Merge pull request #256 from ministryofjustice/LASB-2748-Fix-snyk-dep…

…endencies

LASB-2748: Resolve critical vulnerabilities reported by Snyk

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "gradle"
+    # Look for `package.json` and `lock` files in the `root` directory
+    directory: "/src"
+    # Check the npm registry for updates every day (weekdays)
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "Gradle"
+      include: "scope"

.github/workflows/build-and-push-docker.yml

@@ -0,0 +1,68 @@
+name: Build and push docker image workflow
+
+on:
+  workflow_call:
+    inputs:
+      ecr-repository:
+        required: true
+        type: string
+      docker-tag:
+        required: true
+        type: string
+      aws-region:
+        required: true
+        type: string
+    secrets:
+      ecr-role:
+        required: true
+
+jobs:
+  build-image:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.ecr-role }}
+          aws-region: ${{ inputs.aws-region }}
+      - uses: aws-actions/amazon-ecr-login@v1
+        id: login-ecr
+      - name: Determine Docker Tag
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: ${{ inputs.ecr-repository }}
+        id: get-docker-tag
+        run: |
+          DOCKER_TAG=${{ inputs.docker-tag }}
+          echo "Using docker tag '${DOCKER_TAG}'"
+
+          if docker pull "$REGISTRY/$REPOSITORY:${DOCKER_TAG}"; then
+              echo "Docker tag '${DOCKER_TAG}' already exists in the ECR - Not rebuilding Docker container"
+          else
+              echo >&2 "Docker tag '${DOCKER_TAG}' does not exist in the ECR - Application will be redeployed"
+          fi
+
+          echo "DOCKER_TAG=${DOCKER_TAG}" >> "$GITHUB_ENV"
+          echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_OUTPUT"
+      - name: Building the NOLASA image
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: ${{ inputs.ecr-repository }}
+        run: |
+          if docker pull "$REGISTRY/$REPOSITORY:$DOCKER_TAG"; then
+              echo "Docker image '$DOCKER_TAG' is up to date - not rebuilding"
+          else
+              echo "No Docker image for tag $DOCKER_TAG - Building the image with gradle ..."
+              chmod +x ./gradlew && ./gradlew build
+              echo Building the Docker image...
+              docker build -f Dockerfile_cp -t $REGISTRY/$REPOSITORY:$DOCKER_TAG --no-cache .
+              mkdir artifacts
+              zip -rq artifacts/buildreports.zip ./build/reports/tests/test/*
+              docker push $REGISTRY/$REPOSITORY:$DOCKER_TAG
+          fi
+      - name: Upload build tags and test reports
+        uses: actions/upload-artifact@v3
+        with:
+          name: build-reports
+          path: artifacts/
+

