CICD: Added Workflows & Docker Manifests

dvsa · Nov 18, 2023 · 2ece865 · 2ece865
1 parent f61e6df
commit 2ece865
Show file tree

Hide file tree

Showing 5 changed files with 615 additions and 0 deletions.
diff --git a/.github/actions/build-iuweb/README.md b/.github/actions/build-iuweb/README.md
@@ -0,0 +1,17 @@
+# Build Internal Web Artifact
+Action to build Internal Web artifact
+
+####  Prerequisites
+Git checkout
+
+####  Context
+This action allows the workflow to build Internal Web artifact
+
+####  Outputs
+N/A
+
+####  Usage
+```yaml
+- name: Build Internal Web artifact
+  uses: dvsa/olcs-internal/.github/actions/build-iuweb@main
+```
diff --git a/.github/actions/build-iuweb/action.yaml b/.github/actions/build-iuweb/action.yaml
@@ -0,0 +1,26 @@
+name: Build VOL IUWEB FE
+description: Build VOL IUWEB FE
+
+runs:
+  using: 'composite'
+  steps:
+
+    - name: Download the compose file
+      run: |
+        php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+        php composer-setup.php --install-dir=/usr/local/bin --filename=composer
+        php -r "unlink('composer-setup.php');"
+      shell: bash
+
+    - name: Install Composer dependencies
+      run: |
+       composer install --optimize-autoloader --no-interaction --no-dev
+      shell: bash
+
+    - name: Build VOL IUWEB FE
+      run: |
+        date > config/version
+        git describe --all >> config/version
+        tar cvzf selfserve.tar.gz --exclude=config/autoload/local.php \
+          --exclude=config/autoload/local.php.dist composer.lock init_autoloader.php config module public data/autoload data/cache vendor
+      shell: bash
diff --git a/.github/workflows/non-prod-internal-web-build-deploy.yaml b/.github/workflows/non-prod-internal-web-build-deploy.yaml
@@ -0,0 +1,252 @@
+name: CI/CD NON PROD INTERNAL WEB
+run-name: CI/CD NON PROD INTERNAL WEB
+
+on:
+  push:
+    branches:
+      - master
+
+env:
+  AWS_REGION : ${{ vars.DVSA_AWS_REGION }}
+  IUWEB_NONPROD_TOOLING_REPO_URL: ${{ secrets.IUWEB_NONPROD_TOOLING_ECR_REPO_URL }}
+  AWS_ACCOUNT_ID_SHAREDCOREECR: ${{ vars.AWS_ACCOUNT_ID_SHAREDCOREECR }}
+
+# Permission can be added at job level or workflow level
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+
+jobs:
+
+  # security:
+  #   uses: dvsa/.github/.github/workflows/[email protected]
+  #   secrets:
+  #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  # static-analysis:
+  #   uses: dvsa/.github/.github/workflows/[email protected]
+  #   # with:
+  #   #   php-version: '7.4'
+
+  # tests:
+  #   uses: dvsa/.github/.github/workflows/[email protected]
+  #   with:
+  #     php-versions: "[\"7.4\"]"
+  #     # fail-fast: false
+
+  unit-tests:
+
+    name: Run Unit Tests
+    runs-on: ubuntu-latest
+
+    steps:
+
+    - name: Checkout the repository to this runner
+      uses: actions/checkout@v3
+
+    - name: Run unit tests
+      run: |
+       echo 'Run unit tests'
+       ls -la ./
+
+  build-test-push-sign-image:
+
+    name: Build, Push & Sign Image
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        php: 
+        - '7.4'
+
+    steps:
+
+    - name: Checkout the repository to this runner
+      uses: actions/checkout@v3
+
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: ${{ matrix.php }}
+        tools: composer:v2
+        coverage: none
+
+    - name: Build Internal Web artifact
+      uses: dvsa/olcs-internal/.github/actions/build-iuweb@feature/AddWorkflows
+
+    - name: Set BASE_IMAGE & IUWEB_IMAGE_TAG
+      run: |
+        envsubst < dockerfile | tee dockerfile.tmp
+        mv dockerfile.tmp dockerfile
+        BASE_IMAGE=$(head -n1 dockerfile)
+        echo "BASE_IMAGE=${BASE_IMAGE#* }" >> $GITHUB_ENV
+        echo "IUWEB_IMAGE_TAG=approved-iuweb-${BASE_IMAGE#*:}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+    - name: Configure AWS credentials on Shared Core ECR
+      uses: aws-actions/[email protected]
+      with:
+        role-to-assume: ${{ secrets.DVSA_AWS_ROLE_SHAREDCORECR }}
+        role-session-name: GitHub_to_AWS_via_FederatedOIDC
+        aws-region: ${{ env.AWS_REGION }}
+
+    - name: Login to Shared Core ECR
+      id: login-ecr-sharedcoreecr
+      uses: aws-actions/[email protected]
+
+    - name: Verify base image
+      uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows
+      with:
+        ecr_tagged_image: $BASE_IMAGE
+        image_sign_inspect: 'true'
+
+    - name: Build Internal Web image
+      run: |
+        docker build -t ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG} \
+          --build-arg DVSA_AWS_SHAREDCOREECR_ID=${{ env.AWS_ACCOUNT_ID_SHAREDCOREECR }} .
+
+    - name: Snyk scan Internal Web image
+      id: scan-api-image
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG}
