Skip to content
This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

Commit

Permalink
Added workflows
Browse files Browse the repository at this point in the history
  • Loading branch information
@awshuss
awshuss committed Nov 17, 2023
1 parent fd63c9a commit c7fa646
Show file tree
Hide file tree
Showing 2 changed files with 131 additions and 205 deletions.
46 changes: 0 additions & 46 deletions .github/workflows/image-sign-validation.yaml
View file

This file was deleted.

290 changes: 131 additions & 159 deletions .github/workflows/static-vol-selfserve-build-deploy.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
name: CI/CD STATIC VOL selfserve
run-name: CI/CD STATIC VOL selfserve
name: CI/CD STATIC VOL SELFSERVE
run-name: CI/CD STATIC VOL SELFSERVE

on:
pull_request_review:
types: [edited, submitted]
pull_request:
branches:
- master

env:
AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }}
VOL_NONPROD_TOOLING_REPO_URL: ${{ secrets.VOL_NONPROD_TOOLING_ECR_REPO_URL }}
AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}

Expand All @@ -21,48 +22,13 @@ jobs:

dockerfile-lint-check:
name: Dockerfile Lint Check
if: github.event_name == 'pull_request_review' || github.event.review.state != 'APPROVED'
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
uses: ./.github/workflows/docker-hadolint.yaml

build:

name: Build VOL selfserve
runs-on: ubuntu-latest

steps:

- name: Checkout the repository to this runner
uses: actions/checkout@v3

# Create s3 bucket in vol-non-prod tooling & vol-prod tooling to get the composer
- name: Download the compose file
run: |
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php composer-setup.php --install-dir=/usr/local/bin --filename=composer
php -r "unlink('composer-setup.php');"
- name: Install Composer dependencies
run: |
composer install --optimize-autoloader --no-interaction --no-dev
- name: Build VOL selfserve
run: |
date > config/version
git describe --all >> config/version
tar cvzf selfserve.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor
ls -la
echo $PWD
- name: Upload VOL selfserve artifact
uses: actions/upload-artifact@v3.1.3
with:
name: selfserve
path: ./selfserve.tar.gz

unit-tests:

name: Run Unit Tests
if: github.event_name == 'pull_request_review' || github.event.review.state != 'APPROVED'
if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
runs-on: ubuntu-latest

steps:
Expand All @@ -75,122 +41,128 @@ jobs:
echo 'Run unit tests'
ls -la ./
build-test-push-sign-image:

name: Build, Push & Sign Image
runs-on: ubuntu-latest

needs:
- build

steps:

- name: Checkout the repository to this runner
uses: actions/checkout@v3

- name: Download VOL selfserve artifact
uses: actions/download-artifact@v3.0.2
with:
name: selfserve
path: ./

- name: Set BASE_IMAGE & VOL_selfserve_IMAGE_TAG
run: |
envsubst < dockerfile | tee dockerfile.tmp
mv dockerfile.tmp dockerfile
BASE_IMAGE=$(head -n1 dockerfile)
echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
echo "VOL_selfserve_IMAGE_TAG=pr-approved-vol-selfserve-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Setup Notation CLI
uses: notaryproject/notation-action/setup@v1
with:
version: 1.0.0

- name: Set up Notation AWS Signer plugin
run: |
wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
sudo dpkg -i aws-signer-notation-cli_amd64.deb
notation version
notation plugin ls
- name: Configure AWS credentials on Shared Core ECR
uses: aws-actions/configure-aws-credentials@v4.0.1
with:
role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.DVSA_AWS_REGION }}

- name: Login to Shared Core ECR
id: login-ecr-sharedcoreecr
uses: aws-actions/amazon-ecr-login@v2.0.1

- name: Build VOL selfserve image after verifying Base image
run: |
notation inspect $BASE_IMAGE
docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG} \
--build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} .
- name: Snyk scan VOL selfserve image
id: scan-selfserve-image
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
args: --file=dockerfile --severity-threshold=high
continue-on-error: true

- name: Configure AWS credentials on Non Production VOL ECR
if: github.event.review.state == 'APPROVED'
uses: aws-actions/configure-aws-credentials@v4.0.1
with:
role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.DVSA_AWS_REGION}}

- name: Login to Non Production VOL ECR
if: github.event.review.state == 'APPROVED'
id: login-ecr-vol-tooling-non-prod
uses: aws-actions/amazon-ecr-login@v2.0.1

