From 098ded4c417da3475facab6f7959900cf01e85b9 Mon Sep 17 00:00:00 2001
From: Rahul Sharma
Date: Fri, 17 Nov 2023 17:10:47 +0000
Subject: [PATCH] updated workflows
---
.github/workflows/docker-hadolint.yaml | 23 ++
.github/workflows/image-sign-validation.yaml | 46 +++
.../non-prod-vol-selfserve-build-deploy.yaml | 266 ++++++++++++++++++
.../workflows/qa-vol-selfserve-approval.yaml | 124 ++++++++
.../static-vol-selfserve-build-deploy.yaml | 196 +++++++++++++
.../workflows/trigger-github-workflow.yaml | 62 ++++
.../workflows/vol-api-build-pr-main-ci.yml | 0
.../vol-selfserve-build-merge-main-cd.yml | 0
8 files changed, 717 insertions(+)
create mode 100644 .github/workflows/docker-hadolint.yaml
create mode 100644 .github/workflows/image-sign-validation.yaml
create mode 100644 .github/workflows/non-prod-vol-selfserve-build-deploy.yaml
create mode 100644 .github/workflows/qa-vol-selfserve-approval.yaml
create mode 100644 .github/workflows/static-vol-selfserve-build-deploy.yaml
create mode 100644 .github/workflows/trigger-github-workflow.yaml
create mode 100644 .github/workflows/vol-api-build-pr-main-ci.yml
create mode 100644 .github/workflows/vol-selfserve-build-merge-main-cd.yml
diff --git a/.github/workflows/docker-hadolint.yaml b/.github/workflows/docker-hadolint.yaml
new file mode 100644
index 000000000..33109e03b
--- /dev/null
+++ b/.github/workflows/docker-hadolint.yaml
@@ -0,0 +1,23 @@
+name: Lint check Dockerfile
+
+on:
+ workflow_call:
+
+jobs:
+ hadolint:
+
+ name: Run hadolint on Dockerfile
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout the repository to the runner
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ - name: Lint check on dockerfile
+ uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: dockerfile
+ ignore: DL3018,DL3048
\ No newline at end of file
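Review bot: The checkout on the `ref: ${{ github.event.pull_request.head.ref }}` line pins a mutable branch name rather than the commit under review; for a PR from a fork that branch does not exist in the base repository, and for a same-repo PR the branch can move between the review event and the lint run. Use `ref: ${{ github.event.pull_request.head.sha }}` so hadolint runs against the exact commit. Because this is a `workflow_call` workflow, `github.event` here is the caller's event (the caller in this commit triggers on `pull_request_review`); if it is ever called from a non-PR event the ref expands to an empty string. `ignore: DL3018,DL3048` silences the unpinned-`apk add` rule, which is the check that keeps the image contents reproducible; I cannot tell from the diff why it is suppressed, so a comment such as `# DL3018 (pin apk versions) ignored because: <reason>` would help the next reader.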
diff --git a/.github/workflows/image-sign-validation.yaml b/.github/workflows/image-sign-validation.yaml
new file mode 100644
index 000000000..c09a75c0c
--- /dev/null
+++ b/.github/workflows/image-sign-validation.yaml
@@ -0,0 +1,46 @@
+name: Validate AWS ECR Image Signature
+
+on:
+ workflow_call:
+ secrets:
+ aws_role_arn:
+ required: true
+ ecr_tagged_image:
+ required: true
+
+jobs:
+
+ validate-image-signature:
+
+ name: Validate Image Sign
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout the repository to the runner
+ uses: actions/checkout@v3
+
+ - name: Configure aws credential
+ uses: aws-actions/configure-aws-credentials@v4.0.1
+ with:
+ role-to-assume: ${{ secrets.aws_role_arn }}
+ role-session-name: GithubActionsSession
+ aws-region: ${{ vars.DVSA_AWS_REGION }}
+
+ - name: Login to ECR
+ id: login-to-ecr
+ uses: aws-actions/amazon-ecr-login@v2.0.1
+
+ - name: Setup Notation CLI
+ uses: notaryproject/notation-action/setup@v1
+ with:
+ version: 1.0.0
+
+ - name: Set up Notation AWS Signer plugin
+ run: |
+ wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
+ sudo dpkg -i aws-signer-notation-cli_amd64.deb
+
+ - name: Validate signature of VOL API image
+ run: |
+ notation inspect ${{ secrets.ecr_tagged_image }}
\ No newline at end of file
diff --git a/.github/workflows/non-prod-vol-selfserve-build-deploy.yaml b/.github/workflows/non-prod-vol-selfserve-build-deploy.yaml
new file mode 100644
index 000000000..1a5e4c788
--- /dev/null
+++ b/.github/workflows/non-prod-vol-selfserve-build-deploy.yaml
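Review bot: The `notation inspect ${{ secrets.ecr_tagged_image }}` line in the final step does not validate anything: `inspect` only prints the signatures attached to the manifest, so the job succeeds regardless of who signed the image or whether that signer is trusted. Verification needs `notation verify`, which evaluates the signature against a trust policy and trust store that this job never configures, so a step importing the policy for the AWS Signer profile (`notation policy import <policy.json>`) has to precede it. The image reference is also interpolated straight into the shell script; passing it through `env:` and calling `notation verify "$IMAGE_REF"` stops a crafted tag from being parsed as shell, which matters because the caller in this commit derives it from a `workflow_dispatch` input. The signer plugin is fetched from a `latest` URL with no checksum or signature check, so the component that is supposed to establish trust is itself an unpinned download.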
@@ -0,0 +1,266 @@
+name: CI/CD NON PROD VOL selfserve
+run-name: CI/CD NON PROD VOL selfserve
+
+on:
+ pull_request:
+ branches:
+ - master
+
+env:
+ AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
+ AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }}
+ VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }}
+ AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}
+
+# Permission can be added at job level or workflow level
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
+jobs:
+
+ build:
+
+ name: Build VOL selfserve
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout the repository to this runner
+ uses: actions/checkout@v3
+
+ # Create s3 bucket in vol-non-prod tooling & vol-prod tooling to get the composer
+ - name: Download the compose file
+ run: |
+ php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ php composer-setup.php --install-dir=/usr/local/bin --filename=composer
+ php -r "unlink('composer-setup.php');"
+
+ - name: Install Composer dependencies
+ run: |
+ composer install --optimize-autoloader --no-interaction --no-dev
+
+ - name: Build VOL selfserve
+ run: |
+ date > config/version
+ git describe --all >> config/version
+ tar cvzf selfserve.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor
+
+ - name: Upload VOL selfserve artifact
+ uses: actions/upload-artifact@v3.1.3
+ with:
+ name: selfserve
+ path: ./selfserve.tar.gz
+
+ unit-tests:
+
+ name: Run Unit Tests
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout the repository to this runner
+ uses: actions/checkout@v3
+
+ - name: Run unit tests
+ # if: github.event_name == 'pull_request'
+ run: |
+ echo 'Run unit tests'
+ ls -la ./
+
+ build-test-push-sign-image:
+
+ name: Build, Push & Sign Image
+ runs-on: ubuntu-latest
+ needs:
+ - build
+ - unit-tests
+
+ steps:
+
+ - name: Checkout the repository to this runner
+ uses: actions/checkout@v3
+
+ - name: Download VOL selfserve artifact
+ uses: actions/download-artifact@v3.0.2
+ with:
+ name: selfserve
+ path: ./
+
+ - name: Set BASE_IMAGE & VOL_selfserve_IMAGE_TAG
+ run: |
+ envsubst < dockerfile | tee dockerfile.tmp
+ mv dockerfile.tmp dockerfile
+ BASE_IMAGE=$(head -n1 dockerfile)
+ echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
+ echo "VOL_selfserve_IMAGE_TAG=approved-vol-selfserve-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+ - name: Setup Notation CLI
+ uses: notaryproject/notation-action/setup@v1
+ with:
+ version: 1.0.0
+
+ - name: Set up Notation AWS Signer plugin
+ run: |
+ wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
+ sudo dpkg -i aws-signer-notation-cli_amd64.deb
+ notation version
+ notation plugin ls
+
+ - name: Configure AWS credentials on Shared Core ECR
+ uses: aws-actions/configure-aws-credentials@v4.0.1
+ with:
+ role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{ vars.DVSA_AWS_REGION }}
+
+ - name: Login to Shared Core ECR
+ id: login-ecr-sharedcoreecr
+ uses: aws-actions/amazon-ecr-login@v2.0.1
+
+ - name: Build VOL selfserve image after verifying Base image
+ run: |
+ notation inspect $BASE_IMAGE
+ docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
+ --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} .
+
+ - name: Snyk scan VOL selfserve image
+ id: scan-selfserve-image
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
+ args: --file=dockerfile --severity-threshold=high
+ continue-on-error: true
+
+ - name: Configure AWS credentials on Non Production VOL ECR
+ uses: aws-actions/configure-aws-credentials@v4.0.1
+ with:
+ role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{ vars.DVSA_AWS_REGION}}
+
+ - name: Login to Non Production VOL ECR
+ id: login-ecr-vol-tooling-non-prod
+ uses: aws-actions/amazon-ecr-login@v2.0.1
+
+ - name: Push VOL selfserve image
+ # if: github.ref == 'refs/heads/main'
+ id: push-image
+ run: |
+ echo "image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT
+ docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
+
+ - name: Sign VOL selfserve image
+ # if: github.ref == 'refs/heads/main'
+ run: |
+ notation sign ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
+ --plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}"
+
+ outputs:
+ image_tag: ${{ steps.push-image.outputs.image_tag }}
+
+ deploy-on-non-prod-cluster:
+
+ name: Deploy on Non Prod Cluster
+ # if: github.ref == 'refs/heads/main'
+
+ needs:
+ - build-test-push-sign-image
+
+ uses: ./.github/workflows/trigger-github-workflow.yaml
+ with:
+ branch: 'feature/AWSRESET1-514'
+ git_repository: 'dvsa/dvsa-container-registry'
+ workflow_name: 'CD NON-PROD VOL selfserve'
+ input_arguments: 'vol_selfserve_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
+ secrets:
+ gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}
+
+ automation-tests:
+
+ name: Run Automation Tests
+ # if: github.ref == 'refs/heads/main'
+ runs-on: ubuntu-latest
+
+ needs:
+ - deploy-on-non-prod-cluster
+
+ steps:
+
+ - name: Run automation tests
+ run: |
+ echo 'Run automation tests'
+
+ build-nonprod-approved-image:
+
+ name: Build Non PROD Approved Image
+ # if: github.ref == 'refs/heads/main'
+ runs-on: ubuntu-latest
+
+ needs:
+ - automation-tests
+
+ steps:
+
+ - name: VOL_selfserve_IMAGE_TAG
+ run: |
+ echo "VOL_selfserve_IMAGE_TAG=nonprod-${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV
+
+ - name: Setup Notation CLI
+ uses: notaryproject/notation-action/setup@v1
+ with:
+ version: 1.0.0
+
+ - name: Set up Notation AWS Signer plugin
+ run: |
+ wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
+ sudo dpkg -i aws-signer-notation-cli_amd64.deb
+ notation version
+ notation plugin ls
+
+ - name: Configure AWS credentials on Non Production VOL ECR
+ uses: aws-actions/configure-aws-credentials@v4.0.1
+ with:
+ role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{ vars.DVSA_AWS_REGION}}
+
+ - name: Login to Non Production VOL ECR
+ id: login-ecr-vol-tooling-non-prod
+ uses: aws-actions/amazon-ecr-login@v2.0.1
+
+ - name: Push VOL selfserve image
+ # if: github.ref == 'refs/heads/main'
+ id: push-approved-image
+ run: |
+ echo "approved_image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT
+ docker tag ${VOL_NONPROD_TOOLING_REPO_URL}:${{ needs.build-test-push-sign-image.outputs.image_tag }} \
+ ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
+
+ - name: Sign VOL selfserve image
+ # if: github.ref == 'refs/heads/main'
+ run: |
+ notation sign ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
+ --plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}"
+
+ outputs:
+ image_tag: ${{ steps.push-approved-image.outputs.approved_image_tag }}
+
+ qa-approval:
+
+ name: QA VOL selfserve Image Approval
+ # if: github.ref == 'refs/heads/main'
+
+ needs:
+ - build-nonprod-approved-image
+
+ uses: ./.github/workflows/trigger-github-workflow.yaml
+ with:
+ branch: 'feature/AWSRESET1-514'
+ git_repository: 'dvsa/olcs-selfserve'
+ workflow_name: 'QA VOL selfserve ARTIFACT APPROVAL'
+ input_arguments: '${{ needs.build-nonprod-approved-image.outputs.approved_image_tag }}'
+ secrets:
+ gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}
diff --git a/.github/workflows/qa-vol-selfserve-approval.yaml b/.github/workflows/qa-vol-selfserve-approval.yaml
new file mode 100644
index 000000000..5dd913004
--- /dev/null
+++ b/.github/workflows/qa-vol-selfserve-approval.yaml
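Review bot: The `Push VOL selfserve image` step in `build-nonprod-approved-image` runs `docker tag` on a fresh runner that never pulled the source image, and the following `notation sign` step targets a `nonprod-…` tag that was never pushed, so the job cannot succeed as written: it needs a pull, tag and push before signing, as below. Two related defects in the same chain: that job reads `needs.build-test-push-sign-image.outputs.image_tag` while its `needs` lists only `automation-tests` (the `needs` context only carries outputs of direct dependencies, so I would expect the value to be empty), and `qa-approval` reads `outputs.approved_image_tag` although the job declares its output as `image_tag`, and also omits the `vol_selfserve_image_tag=` key that the trigger workflow's `-f` argument expects (compare `deploy-on-non-prod-cluster`). From a supply-chain view, every `pull_request` run of this workflow signs an `approved-…` and then a `nonprod-…` tag after test jobs that only `echo`, so the signature currently attests to nothing beyond "built by CI" and the `# if: github.ref == 'refs/heads/main'` guards that would have limited it are commented out. The `--build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets…}}` value is recorded in the image's build history, so it should not be treated as secret once the image is pushed.
```yaml
    needs:
      - automation-tests
      - build-test-push-sign-image  # makes its outputs available in the needs context
    # … unchanged: steps up to Login to Non Production VOL ECR …
      - name: Push VOL selfserve image
        id: push-approved-image
        env:
          SOURCE_IMAGE_TAG: ${{ needs.build-test-push-sign-image.outputs.image_tag }}
        run: |
          set -euo pipefail
          echo "approved_image_tag=${VOL_selfserve_IMAGE_TAG}" >> "$GITHUB_OUTPUT"
          docker pull "${VOL_NONPROD_TOOLING_REPO_URL}:${SOURCE_IMAGE_TAG}"
          docker tag "${VOL_NONPROD_TOOLING_REPO_URL}:${SOURCE_IMAGE_TAG}" \
            "${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}"
          docker push "${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}"
    # … unchanged: Sign VOL selfserve image step and job outputs …
```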
@@ -0,0 +1,124 @@
+name: QA VOL selfserve ARTIFACT APPROVAL
+run-name: QA VOL selfserve ARTIFACT APPROVAL
+
+on:
+ workflow_dispatch:
+ inputs:
+ vol_selfserve_image_tag:
+ description: 'Tag of VOL selfserve Image'
+ required: true
+
+env:
+ AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
+ AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }}
+ VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }}
+ VOL_PROD_TOOLING_REPO_URL: ${{ secrets.VOL_PROD_TOOLING_ECR_REPO_URL }}
+
+# Permission can be added at job level or workflow level
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
+jobs:
+
+ validate-nonprod-vol-selfserve-image:
+ name: Validate VOL selfserve Image
+ uses: ./.github/workflows/image-sign-validation.yaml
+ secrets:
+ aws_role_arn: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
+ ecr_tagged_image: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }}:${{ github.event.inputs.vol_selfserve_image_tag }}
+
+ deploy-on-qa-cluster:
+
+ name: Deploy on QA Cluster
+ runs-on: ubuntu-latest
+ needs:
+ - validate-nonprod-vol-selfserve-image
+
+ steps:
+
+ - name: Trigger workflow 'nonprod-vol-selfserve-manual-cd'
+ if: github.event_name == 'pull_request'
+ run: |
+ echo "Here: ${{ github.event.inputs.vol_selfserve_image_tag }}"
+ # uses: actions/github-script@v6.4.1
+ # with:
+ # github-token: ${{ secrets.GITHUB_TOKEN }}
+ # script: |
+ # await github.rest.actions.createWorkflowDispatch({
+ # owner: 'dvsa',
+ # repo: 'dvsa-container-registry',
+ # workflow_id: 'workflows/nonprod-vol-selfserve-manual-cd.yaml',
+ # ref: 'feature/AWSRESET1-514',
+ # inputs: {
+ # vol_selfserve_image_tag: 'vol-selfserve-7.4.33-alpine-fpm-ddea10a',
+ # },
+ # });
+ # # script: |
+ # # await github.rest.actions.createWorkflowDispatch({
+ # # owner: 'dvsa'
+ # # repo: 'dvsa-container-registry',
+ # # workflow_id: 'nonprod-vol-selfserve-manual-cd.yaml',
+ # # ref: 'feature/AWSRESET1-514'
+ # # inputs: {
+ # # vol_selfserve_image_tag: ${{ needs.build-test-push-sign-image.outputs.image_tag }}
+ # # }
+ # # })
+
+ qa-automation-tests:
+
+ name: Run QA Automation Tests
+ runs-on: ubuntu-latest
+ needs:
+ - deploy-on-qa-cluster
+
+ steps:
+
+ - name: Run automation tests
+ # if: github.ref == 'refs/heads/main'
+ run: |
+ echo 'Run automation tests'
+
+ approve-image:
+
+ name: PROD Approval For VOL Image
+ runs-on: ubuntu-latest
+ needs:
+ - qa-automation-tests
+
+ steps:
+
+ - name: Set VOL_selfserve_IMAGE_TAG
+ # if: github.ref == 'refs/heads/main'
+ run: |
+ echo "VOL_selfserve_IMAGE_TAG=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_ENV
+
+ - name: Setup Notation CLI
+ uses: notaryproject/notation-action/setup@v1
+ with:
+ version: 1.0.0
+
+ - name: Configure AWS credentials on VOL Non Production Tooling ECR
+ uses: aws-actions/configure-aws-credentials@v4.0.1
+ with:
+ role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{ vars.DVSA_AWS_REGION}}
+
+ - name: Login to ECR
+ id: login-ecr-vol-tooling-non-prod
+ uses: aws-actions/amazon-ecr-login@v2.0.1
+
+ - name: Tag & Push VOL selfserve image as PROD Approved
+ # if: github.ref == 'refs/heads/main'
+ id: push-image
+ run: |
+ docker pull ${VOL_NONPROD_TOOLING_REPO_URL}:${{ github.event.inputs.vol_selfserve_image_tag }}
+ docker tag ${VOL_NONPROD_TOOLING_REPO_URL}:${{ github.event.inputs.vol_selfserve_image_tag }} ${VOL_PROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
+ # docker push ${VOL_PROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
+
+ # - name: Sign VOL selfserve image
+ # # if: github.ref == 'refs/heads/main'
+ # run: |
+ # notation sign ${VOL_PROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
+ # --plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}"
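Review bot: The `Set VOL_selfserve_IMAGE_TAG` step writes `VOL_selfserve_IMAGE_TAG=${VOL_selfserve_IMAGE_TAG}` to `$GITHUB_ENV`, but nothing in this workflow sets that variable first, so the `docker tag` line in `Tag & Push VOL selfserve image as PROD Approved` ends up with `${VOL_PROD_TOOLING_REPO_URL}:` and an empty tag. That same step splices the `workflow_dispatch` input into the script via `${{ github.event.inputs.vol_selfserve_image_tag }}`; whoever can dispatch the workflow controls that string and it is expanded before bash parses the script, so it should reach the shell only through `env:`, be quoted, and be checked against the character set a registry tag allows, as below. The `if: github.event_name == 'pull_request'` guard on the `deploy-on-qa-cluster` step can never be true for a workflow whose only trigger is `workflow_dispatch`, so the deploy and QA-test jobs are no-ops and the "PROD Approved" retag happens with no gate behind it. The upstream `validate-nonprod-vol-selfserve-image` job only runs `notation inspect` (see the image-sign-validation workflow in this commit), so there is no trust-policy check before the prod retag either; the `prod-approved-` prefix in the excerpt is a placeholder for whatever naming the prod repository expects.
```yaml
      - name: Tag & Push VOL selfserve image as PROD Approved
        id: push-image
        env:
          SOURCE_TAG: ${{ inputs.vol_selfserve_image_tag }}
          VOL_selfserve_IMAGE_TAG: prod-approved-${{ inputs.vol_selfserve_image_tag }}
        run: |
          set -euo pipefail
          # only accept characters a registry tag may contain; anything else is not a tag
          [[ "$SOURCE_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]] || { echo "invalid image tag" >&2; exit 1; }
          docker pull "${VOL_NONPROD_TOOLING_REPO_URL}:${SOURCE_TAG}"
          docker tag "${VOL_NONPROD_TOOLING_REPO_URL}:${SOURCE_TAG}" "${VOL_PROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}"
          # docker push "${VOL_PROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}"
```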
diff --git a/.github/workflows/static-vol-selfserve-build-deploy.yaml b/.github/workflows/static-vol-selfserve-build-deploy.yaml
new file mode 100644
index 000000000..77a9b9750
--- /dev/null
+++ b/.github/workflows/static-vol-selfserve-build-deploy.yaml
@@ -0,0 +1,196 @@
+name: CI/CD STATIC VOL selfserve
+run-name: CI/CD STATIC VOL selfserve
+
+on:
+ pull_request_review:
+ branches:
+ - master
+
+env:
+ AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
+ AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }}
+ VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }}
+ AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}
+
+# Permission can be added at job level or workflow level
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
+jobs:
+
+ dockerfile-lint-check:
+ name: Dockerfile Lint Check
+ if: github.event_name == 'pull_request_review' || github.event.review.state != 'APPROVED'
+ uses: ./.github/workflows/docker-hadolint.yaml
+
+ build:
+
+ name: Build VOL selfserve
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout the repository to this runner
+ uses: actions/checkout@v3
+
+ # Create s3 bucket in vol-non-prod tooling & vol-prod tooling to get the composer
+ - name: Download the compose file
+ run: |
+ php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ php composer-setup.php --install-dir=/usr/local/bin --filename=composer
+ php -r "unlink('composer-setup.php');"
+
+ - name: Install Composer dependencies
+ run: |
+ composer install --optimize-autoloader --no-interaction --no-dev
+
+ - name: Build VOL selfserve
+ run: |
+ date > config/version
+ git describe --all >> config/version
+ tar cvzf selfserve.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor
+ ls -la
+ echo $PWD
+
+ - name: Upload VOL selfserve artifact
+ uses: actions/upload-artifact@v3.1.3
+ with:
+ name: selfserve
+ path: ./selfserve.tar.gz
+
+ unit-tests:
+
+ name: Run Unit Tests
+ if: github.event_name == 'pull_request_review' || github.event.review.state != 'APPROVED'
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout the repository to this runner
+ uses: actions/checkout@v3
+
+ - name: Run unit tests
+ run: |
+ echo 'Run unit tests'
+ ls -la ./
+
+ build-test-push-sign-image:
+
+ name: Build, Push & Sign Image
+ runs-on: ubuntu-latest
+
+ needs:
+ - build
+
+ steps:
+
+ - name: Checkout the repository to this runner
+ uses: actions/checkout@v3
+
+ - name: Download VOL selfserve artifact
+ uses: actions/download-artifact@v3.0.2
+ with:
+ name: selfserve
+ path: ./
+
+ - name: Set BASE_IMAGE & VOL_selfserve_IMAGE_TAG
+ run: |
+ envsubst < dockerfile | tee dockerfile.tmp
+ mv dockerfile.tmp dockerfile
+ BASE_IMAGE=$(head -n1 dockerfile)
+ echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
+ echo "VOL_selfserve_IMAGE_TAG=pr-approved-vol-selfserve-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+ - name: Setup Notation CLI
+ uses: notaryproject/notation-action/setup@v1
+ with:
+ version: 1.0.0
+
+ - name: Set up Notation AWS Signer plugin
+ run: |
+ wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
+ sudo dpkg -i aws-signer-notation-cli_amd64.deb
+ notation version
+ notation plugin ls
+
+ - name: Configure AWS credentials on Shared Core ECR
+ uses: aws-actions/configure-aws-credentials@v4.0.1
+ with:
+ role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{ vars.DVSA_AWS_REGION }}
+
+ - name: Login to Shared Core ECR
+ id: login-ecr-sharedcoreecr
+ uses: aws-actions/amazon-ecr-login@v2.0.1
+
+ - name: Build VOL selfserve image after verifying Base image
+ run: |
+ notation inspect $BASE_IMAGE
+ docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
+ --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} .
+
+ - name: Snyk scan VOL selfserve image
+ id: scan-selfserve-image
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
+ args: --file=dockerfile --severity-threshold=high
+ continue-on-error: true
+
+ - name: Configure AWS credentials on Non Production VOL ECR
+ if: github.event.review.state == 'APPROVED'
+ uses: aws-actions/configure-aws-credentials@v4.0.1
+ with:
+ role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{ vars.DVSA_AWS_REGION}}
+
+ - name: Login to Non Production VOL ECR
+ if: github.event.review.state == 'APPROVED'
+ id: login-ecr-vol-tooling-non-prod
+ uses: aws-actions/amazon-ecr-login@v2.0.1
+
+ - name: Push VOL selfserve image
+ if: github.event.review.state == 'APPROVED'
+ id: push-image
+ run: |
+ echo "image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT
+ docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
+
+ outputs:
+ image_tag: ${{ steps.push-image.outputs.image_tag }}
+
+ deploy-on-static-cluster:
+
+ name: Deploy on Static ECS Cluster
+ if: github.event.review.state == 'APPROVED'
+ needs:
+ - build-test-push-sign-image
+
+ uses: ./.github/workflows/trigger-github-workflow.yaml
+ with:
+ branch: 'feature/AWSRESET1-514'
+ git_repository: 'dvsa/dvsa-container-registry'
+ workflow_name: 'CD NON-PROD VOL selfserve'
+ input_arguments: 'vol_selfserve_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
+ secrets:
+ gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}
+
+ automation-tests:
+
+ name: Run Automation Tests
+ if: github.event.review.state == 'APPROVED'
+ runs-on: ubuntu-latest
+
+ needs:
+ - deploy-on-static-cluster
+
+ steps:
+
+ - name: Run automation tests
+ run: |
+ echo 'Run automation tests'
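Review bot: The push steps, `deploy-on-static-cluster` and `automation-tests` are gated only on `if: github.event.review.state == 'APPROVED'`, and on a public repository any account that can comment on the PR can submit an approving review, so an approval from a non-maintainer is enough to have the PR head built, pushed to the non-prod ECR under a `pr-approved-…` tag and deployed with this repository's secrets. The gate should also check who approved, e.g. `if: github.event.review.state == 'APPROVED' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)`, applied to the job and to the three `APPROVED`-conditioned steps in `build-test-push-sign-image`. The `if: github.event_name == 'pull_request_review' || …` expressions on `dockerfile-lint-check` and `unit-tests` are always true for this workflow's only trigger, `build-test-push-sign-image` has `needs: - build` alone, and the Snyk step is `continue-on-error: true`, so neither lint, unit tests nor high-severity scan findings block the push. The job is titled "Build, Push & Sign Image" but, unlike the non-prod workflow in this commit, has no `notation sign` step, so the pushed `pr-approved-…` tag is unsigned; either add the sign step or rename the job so the gap is visible.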
diff --git a/.github/workflows/trigger-github-workflow.yaml b/.github/workflows/trigger-github-workflow.yaml
new file mode 100644
index 000000000..2ba8b90ed
--- /dev/null
+++ b/.github/workflows/trigger-github-workflow.yaml
@@ -0,0 +1,62 @@
+name: Trigger GH Actions Workflow
+
+on:
+ workflow_call:
+ inputs:
+ branch:
+ description: 'Name of the branch which contains the given Workflow'
+ default: 'main'
+ required: true
+ type: string
+ git_repository:
+ description: 'Name of the Owner/Repo which contains the given Workflow'
+ default: ''
+ required: true
+ type: string
+ workflow_name:
+ description: 'Name of the given Workflow'
+ default: ''
+ required: true
+ type: string
+ input_arguments:
+ description: 'Input Arguments to the given Workflow'
+ default: ''
+ required: true
+ type: string
+ secrets:
+ gh_token:
+ required: true
+
+jobs:
+
+ trigger-workflow:
+
+ name: Trigger Workflow
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout the repository to the runner
+ uses: actions/checkout@v3
+
+ - name: Trigger Workflow
+ run: |
+ gh workflow run '${{ inputs.workflow_name }}' \
+ -R ${{ inputs.git_repository }} \
+ --ref ${{ inputs.branch }} \
+ -f ${{ inputs.input_arguments }}
+ sleep 60 # required to assign the run-id to worflow
+ env:
+ GITHUB_TOKEN: ${{ secrets.gh_token }}
+
+ - name: Monitor Workflow Execution Progress
+ run: |
+ runID=`curl -L -H \
+ "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${{ secrets.gh_token }}" \
+ -H "X-GitHub-selfserve-Version: 2022-11-28" \
+ https://selfserve.github.com/repos/${{ inputs.git_repository }}/actions/runs |\
+ jq -r '.workflow_runs[0]|select(.name == "${{ inputs.workflow_name }}" and .status == "in_progress").id'`
+ gh run watch $runID --interval 10 --exit-status 1 -R ${{ inputs.git_repository }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.gh_token }}
\ No newline at end of file
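Review bot: The `Monitor Workflow Execution Progress` step calls `https://selfserve.github.com/repos/…/actions/runs` with an `X-GitHub-selfserve-Version` header, which looks like an `api` → `selfserve` search-and-replace; the step cannot work until those lines read `https://api.github.com/repos/${{ inputs.git_repository }}/actions/runs` and `-H "X-GitHub-Api-Version: 2022-11-28"`. Even then, selecting `.workflow_runs[0]` by name and `in_progress` after a fixed `sleep 60` can pick up a different run of the same workflow, or none at all (leaving `$runID` empty so `gh run watch` watches nothing in particular); listing runs created after the dispatch timestamp via `gh run list -R "$REPO" --workflow "$WORKFLOW" --json databaseId,createdAt` is more reliable. The token is pasted into the curl command line through `${{ secrets.gh_token }}` even though the same step already exports it as `GITHUB_TOKEN`; reading `$GITHUB_TOKEN` keeps it out of the rendered script, and the same `env:` treatment belongs on `inputs.workflow_name`, `git_repository`, `branch` and `input_arguments`, which are expanded unquoted into both `run:` blocks and so are parsed as shell. `--exit-status` is a boolean flag on `gh run watch`, so the trailing `1` is most likely taken as a second positional argument and rejected; `gh run watch "$runID" --interval 10 --exit-status -R "$REPO"` is the intended form.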
diff --git a/.github/workflows/vol-api-build-pr-main-ci.yml b/.github/workflows/vol-api-build-pr-main-ci.yml
new file mode 100644
index 000000000..e69de29bb
diff --git a/.github/workflows/vol-selfserve-build-merge-main-cd.yml b/.github/workflows/vol-selfserve-build-merge-main-cd.yml
new file mode 100644
index 000000000..e69de29bb