Merge abfa5b8 into 571eb10

.github/workflows/docker_job.yml

@@ -12,6 +12,10 @@ on:
         default: ${{ github.ref }}
         required: false
         type: string
+      branch_name:
+        description: 'Branch name'
+        required: true
+        type: string
 
 defaults:
   run:
@@ -32,15 +36,24 @@ jobs:
           - ecr_repository: modernising-lpa/app
             path: ./docker/mlpa/Dockerfile
             platforms: linux/amd64
+            push_provenance: mode=max # options are false, mode=min, mode=max, false is required for lambda functions at this time
+            push_sbom: true # options are false, true, false is required for lambda functions at this time
           - ecr_repository: modernising-lpa/create-s3-batch-replication-job
             path: ./lambda/create_s3_replication_job/Dockerfile
             platforms: linux/amd64
+            push_provenance: false
+            push_sbom: false
           - ecr_repository: modernising-lpa/event-received
             path: ./docker/event-received/Dockerfile
             platforms: linux/amd64
+            push_provenance: false
+            push_sbom: false
           - ecr_repository: modernising-lpa/mock-pay
             path: ./docker/mock-pay/Dockerfile
             platforms: linux/amd64
+            push_provenance: mode=max
+            push_sbom: true
+
     runs-on: ubuntu-latest
     name: ${{ matrix.ecr_repository }}
     steps:
@@ -57,6 +70,21 @@ jobs:
           version: v0.15.1
           platforms: linux/amd64,linux/arm64
 
+      - uses: unfor19/install-aws-cli-action@v1
+      - name: Configure AWS Credentials
+        uses: aws-actions/[email protected]
+        with:
+          aws-region: eu-west-1
+          role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ecr-push
+          role-duration-seconds: 900
+          role-session-name: GithubActionsECRPushMLPAB
+      - name: ECR Login
+        id: login_ecr
+        uses: aws-actions/[email protected]
+        with:
+          mask-password: true
+          registries: 311462405659
+
       - name: Build ${{ matrix.ecr_repository }} Image
         uses: docker/[email protected]
         with:
@@ -65,10 +93,13 @@ jobs:
           platforms: linux/amd64
           push: false
           load: true
+          cache-from: type=registry,ref=${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:cache-${{ inputs.branch_name }}
           tags: |
             ${{ matrix.ecr_repository }}:${{ inputs.tag }}
           build-args: |
             TAG=${{inputs.tag}}
+        env:
+          SOURCE_DATE_EPOCH: 0
 
       - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
         id: trivy_scan
@@ -85,20 +116,6 @@ jobs:
         with:
           sarif_file: 'trivy-results.sarif'
 
-      - uses: unfor19/install-aws-cli-action@v1
-      - name: Configure AWS Credentials
-        uses: aws-actions/[email protected]
-        with:
-          aws-region: eu-west-1
-          role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ecr-push
-          role-duration-seconds: 900
-          role-session-name: GithubActionsECRPushMLPAB
-      - name: ECR Login
-        id: login_ecr
-        uses: aws-actions/[email protected]
-        with:
-          mask-password: true
-          registries: 311462405659
       - name: Push ${{ matrix.ecr_repository }} Image to ECR for PR
         if: ${{ github.workflow != 'Path To Live' }}
         uses: docker/[email protected]
@@ -108,12 +125,15 @@ jobs:
           builder: ${{ steps.buildx_setup.outputs.name }}
           push: true
           platforms:  ${{ matrix.platforms }}
+          cache-to: type=registry,mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:cache-${{ inputs.branch_name }}
           tags: |
             ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:${{ inputs.tag }}
           build-args: |
             TAG=${{inputs.tag}}
-          sbom: false
-          provenance: false
+          sbom: ${{ matrix.push_sbom }}
+          provenance: ${{ matrix.push_provenance }}
+        env:
+          SOURCE_DATE_EPOCH: 0
 
       - name: Push ${{ matrix.ecr_repository }} Image to ECR for Path to Live
         if: ${{ github.workflow == 'Path To Live' }}
@@ -124,11 +144,14 @@ jobs:
           builder: ${{ steps.buildx_setup.outputs.name }}
           push: true
           platforms:  ${{ matrix.platforms }}
+          cache-to: type=registry,mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:cache-${{ inputs.branch_name }}
           tags: |
             ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:${{ inputs.tag }}
             ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:main-${{ inputs.tag }}
             ${{ steps.login_ecr.outputs.registry }}/${{ matrix.ecr_repository }}:latest
           build-args: |
             TAG=${{inputs.tag}}
-          sbom: false
-          provenance: false
+          sbom: ${{ matrix.push_sbom }}
+          provenance: ${{ matrix.push_provenance }}
+        env:
+          SOURCE_DATE_EPOCH: 0

.github/workflows/workflow_path_to_live.yml

@@ -47,6 +47,7 @@ jobs:
     needs: [go_unit_tests,create_tags]
     with:
       tag: ${{ needs.create_tags.outputs.version_tag }}
+      branch_name: main
 
   terraform_account_workflow_development:
     name: TF Apply Dev Account

.github/workflows/workflow_pr.yml

@@ -58,6 +58,7 @@ jobs:
       ]
     with:
       tag: ${{ needs.create_tags.outputs.version_tag }}
+      branch_name: ${{ github.head_ref }}
 
   terraform_account_workflow_development:
     name: TF Plan Dev Account