Build, lint, push and sign vol-api Image - CD #8
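---
# CD workflow for the vol-api image: bundle the PHP application, lint the
# Dockerfile, build and push the image to the non-prod tooling ECR, then sign
# the pushed image with Notation through the AWS Signer plugin.
name: Build, lint, push and sign vol-api Image
run-name: Build, lint, push and sign vol-api Image - CD
on:  # yamllint disable-line rule:truthy
  # pull_request:
  push:
    branches:
      - AWSRESET1-313

jobs:
  php-base-image-build:
    runs-on: ubuntu-latest
    env:
      AWS_REGION: ${{ vars.DVSA_AWS_REGION }}
      AWS_ACCOUNT_ID_VOL_NP_TOOLING: ${{ vars.VOL_AWS_ACCOUNT_TOOLING_NONPROD }}
      REPO_NAME: ${{ vars.AWS_ECR_NP_VOLTOOLING_REPONAME }}
      AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}
    # Least privilege for the job token: only the OIDC token (AWS role
    # assumption) and read access to the repository contents are needed.
    permissions:
      id-token: write  # This is required for requesting the JWT
      contents: read  # This is required for actions/checkout
    steps:
      # NOTE(review): third-party actions are referenced by mutable tags;
      # pinning each to a full commit SHA makes the build reproducible.
      - uses: actions/checkout@v3

      - name: Get branch name
        id: branch
        # `::set-output` is deprecated; step outputs are written to $GITHUB_OUTPUT.
        run: echo "branch=$(git rev-parse --abbrev-ref HEAD)" >> "$GITHUB_OUTPUT"

      # create s3 bucket in vol-non-prod tooling and vol-prod tooling to get the composer
      - name: Download the compose file
        # Verify the installer against the published SHA-384 signature before
        # executing it (the official getcomposer.org programmatic install) and
        # fail the job on mismatch instead of running an unverified script.
        run: |
          set -euo pipefail
          EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
          php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
          ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
          if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]; then
            echo 'ERROR: Invalid composer installer checksum' >&2
            rm composer-setup.php
            exit 1
          fi
          php composer-setup.php --install-dir=/usr/local/bin --filename=composer
          php -r "unlink('composer-setup.php');"

      - name: install composer dependency
        run: |
          composer install --optimize-autoloader --no-interaction --no-dev

      - name: Build application
        # Record build date and git ref in config/version, then bundle the
        # runtime tree (local config overrides excluded) for the image build.
        run: |
          date > config/version
          git describe --all >> config/version
          tar cvzf backend.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor

      - name: Lint check on dockerfile
        # The linter only reads the mounted tree; it does not need --privileged.
        run: docker run --rm -v "$(pwd)":/root/ projectatomic/dockerfile-lint dockerfile_lint -f dockerfile
        # Lint findings do not gate the pipeline while this is set.
        continue-on-error: true  # only for testing
      # - uses: hadolint/hadolint-action@<VERSION>  # version lost in page extraction
      #   with:
      #     dockerfile: dockerfile
      #     failure-threshold: error

      - name: Set IMAGE_TAG
        # The tag embeds the short commit SHA so every image traces to a commit.
        run: |
          IMAGE_SHA=$(git rev-parse --short HEAD)
          echo "IMAGE_TAG=vol-api-7.4.33-alpine-fpm-$IMAGE_SHA" >> "$GITHUB_ENV"

      - name: Setup Notation CLI
        uses: notaryproject/notation-action/setup@v1
        with:
          version: "1.0.0"
          # plugin_name: <notation_signing_plugin_name>
          # plugin_url: <plugin_download_url>

      - name: Set up Notation plugin
        # NOTE(review): the AWS Signer plugin package is fetched over HTTPS from
        # a "latest" path and installed without a checksum or signature check;
        # pinning the version and verifying a published checksum would close
        # that gap in the signing tool-chain itself.
        run: |
          wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
          sudo dpkg -i aws-signer-notation-cli_amd64.deb
          notation version
          notation plugin ls

      - name: configure aws credentials on shared core ecr
        # Action version lost in page extraction; pin to a tag or commit SHA.
        uses: aws-actions/configure-aws-credentials@<PINNED_VERSION>
        with:
          role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
          aws-region: ${{ vars.DVSA_AWS_REGION }}

      - name: Login to Shared Core ECR
        id: login-ecr-sharedcoreecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build the Docker image
        # The secret reaches the script via the step environment instead of
        # being interpolated into the script text. It is still passed as a
        # build-arg, which persists in image metadata (`docker history`); a
        # build secret mount would keep it out of the pushed image.
        env:
          DVSA_AWS_SHAREDCOREECR_ID: ${{ secrets.DVSA_AWS_SHAREDCOREECR_ID }}
        run: |
          docker build -t "$AWS_ACCOUNT_ID_VOL_NP_TOOLING.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO_NAME:$IMAGE_TAG" --build-arg DVSA_AWS_SHAREDCOREECR_ID="$DVSA_AWS_SHAREDCOREECR_ID" -f dockerfile .

      - name: configure aws credentials on Non Production account
        # Action version lost in page extraction; pin to a tag or commit SHA.
        uses: aws-actions/configure-aws-credentials@<PINNED_VERSION>
        with:
          role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
          aws-region: ${{ vars.DVSA_AWS_REGION }}

      - name: Login to non prod vol tooling
        id: login-ecr-vol-tooling-non-prod
        uses: aws-actions/amazon-ecr-login@v2

      - name: push the docker image
        run: |
          docker push "$AWS_ACCOUNT_ID_VOL_NP_TOOLING.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO_NAME:$IMAGE_TAG"
          # docker push 342926679414.dkr.ecr.eu-west-1.amazonaws.com/non-prod-vol-api:latest

      - name: sign the base image
        # Signs the image just pushed, using the AWS Signer profile supplied via
        # the step environment rather than inline expression interpolation.
        env:
          SIGNING_PROFILE_ARN: ${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}
        run: |
          notation sign "$AWS_ACCOUNT_ID_VOL_NP_TOOLING.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO_NAME:$IMAGE_TAG" --plugin "com.amazonaws.signer.notation.plugin" --id "$SIGNING_PROFILE_ARN"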