DP-1002 Exclude WAF from the Orchestrator account #4636
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Run github actions locally with act https://github.com/nektos/act | |
# act --container-architecture linux/amd64 --artifact-server-path ./build/artifacts -W ./.github/workflows/build.yml | |
name: Build | |
on: | |
push: | |
branches: [main] | |
tags: ['*'] | |
pull_request: | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
name: Tests | |
strategy: | |
matrix: | |
dotnet-version: [ '8.0.x' ] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup dotnet ${{ matrix.dotnet-version }} | |
uses: actions/setup-dotnet@v4 | |
with: | |
dotnet-version: ${{ matrix.dotnet-version }} | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.nuget/packages | |
key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }} | |
restore-keys: | | |
${{ runner.os }}-nuget | |
- name: Build | |
run: make build OpenAPI | |
- name: Test | |
run: make test TEST_OPTIONS="--logger trx --results-directory 'TestResults-${{ matrix.dotnet-version }}'" | |
- name: Upload test results | |
uses: actions/upload-artifact@v4 | |
with: | |
name: test-results-dotnet-${{ matrix.dotnet-version }} | |
path: TestResults-${{ matrix.dotnet-version }} | |
if: ${{ always() }} | |
- name: Upload OpenAPI contracts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: OpenAPI | |
path: OpenAPI | |
package: | |
runs-on: ubuntu-latest | |
name: Build containers | |
env: | |
DOCKER_BUILDKIT: 1 | |
COMPOSE_DOCKER_CLI_BUILD: 1 | |
CDP_ORGANISATION_APP_PORT: 8888 | |
CDP_TENANT_PORT: 8811 | |
CDP_ORGANISATION_PORT: 8822 | |
CDP_PERSON_PORT: 8833 | |
CDP_FORMS_PORT: 8844 | |
CDP_DATA_SHARING_PORT: 8855 | |
CDP_ENTITY_VERIFICATION_PORT: 8094 | |
outputs: | |
version: ${{ steps.version.outputs.version }} | |
images: ${{ steps.save.outputs.images }} | |
images_json: ${{ steps.save.outputs.images_json }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Determine the version | |
id: version | |
run: | | |
COMMIT_REF=$(if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then echo "${{ github.event.pull_request.head.sha }}"; else echo "${GITHUB_SHA:-HEAD}"; fi) | |
CURRENT_COMMIT=$(make version-commit COMMIT_REF=$COMMIT_REF) | |
CURRENT_TAG=$([[ "${GITHUB_REF:0:10}" = "refs/tags/" ]] && echo ${GITHUB_REF#refs/tags/} || echo "") | |
LAST_TAG=$(make last-tag) | |
VERSION=$([[ "${CURRENT_TAG}" = "" ]] && echo "${LAST_TAG}-${CURRENT_COMMIT}" || echo "$CURRENT_TAG") | |
echo "Version: $VERSION" | |
echo "version=${VERSION}" >> $GITHUB_OUTPUT | |
- name: Build | |
run: make build-docker VERSION=${IMAGE_VERSION} | |
env: | |
IMAGE_VERSION: ${{ steps.version.outputs.version }} | |
- name: Start services | |
run: make up | |
env: | |
IMAGE_VERSION: ${{ steps.version.outputs.version }} | |
- name: Verify services | |
run: make verify-up | |
env: | |
IMAGE_VERSION: ${{ steps.version.outputs.version }} | |
- name: Test migrations | |
run: make db | |
env: | |
IMAGE_VERSION: ${{ steps.version.outputs.version }} | |
- name: Stop services | |
run: make down | |
env: | |
IMAGE_VERSION: ${{ steps.version.outputs.version }} | |
- name: Save Docker Images | |
id: save | |
run: | | |
IMAGES=$(docker images | awk '$1 ~ /cabinetoffice\/cdp-/ && $2 ~ /^'$IMAGE_VERSION'$/ { print $1":"$2}' | tr '\n' ' ') | |
IMAGES_JSON=$(echo $IMAGES | tr " " "\n" | jq -R . | jq -c -s .) | |
echo "Images to be saved: $IMAGES" | |
echo "Images to be saved (json): $IMAGES_JSON" | |
docker save -o cdp-images.tar $IMAGES | |
echo "images=${IMAGES}" >> $GITHUB_OUTPUT | |
echo "images_json=${IMAGES_JSON}" >> $GITHUB_OUTPUT | |
env: | |
IMAGE_VERSION: ${{ steps.version.outputs.version }} | |
- name: Upload Docker Images as Artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: docker-images | |
path: cdp-images.tar | |
vulnerability-scan: | |
# since we do not fail the build for now, but the report is to get feedback, only run it on the main branch and tags | |
if: (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && github.repository_owner == 'cabinetoffice' | |
runs-on: ubuntu-latest | |
name: Scan for vulnerabilities | |
needs: [test, package] | |
strategy: | |
matrix: | |
image: ${{ fromJSON(needs.package.outputs.images_json) }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download Docker Images | |
uses: actions/download-artifact@v4 | |
with: | |
name: docker-images | |
- name: Load Docker Images | |
run: docker load -i cdp-images.tar | |
- name: Determine the category | |
id: category | |
run: | | |
image=${{ matrix.image }} | |
category=${image%%:*} | |
echo "category=$category" >> $GITHUB_OUTPUT | |
- name: Scan ${{ matrix.image }} | |
uses: anchore/scan-action@v5 | |
id: scan | |
with: | |
image: "${{ matrix.image }}" | |
fail-build: false | |
severity-cutoff: critical | |
output-format: sarif | |
- name: Upload Image Vulnerability Reports | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: ${{ steps.scan.outputs.sarif }} | |
category: ${{ steps.category.outputs.category }} | |
publish: | |
if: (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && github.repository_owner == 'cabinetoffice' | |
runs-on: ubuntu-latest | |
name: Publish containers | |
needs: [test, package] | |
env: | |
DOCKER_BUILDKIT: 1 | |
COMPOSE_DOCKER_CLI_BUILD: 1 | |
IMAGE_VERSION: ${{ needs.package.outputs.version }} | |
IMAGES: ${{ needs.package.outputs.images }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download Docker Images | |
uses: actions/download-artifact@v4 | |
with: | |
name: docker-images | |
- name: Load Docker Images | |
run: docker load -i cdp-images.tar | |
- name: Set up AWS CLI | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: eu-west-2 | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v2 | |
- name: Tag and Push Docker Images | |
run: make aws-push-to-ecr AWS_ACCOUNT_ID="${{ secrets.AWS_ACCOUNT_ID }}" IMAGES="${{ env.IMAGES }}" | |
- name: Store Version in SSM Parameter Store | |
run: | | |
aws ssm put-parameter --name "cdp-sirsi-service-version" --value "${{ env.IMAGE_VERSION }}" --type String --overwrite |