.github/workflows/cp-build-and-deploy-all-envs.yml

@@ -0,0 +1,84 @@
+# This workflow will deploy to all environments using the commit hash as the image tag.
+
+name: Deploy DEV, TEST PREPROD and PROD
+
+permissions:
+  id-token: write
+  contents: read
+
+on:
+  push:
+    branches:
+    - 'master'
+
+
+jobs:
+  build-and-push-image:
+    uses: ./.github/workflows/build-and-push-docker.yml
+    with:
+      ecr-repository: ${{ vars.ECR_REPOSITORY }}
+      docker-tag: ${{ github.sha }}
+      aws-region: ${{ vars.ECR_REGION }}
+    secrets:
+      ecr-role: ${{ secrets.ECR_ROLE_TO_ASSUME}}
+
+  deploy-application-dev:
+    needs: build-and-push-image
+    uses: ./.github/workflows/deploy-to-cloud-platform.yml
+    with:
+      env-name: development
+      helm-values-file: values_dev.yaml
+      ecr-repository: ${{ vars.ECR_REPOSITORY }}
+      docker-tag: ${{ github.sha }}
+      ecr-base-uri: 754256621582.dkr.ecr.eu-west-2.amazonaws.com
+    secrets:
+      kube-cluster: ${{ secrets.KUBE_CLUSTER }}
+      kube-namespace: ${{ secrets.KUBE_NAMESPACE }}
+      kube-cert: ${{ secrets.KUBE_CERT }}
+      kube-token: ${{ secrets.KUBE_TOKEN }}
+
+  deploy-application-test:
+    needs: deploy-application-dev
+    uses: ./.github/workflows/deploy-to-cloud-platform.yml
+    with:
+      env-name: test
+      helm-values-file: values_tst.yaml
+      ecr-repository: ${{ vars.ECR_REPOSITORY }}
+      docker-tag: ${{ github.sha }}
+      ecr-base-uri: 754256621582.dkr.ecr.eu-west-2.amazonaws.com
+    secrets:
+      kube-cluster: ${{ secrets.KUBE_CLUSTER }}
+      kube-namespace: ${{ secrets.KUBE_NAMESPACE }}
+      kube-cert: ${{ secrets.KUBE_CERT }}
+      kube-token: ${{ secrets.KUBE_TOKEN }}
+
+  deploy-application-preprod:
+    needs: deploy-application-test
+    uses: ./.github/workflows/deploy-to-cloud-platform.yml
+    with:
+      env-name: preproduction
+      helm-values-file: values_preprod.yaml
+      ecr-repository: ${{ vars.ECR_REPOSITORY }}
+      docker-tag: ${{ github.sha }}
+      ecr-base-uri: 754256621582.dkr.ecr.eu-west-2.amazonaws.com
+    secrets:
+      kube-cluster: ${{ secrets.KUBE_CLUSTER }}
+      kube-namespace: ${{ secrets.KUBE_NAMESPACE }}
+      kube-cert: ${{ secrets.KUBE_CERT }}
+      kube-token: ${{ secrets.KUBE_TOKEN }}
+
+  deploy-application-prod:
+    needs: deploy-application-preprod
+    uses: ./.github/workflows/deploy-to-cloud-platform.yml
+    with:
+      env-name: production
+      helm-values-file: values_prd.yaml
+      ecr-repository: ${{ vars.ECR_REPOSITORY }}
+      docker-tag: ${{ github.sha }}
+      ecr-base-uri: 754256621582.dkr.ecr.eu-west-2.amazonaws.com
+    secrets:
+      kube-cluster: ${{ secrets.KUBE_CLUSTER }}
+      kube-namespace: ${{ secrets.KUBE_NAMESPACE }}
+      kube-cert: ${{ secrets.KUBE_CERT }}
+      kube-token: ${{ secrets.KUBE_TOKEN }}
+

.github/workflows/cp-build-and-deploy-dev.yml

@@ -0,0 +1,40 @@
+# This workflow will build and deploy the current branch to dev.
+
+name: Build image and deploy to DEV
+
+permissions:
+  id-token: write
+  contents: read
+
+on:
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  build-and-push-image:
+    uses: ./.github/workflows/build-and-push-docker.yml
+    with:
+      ecr-repository: ${{ vars.ECR_REPOSITORY }}
+      docker-tag: ${{ github.sha }}
+      aws-region: ${{ vars.ECR_REGION }}
+    secrets:
+      ecr-role: ${{ secrets.ECR_ROLE_TO_ASSUME}}
+
+  deploy-application-to-dev:
+    needs: build-and-push-image
+    uses: ./.github/workflows/deploy-to-cloud-platform.yml
+    with:
+      env-name: development
+      helm-values-file: values_dev.yaml
+      ecr-repository: ${{ vars.ECR_REPOSITORY }}
+      docker-tag: ${{ github.sha }}
+      ecr-base-uri: 754256621582.dkr.ecr.eu-west-2.amazonaws.com
+    secrets:
+      kube-cluster: ${{ secrets.KUBE_CLUSTER }}
+      kube-namespace: ${{ secrets.KUBE_NAMESPACE }}
+      kube-cert: ${{ secrets.KUBE_CERT }}
+      kube-token: ${{ secrets.KUBE_TOKEN }}
+
+
+