.github/workflows/default.yaml

on: workflow_dispatch
permissions:
  id-token: write
  checks: write
jobs:
  cdk-deploy-gradle-test:
    environment: nonprod
    runs-on: ubuntu-22.04
    steps:
      - name: check-aws-account-id
        uses: actions/github-script@v6.4.1
        with:
          script: |
            if ("${{ vars.AWS_ACCOUNT_ID }}" == "") {
              core.setFailed("AWS_ACCOUNT_ID is unspecified")
            } else {
              core.info("AWS_ACCOUNT_ID is ${{ vars.AWS_ACCOUNT_ID }}")
            }
      - name: configure-aws-credentials
        uses: aws-actions/configure-aws-credentials@v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/GitHubActions"
          role-session-name: GitHubActions-${{ github.run_id }}-${{ github.run_number }}
          aws-region: eu-west-1
      - name: npm-install-cdk
        run: npm install -g aws-cdk@2.102.0
      - name: checkout
        uses: actions/checkout@v4.1.0
      - name: setup-java
        uses: actions/setup-java@v3.13.0
        with:
          distribution: 'corretto'
          java-version: '17'
          cache: 'gradle'
      - name: cdk-permissions-broadening
        id: cdk-permissions-broadening
        run: cdk diff --security-only --fail Binsley > cdk-diff-security
        continue-on-error: true
      - name: cdk-diff-security
        id: cdk-diff-security
        uses: actions/upload-artifact@v3.1.3
        if: steps.cdk-permissions-broadening.outcome == 'failure'
        with:
          name: cdk-diff-security
          path: cdk-diff-security
      - name: cdk-deploy
        run: cdk deploy --require-approval never Binsley
        if: steps.cdk-diff-security.outcome == 'success' || steps.cdk-diff-security.outcome == 'failure' || steps.cdk-diff-security.outcome == 'skipped'
      - name: assume-test-runner-role
        uses: aws-actions/configure-aws-credentials@v4.0.1
        with:
          role-to-assume: BinsleyTestRunner
          role-chaining: true
          aws-region: eu-west-1
      - name: gradle-test
        run: ./gradlew test
      - name: test-report
        uses: mikepenz/action-junit-report@v4.0.1
        if: steps.gradle-test.outcome == 'success' || steps.gradle-test.outcome == 'failure'
        with:
          report_paths: 'build/test-results/test/TEST-*.xml'