AWSRESET1-514: CI/CD Vol API on Static & DEV

dvsa · Oct 19, 2023 · 6cb88dc · 6cb88dc
1 parent 5878d10
commit 6cb88dc
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 26 deletions.
diff --git a/.github/workflows/docker-hadolint.yaml b/.github/workflows/docker-hadolint.yaml
@@ -0,0 +1,20 @@
+name: Lint check Dockerfile
+
+on:
+  workflow_call:
+
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout the repository to the runner
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Lint check on dockerfile
+        uses: hadolint/[email protected]
+        with:
+          dockerfile: dockerfile
+          ignore: DL3018,DL3048
diff --git a/.github/workflows/vol-api-build-merge-main-cd.yml b/.github/workflows/vol-api-build-merge-main-cd.yml
@@ -62,8 +62,6 @@ jobs:
         IMAGE_SHA=$(git rev-parse --short HEAD)
         echo "IMAGE_TAG=vol-api-$IMAGE_SHA" >> $GITHUB_ENV
   
-
-
     - name: configure aws credentials on shared core ecr
       uses: aws-actions/[email protected]
       with:

diff --git a/.github/workflows/vol-api-build-pr-main-ci.yml b/.github/workflows/vol-api-build-pr-main-ci.yml
@@ -9,6 +9,9 @@ on:
 
 jobs:
 
+  hadolint:
+    uses: ./.github/workflows/docker-hadolint.yaml
+
   ci-vol-api:
 
     runs-on: ubuntu-latest
@@ -25,11 +28,7 @@ jobs:
 
     steps:
 
-    # - name: Get branch name
-    #   id: branch
-    #   run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
-
-    - name: Checkout from ${GITHUB_REF_NAME}
+    - name: Checkout the repository to the runner
       uses: actions/checkout@v3
 
     ##create s3 bucket in vol-non-prod tooling and vol-prod tooling to get the composer
@@ -49,16 +48,14 @@ jobs:
        git describe --all >> config/version
        tar cvzf backend.tar.gz --exclude=config/autoload/local.php --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor
 
-    - name: Lint check on dockerfile
-      uses: hadolint/[email protected]
-      with:
-        dockerfile: dockerfile
-        ignore: DL3018,DL3048
-
-    - name: Set IMAGE_TAG
-      run: | 
+    - name: Set BASE_IMAGE and VOL_API_IMAGE_TAG
+      run: |
+        envsubst < Dockerfile | tee Dockerfile.tmp
+        mv Dockerfile.tmp Dockerfile
         IMAGE_SHA=$(git rev-parse --short HEAD)
-        echo "IMAGE_TAG=vol-api-7.4.33-alpine-fpm-$IMAGE_SHA" >> $GITHUB_ENV
+        BASE_IMAGE=$(head -n1 Dockerfile)
+        BASE_IMAGE=${BASE_IMAGE#* }
+        echo "VOL_API_IMAGE_TAG=vol-api-7.4.33-alpine-fpm-$IMAGE_SHA" >> $GITHUB_ENV
     
     - name: Setup Notation CLI
       uses: notaryproject/notation-action/setup@v1
@@ -71,7 +68,6 @@ jobs:
         sudo dpkg -i aws-signer-notation-cli_amd64.deb
         notation version
         notation plugin ls
-        echo ${{ steps.branch.outputs.branch }}
 
     - name: Configure AWS credentials on Shared Core ECR
       uses: aws-actions/[email protected]
@@ -84,9 +80,10 @@ jobs:
       id: login-ecr-sharedcoreecr
       uses: aws-actions/[email protected]
 
-    - name: Build VOL API image
+    - name: Build VOL API image after verifying Base image
       run: |
-        docker build -t $AWS_ACCOUNT_ID_VOL_NP_TOOLING.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO_NAME:$IMAGE_TAG --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} . 
+        notation verify $BASE_IMAGE
+        docker build -t $AWS_ACCOUNT_ID_VOL_NP_TOOLING.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO_NAME:$VOL_API_IMAGE_TAG --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{secrets.DVSA_AWS_SHAREDCOREECR_ID}} . 
     
     - name: Configure AWS credentials on Non Production VOL ECR
       uses: aws-actions/[email protected]
@@ -101,8 +98,8 @@ jobs:
 
     - name: Push VOL API image
       run: |
-        docker push $AWS_ACCOUNT_ID_VOL_NP_TOOLING.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO_NAME:$IMAGE_TAG
+        docker push $AWS_ACCOUNT_ID_VOL_NP_TOOLING.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO_NAME:$VOL_API_IMAGE_TAG
 
     - name: Sign VOL API image
       run: |
-        notation sign $AWS_ACCOUNT_ID_VOL_NP_TOOLING.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO_NAME:$IMAGE_TAG --plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}" 
+        notation sign $AWS_ACCOUNT_ID_VOL_NP_TOOLING.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO_NAME:$VOL_API_IMAGE_TAG --plugin "com.amazonaws.signer.notation.plugin" --id "${{ secrets.DVSA_AWS_NONPRODVOLTOOLING_IMAGE_SIGNING_PROFILE }}" 
diff --git a/dockerfile b/dockerfile
@@ -1,5 +1,4 @@
-
-FROM 245185850403.dkr.ecr.eu-west-1.amazonaws.com/php-base:7.4.0-alpine-fpm-8b0b625
+FROM ${AWS_ACCOUNT_ID_SHAREDCOREECR}.dkr.ecr.${AWS_REGION}.amazonaws.com/php-base:7.4.0-alpine-fpm-8b0b625
 
 LABEL maintainer="[email protected]"
 LABEL description="PHP Alpine base image with dependency packages"
@@ -42,6 +41,3 @@ RUN rm -f /opt/dvsa/olcs-backend/config/autoload/local* && \
 #USER www-data
 
 CMD ["/start.sh"]
-
-
-