diff --git a/.github/actions/build-ssweb/README.md b/.github/actions/build-ssweb/README.md index f8b7078aa..bc0229f57 100644 --- a/.github/actions/build-ssweb/README.md +++ b/.github/actions/build-ssweb/README.md @@ -1,17 +1,17 @@ -# Build VOL API Artifact -Action to build VOL API artifact +# Build SelfServe Web Artifact +Action to buildSelfServe Web artifact #### Prerequisites Git checkout #### Context -This action allows the workflow to build VOL API artifact +This action allows the workflow to build SelfServe Web artifact #### Outputs VOL_API_Artifact -#### Usage +#### Usage ```yaml - name: Build VOL API artifact - uses: dvsa/olcs-backend/.github/actions/build-vol-api@main + uses: dvsa/olcs-backend/.github/actions/build-ssweb@main ``` \ No newline at end of file diff --git a/.github/actions/build-ssweb/action.yaml b/.github/actions/build-ssweb/action.yaml index e09d388a9..7ab1a6968 100644 --- a/.github/actions/build-ssweb/action.yaml +++ b/.github/actions/build-ssweb/action.yaml @@ -3,10 +3,10 @@ description: Build VOL SSWEB FE runs: using: 'composite' - steps: + steps: - uses: hashicorp/setup-terraform@v2 with: - terraform_version: ${{ inputs.terraform_version }} + terraform_version: ${{ inputs.terraform_version }} terraform_wrapper: false # Create s3 bucket in vol-non-prod tooling & vol-prod tooling to get the composer diff --git a/.github/actions/image-integrity/README.md b/.github/actions/image-integrity/README.md deleted file mode 100644 index f8b7078aa..000000000 --- a/.github/actions/image-integrity/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# Build VOL API Artifact -Action to build VOL API artifact - -#### Prerequisites -Git checkout - -#### Context -This action allows the workflow to build VOL API artifact - -#### Outputs -VOL_API_Artifact - -#### Usage -```yaml -- name: Build VOL API artifact - uses: dvsa/olcs-backend/.github/actions/build-vol-api@main -``` \ No newline at end of file 
diff --git a/.github/actions/image-integrity/action.yaml b/.github/actions/image-integrity/action.yaml deleted file mode 100644 index f445a6a15..000000000 --- a/.github/actions/image-integrity/action.yaml +++ /dev/null @@ -1,50 +0,0 @@ -name: Validate AWS ECR Image Signature -description: Validate AWS ECR Image Signature - -inputs: - aws_signer_profile_arn: - description: 'AWS Signer Profile ARN if `image_sign_create` is set to `true`' - required: false - ecr_tagged_image: - description: 'AWS ECR Image: {ACCOUNT_ID}.dkr.ecr.{REGION}.amazonaws.com/{REPO_NAME}:{IMAGE_TAG}' - required: true - image_sign_create: - description: 'Sign image if `true`' - required: true - default: 'false' - image_sign_inspect: - description: 'Inspect sign if `true`' - required: true - default: 'false' - -runs: - using: 'composite' - steps: - - name: Login to ECR - id: login-to-ecr - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Setup Notation CLI - uses: notaryproject/notation-action/setup@v1 - with: - version: 1.0.0 - - - name: Set up Notation AWS Signer plugin - run: | - wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb - sudo dpkg -i aws-signer-notation-cli_amd64.deb - shell: bash - - - name: Sign image - if: inputs.image_sign_create == 'true' - run: | - notation sign ${{ inputs.ecr_tagged_image }} \ - --plugin "com.amazonaws.signer.notation.plugin" \ - --id "${{ inputs.aws_signer_profile_arn }}" - shell: bash - - - name: Validate signature of image - if: inputs.image_sign_inspect == 'true' - run: | - notation inspect ${{ inputs.ecr_tagged_image }} - shell: bash \ No newline at end of file diff --git a/.github/workflows/docker-hadolint.yaml b/.github/workflows/docker-hadolint.yaml deleted file mode 100644 index 33109e03b..000000000 --- a/.github/workflows/docker-hadolint.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: Lint check Dockerfile - -on: - workflow_call: - -jobs: - hadolint: - - name: Run hadolint on Dockerfile - runs-on: ubuntu-latest - - steps: - - - name: Checkout the repository to the runner - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.ref }} - - - name: Lint check on dockerfile - uses: hadolint/hadolint-action@v3.1.0 - with: - dockerfile: dockerfile - ignore: DL3018,DL3048 \ No newline at end of file diff --git a/.github/workflows/image-sign-validation.yaml b/.github/workflows/image-sign-validation.yaml deleted file mode 100644 index c09a75c0c..000000000 --- a/.github/workflows/image-sign-validation.yaml +++ /dev/null @@ -1,46 +0,0 @@ -name: Validate AWS ECR Image Signature - -on: - workflow_call: - secrets: - aws_role_arn: - required: true - ecr_tagged_image: - required: true - -jobs: - - validate-image-signature: - - name: Validate Image Sign - runs-on: ubuntu-latest - - steps: - - - name: Checkout the repository to the runner - uses: actions/checkout@v3 - - - name: Configure aws credential - uses: aws-actions/configure-aws-credentials@v4.0.1 - with: - role-to-assume: ${{ secrets.aws_role_arn }} - role-session-name: GithubActionsSession - aws-region: ${{ vars.DVSA_AWS_REGION }} - - - name: Login to ECR - id: login-to-ecr - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Setup Notation CLI - uses: notaryproject/notation-action/setup@v1 - with: - version: 1.0.0 - - - name: Set up Notation AWS Signer plugin - run: | - wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb - sudo dpkg -i aws-signer-notation-cli_amd64.deb - - - name: Validate signature of VOL API image - run: | - notation inspect ${{ secrets.ecr_tagged_image }} \ No newline at end of file diff --git a/.github/workflows/non-prod-selfserve-web-build-deploy.yaml b/.github/workflows/non-prod-selfserve-web-build-deploy.yaml new file mode 100644 index 000000000..ac6948bf8 --- /dev/null 
+++ b/.github/workflows/non-prod-selfserve-web-build-deploy.yaml 
@@ -0,0 +1,235 @@ +name: CI/CD NON PROD SELFSERVE WEB +run-name: CI/CD NON PROD SELFSERVE WEB + +on: + push: + branches: + - master + +env: + AWS_REGION : ${{ vars.DVSA_AWS_REGION }} + SSWEB_NONPROD_TOOLING_REPO_URL: ${{ secrets.SSWEB_NONPROD_TOOLING_ECR_REPO_URL }} + AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }} + +# Permission can be added at job level or workflow level +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + +jobs: + + # security: + # uses: dvsa/.github/.github/workflows/php-security.yml@v3.2.0 + # secrets: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # static-analysis: + # uses: dvsa/.github/.github/workflows/php-static.yml@v3.2.0 + # # with: + # # php-version: '7.4' + + # tests: + # uses: dvsa/.github/.github/workflows/php-tests.yml@v3.2.0 + # with: + # php-versions: "[\"7.4\"]" + # # fail-fast: false + + unit-tests: + + name: Run Unit Tests + runs-on: ubuntu-latest + + steps: + + - name: Checkout the repository to this runner + uses: actions/checkout@v3 + + - name: Run unit tests + run: | + echo 'Run unit tests' + ls -la ./ + + build-test-push-sign-image: + + name: Build, Push & Sign Image + runs-on: ubuntu-latest + + steps: + + - name: Checkout the repository to this runner + uses: actions/checkout@v3 + + - name: Build SelfServe Web artifact + uses: dvsa/olcs-selfserve/.github/actions/build-ssweb@feature/AddWorkflows + + - name: Set BASE_IMAGE & SSWEB_IMAGE_TAG + run: | + envsubst < dockerfile | tee dockerfile.tmp + mv dockerfile.tmp dockerfile + BASE_IMAGE=$(head -n1 dockerfile) + echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV + echo "SSWEB_IMAGE_TAG=approved-ssweb-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV + + - name: Configure AWS credentials on Shared Core ECR + uses: aws-actions/configure-aws-credentials@v4.0.1 + with: + role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }} + role-session-name: 
GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Shared Core ECR + id: login-ecr-sharedcoreecr + uses: aws-actions/amazon-ecr-login@v2.0.1 + + - name: Verify base image + uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows + with: + ecr_tagged_image: $BASE_IMAGE + image_sign_inspect: 'true' + + - name: Build SelfServe Web image + run: | + # notation inspect $BASE_IMAGE + docker build -t ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} \ + --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} . + + - name: Snyk scan SelfServe Web image + id: scan-api-image + uses: snyk/actions/docker@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} + args: --file=dockerfile --severity-threshold=critical + continue-on-error: true + + - name: Configure AWS credentials on Non Production SSWEB ECR + uses: aws-actions/configure-aws-credentials@v4.0.1 + with: + role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Non Production SSWEB ECR + id: login-ecr-ssweb-tooling-non-prod + uses: aws-actions/amazon-ecr-login@v2.0.1 + + - name: Push SelfServe Web image + if: github.ref == 'refs/heads/master' + id: push-image + run: | + echo "image_tag=${SSWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT + docker push ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} + + - name: Sign SelfServe Web image + if: github.ref == 'refs/heads/master' + uses: dvsa/.gitub/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows + with: + aws_signer_profile_arn: ${{ secrets.DVSA_AWS_SSWEB_NONPROD_TOOLING_IMAGE_SIGNING_PROFILE }} + ecr_tagged_image: ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} + image_sign_create: 'true' + + outputs: + image_tag: ${{ steps.push-image.outputs.image_tag }} + + deploy-on-non-prod-cluster: + + 
name: Deploy on Non Prod Cluster + if: github.ref == 'refs/heads/master' + + needs: + - unit-tests + # - security + # - static-analysis + # - tests + - build-test-push-sign-image + + runs-on: ubuntu-latest + + steps: + + - name: Deploy + run: | + echo 'Deploy on Non Prod' + + # uses: ./.github/workflows/trigger-github-workflow.yaml + # with: + # branch: 'feature/AWSRESET1-514' + # git_repository: 'dvsa/dvsa-container-registry' + # workflow_name: 'CD NON PROD SELFSERVE WEB' + # input_arguments: 'ssweb_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}' + # secrets: + # gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} + + automation-tests: + + name: Run Automation Tests + if: github.ref == 'refs/heads/master' + runs-on: ubuntu-latest + + needs: + - deploy-on-non-prod-cluster + + steps: + + - name: Run automation tests + run: | + echo 'Run automation tests' + + build-nonprod-approved-image: + + name: Build Non PROD Approved Image + if: github.ref == 'refs/heads/master' + runs-on: ubuntu-latest + + needs: + - build-test-push-sign-image + # - deploy-on-non-prod-cluster + - automation-tests + + steps: + + - name: SSWEB_IMAGE_TAG & NONPROD_SSWEB_IMAGE_TAG + run: | + echo "SSWEB_IMAGE_TAG=${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV + echo "NONPROD_SSWEB_IMAGE_TAG=nonprod-${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV + + - name: Configure AWS credentials on Non Production SSWEB ECR + uses: aws-actions/configure-aws-credentials@v4.0.1 + with: + role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Non Production SSWEB ECR + id: login-ecr-ssweb-tooling-non-prod + uses: aws-actions/amazon-ecr-login@v2.0.1 + + - name: Push SelfServe Web image + if: github.ref == 'refs/heads/master' + id: push-approved-image + run: | + echo "approved_image_tag=${NONPROD_SSWEB_IMAGE_TAG}" >> 
$GITHUB_OUTPUT + docker pull ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} + docker tag ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} ${SSWEB_NONPROD_TOOLING_REPO_URL}:${NONPROD_SSWEB_IMAGE_TAG} + docker push ${SSWEB_NONPROD_TOOLING_REPO_URL}:${NONPROD_SSWEB_IMAGE_TAG} + + outputs: + approved_image_tag: ${{ steps.push-approved-image.outputs.approved_image_tag }} + + qa-approval: + + name: QA SelfServe Web Image Approval + if: github.ref == 'refs/heads/master' + + needs: + - build-nonprod-approved-image + + uses: dvsa/.github/.github/workflows/trigger-github-workflow.yaml@feature/AddMiscAuxilaryWorkflows + with: + branch: 'feature/AddWorkflows' + git_repository: 'dvsa/olcs-selfserve' + workflow_name: 'qa-selfserve-web-approval.yaml' + input_arguments: 'ssweb_image_tag=${{ needs.build-nonprod-approved-image.outputs.approved_image_tag }}' + secrets: + gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} diff --git a/.github/workflows/non-prod-vol-selfserve-build-deploy.yaml b/.github/workflows/non-prod-vol-selfserve-build-deploy.yaml deleted file mode 100644 index 1a5e4c788..000000000 --- a/.github/workflows/non-prod-vol-selfserve-build-deploy.yaml +++ /dev/null 
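Review bot: The `Sign SelfServe Web image` step references `dvsa/.gitub/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows`; the `.gitub` typo means the action cannot be resolved, so the one step that actually produces the signature later workflows inspect fails on every master push — it should read `uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows`. Both image-integrity references, the build-ssweb action and `snyk/actions/docker@master` are pinned to mutable branches while running with the OIDC role and the signing profile in scope; pin them to a release tag or full commit SHA so that a later push to the feature branch cannot silently change what gets verified and signed. `ecr_tagged_image: $BASE_IMAGE` (and the `${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG}` inputs) are passed under `with:` as literal shell text, which GitHub does not expand in action inputs, so they only work if the called action happens to splice the input into a `run:` script — use `ecr_tagged_image: ${{ env.BASE_IMAGE }}` and the equivalent expression form for the other inputs. The `Verify base image` step relies on `image_sign_inspect: 'true'`, and the local copy of this action deleted in the same commit implemented that as `notation inspect`, which lists signatures but does not evaluate them against a trust policy; if the shared action does the same, this is not a verification and `notation verify` is what gates the build. The Snyk scan also carries `continue-on-error: true`, so a critical finding does not block the push-and-sign steps that follow it.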
@@ -1,266 +0,0 @@ -name: CI/CD NON PROD VOL selfserve -run-name: CI/CD NON PROD VOL selfserve - -on: - pull_request: - branches: - - master - -env: - AWS_REGION : ${{ vars.DVSA_AWS_REGION }} - AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }} - VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }} - AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }} - -# Permission can be added at job level or workflow level -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - -jobs: - - build: - - name: Build VOL selfserve - runs-on: ubuntu-latest - - steps: - - - name: Checkout the repository to this runner - uses: actions/checkout@v3 - - # Create s3 bucket in vol-non-prod tooling & vol-prod tooling to get the composer - - name: Download the compose file - run: | - php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" - php composer-setup.php --install-dir=/usr/local/bin --filename=composer - php -r "unlink('composer-setup.php');" - - - name: Install Composer dependencies - run: | - composer install --optimize-autoloader --no-interaction --no-dev - - - name: Build VOL selfserve - run: | - date > config/version - git describe --all >> config/version - tar cvzf selfserve.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor - - - name: Upload VOL selfserve artifact - uses: actions/upload-artifact@v3.1.3 - with: - name: selfserve - path: ./selfserve.tar.gz - - unit-tests: - - name: Run Unit Tests - runs-on: ubuntu-latest - - steps: - - - name: Checkout the repository to this runner - uses: actions/checkout@v3 - - - name: Run unit tests - # if: github.event_name == 'pull_request' - run: | - echo 'Run unit tests' - ls -la ./ - - build-test-push-sign-image: - - name: Build, Push & Sign Image - runs-on: 
ubuntu-latest - needs: - - build - - unit-tests - - steps: - - - name: Checkout the repository to this runner - uses: actions/checkout@v3 - - - name: Download VOL selfserve artifact - uses: actions/download-artifact@v3.0.2 - with: - name: selfserve - path: ./ - - - name: Set BASE_IMAGE & VOL_selfserve_IMAGE_TAG - run: | - envsubst < dockerfile | tee dockerfile.tmp - mv dockerfile.tmp dockerfile - BASE_IMAGE=$(head -n1 dockerfile) - echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV - echo "VOL_selfserve_IMAGE_TAG=approved-vol-selfserve-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV - - - name: Setup Notation CLI - uses: notaryproject/notation-action/setup@v1 - with: - version: 1.0.0 - - - name: Set up Notation AWS Signer plugin - run: | - wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb - sudo dpkg -i aws-signer-notation-cli_amd64.deb - notation version - notation plugin ls - - - name: Configure AWS credentials on Shared Core ECR - uses: aws-actions/configure-aws-credentials@v4.0.1 - with: - role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.DVSA_AWS_REGION }} - - - name: Login to Shared Core ECR - id: login-ecr-sharedcoreecr - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Build VOL selfserve image after verifying Base image - run: | - notation inspect $BASE_IMAGE - docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \ - --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} . 
- - - name: Snyk scan VOL selfserve image - id: scan-selfserve-image - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} - args: --file=dockerfile --severity-threshold=high - continue-on-error: true - - - name: Configure AWS credentials on Non Production VOL ECR - uses: aws-actions/configure-aws-credentials@v4.0.1 - with: - role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.DVSA_AWS_REGION}} - - - name: Login to Non Production VOL ECR - id: login-ecr-vol-tooling-non-prod - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Push VOL selfserve image - # if: github.ref == 'refs/heads/main' - id: push-image - run: | - echo "image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT - docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} - - - name: Sign VOL selfserve image - # if: github.ref == 'refs/heads/main' - run: | - notation sign ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \ - --plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}" - - outputs: - image_tag: ${{ steps.push-image.outputs.image_tag }} - - deploy-on-non-prod-cluster: - - name: Deploy on Non Prod Cluster - # if: github.ref == 'refs/heads/main' - - needs: - - build-test-push-sign-image - - uses: ./.github/workflows/trigger-github-workflow.yaml - with: - branch: 'feature/AWSRESET1-514' - git_repository: 'dvsa/dvsa-container-registry' - workflow_name: 'CD NON-PROD VOL selfserve' - input_arguments: 'vol_selfserve_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}' - secrets: - gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} - - automation-tests: - - name: Run Automation Tests - # if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - - needs: - - deploy-on-non-prod-cluster - - steps: - - - 
name: Run automation tests - run: | - echo 'Run automation tests' - - build-nonprod-approved-image: - - name: Build Non PROD Approved Image - # if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - - needs: - - automation-tests - - steps: - - - name: VOL_selfserve_IMAGE_TAG - run: | - echo "VOL_selfserve_IMAGE_TAG=nonprod-${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV - - - name: Setup Notation CLI - uses: notaryproject/notation-action/setup@v1 - with: - version: 1.0.0 - - - name: Set up Notation AWS Signer plugin - run: | - wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb - sudo dpkg -i aws-signer-notation-cli_amd64.deb - notation version - notation plugin ls - - - name: Configure AWS credentials on Non Production VOL ECR - uses: aws-actions/configure-aws-credentials@v4.0.1 - with: - role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.DVSA_AWS_REGION}} - - - name: Login to Non Production VOL ECR - id: login-ecr-vol-tooling-non-prod - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Push VOL selfserve image - # if: github.ref == 'refs/heads/main' - id: push-approved-image - run: | - echo "approved_image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT - docker tag ${VOL_NONPROD_TOOLING_REPO_URL}:${{ needs.build-test-push-sign-image.outputs.image_tag }} \ - ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} - - - name: Sign VOL selfserve image - # if: github.ref == 'refs/heads/main' - run: | - notation sign ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \ - --plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}" - - outputs: - image_tag: ${{ steps.push-approved-image.outputs.approved_image_tag }} - - qa-approval: - - name: QA VOL selfserve Image Approval - # if: github.ref == 'refs/heads/main' - - 
needs: - - build-nonprod-approved-image - - uses: ./.github/workflows/trigger-github-workflow.yaml - with: - branch: 'feature/AWSRESET1-514' - git_repository: 'dvsa/olcs-selfserve' - workflow_name: 'QA VOL selfserve ARTIFACT APPROVAL' - input_arguments: '${{ needs.build-nonprod-approved-image.outputs.approved_image_tag }}' - secrets: - gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} diff --git a/.github/workflows/qa-selfserve-web-approval.yaml b/.github/workflows/qa-selfserve-web-approval.yaml new file mode 100644 index 000000000..242ecb579 --- /dev/null +++ b/.github/workflows/qa-selfserve-web-approval.yaml 
@@ -0,0 +1,117 @@ +name: CD QA SELFSERVE WEB +run-name: CD QA SELFSERVE WEB + +on: + workflow_dispatch: + inputs: + ssweb_image_tag: + description: 'Tag of SelfServe Web Image' + required: true + +env: + AWS_REGION : ${{ vars.DVSA_AWS_REGION }} + SSWEB_NONPROD_TOOLING_REPO_URL: ${{ secrets.SSWEB_NONPROD_TOOLING_ECR_REPO_URL }} + SSWEB_PROD_TOOLING_REPO_URL: ${{ secrets.SSWEB_PROD_TOOLING_ECR_REPO_URL }} + +# Permission can be added at job level or workflow level +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + +jobs: + + deploy-on-qa-cluster: + + name: Deploy on QA Cluster + if: github.ref == 'refs/heads/master' + runs-on: ubuntu-latest + + steps: + + - name: Configure AWS credentials on Non Production SSWEB ECR + uses: aws-actions/configure-aws-credentials@v4.0.1 + with: + role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ env.AWS_REGION}} + + - name: Login to Non Production SSWEB ECR + id: login-ecr-ssweb-tooling-non-prod + uses: aws-actions/amazon-ecr-login@v2.0.1 + + - name: Validate SelfServe Web Image + uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows + with: + ecr_tagged_image: ${{ secrets.SSWEB_NONPROD_TOOLING_ECR_REPO_URL }}:${{ github.event.inputs.SSWEB_image_tag }} + image_sign_inspect: 'true' + + - name: Deploy on QA + run: | + echo 'Deploy on QA' + + # uses: dvsa/.github/.github/workflows/trigger-github-workflow.yaml@feature/AddMiscAuxilaryWorkflows + # with: + # branch: 'feature/AWSRESET1-514' + # git_repository: 'dvsa/dvsa-container-registry' + # workflow_name: 'CD NON-PROD SELFSERVE WEB' + # input_arguments: 'ssweb_image_tag=${{ github.event.inputs.ssweb_image_tag }}' + # secrets: + # gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} + + + qa-automation-tests: + + name: Run QA Automation Tests + if: github.ref == 'refs/heads/master' + runs-on: 
ubuntu-latest + + needs: + - deploy-on-qa-cluster + + steps: + + - name: Run automation tests + run: | + echo 'Run automation tests' + + prod-approve-image: + + name: Approval PROD SelfServe Web Image + if: github.ref == 'refs/heads/master' + runs-on: ubuntu-latest + + needs: + - qa-automation-tests + + steps: + + - name: Set NONPROD_SSWEB_IMAGE_TAG & PROD_SSWEB_IMAGE_TAG + run: | + inputImageTag=${{ github.event.inputs.SSWEB_image_tag }} + echo "NONPROD_SSWEB_IMAGE_TAG=${inputImageTag}" >> $GITHUB_ENV + echo "PROD_SSWEB_IMAGE_TAG=${inputImageTag#non}" >> $GITHUB_ENV + + - name: Configure AWS credentials on SSWEB Non Production Tooling ECR + uses: aws-actions/configure-aws-credentials@v4.0.1 + with: + role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.DVSA_AWS_REGION}} + + - name: Login to ECR + id: login-ecr-ssweb-tooling-non-prod + uses: aws-actions/amazon-ecr-login@v2.0.1 + + - name: Tag & Push PROD Approved SelfServe Web image + id: push-image + run: | + docker pull ${SSWEB_NONPROD_TOOLING_REPO_URL}:${NONPROD_SSWEB_IMAGE_TAG} + docker tag ${SSWEB_NONPROD_TOOLING_REPO_URL}:${NONPROD_SSWEB_IMAGE_TAG} ${SSWEB_PROD_TOOLING_REPO_URL}:${PROD_SSWEB_IMAGE_TAG} + docker push ${SSWEB_PROD_TOOLING_REPO_URL}:${PROD_SSWEB_IMAGE_TAG} + + - name: Sign PROD SelfServe Web image + uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows + with: + aws_signer_profile_arn: ${{ secrets.DVSA_AWS_SSWEB_NONPROD_TOOLING_IMAGE_SIGNING_PROFILE }} + ecr_tagged_image: ${SSWEB_PROD_TOOLING_REPO_URL}:${PROD_SSWEB_IMAGE_TAG} + image_sign_create: 'true' diff --git a/.github/workflows/qa-vol-selfserve-approval.yaml b/.github/workflows/qa-vol-selfserve-approval.yaml deleted file mode 100644 index 5dd913004..000000000 --- a/.github/workflows/qa-vol-selfserve-approval.yaml +++ /dev/null 
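Review bot: The `Set NONPROD_SSWEB_IMAGE_TAG & PROD_SSWEB_IMAGE_TAG` step interpolates the `workflow_dispatch` input straight into the shell with `inputImageTag=${{ github.event.inputs.SSWEB_image_tag }}`, so whoever can dispatch this workflow controls shell text in a job that holds the tooling OIDC role and pushes and signs the production image; pass it through `env:` and quote it instead, e.g. `env: INPUT_TAG: ${{ github.event.inputs.ssweb_image_tag }}` with `inputImageTag="$INPUT_TAG"`, and reject values that do not match the expected `nonprod-ssweb-…` shape before the pull/tag/push. The same input is declared as `ssweb_image_tag` but read as `SSWEB_image_tag` in two steps; expression property lookup is documented as case-insensitive so this may work, but it should match the declaration. Every job is guarded by `if: github.ref == 'refs/heads/master'`, yet the dispatching caller in non-prod-selfserve-web-build-deploy.yaml passes `branch: 'feature/AddWorkflows'` — if that argument selects the ref the dispatched run executes on, all three jobs are skipped, which is worth confirming before relying on this chain. The `Validate SelfServe Web Image` step uses `image_sign_inspect`; the local image-integrity action deleted in this commit implemented that as `notation inspect`, which lists signatures without checking them against a trust policy, so if the shared action does the same the promotion to prod is gated on the presence, not the validity, of a signature. Note also that the prod image is signed with `DVSA_AWS_SSWEB_NONPROD_TOOLING_IMAGE_SIGNING_PROFILE` — confirm a non-prod signing profile is intended for the prod repository.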
@@ -1,124 +0,0 @@ -name: QA VOL selfserve ARTIFACT APPROVAL -run-name: QA VOL selfserve ARTIFACT APPROVAL - -on: - workflow_dispatch: - inputs: - vol_selfserve_image_tag: - description: 'Tag of VOL selfserve Image' - required: true - -env: - AWS_REGION : ${{ vars.DVSA_AWS_REGION }} - AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }} - VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }} - VOL_PROD_TOOLING_REPO_URL: ${{ secrets.VOL_PROD_TOOLING_ECR_REPO_URL }} - -# Permission can be added at job level or workflow level -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - -jobs: - - validate-nonprod-vol-selfserve-image: - name: Validate VOL selfserve Image - uses: ./.github/workflows/image-sign-validation.yaml - secrets: - aws_role_arn: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} - ecr_tagged_image: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }}:${{ github.event.inputs.vol_selfserve_image_tag }} - - deploy-on-qa-cluster: - - name: Deploy on QA Cluster - runs-on: ubuntu-latest - needs: - - validate-nonprod-vol-selfserve-image - - steps: - - - name: Trigger workflow 'nonprod-vol-selfserve-manual-cd' - if: github.event_name == 'pull_request' - run: | - echo "Here: ${{ github.event.inputs.vol_selfserve_image_tag }}" - # uses: actions/github-script@v6.4.1 - # with: - # github-token: ${{ secrets.GITHUB_TOKEN }} - # script: | - # await github.rest.actions.createWorkflowDispatch({ - # owner: 'dvsa', - # repo: 'dvsa-container-registry', - # workflow_id: 'workflows/nonprod-vol-selfserve-manual-cd.yaml', - # ref: 'feature/AWSRESET1-514', - # inputs: { - # vol_selfserve_image_tag: 'vol-selfserve-7.4.33-alpine-fpm-ddea10a', - # }, - # }); - # # script: | - # # await github.rest.actions.createWorkflowDispatch({ - # # owner: 'dvsa' - # # repo: 'dvsa-container-registry', - # # workflow_id: 'nonprod-vol-selfserve-manual-cd.yaml', - # # ref: 
'feature/AWSRESET1-514' - # # inputs: { - # # vol_selfserve_image_tag: ${{ needs.build-test-push-sign-image.outputs.image_tag }} - # # } - # # }) - - qa-automation-tests: - - name: Run QA Automation Tests - runs-on: ubuntu-latest - needs: - - deploy-on-qa-cluster - - steps: - - - name: Run automation tests - # if: github.ref == 'refs/heads/main' - run: | - echo 'Run automation tests' - - approve-image: - - name: PROD Approval For VOL Image - runs-on: ubuntu-latest - needs: - - qa-automation-tests - - steps: - - - name: Set VOL_selfserve_IMAGE_TAG - # if: github.ref == 'refs/heads/main' - run: | - echo "VOL_selfserve_IMAGE_TAG=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_ENV - - - name: Setup Notation CLI - uses: notaryproject/notation-action/setup@v1 - with: - version: 1.0.0 - - - name: Configure AWS credentials on VOL Non Production Tooling ECR - uses: aws-actions/configure-aws-credentials@v4.0.1 - with: - role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.DVSA_AWS_REGION}} - - - name: Login to ECR - id: login-ecr-vol-tooling-non-prod - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Tag & Push VOL selfserve image as PROD Approved - # if: github.ref == 'refs/heads/main' - id: push-image - run: | - docker pull ${VOL_NONPROD_TOOLING_REPO_URL}:${{ github.event.inputs.vol_selfserve_image_tag }} - docker tag ${VOL_NONPROD_TOOLING_REPO_URL}:${{ github.event.inputs.vol_selfserve_image_tag }} ${VOL_PROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} - # docker push ${VOL_PROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} - - # - name: Sign VOL selfserve image - # # if: github.ref == 'refs/heads/main' - # run: | - # notation sign ${VOL_PROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \ - # --plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}" 
diff --git a/.github/workflows/static-selfserve-web-build-deploy.yaml b/.github/workflows/static-selfserve-web-build-deploy.yaml
new file mode 100644
index 000000000..95300dfa4
--- /dev/null
+++ b/.github/workflows/static-selfserve-web-build-deploy.yaml
@@ -0,0 +1,191 @@ +name: CI/CD STATIC SELFSERVE WEB +run-name: CI/CD STATIC SELFSERVE WEB + +on: + pull_request_review: + types: [edited, submitted] + pull_request: + # branches: + # - master + +env: + AWS_REGION : ${{ vars.DVSA_AWS_REGION }} + SSWEB_NONPROD_TOOLING_REPO_URL: ${{ secrets.SSWEB_NONPROD_TOOLING_ECR_REPO_URL }} #{account}.dkr.ecr.{region}.amazonaws.com/non-prod-vol-ssweb + AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }} + +# Permission can be added at job level or workflow level +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + # security-events: write + +jobs: + + dockerfile-lint-check: + name: Dockerfile Lint Check + if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' + uses: dvsa/.github/.github/workflows/docker-hadolint.yaml@feature/AddMiscAuxilaryWorkflows + with: + dockerfile_name: dockerfile + supress_rule_list: DL3018,DL3048 + + # security: + # if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' + # uses: dvsa/.github/.github/workflows/php-security.yml@v3.2.0 + # secrets: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # static-analysis: + # if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' + # uses: dvsa/.github/.github/workflows/php-static.yml@v3.2.0 + # # with: + # # php-version: '7.4' + + # tests: + # if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' + # uses: dvsa/.github/.github/workflows/php-tests.yml@v3.2.0 + # with: + # php-versions: "[\"7.4\"]" + # # fail-fast: false + + unit-tests: + + name: Run Unit Tests + if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' + runs-on: ubuntu-latest + + steps: + + - name: Checkout the repository to this runner + uses: actions/checkout@v3 + + - name: Run unit tests + run: | + echo 'Run unit tests' + ls -la ./ + + 
build-test-push-sign-image: + + name: Build, Push & Sign Image + if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review' + runs-on: ubuntu-latest + + steps: + + - name: Checkout the repository to this runner + uses: actions/checkout@v3 + + - name: Build SelfServe Web artifact + uses: dvsa/olcs-selfserve/.github/actions/build-ssweb@feature/AddWorkflows + + - name: Set BASE_IMAGE & SSWEB_IMAGE_TAG + if: github.event.review.state == 'APPROVED' + run: | + envsubst < dockerfile | tee dockerfile.tmp + mv dockerfile.tmp dockerfile + BASE_IMAGE=$(head -n1 dockerfile) + echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV + echo "SSWEB_IMAGE_TAG=pr-approved-ssweb-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV + + - name: Configure AWS credentials on Shared Core ECR + if: github.event.review.state == 'APPROVED' + uses: aws-actions/configure-aws-credentials@v4.0.1 + with: + role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Shared Core ECR + if: github.event.review.state == 'APPROVED' + id: login-ecr-sharedcoreecr + uses: aws-actions/amazon-ecr-login@v2.0.1 + + - name: Verify base image + if: github.event.review.state == 'APPROVED' + uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows + with: + ecr_tagged_image: $BASE_IMAGE + image_sign_inspect: 'true' + + - name: Build SelfServe Web image + if: github.event.review.state == 'APPROVED' + run: | + docker build -t ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} \ + --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} . 
+ + - name: Snyk scan SelfServe Web image + if: github.event.review.state == 'APPROVED' + id: scan-api-image + uses: snyk/actions/docker@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} + args: --file=dockerfile --severity-threshold=high + continue-on-error: true + + - name: Configure AWS credentials on Non Production VOL ECR + if: github.event.review.state == 'APPROVED' + uses: aws-actions/configure-aws-credentials@v4.0.1 + with: + role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Non Production VOL ECR + if: github.event.review.state == 'APPROVED' + id: login-ecr-vol-tooling-non-prod + uses: aws-actions/amazon-ecr-login@v2.0.1 + + - name: Push SelfServe Web image + if: github.event.review.state == 'APPROVED' + id: push-image + run: | + echo "image_tag=${SSWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT + docker push ${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG} + + outputs: + image_tag: ${{ steps.push-image.outputs.image_tag }} + + deploy-on-static-cluster: + + name: Deploy on Static ECS Cluster + if: github.event.review.state == 'APPROVED' + needs: + - dockerfile-lint-check + - unit-tests + # - security + # - static-analysis + # - tests + - build-test-push-sign-image + runs-on: ubuntu-latest + + steps: + + - name: Deploy + run: | + echo 'Deploy on Static' + + # uses: dvsa/.github/.github/workflows/trigger-github-workflow.yaml@feature/AddMiscAuxilaryWorkflows + # with: + # branch: 'feature/AWSRESET1-514' + # git_repository: 'dvsa/dvsa-container-registry' + # workflow_name: 'CD NON-PROD SelfServe Web' + # input_arguments: 'ssweb_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}' + # secrets: + # gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} + + automation-tests: + + name: Run Automation Tests + if: github.event.review.state == 'APPROVED' + runs-on: 
ubuntu-latest + + needs: + - deploy-on-static-cluster + + steps: + + - name: Run automation tests + run: | + echo 'Run automation tests' diff --git a/.github/workflows/static-vol-selfserve-build-deploy.yaml b/.github/workflows/static-vol-selfserve-build-deploy.yaml deleted file mode 100644 index 77a9b9750..000000000 --- a/.github/workflows/static-vol-selfserve-build-deploy.yaml +++ /dev/null 
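Review bot: The "Verify base image" step in build-test-push-sign-image passes the literal string `$BASE_IMAGE` to the image-integrity action, because `with:` inputs are not shell-expanded, so the signature check never inspects the image the Dockerfile is then built from; it should read `ecr_tagged_image: ${{ env.BASE_IMAGE }}`, and the Snyk step's `image:` has the same problem with `${SSWEB_NONPROD_TOOLING_REPO_URL}:${SSWEB_IMAGE_TAG}` (use `${{ env.SSWEB_NONPROD_TOOLING_REPO_URL }}:${{ env.SSWEB_IMAGE_TAG }}`). The job-level `if: github.event_name == 'pull_request'` on build-test-push-sign-image and the step-level `github.event.review.state == 'APPROVED'` conditions cannot both hold, since `github.event.review` is only populated on pull_request_review events, so the build, verify, scan and push steps are always skipped; deploy-on-static-cluster likewise needs dockerfile-lint-check and unit-tests, which are skipped on review events, so it is skipped as well. The approval gate checks only the review state, and if the repository is public an approving review from an account without write access would presumably satisfy it, so consider also requiring `github.event.review.author_association` to be OWNER or MEMBER before assuming the OIDC roles and pushing. The reusable workflow and action references are pinned to feature branches (`@feature/AddMiscAuxilaryWorkflows`, `@feature/AddWorkflows`) and `snyk/actions/docker@master`; pinning to a tag or commit SHA keeps the build reproducible, and `continue-on-error: true` on the scan step means high-severity findings do not block the push.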
@@ -1,196 +0,0 @@ -name: CI/CD STATIC VOL selfserve -run-name: CI/CD STATIC VOL selfserve - -on: - pull_request_review: - branches: - - master - -env: - AWS_REGION : ${{ vars.DVSA_AWS_REGION }} - AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }} - VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }} - AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }} - -# Permission can be added at job level or workflow level -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - -jobs: - - dockerfile-lint-check: - name: Dockerfile Lint Check - if: github.event_name == 'pull_request_review' || github.event.review.state != 'APPROVED' - uses: ./.github/workflows/docker-hadolint.yaml - - build: - - name: Build VOL selfserve - runs-on: ubuntu-latest - - steps: - - - name: Checkout the repository to this runner - uses: actions/checkout@v3 - - # Create s3 bucket in vol-non-prod tooling & vol-prod tooling to get the composer - - name: Download the compose file - run: | - php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" - php composer-setup.php --install-dir=/usr/local/bin --filename=composer - php -r "unlink('composer-setup.php');" - - - name: Install Composer dependencies - run: | - composer install --optimize-autoloader --no-interaction --no-dev - - - name: Build VOL selfserve - run: | - date > config/version - git describe --all >> config/version - tar cvzf selfserve.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor - ls -la - echo $PWD - - - name: Upload VOL selfserve artifact - uses: actions/upload-artifact@v3.1.3 - with: - name: selfserve - path: ./selfserve.tar.gz - - unit-tests: - - name: Run Unit Tests - if: github.event_name == 'pull_request_review' || github.event.review.state != 
'APPROVED' - runs-on: ubuntu-latest - - steps: - - - name: Checkout the repository to this runner - uses: actions/checkout@v3 - - - name: Run unit tests - run: | - echo 'Run unit tests' - ls -la ./ - - build-test-push-sign-image: - - name: Build, Push & Sign Image - runs-on: ubuntu-latest - - needs: - - build - - steps: - - - name: Checkout the repository to this runner - uses: actions/checkout@v3 - - - name: Download VOL selfserve artifact - uses: actions/download-artifact@v3.0.2 - with: - name: selfserve - path: ./ - - - name: Set BASE_IMAGE & VOL_selfserve_IMAGE_TAG - run: | - envsubst < dockerfile | tee dockerfile.tmp - mv dockerfile.tmp dockerfile - BASE_IMAGE=$(head -n1 dockerfile) - echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV - echo "VOL_selfserve_IMAGE_TAG=pr-approved-vol-selfserve-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV - - - name: Setup Notation CLI - uses: notaryproject/notation-action/setup@v1 - with: - version: 1.0.0 - - - name: Set up Notation AWS Signer plugin - run: | - wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb - sudo dpkg -i aws-signer-notation-cli_amd64.deb - notation version - notation plugin ls - - - name: Configure AWS credentials on Shared Core ECR - uses: aws-actions/configure-aws-credentials@v4.0.1 - with: - role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.DVSA_AWS_REGION }} - - - name: Login to Shared Core ECR - id: login-ecr-sharedcoreecr - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Build VOL selfserve image after verifying Base image - run: | - notation inspect $BASE_IMAGE - docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \ - --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} . 
- - - name: Snyk scan VOL selfserve image - id: scan-selfserve-image - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} - args: --file=dockerfile --severity-threshold=high - continue-on-error: true - - - name: Configure AWS credentials on Non Production VOL ECR - if: github.event.review.state == 'APPROVED' - uses: aws-actions/configure-aws-credentials@v4.0.1 - with: - role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.DVSA_AWS_REGION}} - - - name: Login to Non Production VOL ECR - if: github.event.review.state == 'APPROVED' - id: login-ecr-vol-tooling-non-prod - uses: aws-actions/amazon-ecr-login@v2.0.1 - - - name: Push VOL selfserve image - if: github.event.review.state == 'APPROVED' - id: push-image - run: | - echo "image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT - docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} - - outputs: - image_tag: ${{ steps.push-image.outputs.image_tag }} - - deploy-on-static-cluster: - - name: Deploy on Static ECS Cluster - if: github.event.review.state == 'APPROVED' - needs: - - build-test-push-sign-image - - uses: ./.github/workflows/trigger-github-workflow.yaml - with: - branch: 'feature/AWSRESET1-514' - git_repository: 'dvsa/dvsa-container-registry' - workflow_name: 'CD NON-PROD VOL selfserve' - input_arguments: 'vol_selfserve_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}' - secrets: - gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }} - - automation-tests: - - name: Run Automation Tests - if: github.event.review.state == 'APPROVED' - runs-on: ubuntu-latest - - needs: - - deploy-on-static-cluster - - steps: - - - name: Run automation tests - run: | - echo 'Run automation tests' 
diff --git a/.github/workflows/trigger-github-workflow.yaml b/.github/workflows/trigger-github-workflow.yaml deleted file mode 100644 index 2ba8b90ed..000000000 --- a/.github/workflows/trigger-github-workflow.yaml +++ /dev/null @@ -1,62 +0,0 @@ -name: Trigger GH Actions Workflow - -on: - workflow_call: - inputs: - branch: - description: 'Name of the branch which contains the given Workflow' - default: 'main' - required: true - type: string - git_repository: - description: 'Name of the Owner/Repo which contains the given Workflow' - default: '' - required: true - type: string - workflow_name: - description: 'Name of the given Workflow' - default: '' - required: true - type: string - input_arguments: - description: 'Input Arguments to the given Workflow' - default: '' - required: true - type: string - secrets: - gh_token: - required: true - -jobs: - - trigger-workflow: - - name: Trigger Workflow - runs-on: ubuntu-latest - - steps: - - - name: Checkout the repository to the runner - uses: actions/checkout@v3 - - - name: Trigger Workflow - run: | - gh workflow run '${{ inputs.workflow_name }}' \ - -R ${{ inputs.git_repository }} \ - --ref ${{ inputs.branch }} \ - -f ${{ inputs.input_arguments }} - sleep 60 # required to assign the run-id to worflow - env: - GITHUB_TOKEN: ${{ secrets.gh_token }} - - - name: Monitor Workflow Execution Progress - run: | - runID=`curl -L -H \ - "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${{ secrets.gh_token }}" \ - -H "X-GitHub-selfserve-Version: 2022-11-28" \ - https://selfserve.github.com/repos/${{ inputs.git_repository }}/actions/runs |\ - jq -r '.workflow_runs[0]|select(.name == "${{ inputs.workflow_name }}" and .status == "in_progress").id'` - gh run watch $runID --interval 10 --exit-status 1 -R ${{ inputs.git_repository }} - env: - GITHUB_TOKEN: ${{ secrets.gh_token }} \ No newline at end of file 
diff --git a/.github/workflows/vol-api-build-pr-main-ci.yml b/.github/workflows/vol-api-build-pr-main-ci.yml deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/workflows/vol-selfserve-build-merge-main-cd.yml b/.github/workflows/vol-selfserve-build-merge-main-cd.yml deleted file mode 100644 index e69de29bb..000000000