snyk scan VOL selfserve image
id: scan-selfserve-image
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
args: --file=dockerfile --severity-threshold=high
continue-on-error: true

- name: Configure AWS credentials on Non Production VOL ECR
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.DVSA_AWS_REGION}}

- name: Login to Non Production VOL ECR
id: login-ecr-vol-tooling-non-prod
uses: aws-actions/[email protected]

- name: Push VOL selfserve image
# if: github.ref == 'refs/heads/main'
id: push-image
run: |
echo "image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT
docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
- name: Sign VOL selfserve image
# if: github.ref == 'refs/heads/main'
run: |
notation sign ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
--plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}"
outputs:
image_tag: ${{ steps.push-image.outputs.image_tag }}

deploy-on-non-prod-cluster:

name: Deploy on Non Prod Cluster
# if: github.ref == 'refs/heads/main'

needs:
- build-test-push-sign-image

uses: ./.github/workflows/trigger-github-workflow.yaml
with:
branch: 'feature/AWSRESET1-514'
git_repository: 'dvsa/dvsa-container-registry'
workflow_name: 'CD NON-PROD VOL selfserve'
input_arguments: 'vol_selfserve_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
secrets:
gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}

automation-tests:

name: Run Automation Tests
# if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest

needs:
- deploy-on-non-prod-cluster

steps:

- name: Run automation tests
run: |
echo 'Run automation tests'
build-nonprod-approved-image:

name: Build Non PROD Approved Image
# if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest

needs:
- automation-tests

steps:

- name: VOL_selfserve_IMAGE_TAG
run: |
echo "VOL_selfserve_IMAGE_TAG=nonprod-${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV
- name: Setup Notation CLI
uses: notaryproject/notation-action/setup@v1
with:
version: 1.0.0

- name: Set up Notation AWS Signer plugin
run: |
wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
sudo dpkg -i aws-signer-notation-cli_amd64.deb
notation version
notation plugin ls
- name: Configure AWS credentials on Non Production VOL ECR
uses: aws-actions/[email protected]
with:
role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.DVSA_AWS_REGION}}

- name: Login to Non Production VOL ECR
id: login-ecr-vol-tooling-non-prod
uses: aws-actions/[email protected]

- name: Push VOL selfserve image
# if: github.ref == 'refs/heads/main'
id: push-approved-image
run: |
echo "approved_image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT
docker tag ${VOL_NONPROD_TOOLING_REPO_URL}:${{ needs.build-test-push-sign-image.outputs.image_tag }} \
${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
- name: Sign VOL selfserve image
# if: github.ref == 'refs/heads/main'
run: |
notation sign ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
--plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}"
outputs:
image_tag: ${{ steps.push-approved-image.outputs.approved_image_tag }}

qa-approval:

name: QA VOL selfserve Image Approval
# if: github.ref == 'refs/heads/main'

needs:
- build-nonprod-approved-image

uses: ./.github/workflows/trigger-github-workflow.yaml
with:
branch: 'feature/AWSRESET1-514'
git_repository: 'dvsa/olcs-selfserve'
workflow_name: 'QA VOL selfserve ARTIFACT APPROVAL'
input_arguments: '${{ needs.build-nonprod-approved-image.outputs.approved_image_tag }}'
secrets:
gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}
Loading

0 comments on commit 098ded4

Please sign in to comment.