+        args: --file=dockerfile --severity-threshold=critical
+      continue-on-error: true
+
+    - name: Configure AWS credentials on Non Production IUWEB ECR
+      uses: aws-actions/[email protected]
+      with:
+        role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
+        role-session-name: GitHub_to_AWS_via_FederatedOIDC
+        aws-region: ${{ env.AWS_REGION }}
+
+    - name: Login to Non Production IUWEB ECR
+      id: login-ecr-iuweb-tooling-non-prod
+      uses: aws-actions/[email protected]
+
+    - name: Push Internal Web image
+      if: github.ref == 'refs/heads/master'
+      id: push-image
+      run: |
+        echo "image_tag=${IUWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT
+        docker push ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG}
+
+    - name: Sign Internal Web image
+      if: github.ref == 'refs/heads/master'
+      uses: dvsa/.github/.github/actions/image-integrity@feature/AddMiscAuxilaryWorkflows
+      with:
+        aws_signer_profile_arn: ${{ secrets.DVSA_AWS_IUWEB_NONPROD_TOOLING_IMAGE_SIGNING_PROFILE }}
+        ecr_tagged_image: ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG}
+        image_sign_create: 'true'
+
+    # - name: Release Internal Web
+    #   uses: google-github-actions/release-please-action@v3
+    #   id: release
+    #   with:
+    #     release-type: php
+    #     package-name: ${{ github.event.repository.name }}
+
+    outputs:
+      image_tag: ${{ steps.push-image.outputs.image_tag }}
+
+  deploy-on-non-prod-cluster:
+
+    name: Deploy on Non Prod Cluster
+    if: github.ref == 'refs/heads/master'
+
+    needs:
+    - unit-tests
+    # - security
+    # - static-analysis
+    # - tests
+    -  build-test-push-sign-image
+
+    runs-on: ubuntu-latest
+
+    steps:
+
+    - name: Deploy
+      run: |
+       echo 'Deploy on Non Prod'
+
+    # uses: dvsa/.github/.github/workflows/trigger-github-workflow.yaml@feature/AddMiscAuxilaryWorkflows
+    # with:
+    #   branch: 'feature/AWSRESET1-514'
+    #   git_repository: 'dvsa/dvsa-container-registry'
+    #   workflow_name: 'CD NON PROD INTERNAL WEB'
+    #   input_arguments: 'iuweb_image_tag=${{ needs.build-test-push-sign-image.outputs.image_tag }}'
+    # secrets:
+    #   gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}
+
+  automation-tests:
+
+    name: Run Automation Tests
+    if: github.ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+
+    needs:
+    - deploy-on-non-prod-cluster
+
+    steps:
+
+    - name: Run automation tests
+      run: |
+       echo 'Run automation tests'
+
+  build-nonprod-approved-image:
+
+    name: Build Non PROD Approved Image
+    if: github.ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+
+    needs:
+    - build-test-push-sign-image
+    - deploy-on-non-prod-cluster
+    - automation-tests
+
+    steps:
+
+    - name: IUWEB_IMAGE_TAG & NONPROD_IUWEB_IMAGE_TAG
+      run: |
+        echo "IUWEB_IMAGE_TAG=${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV
+        echo "NONPROD_IUWEB_IMAGE_TAG=nonprod-${{ needs.build-test-push-sign-image.outputs.image_tag }}" >> $GITHUB_ENV
+
+    - name: Configure AWS credentials on Non Production IUWEB ECR
+      uses: aws-actions/[email protected]
+      with:
+        role-to-assume: ${{ secrets.VOL_AWS_ROLE_TOOLING_NONPROD }}
+        role-session-name: GitHub_to_AWS_via_FederatedOIDC
+        aws-region: ${{ env.AWS_REGION }}
+
+    - name: Login to Non Production IUWEB ECR
+      id: login-ecr-iuweb-tooling-non-prod
+      uses: aws-actions/[email protected]
+
+    - name: Push Internal Web image
+      if: github.ref == 'refs/heads/master'
+      id: push-approved-image
+      run: |
+        echo "approved_image_tag=${NONPROD_IUWEB_IMAGE_TAG}" >> $GITHUB_OUTPUT
+        docker pull ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG}
+        docker tag ${IUWEB_NONPROD_TOOLING_REPO_URL}:${IUWEB_IMAGE_TAG} ${IUWEB_NONPROD_TOOLING_REPO_URL}:${NONPROD_IUWEB_IMAGE_TAG}
+        docker push ${IUWEB_NONPROD_TOOLING_REPO_URL}:${NONPROD_IUWEB_IMAGE_TAG}
+
+    outputs:
+      approved_image_tag: ${{ steps.push-approved-image.outputs.approved_image_tag }}
+
+  qa-approval:
+
+    name: QA Internal Web Image Approval
+    if: github.ref == 'refs/heads/master'
+
+    needs:
+    -  build-nonprod-approved-image
+
+    uses: dvsa/.github/.github/workflows/trigger-github-workflow.yaml@feature/AddMiscAuxilaryWorkflows
+    with:
+      branch: 'feature/AddWorkflows'
+      git_repository: 'dvsa/olcs-internal'
+      workflow_name: 'qa-internal-web-approval.yaml'
+      input_arguments: 'iuweb_image_tag=${{ needs.build-nonprod-approved-image.outputs.approved_image_tag }}'
+    secrets:
+      gh_token: ${{ secrets.DVSA_VOL_TERRAFORM_ACCESS_TOKEN }}