From 5cda630706b197f4ac4d10c5f041519b89fd9fad Mon Sep 17 00:00:00 2001
From: Greg Tyler
Date: Mon, 4 Nov 2024 12:24:21 +0000
Subject: [PATCH 1/2] Fix build pipeline

- Configure CodeQL for Go
- Add Dockerfile
- Run tests in pipeline

---
 .github/workflows/_example_workflow.yml | 31 +++++++++++++------------
 service-app/Dockerfile | 30 ++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 15 deletions(-)
 create mode 100644 service-app/Dockerfile

diff --git a/.github/workflows/_example_workflow.yml b/.github/workflows/_example_workflow.yml
index 9ae36c7..41aa774 100644
--- a/.github/workflows/_example_workflow.yml
+++ b/.github/workflows/_example_workflow.yml
@@ -21,16 +21,16 @@ permissions:
 jobs:
- # generate a branch name
+ # generate a branch name
 branch_name:
 name: "Generate a safe branch name"
 uses: ministryofjustice/opg-github-workflows/.github/workflows/data-parse-branch-name.yml@v1.36.0
-
+
 # generate workspace name
 workspace_name:
 name: "Generate the workspace name"
 uses: ministryofjustice/opg-github-workflows/.github/workflows/data-parse-workspace.yml@v1.36.0
-
+
 tf_version:
 needs: [branch_name, workspace_name]
 name: "Get terraform version"
@@ -48,21 +48,21 @@ jobs:
 directory: "./terraform"
 terraform_version: "${{ needs.tf_version.outputs.version}}"
 terraform_wrapper: false
-
- # tfsec for terraform
+
+ # tfsec for terraform
 tfsec_analysis:
 needs: [tf_lint]
 name: "Run TFSec against the code base"
 uses: ministryofjustice/opg-github-workflows/.github/workflows/analysis-infrastructure-tfsec-to-github-security.yml@v1.36.0
 # SAST
- # codeql for pythong
+ # codeql for go
 codeql_analysis:
 name: "Run CodeQL against the code base"
 uses: ministryofjustice/opg-github-workflows/.github/workflows/analysis-application-codeql-sast-to-github-security.yml@v1.36.0
 with:
- application_languages: '["python"]'
-
+ application_languages: '["go"]'
+
 # generate tag
 semver_tag:
 needs: [branch_name, tfsec_analysis, codeql_analysis]
@@ -88,8 +88,8 @@ jobs:
 # services to scan over
 data:
 - docker_build_directory: "./service-app"
- image_app_name: "helloworld"
- test_command: "ls -l"
+ image_app_name: "helloworld"
+ test_command: "go test ./..."
 # we use these a few times, so its easier to generate them once and env
 # vars are visible in the output, so helps with debug
 env:
@@ -123,8 +123,9 @@ jobs:
 if: always()
 with:
 sarif_file: ${{ env.sarif_file }}
- # for a lot of our services, there could be a test process here
+ # for a lot of our services, there could be a test process here
 - name: Run Tests
+ working-directory: ${{ matrix.data.docker_build_directory }}
 run: |
 ${{ matrix.data.test_command }}
 ######
@@ -155,7 +156,7 @@ jobs:
 docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:${{ env.SEMVER_TAG }}
 docker tag ${{ env.local_docker_image }} $ECR_REGISTRY/$ECR_REPOSITORY:latest
 docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY
-
+
 # example terraform build stage
 terraform_account_build:
 name: "Terraform Account [Apply: ${{ github.ref == 'refs/heads/main'}}]"
@@ -167,9 +168,9 @@ jobs:
 terraform_apply: ${{ github.ref == 'refs/heads/main' && true || false }}
 # this would be replaced with the dynamic value from needs.workspace_name.output.name
 # but we're just using sandbox account and single env, so use default
- terraform_workspace: "default"
+ terraform_workspace: "default"
 # normally would need some logic to decide this based on branch name etc
- # - if its true we would then need to pass workspace_manager_aws_account_id &
+ # - if its true we would then need to pass workspace_manager_aws_account_id &
 # workspace_manager_aws_iam_role as well
 is_ephemeral: false
 secrets:
@@ -185,4 +186,4 @@ jobs:
 steps:
 - name: "End"
 run: |
- echo "Done"
\ No newline at end of file
+ echo "Done"
diff --git a/service-app/Dockerfile b/service-app/Dockerfile
new file mode 100644
index 0000000..3d6eff1
--- /dev/null
+++ b/service-app/Dockerfile
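Review bot: The `Run Tests` step in the `@@ -123` hunk now runs `go test ./...` on the runner itself, yet no step in the hunk installs a Go toolchain, so the tests use whatever Go the `ubuntu-latest` image carries while the Dockerfile in this same patch builds with `golang:1.23-alpine3.20`; unless a setup step exists outside the hunk, add `- uses: actions/setup-go@v5` with `go-version-file: ${{ matrix.data.docker_build_directory }}/go.mod` ahead of it so the tested and shipped toolchains match. A second, smaller point: `${{ matrix.data.test_command }}` is substituted into the `run:` script before the shell parses it, which is the shape of a script-injection bug; the value is static matrix data today, so nothing is exploitable, but routing it through `env:` (`TEST_COMMAND: ${{ matrix.data.test_command }}` and `run: $TEST_COMMAND`) is the habit that stays safe if the matrix is ever built from workflow inputs. The job containing these steps starts and ends outside the hunk.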
@@ -0,0 +1,30 @@
+FROM golang:1.23-alpine3.20 AS build-env
+
+RUN apk add gcc libc-dev libxml2-dev
+
+WORKDIR /app
+
+COPY go.mod .
+
+COPY go.sum .
+
+RUN go mod download
+
+COPY . .
+
+RUN CGO_ENABLED=1 go build -a -installsuffix cgo -o /go/bin/opg-scanning /app/cmd/service
+
+FROM alpine:3
+
+RUN apk add libxml2-dev
+ENV PROJECT_PATH=/go
+
+WORKDIR /go/bin
+
+COPY --from=build-env /go/bin/opg-scanning main
+COPY config/config.yml /go/config/config.yml
+
+RUN addgroup -S app && \
+ adduser -S -g app app && \
+ chown -R app:app main
+USER app
+ENTRYPOINT ["./main"]

From c3cd52c3848d8eb010bc34019f0cfbd18b8e5ed4 Mon Sep 17 00:00:00 2001
From: Greg Tyler
Date: Mon, 4 Nov 2024 12:29:17 +0000
Subject: [PATCH 2/2] Set PROJECT_PATH when running tests

---
 .github/workflows/_example_workflow.yml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/_example_workflow.yml b/.github/workflows/_example_workflow.yml
index 41aa774..57045f1 100644
--- a/.github/workflows/_example_workflow.yml
+++ b/.github/workflows/_example_workflow.yml
@@ -19,7 +19,6 @@ permissions:
 repository-projects: none
 statuses: none
-
 jobs:
 # generate a branch name
 branch_name:
@@ -72,7 +71,6 @@ jobs:
 branch_name: ${{ needs.branch_name.outputs.parsed }}
 secrets: inherit
-
 # Docker build, trivy scan, ECR push as a matrix
 # The matrix loops over each app to build in a complicated
 # structure
@@ -116,7 +114,7 @@ jobs:
 with:
 image-ref: ${{ env.local_docker_image }}
 severity: "HIGH,CRITICAL"
- format: 'sarif'
+ format: "sarif"
 output: ${{ env.sarif_file }}
 - name: Trivy scan upload to github
 uses: github/codeql-action/upload-sarif@v2
@@ -126,6 +124,8 @@ jobs:
 # for a lot of our services, there could be a test process here
 - name: Run Tests
 working-directory: ${{ matrix.data.docker_build_directory }}
+ env:
+ PROJECT_PATH: service-app
 run: |
 ${{ matrix.data.test_command }}
 ######
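Review bot: The runtime stage starts `FROM alpine:3`, a floating major tag, while the builder pins `golang:1.23-alpine3.20`, so the image Trivy scans in the pipeline can silently change between builds; pin it to `FROM alpine:3.20` (or a digest) to match the builder. The same stage installs `libxml2-dev`, which pulls headers and tooling into the final image when a dynamically linked cgo binary only needs the shared library — `RUN apk add --no-cache libxml2` should suffice, assuming the link really is dynamic (nothing on the build line forces static linking). Finally, `chown -R app:app main` makes the service user the owner of its own executable, so a compromised process could overwrite it and persist across restarts; dropping that line and leaving the root-owned, world-executable binary in place is the least-privilege shape, and `USER app` can still run it. `COPY . .` also copies the whole build context, so a `.dockerignore` excluding `.git` and any local secrets is worth confirming since none is in the patch.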
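Review bot: `PROJECT_PATH: service-app` in the `@@ -126` hunk hardcodes the value the matrix already carries as `docker_build_directory: "./service-app"`, and because the same step sets `working-directory` to that directory, a relative `PROJECT_PATH` resolved by the tests from their cwd would point at `service-app/service-app`. The Dockerfile sets `ENV PROJECT_PATH=/go` with the config copied to `/go/config/config.yml`, so the binary expects an absolute path at runtime; whether the tests resolve it relative to cwd or to the repository root cannot be told from here, so confirm that and then derive it from the matrix, e.g. `PROJECT_PATH: ${{ github.workspace }}/${{ matrix.data.docker_build_directory }}`. The enclosing job starts and ends outside the hunk.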
@@ -180,9 +180,16 @@ jobs:
 GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 end:
- name: 'End of workflow'
- runs-on: 'ubuntu-latest'
- needs: [branch_name, workspace_name, semver_tag, build_scan_push, terraform_account_build]
+ name: "End of workflow"
+ runs-on: "ubuntu-latest"
+ needs:
+ [
+ branch_name,
+ workspace_name,
+ semver_tag,
+ build_scan_push,
+ terraform_account_build,
+ ]
 steps:
 - name: "End"
 run: |