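# Secure pipeline for the CRI core stub: checks out this repo plus the private
# ipv-config repo, builds an arm64 container image, signs it with cosign
# (AWS KMS key), pushes it to ECR, then packages the SAM template with the new
# image reference and hands it to the devplatform upload action for deployment.
#
# Indentation has been restored to 2 spaces throughout; the only behavioural
# edits are `-f` for the docker build file flag and quoting "$GITHUB_OUTPUT".
name: CRI Core Stub - Secure Pipeline build, push & Ship

on:
  push:
    branches:
      - main
    # Only rebuild when the stub itself or this workflow changes.
    paths:
      - di-ipv-core-stub/deploy/cri/**
      - di-ipv-core-stub/gradle/**
      - di-ipv-core-stub/src/**
      - di-ipv-core-stub/*
      - .github/workflows/core-cri-stub.yml
  workflow_dispatch:

jobs:
  dockerBuildAndPush:
    name: Docker build and push
    runs-on: ubuntu-latest
    timeout-minutes: 15
    env:
      AWS_REGION: eu-west-2
    # Least privilege: id-token:write is required for OIDC role assumption
    # in "Set up AWS creds"; the repo contents stay read-only.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: '0'

      # Private config repo, accessed with a PAT rather than GITHUB_TOKEN.
      - name: Checkout config repo
        uses: actions/checkout@v4
        with:
          repository: govuk-one-login/ipv-config
          token: ${{ secrets.IPV_CONFIG_PAT }}
          path: ./di-ipv-config
          fetch-depth: '0'
          ref: 'refs/heads/main'

      # Needed for the cross-platform (linux/arm64) build below.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up AWS creds
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          role-to-assume: ${{ secrets.CORE_CRI_GH_ACTIONS_ROLE_ARN }}
          aws-region: eu-west-2

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Login to GDS Dev Dynatrace Container Registry
        uses: docker/login-action@v3
        with:
          registry: khw46367.live.dynatrace.com
          username: khw46367
          password: ${{ secrets.DYNATRACE_PAAS_TOKEN }}

      # Tag = commit SHA + build timestamp, so each run produces a unique,
      # traceable image tag. github.sha is a hex commit id, so interpolating
      # it into the shell line is safe.
      - name: Create tag
        id: create-tag
        run: |
          IMAGE_TAG="${{ github.sha }}-$(date +'%Y-%m-%d-%H%M%S')"
          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"

      # NOTE(review): the installer is referenced by the mutable `main` branch.
      # For a signing tool this should be pinned to a release tag or commit
      # SHA so the signing step cannot change under the pipeline.
      - name: Install Cosign
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v1.9.0'

      - name: Copy Core Config into place
        id: copy-config-to-stub
        run: cp -rpfv ./di-ipv-config/stubs/di-ipv-core-stub ./di-ipv-core-stub/config

      # NOTE(review): DT_API_TOKEN is supplied as a --build-arg. Build args are
      # recorded in the image's build metadata unless the Dockerfile takes care
      # not to persist them; a BuildKit secret mount would keep it out of the
      # pushed image. Confirm against Dockerfile-arm64.
      - name: Build, tag, sign and push image to Amazon ECR
        working-directory: ./di-ipv-core-stub
        env:
          CONTAINER_SIGN_KEY: ${{ secrets.CONTAINER_SIGN_KMS_KEY }}
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: ${{ secrets.CORE_CRI_ECR_REPOSITORY }}
          IMAGE_TAG: ${{ steps.create-tag.outputs.image_tag }}
          DT_API_TOKEN: ${{ secrets.DYNATRACE_PAAS_TOKEN }}
        run: |
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG --build-arg DT_API_TOKEN=${DT_API_TOKEN} --platform linux/arm64 -f Dockerfile-arm64 .
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          cosign sign --key awskms:///${CONTAINER_SIGN_KEY} $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

      - name: Set up SAM cli
        uses: aws-actions/setup-sam@v2

      # Workaround for the linked sam-cli issue: force-reinstalls a pinned,
      # older cryptography release into sam's own interpreter.
      # NOTE(review): revisit once the upstream issue is resolved, since this
      # pin holds back a security-sensitive library.
      - name: sam fix https://github.com/aws/aws-sam-cli/issues/4527
        run: $(dirname $(readlink $(which sam)))/pip install --force-reinstall "cryptography==38.0.4"

      - name: SAM Validate
        working-directory: ./di-ipv-core-stub/deploy/cri
        run: sam validate --region ${{ env.AWS_REGION }}

      - name: SAM Package
        working-directory: ./di-ipv-core-stub/deploy/cri
        env:
          ARTIFACT_BUCKET: ${{ secrets.CORE_CRI_ARTIFACT_BUCKET_NAME }}
        run: sam package --s3-bucket="$ARTIFACT_BUCKET" --output-template-file=cf-template.yaml

      # Substitutes the freshly pushed image reference for the placeholder in
      # the packaged template. '|' is the sed delimiter because the image
      # reference contains '/'.
      - name: Update SAM template with ECR image
        working-directory: ./di-ipv-core-stub/deploy/cri
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: ${{ secrets.CORE_CRI_ECR_REPOSITORY }}
          IMAGE_TAG: ${{ steps.create-tag.outputs.image_tag }}
        run: sed -i "s|CONTAINER-IMAGE-PLACEHOLDER|$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG|" cf-template.yaml

      - name: SAM build and test
        working-directory: ./di-ipv-core-stub/deploy/cri
        run: sam build -t cf-template.yaml

      - name: Deploy SAM app
        uses: govuk-one-login/devplatform-upload-action@v3.9
        with:
          artifact-bucket-name: ${{ secrets.CORE_CRI_ARTIFACT_BUCKET_NAME }}
          signing-profile-name: ${{ secrets.SIGNING_PROFILE_NAME }}
          working-directory: ./di-ipv-core-stub/deploy/cri
          template-file: cf-template.yaml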