This repository has been archived by the owner on Aug 16, 2024. It is now read-only.
CI/CD NON PROD INTERNAL WEB #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD NON PROD INTERNAL WEB | |
run-name: CI/CD NON PROD INTERNAL WEB | |
on: | |
pull_request: | |
push: | |
branches: | |
- master | |
env: | |
AWS_REGION : ${{ vars.DVSA_AWS_REGION }} | |
IUWEB_NONPROD_TOOLING_REPO_URL: ${{ secrets.IUWEB_NONPROD_TOOLING_ECR_REPO_URL }} | |
AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }} | |
# Permission can be added at job level or workflow level | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
jobs: | |
# security: | |
# uses: dvsa/.github/.github/workflows/php-security.yml@v3.2.0 | |
# secrets: | |
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
# static-analysis: | |
# uses: dvsa/.github/.github/workflows/php-static.yml@v3.2.0 | |
# # with: | |
# # php-version: '7.4' | |
# tests: | |
# uses: dvsa/.github/.github/workflows/php-tests.yml@v3.2.0 | |
# with: | |
# php-versions: "[\"7.4\"]" | |
# # fail-fast: false | |
unit-tests: | |
name: Run Unit Tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout the repository to this runner | |
uses: actions/checkout@v3 | |
- name: Run unit tests | |
run: | | |
echo 'Run unit tests' | |
ls -la ./ | |
build-test-push-sign-image: | |
name: Build, Push & Sign Image | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
php: | |
- '7.4' | |
steps: | |
- name: build olcs static container | |
uses: dvsa/olcs-internal/.github/actions/build-static@feature/AddWorkflows | |
with: | |
checkout-repo: 'dvsa/olcs-static' | |
npm-version: '6' | |
python-version: '2.7' | |
node-version: '14' | |
- name: Checkout the repository to this runner | |
uses: actions/checkout@v3 | |
- uses: actions/download-artifact@v3 | |
with: | |
name: olcs-static-artifact | |
path: static | |
- name: Setup PHP | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: ${{ matrix.php }} | |
tools: composer:v2 | |
coverage: none | |
- name: Build Internal Web artifact | |
uses: dvsa/olcs-internal/.github/actions/build-iuweb@feature/AddWorkflows | |
- name: Set BASE_IMAGE & IUWEB_IMAGE_TAG | |
run: | | |
envsubst < dockerfile | tee dockerfile.tmp | |
mv dockerfile.tmp dockerfile | |
BASE_IMAGE=$(head -n1 dockerfile) | |
echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV | |
echo "IUWEB_IMAGE_TAG=approved-iuweb-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
- name: Configure AWS credentials on Shared Core ECR | |
uses: aws-actions/configure-aws-credentials@v4.0.1 | |
with: | |
role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }} | |
role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Login to Shared Core ECR | |
id: login-ecr-sharedcoreecr | |
uses: aws-actions/amazon-ecr-login@v2.0.1 | |
- name: Verify base image | |
uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows | |
with: | |
ecr_tagged_image: $BASE_IMAGE | |
image_sign_inspect: 'true' | |
- name: Build Internal Web image | |
run: | | |
docker build -t ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG} \ | |
--build-arg DVSA_AWS_SHAREDCOREECR_ID=${{ env.AWS_ACCOUNT_ID_SHAREDCOREECR }} . | |
- name: Snyk scan Internal Web image | |
id: scan-api-image | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG} | |
args: --file=dockerfile --severity-threshold=critical | |
continue-on-error: true | |
- name: Configure AWS credentials on Non Production IUWEB ECR | |
uses: aws-actions/configure-aws-credentials@v4.0.1 | |
with: | |
role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} | |
role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Login to Non Production IUWEB ECR | |
id: login-ecr-iuweb-tooling-non-prod | |
uses: aws-actions/amazon-ecr-login@v2.0.1 | |
- name: Push Internal Web image | |
# if: github.ref == 'refs/heads/master' | |
id: push-image | |
run: | | |
echo "image_tag=${IUWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT | |
