
Merge pull request #1253 from govuk-one-login/revert-1250-IPS-225-cor… #160


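# Builds the Passport Core Stub container image, signs it with cosign, pushes it
# to ECR, and publishes a packaged SAM template (pointing at that image) to the
# artifact bucket that the secure pipeline deploys from.
name: Passport Core Stub - Secure Pipeline build, push & Ship

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
    paths:
      - di-ipv-core-stub/deploy/passport/*
      - di-ipv-core-stub/gradle/**
      - di-ipv-core-stub/src/**
      - di-ipv-core-stub/*
      - .github/workflows/core-passport-stub.yml
  workflow_dispatch:

jobs:
  dockerBuildAndPush:
    name: Docker build and push
    runs-on: ubuntu-latest
    timeout-minutes: 15
    env:
      AWS_REGION: eu-west-2
    # id-token: write is needed for the OIDC role assumption in "Set up AWS
    # creds"; contents: read is the minimum the checkout steps require.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: '0'

      # The stub's runtime config lives in a separate private repo; it is
      # checked out here and copied into the build context further down.
      # NOTE(review): IPV_CONFIG_PAT only needs read access to ipv-config —
      # confirm the token is scoped that narrowly.
      - name: Checkout config repo
        uses: actions/checkout@v4
        with:
          repository: govuk-one-login/ipv-config
          token: ${{ secrets.IPV_CONFIG_PAT }}
          path: ./di-ipv-config
          fetch-depth: '0'
          ref: 'refs/heads/main'

      - name: Set up AWS creds
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          role-to-assume: ${{ secrets.CORE_PASSPORT_GH_ACTIONS_ROLE_ARN }}
          aws-region: eu-west-2

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Login to GDS Dev Dynatrace Container Registry
        uses: docker/login-action@v3
        with:
          registry: khw46367.live.dynatrace.com
          username: khw46367
          password: ${{ secrets.DYNATRACE_PAAS_TOKEN }}

      # Tag format: <commit sha>-<UTC-ish build timestamp>. GITHUB_SHA is the
      # runner-provided default env var (same value as github.sha) and is what
      # the final upload step already uses, so the two stay consistent.
      - name: Create tag
        id: create-tag
        run: |
          IMAGE_TAG="${GITHUB_SHA}-$(date +'%Y-%m-%d-%H%M%S')"
          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"

      # NOTE(review): `@main` is a mutable branch ref, so the installer code can
      # change underneath this pipeline without any edit here. Pin it to a
      # release tag (as the other actions in this job are) or, better, a full
      # commit SHA. cosign-release is left at the version the pipeline
      # currently signs with; confirm that line is still supported upstream.
      - name: Install Cosign
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v1.9.0'

      - name: Copy Core Config into place
        id: copy-config-to-stub
        run: cp -rpfv ./di-ipv-config/stubs/di-ipv-core-stub ./di-ipv-core-stub/config

      # The image is signed with a KMS-held key (never present on the runner)
      # so the deploy side can verify provenance before rolling it out.
      - name: Build, tag, sign and push image to Amazon ECR
        working-directory: ./di-ipv-core-stub
        env:
          CONTAINER_SIGN_KEY: ${{ secrets.CONTAINER_SIGN_KMS_KEY }}
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: ${{ secrets.CORE_PASSPORT_ECR_REPOSITORY }}
          IMAGE_TAG: ${{ steps.create-tag.outputs.image_tag }}
        run: |
          docker build -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
          cosign sign --key "awskms:///${CONTAINER_SIGN_KEY}" "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

      - name: Set up SAM cli
        uses: aws-actions/setup-sam@v2

      # Workaround for the linked aws-sam-cli issue: force an older cryptography
      # release into SAM's bundled Python. NOTE(review): check whether the issue
      # is resolved upstream so this pin to an old cryptography can be dropped.
      - name: sam fix https://github.com/aws/aws-sam-cli/issues/4527
        run: $(dirname $(readlink $(which sam)))/pip install --force-reinstall "cryptography==38.0.4"

      - name: SAM Validate
        working-directory: ./di-ipv-core-stub/deploy/passport
        run: sam validate --region ${{ env.AWS_REGION }}

      - name: SAM Package
        working-directory: ./di-ipv-core-stub/deploy/passport
        env:
          ARTIFACT_BUCKET: ${{ secrets.CORE_PASSPORT_ARTIFACT_BUCKET_NAME }}
        run: sam package --s3-bucket="$ARTIFACT_BUCKET" --output-template-file=cf-template.yaml

      # The template carries a literal placeholder for the image reference;
      # swap in the image built and pushed above.
      - name: Update SAM template with ECR image
        working-directory: ./di-ipv-core-stub/deploy/passport
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: ${{ secrets.CORE_PASSPORT_ECR_REPOSITORY }}
          IMAGE_TAG: ${{ steps.create-tag.outputs.image_tag }}
        run: sed -i "s|CONTAINER-IMAGE-PLACEHOLDER|$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG|" cf-template.yaml

      - name: Compress Template
        working-directory: ./di-ipv-core-stub/deploy/passport
        run: zip template.zip cf-template.yaml

      # Repository and commit SHA are attached as object metadata so the
      # deployed artifact can be traced back to its source revision.
      - name: Upload Compressed CloudFormation artifacts to S3
        working-directory: ./di-ipv-core-stub/deploy/passport
        env:
          ARTIFACT_BUCKET: ${{ secrets.CORE_PASSPORT_ARTIFACT_BUCKET_NAME }}
        run: aws s3 cp template.zip "s3://$ARTIFACT_BUCKET/template.zip" --metadata "repository=$GITHUB_REPOSITORY,commitsha=$GITHUB_SHA"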