.github/workflows/build.yml

name: "[Build]"

on:
  workflow_dispatch:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: write
  security-events: write
  actions: read
  checks: read
  deployments: none
  issues: none
  packages: none
  pull-requests: read
  repository-projects: none
  statuses: none

jobs:
  # generate a branch name
  branch_name:
    name: "Generate a safe branch name"
    uses: ministryofjustice/opg-github-workflows/.github/workflows/data-parse-branch-name.yml@v3.1.0

  # generate workspace name
  workspace_name:
    name: "Generate the workspace name"
    uses: ministryofjustice/opg-github-workflows/.github/workflows/data-parse-workspace.yml@v3.1.0

  # SAST
  # codeql for go
  codeql_analysis:
    name: "Run CodeQL against the code base"
    uses: ministryofjustice/opg-github-workflows/.github/workflows/analysis-application-codeql-sast-to-github-security.yml@v3.1.0
    with:
      application_languages: '["go"]'

  # generate tag
  semver_tag:
    needs: [branch_name, codeql_analysis]
    name: "Generate the semver tag value"
    uses: ministryofjustice/opg-github-workflows/.github/workflows/data-parse-semver-tag.yml@v3.1.0
    with:
      branch_name: ${{ needs.branch_name.outputs.parsed }}
    secrets: inherit

  # Docker build, trivy scan, ECR push as a matrix
  # The matrix loops over each app to build in a complicated
  # structure
  # ADD IN ECR PUSH
  build_scan_push:
    name: "Docker build, trivy scan, ECR push"
    runs-on: ubuntu-latest
    # require all steps before this matrix to have passed
    needs: [branch_name, workspace_name, semver_tag]
    strategy:
      fail-fast: true
      matrix:
        # services to scan over
        data:
          - docker_build_directory: "./service-app"
            image_app_name: "helloworld"
            test_command: "go test ./..."
    # we use these a few times, so its easier to generate them once and env
    # vars are visible in the output, so helps with debug
    env:
      local_docker_image: ${{ matrix.data.image_app_name }}:latest
      sarif_file: trivy-results.sarif
    steps:
      - uses: actions/checkout@v4
      - name: Show environment values
        run: |
          echo "local_docker_image: ${{ env.local_docker_image }}"
          echo "sarif_file: ${{ env.sarif_file }}"
      # build our sample docker image
      - name: Docker build
        # set the working directory to the variable
        working-directory: ${{ matrix.data.docker_build_directory }}
        run: |
          docker build -t ${{ env.local_docker_image }} .
      # log in to ECR
      - name: Configure AWS Credentials With Assumed Role to Management
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1
          # management account role
          role-to-assume: arn:aws:iam::311462405659:role/sirius-actions-ci
          role-duration-seconds: 900
          role-session-name: OPGScanningWorkflowGithubAction
      - name: ECR Login
        id: login_ecr
        uses: aws-actions/amazon-ecr-login@v2.0.1
        with:
          registries: 311462405659
      # to check if things worked, output docker image list
      - name: Docker image list
        run: |
          docker images
      - name: Trivy scan
        uses: aquasecurity/trivy-action@0.29.0
        env:
          TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db:2
          TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db:1
        with:
          image-ref: ${{ env.local_docker_image }}
          severity: "HIGH,CRITICAL"
          format: "sarif"
          output: ${{ env.sarif_file }}
      - name: Trivy scan upload to github
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: ${{ env.sarif_file }}
      # for a lot of our services, there could be a test process here
      - name: Run Tests
        working-directory: ${{ matrix.data.docker_build_directory }}
        env:
          PROJECT_PATH: service-app
        run: |
          ${{ matrix.data.test_command }}
      ######
      ## Push to ECR
      ######
      - name: Push Container
        env:
          SEMVER_TAG: ${{ needs.semver_tag.outputs.tag }}
          ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
          ECR_REPOSITORY: sirius/scanning/app
        run: |
          docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:${{ env.SEMVER_TAG }}
          docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:latest
          docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY

  end:
    name: "End of workflow"
    runs-on: "ubuntu-latest"
    needs:
      [
        branch_name,
        workspace_name,
        semver_tag,
        build_scan_push,
      ]
    steps:
      - name: "End"
        run: |
          echo "Done"