diff --git a/.github/workflows/build-push-images.yml b/.github/workflows/build-push-images.yml
new file mode 100644
index 00000000..ae690aa8
--- /dev/null
+++ b/.github/workflows/build-push-images.yml
@@ -0,0 +1,90 @@
+name: "[Job] Docker Build, Scan and Push to ECR"
+
+on:
+ workflow_call:
+ inputs:
+ docker_tag:
+ description: "Tag for docker image"
+ required: true
+ type: string
+ checkout_tag:
+ description: "Ref or tag to checkout"
+ default: ${{ github.ref }}
+ required: false
+ type: string
+
+defaults:
+ run:
+ shell: bash
+
+permissions:
+ id-token: write
+ contents: write
+ security-events: write
+ pull-requests: read
+
+jobs:
+ docker_build_scan_push:
+ strategy:
+ matrix:
+ include:
+ - ecr_repository: lpa-store/lambda/api-create
+ dir: create
+ runs-on: ubuntu-latest
+ name: ${{ matrix.ecr_repository }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.checkout_tag }}
+ - name: Build ${{ matrix.ecr_repository }} Image
+ id: build_image
+ run: |
+ docker build -f ./lambda/Dockerfile -t ${{ matrix.ecr_repository }} --build-arg DIR=${{ matrix.dir }} .
+ - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
+ id: trivy_scan
+ uses: aquasecurity/trivy-action@0.12.0
+ with:
+ image-ref: ${{ matrix.ecr_repository }}:latest
+ severity: "HIGH,CRITICAL"
+ format: "sarif"
+ output: "trivy-results.sarif"
+ - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }}
+ id: trivy_upload_sarif
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: "trivy-results.sarif"
+ - uses: unfor19/install-aws-cli-action@v1
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: eu-west-1
+ role-to-assume: arn:aws:iam::311462405659:role/lpa-store-ci
+ role-duration-seconds: 3600
+ role-session-name: GitHubActions
+ - name: ECR Login
+ id: login_ecr
+ uses: aws-actions/amazon-ecr-login@v1.7.0
+ with:
+ mask-password: true
+ registries: 311462405659
+ - name: Output push intentions
+ env:
+ ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
+ ECR_REPOSITORY: ${{ matrix.ecr_repository }}
+ run: |
+ docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.docker_tag }}
+ echo "Would push $ECR_REGISTRY/$ECR_REPOSITORY"
+ # - name: Push ${{ matrix.ecr_repository }} Image to ECR
+ # env:
+ # ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
+ # ECR_REPOSITORY: ${{ matrix.ecr_repository }}
+ # run: |
+ # docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.docker_tag }}
+ # if ${{ github.workflow == 'Path To Live' }}; then
+ # docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:latest
+ # docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.docker_tag }}
+ # fi
+ # docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index f970d5d4..00000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: Test & Build
-
-on:
- pull_request:
- branches:
- - main
- push:
- branches:
- - main
- workflow_dispatch:
-
-defaults:
- run:
- shell: bash
-
-jobs:
- build:
- name: Build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- with:
- fetch-depth: "0"
- name: Build Images
- run: make build
- name: Test API
- run: make up test-api
diff --git a/.github/workflows/validate-api.yaml b/.github/workflows/validate-api.yaml
index 8a7265f7..41fd0be8 100644
--- a/.github/workflows/validate-api.yaml
+++ b/.github/workflows/validate-api.yaml
@@ -13,7 +13,7 @@ jobs:
 name: Validate
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 fetch-depth: 0
 - uses: actions/setup-node@v3
diff --git a/.github/workflows/workflow-pr.yml b/.github/workflows/workflow-pr.yml
new file mode 100644
index 00000000..c32a7be8
--- /dev/null
+++ b/.github/workflows/workflow-pr.yml
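Review bot: The `workflow_call` trigger declares `inputs` but no `secrets`, yet the Configure AWS Credentials step reads `secrets.AWS_ACCESS_KEY_ID` / `secrets.AWS_SECRET_ACCESS_KEY`, and the caller in workflow-pr.yml (the last hunk) passes `aws_access_key_id` / `aws_secret_access_key` under `secrets:` — the names do not match and the called workflow declares nothing to receive them, so the call will not validate as written. Declare the two secrets under `workflow_call` and reference those names in the credentials step, as below. Separately, no step in this job writes to the repository (it checks out, builds, scans, uploads SARIF and logs in to ECR), so `contents: write` under `permissions` should be `contents: read`; `id-token: write` only earns its place if the credentials step moves to OIDC with `role-to-assume` alone, otherwise it can go too. The Trivy step leaves `exit-code` at its default, so HIGH/CRITICAL findings are uploaded but never fail the job; if the scan is meant to gate the push, add `exit-code: "1"` (optionally with `ignore-unfixed: true`) to its `with:` block.
```yaml
on:
  workflow_call:
    inputs:
      # … unchanged: docker_tag and checkout_tag inputs …
    secrets:
      aws_access_key_id:
        required: true
      aws_secret_access_key:
        required: true

# … unchanged: defaults, permissions, jobs, build and scan steps …
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.aws_access_key_id }}
          aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
          # … unchanged: aws-region, role-to-assume, role-duration-seconds, role-session-name …
```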
@@ -0,0 +1,83 @@
+name: Test & Build
+
+on:
+ pull_request:
+ branches:
+ - main
+ workflow_dispatch:
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ generate-tags:
+ name: Generate tags
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: "0"
+ - name: Extract branch name
+ id: extract_branch
+ run: |
+ if [ "$GITHUB_EVENT_NAME" == "push" ]; then
+ echo BRANCH_NAME=main >> $GITHUB_ENV
+ else
+ branch=${{ github.head_ref }}
+ branch=${branch//-}
+ branch=${branch//_}
+ branch=${branch//\/}
+ echo BRANCH_NAME=${branch} >> $GITHUB_ENV
+ fi
+ - name: Bump version
+ id: bump_version
+ uses: anothrNick/github-tag-action@1.67.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ INITIAL_VERSION: 0.0.0
+ DEFAULT_BUMP: minor
+ PRERELEASE: true
+ PRERELEASE_SUFFIX: ${{ env.BRANCH_NAME }}
+ RELEASE_BRANCHES: main
+ WITH_V: true
+ outputs:
+ docker_tag: ${{ steps.bump_version.outputs.tag }}
+
+ generate-environment-workspace-name:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate workspace name
+ id: name_workspace
+ run: |
+ workspace=${{ github.event.number }}${{ github.head_ref }}
+ workspace=${workspace//-}
+ workspace=${workspace//_}
+ workspace=${workspace//\/}
+ workspace=${workspace:0:11}
+ workspace=$(echo ${workspace} | tr '[:upper:]' '[:lower:]')
+ echo "name=${workspace}" >> $GITHUB_OUTPUT
+ echo ${workspace}
+ outputs:
+ environment_workspace_name: ${{ steps.name_workspace.outputs.name }}
+
+ build:
+ name: Build, Scan & Push Images
+ needs: [generate-tags]
+ uses: ./.github/workflows/build-push-images.yml
+ with:
+ docker_tag: ${{ needs.generate-tags.outputs.docker_tag }}
+ secrets:
+ aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ # deploy-pr-env:
+ # name: Deploy PR Environment
+ # needs: [build, generate-environment-workspace-name]
+ # uses: ./.github/workflows/deploy.yml
+ # with:
+ # workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }}
+ # version_tag: ${{ needs.generate-tags.outputs.docker_tag }}
+ # secrets:
+ # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
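Review bot: `branch=${{ github.head_ref }}` in the Extract branch name step and `workspace=${{ github.event.number }}${{ github.head_ref }}` in the Generate workspace name step expand a PR-author-controlled value straight into the shell script, which GitHub's Actions hardening guidance classes as script injection; pass the value in through `env:` and read it as a quoted shell variable instead, as below. The `push` branch of the `if` is unreachable here because `on:` lists only `pull_request` and `workflow_dispatch`, and on a `workflow_dispatch` run `github.head_ref` is empty so `PRERELEASE_SUFFIX` ends up empty — either drop that branch or handle the dispatch case explicitly. The `generate-environment-workspace-name` job also lacks the `name:` the other jobs carry and is only consumed by the commented-out `deploy-pr-env` job, which is worth a comment saying it is intentionally kept for that future use.
```yaml
      - name: Extract branch name
        id: extract_branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # … unchanged: push-event branch of the if …
            branch="$HEAD_REF"
          # … unchanged: strip -, _ and / then write BRANCH_NAME …

# … unchanged: Bump version step, job outputs …
      - name: Generate workspace name
        id: name_workspace
        env:
          PR_NUMBER: ${{ github.event.number }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          workspace="${PR_NUMBER}${HEAD_REF}"
          # … unchanged: normalise, truncate, lowercase, write output …
```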