- name: Push VOL selfserve image
if: github.event.review.state == 'APPROVED'
id: push-image
run: |
echo "image_tag=${VOL_selfserve_IMAGE_TAG}" >> $GITHUB_OUTPUT
docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_selfserve_IMAGE_TAG}
outputs:
image_tag: ${{ steps.push-image.outputs.image_tag }}

deploy-on-static-cluster:

name: Deploy on Static ECS Cluster
if: github.event.review.state == 'APPROVED'
needs:
- build-test-push-sign-image

uses: ./.github/workflows/trigger-github-workflow.yaml
with:
branch: 'feature/AWSRESET1-514'
git_repository: 'dvsa/dvsa-container-registry'
workflow_name: 'CD NON-PROD VOL selfserve'
input_arguments: 'vol_selfserve_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
secrets:
gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}

automation-tests:

name: Run Automation Tests
if: github.event.review.state == 'APPROVED'
runs-on: ubuntu-latest

needs:
- deploy-on-static-cluster

steps:

- name: Run automation tests
run: |
echo 'Run automation tests'
# build-test-push-sign-image:

# name: Build, Push & Sign Image
# if: github.event_name == 'pull_request' && github.event_name != 'pull_request_review'
# runs-on: ubuntu-latest

# # needs:
# # - build

# steps:

# - name: Checkout the repository to this runner
# uses: actions/checkout@v3

# - name: Build VOL API artifact
# uses: dvsa/olcs-backend/.github/actions/build-vol-api@feature/AWSRESET1-514

# - name: Set BASE_IMAGE & VOL_API_IMAGE_TAG
# if: github.event.review.state == 'APPROVED'
# run: |
# envsubst < dockerfile | tee dockerfile.tmp
# mv dockerfile.tmp dockerfile
# BASE_IMAGE=$(head -n1 dockerfile)
# echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
# echo "VOL_API_IMAGE_TAG=pr-approved-vol-api-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV

# - name: Configure AWS credentials on Shared Core ECR
# if: github.event.review.state == 'APPROVED'
# uses: aws-actions/configure-aws-credentials@v4.0.1
# with:
# role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
# role-session-name: GitHub_to_AWS_via_FederatedOIDC
# aws-region: ${{ vars.DVSA_AWS_REGION }}

# - name: Login to Shared Core ECR
# if: github.event.review.state == 'APPROVED'
# id: login-ecr-sharedcoreecr
# uses: aws-actions/amazon-ecr-login@v2.0.1

# - name: Verify base image
# if: github.event.review.state == 'APPROVED'
# uses: dvsa/olcs-backend/.github/actions/image-integrity@feature/AWSRESET1-514
# with:
# ecr_tagged_image: $BASE_IMAGE
# image_sign_inspect: 'true'

# - name: Build VOL API image
# if: github.event.review.state == 'APPROVED'
# run: |
# docker build -t ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_API_IMAGE_TAG} \
# --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} .

# - name: Snyk scan VOL API image
# if: github.event.review.state == 'APPROVED'
# id: scan-api-image
# uses: snyk/actions/docker@master
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# image: ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_API_IMAGE_TAG}
# args: --file=dockerfile --severity-threshold=high
# continue-on-error: true

# - name: Configure AWS credentials on Non Production VOL ECR
# if: github.event.review.state == 'APPROVED'
# uses: aws-actions/configure-aws-credentials@v4.0.1
# with:
# role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
# role-session-name: GitHub_to_AWS_via_FederatedOIDC
# aws-region: ${{ vars.DVSA_AWS_REGION}}

# - name: Login to Non Production VOL ECR
# if: github.event.review.state == 'APPROVED'
# id: login-ecr-vol-tooling-non-prod
# uses: aws-actions/amazon-ecr-login@v2.0.1

# - name: Push VOL API image
# if: github.event.review.state == 'APPROVED'
# id: push-image
# run: |
# echo "image_tag=${VOL_API_IMAGE_TAG}" >> $GITHUB_OUTPUT
# docker push ${VOL_NONPROD_TOOLING_REPO_URL}:${VOL_API_IMAGE_TAG}

# outputs:
# image_tag: ${{ steps.push-image.outputs.image_tag }}

# deploy-on-static-cluster:

# name: Deploy on Static ECS Cluster
# if: github.event.review.state == 'APPROVED'
# needs:
# - dockerfile-lint-check
# - unit-tests
# - build-test-push-sign-image
# runs-on: ubuntu-latest

# steps:

# - name: Deploy
# run: |
# echo 'Deploy on Static'

# # uses: ./.github/workflows/trigger-github-workflow.yaml
# # with:
# # branch: 'feature/AWSRESET1-514'
# # git_repository: 'dvsa/dvsa-container-registry'
# # workflow_name: 'CD NON-PROD VOL API'
# # input_arguments: 'vol_api_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
# # secrets:
# # gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}

# automation-tests:

# name: Run Automation Tests
# if: github.event.review.state == 'APPROVED'
# runs-on: ubuntu-latest

# needs:
# - deploy-on-static-cluster

# steps:

# - name: Run automation tests
# run: |
# echo 'Run automation tests'

0 comments on commit c7fa646

Please sign in to comment.