diff --git a/.github/workflows/image-sign-validation.yaml b/.github/workflows/image-sign-validation.yaml deleted file mode 100644 index c09a75c0c..000000000 --- a/.github/workflows/image-sign-validation.yaml +++ /dev/null @@ -1,46 +0,0 @@ -name: Validate AWS ECR Image Signature - -on: - workflow_call: - secrets: - aws_role_arn: - required: true - ecr_tagged_image: - required: true - -jobs: - - validate-image-signature: - - name: Validate Image Sign - runs-on: ubuntu-latest - - steps: - - - name: Checkout the repository to the runner - uses: actions/checkout@v3 - - - name: Configure aws credential - uses: aws-actions/configure-aws-credentials@v4.0.1 - with: - role-to-assume: ${{ secrets.aws_role_arn }} - role-session-name: GithubActionsSession - aws-region: ${{ vars.DVSA_AWS_REGION }} - - - name: Login to ECR - id: login-to-ecr - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Setup Notation CLI - uses: notaryproject/notation-action/setup@v1 - with: - version: 1.0.0 - - - name: Set up Notation AWS Signer plugin - run: | - wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb - sudo dpkg -i aws-signer-notation-cli_amd64.deb - - - name: Validate signature of VOL API image - run: | - notation inspect ${{ secrets.ecr_tagged_image }} \ No newline at end of file diff --git a/.github/workflows/static-vol-selfserve-build-deploy.yaml b/.github/workflows/static-vol-selfserve-build-deploy.yaml index 77a9b9750..e6f745278 100644 --- a/.github/workflows/static-vol-selfserve-build-deploy.yaml +++ b/.github/workflows/static-vol-selfserve-build-deploy.yaml 
@@ -1,14 +1,15 @@ -name: CI/CD STATIC VOL selfserve -run-name: CI/CD STATIC VOL selfserve +name: CI/CD STATIC VOL SELFSERVE +run-name: CI/CD STATIC VOL SELFSERVE on: pull_request_review: + types: [edited, submitted] + pull_request: branches: - master env: AWS_REGION : ${{ vars.DVSA_AWS_REGION }} - AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }} VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }} AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }} 
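Review bot: After this change the `pull_request_review` trigger (now narrowed to `types: [edited, submitted]`) has no consumer: the two jobs that remain active, `dockerfile-lint-check` and `unit-tests` in the next hunk, are gated on `github.event_name == 'pull_request'`, and the only jobs keyed on `github.event.review.state == 'APPROVED'` are commented out, so every review event starts a run in which all jobs are skipped. If that is deliberate while the sign/push/deploy jobs are disabled, a comment on the trigger such as `# kept for the approval-gated build/deploy jobs (currently disabled)` would make it explicit; otherwise the trigger can be dropped until those jobs return. The same consideration applies to the `types` narrowing itself, which only matters once a job reads `github.event.review` again.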
@@ -21,48 +22,13 @@ jobs: dockerfile-lint-check: name: Dockerfile Lint Check - if: github.event_name == 'pull_request_review' || github.event.review.state != 'APPROVED' + if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' uses: ./.github/workflows/docker-hadolint.yaml - build: - - name: Build VOL selfserve - runs-on: ubuntu-latest - - steps: - - - name: Checkout the repository to this runner - uses: actions/checkout@v3 - - # Create s3 bucket in vol-non-prod tooling & vol-prod tooling to get the composer - - name: Download the compose file - run: | - php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" - php composer-setup.php --install-dir=/usr/local/bin --filename=composer - php -r "unlink('composer-setup.php');" - - - name: Install Composer dependencies - run: | - composer install --optimize-autoloader --no-interaction --no-dev - - - name: Build VOL selfserve - run: | - date > config/version - git describe --all >> config/version - tar cvzf selfserve.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor - ls -la - echo $PWD - - - name: Upload VOL selfserve artifact - uses: actions/upload-artifact@v3.1.3 - with: - name: selfserve - path: ./selfserve.tar.gz - unit-tests: name: Run Unit Tests - if: github.event_name == 'pull_request_review' || github.event.review.state != 'APPROVED' + if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' runs-on: ubuntu-latest steps: 
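Review bot: In both `if:` conditions rewritten here (`dockerfile-lint-check` and `unit-tests`) the second clause `github.event_name != 'pull_request_review'` is implied by the first, since `github.event_name` holds a single value; `if: github.event_name == 'pull_request'` expresses the same gate and reads as intended. The identical expression is carried into the commented-out `build-test-push-sign-image` job in the next hunk, so it is worth simplifying there too before that block is re-enabled. Removing the `build` job also removes the only producer of the `selfserve` artifact; the remaining active jobs do not reference it in the visible hunks, which looks consistent, but `unit-tests` continues past this hunk so that should be confirmed against its full step list.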
@@ -75,122 +41,128 @@ jobs: echo 'Run unit tests' ls -la ./ - build-test-push-sign-image: - - name: Build, Push & Sign Image - runs-on: ubuntu-latest - - needs: - - build - - steps: - - - name: Checkout the repository to this runner - uses: actions/checkout@v3 - - - name: Download VOL selfserve artifact - uses: actions/download-artifact@v3.0.2 - with: - name: selfserve - path: ./ - - - name: Set BASE_IMAGE & VOL_selfserve_IMAGE_TAG - run: | - envsubst < dockerfile | tee dockerfile.tmp - mv dockerfile.tmp dockerfile - BASE_IMAGE=$(head -n1 dockerfile) - echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV - echo "VOL_selfserve_IMAGE_TAG=pr-approved-vol-selfserve-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV - - - name: Setup Notation CLI - uses: notaryproject/notation-action/setup@v1 - with: - version: 1.0.0 - - - name: Set up Notation AWS Signer plugin - run: | - wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb - sudo dpkg -i aws-signer-notation-cli_amd64.deb - notation version - notation plugin ls - - - name: Configure AWS credentials on Shared Core ECR - uses: aws-actions/configure-aws-credentials@v4.0.1 - with: - role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.DVSA_AWS_REGION }} - - - name: Login to Shared Core ECR - id: login-ecr-sharedcoreecr - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Build VOL selfserve image after verifying Base image - run: | - notation inspect $BASE_IMAGE - docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \ - --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} . 
- - - name: Snyk scan VOL selfserve image - id: scan-selfserve-image - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} - args: --file=dockerfile --severity-threshold=high - continue-on-error: true - - - name: Configure AWS credentials on Non Production VOL ECR - if: github.event.review.state == 'APPROVED' - uses: aws-actions/configure-aws-credentials@v4.0.1 - with: - role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.DVSA_AWS_REGION}} - - - name: Login to Non Production VOL ECR - if: github.event.review.state == 'APPROVED' - id: login-ecr-vol-tooling-non-prod - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Push VOL selfserve image - if: github.event.review.state == 'APPROVED' - id: push-image - run: | - echo "image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT - docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} - - outputs: - image_tag: ${{ steps.push-image.outputs.image_tag }} - - deploy-on-static-cluster: - - name: Deploy on Static ECS Cluster - if: github.event.review.state == 'APPROVED' - needs: - - build-test-push-sign-image - - uses: ./.github/workflows/trigger-github-workflow.yaml - with: - branch: 'feature/AWSRESET1-514' - git_repository: 'dvsa/dvsa-container-registry' - workflow_name: 'CD NON-PROD VOL selfserve' - input_arguments: 'vol_selfserve_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}' - secrets: - gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} - - automation-tests: - - name: Run Automation Tests - if: github.event.review.state == 'APPROVED' - runs-on: ubuntu-latest - - needs: - - deploy-on-static-cluster - - steps: - - - name: Run automation tests - run: | - echo 'Run automation tests' + # build-test-push-sign-image: + + # name: Build, Push & Sign Image + # if: github.event_name == 'pull_request' 
&& github.event_name != 'pull_request_review' + # runs-on: ubuntu-latest + + # # needs: + # # - build + + # steps: + + # - name: Checkout the repository to this runner + # uses: actions/checkout@v3 + + # - name: Build VOL API artifact + # uses: dvsa/olcs-backend/.github/actions/build-vol-api@feature/AWSRESET1-514 + + # - name: Set BASE_IMAGE & VOL_API_IMAGE_TAG + # if: github.event.review.state == 'APPROVED' + # run: | + # envsubst < dockerfile | tee dockerfile.tmp + # mv dockerfile.tmp dockerfile + # BASE_IMAGE=$(head -n1 dockerfile) + # echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV + # echo "VOL_API_IMAGE_TAG=pr-approved-vol-api-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV + + # - name: Configure AWS credentials on Shared Core ECR + # if: github.event.review.state == 'APPROVED' + # uses: aws-actions/configure-aws-credentials@v4.0.1 + # with: + # role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }} + # role-session-name: GitHub_to_AWS_via_FederatedOIDC + # aws-region: ${{ vars.DVSA_AWS_REGION }} + + # - name: Login to Shared Core ECR + # if: github.event.review.state == 'APPROVED' + # id: login-ecr-sharedcoreecr + # uses: aws-actions/amazon-ecr-login@v2.0.1 + + # - name: Verify base image + # if: github.event.review.state == 'APPROVED' + # uses: dvsa/olcs-backend/.github/actions/image-integrity@feature/AWSRESET1-514 + # with: + # ecr_tagged_image: $BASE_IMAGE + # image_sign_inspect: 'true' + + # - name: Build VOL API image + # if: github.event.review.state == 'APPROVED' + # run: | + # docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_API_IMAGE_TAG} \ + # --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} . 
+ + # - name: Snyk scan VOL API image + # if: github.event.review.state == 'APPROVED' + # id: scan-api-image + # uses: snyk/actions/docker@master + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # with: + # image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_API_IMAGE_TAG} + # args: --file=dockerfile --severity-threshold=high + # continue-on-error: true + + # - name: Configure AWS credentials on Non Production VOL ECR + # if: github.event.review.state == 'APPROVED' + # uses: aws-actions/configure-aws-credentials@v4.0.1 + # with: + # role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} + # role-session-name: GitHub_to_AWS_via_FederatedOIDC + # aws-region: ${{ vars.DVSA_AWS_REGION}} + + # - name: Login to Non Production VOL ECR + # if: github.event.review.state == 'APPROVED' + # id: login-ecr-vol-tooling-non-prod + # uses: aws-actions/amazon-ecr-login@v2.0.1 + + # - name: Push VOL API image + # if: github.event.review.state == 'APPROVED' + # id: push-image + # run: | + # echo "image_tag=${VOL_API_IMAGE_TAG}" >> $GITHUB_OUTPUT + # docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_API_IMAGE_TAG} + + # outputs: + # image_tag: ${{ steps.push-image.outputs.image_tag }} + + # deploy-on-static-cluster: + + # name: Deploy on Static ECS Cluster + # if: github.event.review.state == 'APPROVED' + # needs: + # - dockerfile-lint-check + # - unit-tests + # - build-test-push-sign-image + # runs-on: ubuntu-latest + + # steps: + + # - name: Deploy + # run: | + # echo 'Deploy on Static' + + # # uses: ./.github/workflows/trigger-github-workflow.yaml + # # with: + # # branch: 'feature/AWSRESET1-514' + # # git_repository: 'dvsa/dvsa-container-registry' + # # workflow_name: 'CD NON-PROD VOL API' + # # input_arguments: 'vol_api_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}' + # # secrets: + # # gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} + + # automation-tests: + + # name: Run Automation Tests + # if: github.event.review.state == 'APPROVED' + # 
runs-on: ubuntu-latest + + # needs: + # - deploy-on-static-cluster + + # steps: + + # - name: Run automation tests + # run: | + # echo 'Run automation tests'
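Review bot: The commented-out `build-test-push-sign-image` job cannot do what its steps intend if re-enabled as written: the job is gated on `github.event_name == 'pull_request'`, but every step from `Set BASE_IMAGE & VOL_API_IMAGE_TAG` onward is gated on `github.event.review.state == 'APPROVED'`, which is only populated on `pull_request_review` events, so the verify/build/sign/push steps would always be skipped. In the same block, `ecr_tagged_image: $BASE_IMAGE` reaches the image-integrity action as the literal string `$BASE_IMAGE` (action inputs are expression-evaluated, not shell-expanded), and only works if the action's own `run:` step happens to re-expand it; `ecr_tagged_image: ${{ env.BASE_IMAGE }}` is the reliable form. The composite actions are also referenced at mutable refs (`dvsa/olcs-backend/.github/actions/...@feature/AWSRESET1-514`, `snyk/actions/docker@master`), so the code that runs with the OIDC-assumed ECR roles and `SNYK_TOKEN` can change without any change in this file; pinning to a commit SHA (or at least a release tag) before un-commenting would close that gap. A one-line comment at the top of the block saying why it is disabled and what must be true to restore it would help, since `deploy-on-static-cluster` is now an `echo` stub with the real trigger nested a level deeper in comments.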