Skip to content

DP-875 - Informal Consortium - Add additional organisations #4893

DP-875 - Informal Consortium - Add additional organisations

DP-875 - Informal Consortium - Add additional organisations #4893

Workflow file for this run

# Run github actions locally with act https://github.com/nektos/act
# act --container-architecture linux/amd64 --artifact-server-path ./build/artifacts -W ./.github/workflows/build.yml
name: Build
on:
push:
branches: [main]
tags: ['*']
pull_request:
jobs:
test:
runs-on: ubuntu-latest
name: Tests
strategy:
matrix:
dotnet-version: [ '8.0.x' ]
steps:
- uses: actions/checkout@v4
- name: Setup dotnet ${{ matrix.dotnet-version }}
uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ matrix.dotnet-version }}
- uses: actions/cache@v4
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
restore-keys: |
${{ runner.os }}-nuget
- name: Build
run: make build OpenAPI
- name: Test
run: make test TEST_OPTIONS="--logger trx --results-directory 'TestResults-${{ matrix.dotnet-version }}'"
- name: Upload test results
uses: actions/upload-artifact@v4
with:
name: test-results-dotnet-${{ matrix.dotnet-version }}
path: TestResults-${{ matrix.dotnet-version }}
if: ${{ always() }}
- name: Upload OpenAPI contracts
uses: actions/upload-artifact@v4
with:
name: OpenAPI
path: OpenAPI
package:
runs-on: ubuntu-latest
name: Build containers
env:
DOCKER_BUILDKIT: 1
COMPOSE_DOCKER_CLI_BUILD: 1
CDP_ORGANISATION_APP_PORT: 8888
CDP_TENANT_PORT: 8811
CDP_ORGANISATION_PORT: 8822
CDP_PERSON_PORT: 8833
CDP_FORMS_PORT: 8844
CDP_DATA_SHARING_PORT: 8855
CDP_ENTITY_VERIFICATION_PORT: 8094
outputs:
version: ${{ steps.version.outputs.version }}
images: ${{ steps.save.outputs.images }}
images_json: ${{ steps.save.outputs.images_json }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Determine the version
id: version
run: |
COMMIT_REF=$(if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then echo "${{ github.event.pull_request.head.sha }}"; else echo "${GITHUB_SHA:-HEAD}"; fi)
CURRENT_COMMIT=$(make version-commit COMMIT_REF=$COMMIT_REF)
CURRENT_TAG=$([[ "${GITHUB_REF:0:10}" = "refs/tags/" ]] && echo ${GITHUB_REF#refs/tags/} || echo "")
LAST_TAG=$(make last-tag)
VERSION=$([[ "${CURRENT_TAG}" = "" ]] && echo "${LAST_TAG}-${CURRENT_COMMIT}" || echo "$CURRENT_TAG")
echo "Version: $VERSION"
echo "version=${VERSION}" >> $GITHUB_OUTPUT
- name: Build
run: make build-docker VERSION=${IMAGE_VERSION}
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Start services
run: make up
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Verify services
run: make verify-up
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Test migrations
run: make db
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Stop services
run: make down
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Save Docker Images
id: save
run: |
IMAGES=$(docker images | awk '$1 ~ /cabinetoffice\/cdp-/ && $2 ~ /^'$IMAGE_VERSION'$/ { print $1":"$2}' | tr '\n' ' ')
IMAGES_JSON=$(echo $IMAGES | tr " " "\n" | jq -R . | jq -c -s .)
echo "Images to be saved: $IMAGES"
echo "Images to be saved (json): $IMAGES_JSON"
docker save -o cdp-images.tar $IMAGES
echo "images=${IMAGES}" >> $GITHUB_OUTPUT
echo "images_json=${IMAGES_JSON}" >> $GITHUB_OUTPUT
env:
IMAGE_VERSION: ${{ steps.version.outputs.version }}
- name: Upload Docker Images as Artifacts
uses: actions/upload-artifact@v4
with:
name: docker-images
path: cdp-images.tar
vulnerability-scan:
# since we do not fail the build for now, but the report is to get feedback, only run it on the main branch and tags
if: (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && github.repository_owner == 'cabinetoffice'
runs-on: ubuntu-latest
name: Scan for vulnerabilities
needs: [test, package]
strategy:
matrix:
image: ${{ fromJSON(needs.package.outputs.images_json) }}
steps:
- uses: actions/checkout@v4
- name: Download Docker Images
uses: actions/download-artifact@v4
with:
name: docker-images
- name: Load Docker Images
run: docker load -i cdp-images.tar
- name: Determine the category
id: category
run: |
image=${{ matrix.image }}
category=${image%%:*}
echo "category=$category" >> $GITHUB_OUTPUT
- name: Scan ${{ matrix.image }}
uses: anchore/scan-action@v5
id: scan
with:
image: "${{ matrix.image }}"
fail-build: false
severity-cutoff: critical
output-format: sarif
- name: Upload Image Vulnerability Reports
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
category: ${{ steps.category.outputs.category }}
publish:
if: (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && github.repository_owner == 'cabinetoffice'
runs-on: ubuntu-latest
name: Publish containers
needs: [test, package]
env:
DOCKER_BUILDKIT: 1
COMPOSE_DOCKER_CLI_BUILD: 1
IMAGE_VERSION: ${{ needs.package.outputs.version }}
IMAGES: ${{ needs.package.outputs.images }}
steps:
- uses: actions/checkout@v4
- name: Download Docker Images
uses: actions/download-artifact@v4
with:
name: docker-images
- name: Load Docker Images
run: docker load -i cdp-images.tar
- name: Set up AWS CLI
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-2
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Tag and Push Docker Images
run: make aws-push-to-ecr AWS_ACCOUNT_ID="${{ secrets.AWS_ACCOUNT_ID }}" IMAGES="${{ env.IMAGES }}"
- name: Store Version in SSM Parameter Store
run: |
aws ssm put-parameter --name "cdp-sirsi-service-version" --value "${{ env.IMAGE_VERSION }}" --type String --overwrite