Skip to content

Update Minor & Patch Updates #patch #157

Update Minor & Patch Updates #patch

Update Minor & Patch Updates #patch #157

name: "[Example Workflow]"
on:
workflow_dispatch:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: write
security-events: write
actions: read
checks: read
deployments: none
issues: none
packages: none
pull-requests: read
repository-projects: none
statuses: none
jobs:
# generate a branch name
branch_name:
name: "Generate a safe branch name"
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
# generate workspace name
workspace_name:
name: "Generate the workspace name"
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
tf_version:
needs: [branch_name, workspace_name]
name: "Get terraform version"
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
with:
terraform_directory: "./terraform/account/"
# LINTING
# run linting for terraform
tf_lint:
needs: [tf_version]
name: "Run terraform linting"
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
with:
directory: "./terraform"
terraform_version: "${{ needs.tf_version.outputs.version}}"
terraform_wrapper: false
# tfsec for terraform
tfsec_analysis:
needs: [tf_lint]
name: "Run TFSec against the code base"
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
# SAST
# codeql for pythong
codeql_analysis:
name: "Run CodeQL against the code base"
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
with:
application_languages: '["python"]'
# generate tag
semver_tag:
needs: [branch_name, tfsec_analysis, codeql_analysis]
name: "Generate the semver tag value"
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
with:
branch_name: ${{ needs.branch_name.outputs.parsed }}
secrets: inherit
# Docker build, trivy scan, ECR push as a matrix
# The matrix loops over each app to build in a complicated
# structure
# ADD IN ECR PUSH
build_scan_push:
name: "Docker build, trivy scan, ECR push"
runs-on: ubuntu-latest
# require all steps before this matrix to have passed
needs: [tf_version, branch_name, workspace_name, semver_tag]
strategy:
fail-fast: true
matrix:
# services to scan over
data:
- docker_build_directory: "./service-app"
image_app_name: "helloworld"
test_command: "ls -l"
# we use these a few times, so its easier to generate them once and env
# vars are visible in the output, so helps with debug
env:
local_docker_image: ${{ matrix.data.image_app_name }}:latest
sarif_file: trivy-results.sarif
steps:
- uses: actions/checkout@v4
- name: Show environment values
run: |
echo "local_docker_image: ${{ env.local_docker_image }}"
echo "sarif_file: ${{ env.sarif_file }}"
# build our sample docker image
- name: Docker build
# set the working directory to the variable
working-directory: ${{ matrix.data.docker_build_directory }}
run: |
docker build -t ${{ env.local_docker_image }} .
# to check if things worked, output docker image list
- name: Docker image list
run: |
docker images
# log in to ECR
- name: Configure AWS Credentials With Assumed Role to Management
uses: aws-actions/[email protected]
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
# management account role
role-to-assume: arn:aws:iam::311462405659:role/gh-template-repo-ci
role-duration-seconds: 900
role-session-name: OPGExampleWorkflowGithubAction
- name: ECR Login
id: login_ecr
uses: aws-actions/[email protected]
with:
registries: 311462405659
- name: Trivy scan
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
with:
image-ref: ${{ env.local_docker_image }}
severity: "HIGH,CRITICAL"
format: 'sarif'
output: ${{ env.sarif_file }}
- name: Trivy scan upload to github
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: ${{ env.sarif_file }}
# for a lot of our services, there could be a test process here
- name: Run Tests
run: |
${{ matrix.data.test_command }}
######
## Push to ECR
######
- name: Push Container
env:
SEMVER_TAG: ${{ needs.semver_tag.outputs.tag }}
ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
ECR_REPOSITORY: github-template-repository/helloworld
run: |
docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:${{ env.SEMVER_TAG }}
docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:latest
docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY
# example terraform build stage
terraform_account_build:
name: "Terraform Account [Apply: ${{ github.ref == 'refs/heads/main'}}]"
needs: [workspace_name, semver_tag, build_scan_push, tf_version]
uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected]
with:
terraform_version: "${{ needs.tf_version.outputs.version}}"
terraform_directory: "./terraform/account"
terraform_apply: ${{ github.ref == 'refs/heads/main' && true || false }}
# this would be replaced with the dynamic value from needs.workspace_name.output.name
# but we're just using sandbox account and single env, so use default
terraform_workspace: "default"
# normally would need some logic to decide this based on branch name etc
# - if its true we would then need to pass workspace_manager_aws_account_id &
# workspace_manager_aws_iam_role as well
is_ephemeral: false
secrets:
AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
PAGERDUTY_TOKEN: "NONE"
GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
end:
name: 'End of workflow'
runs-on: 'ubuntu-latest'
needs: [branch_name, workspace_name, semver_tag, build_scan_push, terraform_account_build]
steps:
- name: "End"
run: |
echo "Done"