diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
index b157380bf3..d09a21becd 100644
--- a/.github/workflows/docker_job.yml
+++ b/.github/workflows/docker_job.yml
@@ -30,36 +30,57 @@ jobs: include: - ecr_repository: modernising-lpa/app path: ./docker/mlpa/Dockerfile - - ecr_repository: modernising-lpa/create-s3-batch-replication-job - path: ./lambda/create_s3_replication_job/Dockerfile - - ecr_repository: modernising-lpa/event-received - path: ./docker/event-received/Dockerfile - - ecr_repository: modernising-lpa/mock-onelogin - path: ./docker/mock-onelogin/Dockerfile + # - ecr_repository: modernising-lpa/create-s3-batch-replication-job + # path: ./lambda/create_s3_replication_job/Dockerfile + # - ecr_repository: modernising-lpa/event-received + # path: ./docker/event-received/Dockerfile + # - ecr_repository: modernising-lpa/mock-onelogin + # path: ./docker/mock-onelogin/Dockerfile runs-on: ubuntu-latest name: ${{ matrix.ecr_repository }} steps: - uses: actions/checkout@v4 with: ref: ${{ inputs.checkout_tag }} - - name: Build ${{ matrix.ecr_repository }} Image - id: build_image - run: | - docker build -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} . - - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }} - id: trivy_scan - uses: aquasecurity/trivy-action@0.14.0 - with: - image-ref: ${{ matrix.ecr_repository }}:latest - severity: 'HIGH,CRITICAL' - format: 'sarif' - output: 'trivy-results.sarif' - - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }} - id: trivy_upload_sarif - uses: github/codeql-action/upload-sarif@v2 - if: always() + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3.0.0 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3.0.0 with: - sarif_file: 'trivy-results.sarif' + version: v0.12.0 + platforms: linux/amd64,linux/arm64 + + # - name: Build ${{ matrix.ecr_repository }} Image + # uses: docker/build-push-action@v5.1.0 + # with: + # context: . 
+ # file: ${{ matrix.path }} + # push: false + # tags: | + # ${{ matrix.ecr_repository }}:${{ inputs.tag }} + # build-args: | + # TAG=${{inputs.tag}} + + # id: build_image + # run: | + # docker buildx build \ + # -f ${{ matrix.path }} -t ${{ matrix.ecr_repository }} --build-arg TAG=${{inputs.tag}} . + # - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }} + # id: trivy_scan + # uses: aquasecurity/trivy-action@0.14.0 + # with: + # image-ref: ${{ matrix.ecr_repository }}:latest + # severity: 'HIGH,CRITICAL' + # format: 'sarif' + # output: 'trivy-results.sarif' + # - name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }} + # id: trivy_upload_sarif + # uses: github/codeql-action/upload-sarif@v2 + # if: always() + # with: + # sarif_file: 'trivy-results.sarif' + - uses: unfor19/install-aws-cli-action@v1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4.0.1 
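Review bot: The Trivy scan and the SARIF upload for `${{ matrix.ecr_repository }}` are commented out rather than carried over to the new buildx flow, so the job still called "Docker Build, Scan and Push" no longer scans anything before the pushes in the next hunk, and the three other matrix entries (`create-s3-batch-replication-job`, `event-received`, `mock-onelogin`) are commented out as well, so those images stop being built on this path at all. If this is an intermediate step towards multi-arch images, record it where the old step sat, e.g. `# TODO: re-enable Trivy against the pushed digest — multi-platform images cannot be load:ed for a local scan`, so the gate is not silently lost. Separately, `docker/setup-qemu-action@v3.0.0` and `docker/setup-buildx-action@v3.0.0` are pinned to mutable release tags in a job that later obtains ECR push credentials; pin third-party actions to a commit SHA with the version as a trailing comment (`uses: docker/setup-buildx-action@<sha> # v3.0.0`).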
@@ -74,14 +95,42 @@ jobs: with: mask-password: true registries: 311462405659 - - name: Push ${{ matrix.ecr_repository }} Image to ECR - env: - ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} - ECR_REPOSITORY: ${{ matrix.ecr_repository }} - run: | - docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} - if ${{ github.workflow == 'Path To Live' }}; then - docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:latest - docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} - fi - docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY + - name: Push ${{ matrix.ecr_repository }} Image to ECR for PR + if: ${{ github.workflow != 'Path To Live' }} + uses: docker/build-push-action@v5.1.0 + with: + context: . + file: ${{ matrix.path }} + push: true + tags: | + ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:${{ inputs.tag }} + build-args: | + TAG=${{inputs.tag}} + + - name: Push ${{ matrix.ecr_repository }} Image to ECR for Path to Live + if: ${{ github.workflow == 'Path To Live' }} + uses: docker/build-push-action@v5.1.0 + with: + context: . + file: ${{ matrix.path }} + push: true + tags: | + ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:main-${{ inputs.tag }} + ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:latest + build-args: | + TAG=${{inputs.tag}} + # env: + # ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} + # ECR_REPOSITORY: ${{ matrix.ecr_repository }} + # run: | + # if ${{ github.workflow == 'Path To Live' }}; then + # docker buildx build \ + # --push \ + # -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.tag }} -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \ + # --build-arg TAG=${{inputs.tag}} . + # else + # docker buildx build \ + # --push \ + # -f ${{ matrix.path }} -t $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} \ + # --build-arg TAG=${{inputs.tag}} . + # fi 
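Review bot: Both `docker/build-push-action@v5.1.0` steps push straight to ECR with no `id:`, so the image digest the action exposes is never captured, and with the Trivy step disabled in the previous hunk the pushed image is neither scanned nor referenced by anything immutable — `latest` and `main-<tag>` are mutable tags that the Path-to-Live step overwrites on every run. Give each push step an `id:` and re-add the existing Trivy action against the pushed digest with `exit-code: '1'` so HIGH/CRITICAL findings fail the job as the removed `run:` flow intended; note Trivy scans only the platform it runs on unless `--platform` is passed, so a multi-platform manifest is not fully covered by one scan. As a point of style, the two steps are identical apart from `tags:`; a single step whose `tags:` is computed from the workflow name (or via `docker/metadata-action`) would remove the duplication.
```yaml
      - name: Push ${{ matrix.ecr_repository }} Image to ECR for PR
        if: ${{ github.workflow != 'Path To Live' }}
        id: build_push_pr
        uses: docker/build-push-action@v5.1.0
        # … unchanged: with: context/file/push/tags/build-args …

      - name: Push ${{ matrix.ecr_repository }} Image to ECR for Path to Live
        if: ${{ github.workflow == 'Path To Live' }}
        id: build_push_live
        uses: docker/build-push-action@v5.1.0
        # … unchanged: with: context/file/push/tags/build-args …

      - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
        uses: aquasecurity/trivy-action@0.14.0
        with:
          image-ref: ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}@${{ steps.build_push_pr.outputs.digest || steps.build_push_live.outputs.digest }}
          severity: 'HIGH,CRITICAL'
          exit-code: '1'
          format: 'sarif'
          output: 'trivy-results.sarif'
```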
diff --git a/.github/workflows/workflow_pr.yml b/.github/workflows/workflow_pr.yml
index af9e3f1051..dbf9690012 100644
--- a/.github/workflows/workflow_pr.yml
+++ b/.github/workflows/workflow_pr.yml
@@ -32,150 +32,151 @@ jobs: needs: detect_changes uses: ./.github/workflows/tags_job.yml with: - changes_detected: ${{ needs.detect_changes.outputs.changes_detected }} - - go_unit_tests: - name: Run Go unit tests - if: needs.detect_changes.outputs.changes_detected == 'true' - needs: create_tags - uses: ./.github/workflows/go-unit-tests.yml - with: - tag: ${{ needs.create_tags.outputs.version_tag }} - commit_sha: ${{ github.event.pull_request.head.sha }} - branch: ${{ github.head_ref }} - secrets: - pact_broker_password: ${{ secrets.PACT_BROKER_PASSWORD }} + changes_detected: true + # changes_detected: ${{ needs.detect_changes.outputs.changes_detected }} + + # go_unit_tests: + # name: Run Go unit tests + # if: needs.detect_changes.outputs.changes_detected == 'true' + # needs: create_tags + # uses: ./.github/workflows/go-unit-tests.yml + # with: + # tag: ${{ needs.create_tags.outputs.version_tag }} + # commit_sha: ${{ github.event.pull_request.head.sha }} + # branch: ${{ github.head_ref }} + # secrets: + # pact_broker_password: ${{ secrets.PACT_BROKER_PASSWORD }} docker_build_scan_push: name: Docker Build, Scan and Push - if: needs.detect_changes.outputs.changes_detected == 'true' && - (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') + # if: needs.detect_changes.outputs.changes_detected == 'true' && + # (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') uses: ./.github/workflows/docker_job.yml needs: [ - go_unit_tests, + # go_unit_tests, create_tags ] with: tag: ${{ needs.create_tags.outputs.version_tag }} - terraform_account_workflow_development: - name: TF Plan Dev Account - uses: ./.github/workflows/terraform_account_job.yml - with: - workspace_name: development - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - - terraform_account_workflow_preproduction: - name: TF Plan Preprod Account - needs: 
terraform_account_workflow_development - uses: ./.github/workflows/terraform_account_job.yml - with: - workspace_name: preproduction - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - - terraform_account_workflow_production: - name: TF Plan Prod Account - needs: terraform_account_workflow_development - uses: ./.github/workflows/terraform_account_job.yml - with: - workspace_name: production - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - - ui_tests_image: - name: Run Cypress UI Tests On Images - if: needs.detect_changes.outputs.changes_detected == 'true' && - (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') - uses: ./.github/workflows/ui_test_job.yml - needs: [docker_build_scan_push, create_tags] - with: - run_against_image: true - tag: ${{ needs.create_tags.outputs.version_tag }} - skip: ${{ contains(fromJSON('["weblate-pr"]'), github.head_ref) }} - matrixSpecs: '["cypress/e2e/donor/*","cypress/e2e/attorney/*,cypress/e2e/certificate-provider/*,cypress/e2e/accessibility/*,cypress/e2e/dev-features.cy.js,cypress/e2e/error-pages.cy.js"]' - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} - github_access_token: ${{ secrets.GITHUB_TOKEN }} - - pr_deploy: - name: PR Environment Deploy - if: always() && - (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') && - (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') && - (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped') - needs: [ - create_tags, - go_unit_tests, - docker_build_scan_push, - ui_tests_image - ] - uses: 
./.github/workflows/terraform_environment_job.yml - with: - workspace_name: ${{ needs.create_tags.outputs.environment_workspace_name }} - version_tag: ${{ needs.create_tags.outputs.version_tag }} - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - ssh_deploy_key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }} - github_access_token: ${{ secrets.GITHUB_TOKEN }} - pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }} - - ui_tests_pr_env: - name: Run Cypress UI Tests On PR Environment - if: always() && - needs.pr_deploy.result == 'success' - uses: ./.github/workflows/ui_test_job.yml - needs: [pr_deploy, create_tags] - with: - run_against_image: false - base_url: "https://${{ needs.pr_deploy.outputs.url }}" - tag: ${{ needs.create_tags.outputs.version_tag }} - environment_config_json: ${{ needs.pr_deploy.outputs.environment_config_json }} - matrixSpecs: '["cypress/e2e/donor/start.cy.js,cypress/e2e/smoke/external.cy.js"]' - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} - github_access_token: ${{ secrets.GITHUB_TOKEN }} - - always_remove_ingress: - name: Remove CI ingress from environment - if: always() - uses: ./.github/workflows/remove_ingress_job.yml - needs: [ui_tests_pr_env, pr_deploy] - with: - environment_config_json: ${{ needs.pr_deploy.outputs.environment_config_json }} - secrets: - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} - - end_of_pr_workflow: - name: End of PR Workflow - runs-on: ubuntu-latest - if: always() - environment: - name: "dev_${{ needs.create_tags.outputs.environment_workspace_name }}" - url: "https://${{ needs.pr_deploy.outputs.url }}" - needs: [pr_deploy, create_tags, ui_tests_pr_env] - steps: - - name: End of 
PR Workflow - run: | - echo "${{ needs.pr_deploy.outputs.terraform_workspace_name }} PR environment tested, built and deployed" - echo "Tag Deployed: ${{ needs.pr_deploy.outputs.terraform_container_version }}" - echo "URL: https://${{ needs.pr_deploy.outputs.url }}" - - if ${{ contains(needs.ui_tests_pr_env.result,'success') }} - then - echo "PR environment tested, built and deployed" - exit 0 - else - echo "PR environment tested, built and deployed but UI tests failed" - exit 1 - fi + # terraform_account_workflow_development: + # name: TF Plan Dev Account + # uses: ./.github/workflows/terraform_account_job.yml + # with: + # workspace_name: development + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + + # terraform_account_workflow_preproduction: + # name: TF Plan Preprod Account + # needs: terraform_account_workflow_development + # uses: ./.github/workflows/terraform_account_job.yml + # with: + # workspace_name: preproduction + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + + # terraform_account_workflow_production: + # name: TF Plan Prod Account + # needs: terraform_account_workflow_development + # uses: ./.github/workflows/terraform_account_job.yml + # with: + # workspace_name: production + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + + # ui_tests_image: + # name: Run Cypress UI Tests On Images + # if: needs.detect_changes.outputs.changes_detected == 'true' && + # (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') + # uses: ./.github/workflows/ui_test_job.yml + # needs: [docker_build_scan_push, create_tags] + # with: + # run_against_image: true + # tag: ${{ needs.create_tags.outputs.version_tag }} + # skip: 
${{ contains(fromJSON('["weblate-pr"]'), github.head_ref) }} + # matrixSpecs: '["cypress/e2e/donor/*","cypress/e2e/attorney/*,cypress/e2e/certificate-provider/*,cypress/e2e/accessibility/*,cypress/e2e/dev-features.cy.js,cypress/e2e/error-pages.cy.js"]' + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + # cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} + # github_access_token: ${{ secrets.GITHUB_TOKEN }} + + # pr_deploy: + # name: PR Environment Deploy + # if: always() && + # (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') && + # (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') && + # (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped') + # needs: [ + # create_tags, + # go_unit_tests, + # docker_build_scan_push, + # ui_tests_image + # ] + # uses: ./.github/workflows/terraform_environment_job.yml + # with: + # workspace_name: ${{ needs.create_tags.outputs.environment_workspace_name }} + # version_tag: ${{ needs.create_tags.outputs.version_tag }} + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + # ssh_deploy_key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }} + # github_access_token: ${{ secrets.GITHUB_TOKEN }} + # pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }} + + # ui_tests_pr_env: + # name: Run Cypress UI Tests On PR Environment + # if: always() && + # needs.pr_deploy.result == 'success' + # uses: ./.github/workflows/ui_test_job.yml + # needs: [pr_deploy, create_tags] + # with: + # run_against_image: false + # base_url: "https://${{ needs.pr_deploy.outputs.url }}" + # tag: ${{ needs.create_tags.outputs.version_tag }} + # environment_config_json: ${{ needs.pr_deploy.outputs.environment_config_json }} + # matrixSpecs: 
'["cypress/e2e/donor/start.cy.js,cypress/e2e/smoke/external.cy.js"]' + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + # cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }} + # github_access_token: ${{ secrets.GITHUB_TOKEN }} + + # always_remove_ingress: + # name: Remove CI ingress from environment + # if: always() + # uses: ./.github/workflows/remove_ingress_job.yml + # needs: [ui_tests_pr_env, pr_deploy] + # with: + # environment_config_json: ${{ needs.pr_deploy.outputs.environment_config_json }} + # secrets: + # aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} + # aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} + + # end_of_pr_workflow: + # name: End of PR Workflow + # runs-on: ubuntu-latest + # if: always() + # environment: + # name: "dev_${{ needs.create_tags.outputs.environment_workspace_name }}" + # url: "https://${{ needs.pr_deploy.outputs.url }}" + # needs: [pr_deploy, create_tags, ui_tests_pr_env] + # steps: + # - name: End of PR Workflow + # run: | + # echo "${{ needs.pr_deploy.outputs.terraform_workspace_name }} PR environment tested, built and deployed" + # echo "Tag Deployed: ${{ needs.pr_deploy.outputs.terraform_container_version }}" + # echo "URL: https://${{ needs.pr_deploy.outputs.url }}" + + # if ${{ contains(needs.ui_tests_pr_env.result,'success') }} + # then + # echo "PR environment tested, built and deployed" + # exit 0 + # else + # echo "PR environment tested, built and deployed but UI tests failed" + # exit 1 + # fi diff --git a/docker/mlpa/Dockerfile b/docker/mlpa/Dockerfile index 7e2f59379b..4b167639f5 100644 --- a/docker/mlpa/Dockerfile +++ b/docker/mlpa/Dockerfile @@ -1,7 +1,5 @@ FROM golang:1.21.4-alpine as base -ARG ARCH=amd64 - WORKDIR /app FROM node:18.16.0-alpine3.16 as asset-env 
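Review bot: With `changes_detected: true` hard-coded and both the `if:` gate and the `go_unit_tests` dependency of `docker_build_scan_push` commented out, every run of this PR workflow now builds and pushes images to ECR regardless of whether anything changed or any test passed, and the same commit disables the Trivy scan in docker_job.yml, so nothing stands between a PR and a pushed image. Almost the whole file is commented out rather than removed, which reads as a temporary debugging state; if it must land, add `# TODO: restore detect_changes gating and the test/deploy jobs` above `docker_build_scan_push` so the regression is tracked, and restore `changes_detected: ${{ needs.detect_changes.outputs.changes_detected }}` as soon as possible. Also, `true` here is a YAML boolean whereas the replaced expression yielded a string; if tags_job.yml declares the input as `type: string` the call fails validation — not visible from here, so `changes_detected: 'true'` is the safer literal.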
@@ -26,7 +24,7 @@ COPY internal ./internal COPY --from=asset-env /app/web/static web/static -RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go install github.com/cosmtrek/air@latest && go install github.com/go-delve/delve/cmd/dlv@latest +RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETPLATFORM} go install github.com/cosmtrek/air@latest && go install github.com/go-delve/delve/cmd/dlv@latest ENTRYPOINT ["air"] @@ -42,7 +40,7 @@ RUN go mod download COPY cmd/mlpa ./cmd/mlpa COPY internal ./internal -RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go build -ldflags="-X main.Tag=${TAG}" -o /go/bin/mlpab ./cmd/mlpa +RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETPLATFORM} go build -ldflags="-X main.Tag=${TAG}" -o /go/bin/mlpab ./cmd/mlpa FROM alpine:3.18.5 as production
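Review bot: `GOARCH=${TARGETPLATFORM}` in the dev-stage `RUN` is the wrong variable and is not in scope: BuildKit's platform ARGs hold values like `linux/amd64`, which is not a valid GOARCH, and they are only visible inside a stage after being redeclared with a bare `ARG`. As written the variable most likely expands to empty, so `go install` falls back to the toolchain's native architecture under QEMU emulation instead of cross-compiling (hedged — it depends on whether an `ARG TARGETPLATFORM` exists earlier in this stage, outside the hunk), and if it were declared the build would fail on an unsupported GOOS/GOARCH pair. Use `ARG TARGETARCH` after the stage's `FROM` and `RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go install github.com/cosmtrek/air@latest && go install github.com/go-delve/delve/cmd/dlv@latest`. Unrelated to this change but on the same line, `@latest` for air and dlv makes the dev image non-reproducible and pulls whatever is newest at build time; pin both to a release version.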
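Review bot: The production build of `mlpab` has the same defect as the dev stage: `GOARCH=${TARGETPLATFORM}` uses a `linux/<arch>` value where Go expects `<arch>`, and BuildKit only exposes the platform ARGs inside a stage once they are redeclared, so this is either an empty GOARCH (native compile under QEMU, so the multi-arch push in docker_job.yml silently depends on emulation) or a failing build. For the shipped binary this matters more than in the dev stage, since it is what gets tagged `latest` and deployed. Change it to `ARG TARGETARCH` in this stage followed by `RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -ldflags="-X main.Tag=${TAG}" -o /go/bin/mlpab ./cmd/mlpa`; the `ARG TAG` declaration this line also relies on is outside the hunk and should be checked to still be in scope for the stage.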