docker push ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG} | |
- name: Sign Internal Web image | |
# if: github.ref == 'refs/heads/master' | |
uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows | |
with: | |
aws_signer_profile_arn: ${{ secrets.DVSA_AWS_IUWEB_NONPROD_TOOLING_IMAGE_SIGNING_PROFILE }} | |
ecr_tagged_image: ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG} | |
image_sign_create: 'true' | |
# - name: Release Internal Web | |
# uses: google-github-actions/release-please-action@v3 | |
# id: release | |
# with: | |
# release-type: php | |
# package-name: ${{ github.event.repository.name }} | |
outputs: | |
image_tag: ${{ steps.push-image.outputs.image_tag }} | |
# deploy-on-non-prod-cluster: | |
# name: Deploy on Non Prod Cluster | |
# # if: github.ref == 'refs/heads/master' | |
# needs: | |
# - unit-tests | |
# # - security | |
# # - static-analysis | |
# # - tests | |
# - build-test-push-sign-image | |
# runs-on: ubuntu-latest | |
# steps: | |
# - name: Deploy | |
# run: | | |
# echo 'Deploy on Non Prod' | |
# # uses: dvsa/.github/.github/workflows/trigger-github-workflow.yaml@feature/AddMiscAuxilaryWorkflows | |
# # with: | |
# # branch: 'feature/AWSRESET1-514' | |
# # git_repository: 'dvsa/dvsa-container-registry' | |
# # workflow_name: 'CD NON PROD INTERNAL WEB' | |
# # input_arguments: 'iuweb_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}' | |
# # secrets: | |
# # gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} | |
# automation-tests: | |
# name: Run Automation Tests | |
# # if: github.ref == 'refs/heads/master' | |
# runs-on: ubuntu-latest | |
# needs: | |
# - deploy-on-non-prod-cluster | |
# steps: | |
# - name: Run automation tests | |
# run: | | |
# echo 'Run automation tests' | |
# build-nonprod-approved-image: | |
# name: Build Non PROD Approved Image | |
# # if: github.ref == 'refs/heads/master' | |
# runs-on: ubuntu-latest | |
# needs: | |
# - build-test-push-sign-image | |
# - deploy-on-non-prod-cluster | |
# - automation-tests | |
# steps: | |
# - name: IUWEB_IMAGE_TAG & NONPROD_IUWEB_IMAGE_TAG | |
# run: | | |
# echo "IUWEB_IMAGE_TAG=${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV | |
# echo "NONPROD_IUWEB_IMAGE_TAG=nonprod-${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV | |
# - name: Configure AWS credentials on Non Production IUWEB ECR | |
# uses: aws-actions/configure-aws-credentials@v4.0.1 | |
# with: | |
# role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} | |
# role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
# aws-region: ${{ env.AWS_REGION }} | |
# - name: Login to Non Production IUWEB ECR | |
# id: login-ecr-iuweb-tooling-non-prod | |
# uses: aws-actions/amazon-ecr-login@v2.0.1 | |
# - name: Push Internal Web image | |
# # if: github.ref == 'refs/heads/master' | |
# id: push-approved-image | |
# run: | | |
# echo "approved_image_tag=${NONPROD_IUWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT | |
# docker pull ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG} | |
# docker tag ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG} ${IUWEB_NONPROD_TOOLING_REPO_URL}:${NONPROD_IUWEB_IMAGE_TAG} | |
# docker push ${IUWEB_NONPROD_TOOLING_REPO_URL}:${NONPROD_IUWEB_IMAGE_TAG} | |
# outputs: | |
# approved_image_tag: ${{ steps.push-approved-image.outputs.approved_image_tag }} | |
# qa-approval: | |
# name: QA Internal Web Image Approval | |
# # if: github.ref == 'refs/heads/master' | |
# needs: | |
# - build-nonprod-approved-image | |
# uses: dvsa/.github/.github/workflows/trigger-github-workflow.yaml@feature/AddMiscAuxilaryWorkflows | |
# with: | |
# branch: 'feature/AddWorkflows' | |
# git_repository: 'dvsa/olcs-internal' | |
# workflow_name: 'qa-internal-web-approval.yaml' | |
# input_arguments: 'iuweb_image_tag=${{ needs.build-nonprod-approved-image.outputs.approved_image_tag }}' | |
# secrets: | |
# gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} |