-
Notifications
You must be signed in to change notification settings - Fork 1
195 lines (178 loc) · 6.64 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
# Run github actions locally with act https://github.com/nektos/act
# act --container-architecture linux/amd64 --artifact-server-path ./build/artifacts -W ./.github/workflows/build.yml
name: Build
on:
push:
branches: [main]
tags: ['*']
pull_request:
jobs:
test:
runs-on: ubuntu-latest
name: Tests
strategy:
matrix:
dotnet-version: [ '8.0.x' ]
steps:
- uses: actions/checkout@v4
- name: Setup dotnet ${{ matrix.dotnet-version }}
uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ matrix.dotnet-version }}
- uses: actions/cache@v4
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
restore-keys: |
${{ runner.os }}-nuget
- name: Build
run: make build OpenAPI
- name: Test
run: make test TEST_OPTIONS="--logger trx --results-directory 'TestResults-${{ matrix.dotnet-version }}'"
- name: Upload test results
uses: actions/upload-artifact@v4
with:
name: test-results-dotnet-${{ matrix.dotnet-version }}
path: TestResults-${{ matrix.dotnet-version }}
if: ${{ always() }}
- name: Upload OpenAPI contracts
uses: actions/upload-artifact@v4
with:
name: OpenAPI
path: OpenAPI
package:
runs-on: ubuntu-latest
name: Build containers
env:
DOCKER_BUILDKIT: 1
COMPOSE_DOCKER_CLI_BUILD: 1
CDP_ORGANISATION_APP_PORT: 8888
CDP_TENANT_PORT: 8811
CDP_ORGANISATION_PORT: 8822
CDP_PERSON_PORT: 8833
CDP_FORMS_PORT: 8844
CDP_DATA_SHARING_PORT: 8855
CDP_ENTITY_VERIFICATION_PORT: 8094
outputs:
version: ${{ steps.version.outputs.version }}
images: ${{ steps.save.outputs.images }}
images_json: ${{ steps.save.outputs.images_json }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Determine the version
id: version
run: |
COMMIT_REF=$(if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then echo "${{ github.event.pull_request.head.sha }}"; else echo "${GITHUB_SHA:-HEAD}"; fi)
CURRENT_COMMIT=$(make version-commit COMMIT_REF=$COMMIT_REF)
CURRENT_TAG=$([[ "${GITHUB_REF:0:10}" = "refs/tags/" ]] && echo ${GITHUB_REF#refs/tags/} || echo "")
LAST_TAG=$(make last-tag)
VERSION=$([[ "${CURRENT_TAG}" = "" ]] && echo "${LAST_TAG}-${CURRENT_COMMIT}" || echo "$CURRENT_TAG")
echo "Version: $VERSION"
echo "version=${VERSION}" >> $GITHUB_OUTPUT
- name: Build
run: make build-docker VERSION=${IMAGE_VERSION}
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Start services
run: make up
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Verify services
run: make verify-up
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Test migrations
run: make db
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Stop services
run: make down
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Save Docker Images
id: save
run: |
IMAGES=$(docker images | awk '$1 ~ /cabinetoffice\/cdp-/ && $2 ~ /^'$IMAGE_VERSION'$/ { print $1":"$2}' | tr '\n' ' ')
IMAGES_JSON=$(echo $IMAGES | tr " " "\n" | jq -R . | jq -c -s .)
echo "Images to be saved: $IMAGES"
echo "Images to be saved (json): $IMAGES_JSON"
docker save -o cdp-images.tar $IMAGES
echo "images=${IMAGES}" >> $GITHUB_OUTPUT
echo "images_json=${IMAGES_JSON}" >> $GITHUB_OUTPUT
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Upload Docker Images as Artifacts
uses: actions/upload-artifact@v4
with:
name: docker-images
path: cdp-images.tar
vulnerability-scan:
# since we do not fail the build for now, but the report is to get feedback, only run it on the main branch and tags
if: (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && github.repository_owner == 'cabinetoffice'
runs-on: ubuntu-latest
name: Scan for vulnerabilities
needs: [test, package]
strategy:
matrix:
image: ${{ fromJSON(needs.package.outputs.images_json) }}
steps:
- uses: actions/checkout@v4
- name: Download Docker Images
uses: actions/download-artifact@v4
with:
name: docker-images
- name: Load Docker Images
run: docker load -i cdp-images.tar
- name: Determine the category
id: category
run: |
image=${{ matrix.image }}
category=${image%%:*}
echo "category=$category" >> $GITHUB_OUTPUT
- name: Scan ${{ matrix.image }}
uses: anchore/scan-action@v5
id: scan
with:
image: "${{ matrix.image }}"
fail-build: false
severity-cutoff: critical
output-format: sarif
- name: Upload Image Vulnerability Reports
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
category: ${{ steps.category.outputs.category }}
publish:
if: (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && github.repository_owner == 'cabinetoffice'
runs-on: ubuntu-latest
name: Publish containers
needs: [test, package]
env:
DOCKER_BUILDKIT: 1
COMPOSE_DOCKER_CLI_BUILD: 1
IMAGE_VERSION: ${{ needs.package.outputs.version }}
IMAGES: ${{ needs.package.outputs.images }}
steps:
- uses: actions/checkout@v4
- name: Download Docker Images
uses: actions/download-artifact@v4
with:
name: docker-images
- name: Load Docker Images
run: docker load -i cdp-images.tar
- name: Set up AWS CLI
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-2
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Tag and Push Docker Images
run: make aws-push-to-ecr AWS_ACCOUNT_ID="${{ secrets.AWS_ACCOUNT_ID }}" IMAGES="${{ env.IMAGES }}"
- name: Store Version in SSM Parameter Store
run: |
aws ssm put-parameter --name "cdp-sirsi-service-version" --value "${{ env.IMAGE_VERSION }}" --type String --overwrite