DDLS-323 add trivy config scan to pipeline #3030
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "[Workflow] All branch based pushes" | |
| concurrency: | |
| group: ${{ github.ref }}-${{ github.workflow }} | |
| defaults: | |
| run: | |
| shell: bash | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: | |
| id-token: write | |
| contents: write | |
| security-events: write | |
| pull-requests: write | |
| actions: none | |
| checks: none | |
| deployments: none | |
| issues: none | |
| packages: none | |
| repository-projects: none | |
| statuses: none | |
| jobs: | |
| workflow_variables: | |
| runs-on: ubuntu-latest | |
| name: output workflow variables | |
| outputs: | |
| parsed_branch: ${{ steps.variables.outputs.branch_formatted }} | |
| build_identifier: ${{ steps.variables.outputs.build_identifier }} | |
| version_tag: ${{ steps.semver_tag.outputs.created_tag }} | |
| steps: | |
| - uses: actions/checkout@3b9b8c884f6b4bb4d5be2779c26374abadae0871 # pin@v3 | |
| - name: extract variables for workflow | |
| id: variables | |
| env: | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| export BRANCH=$(echo ${GITHUB_HEAD_REF:-${GITHUB_REF##*/}} | awk -F'_' '{print $1}' | tr -cd '[:alnum:]' | tr '[:upper:]' '[:lower:]' | cut -c1-8) | |
| echo "branch_formatted=$(echo ${BRANCH})" >> $GITHUB_OUTPUT | |
| echo "build_identifier=$(echo ${BRANCH}${PR_NUMBER})" >> $GITHUB_OUTPUT | |
| echo ${build_identifier} | |
| - name: Generate build output using Markdown | |
| env: | |
| PARSED_BRANCH: ${{ steps.variables.outputs.branch_formatted }} | |
| BUILD_IDENTIFIER: ${{ steps.variables.outputs.build_identifier }} | |
| run: | | |
| echo "### Build Variables" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "- Branch: ${PARSED_BRANCH}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Build Identifier: ${BUILD_IDENTIFIER}" >> $GITHUB_STEP_SUMMARY | |
| - name: generate semver tag and release | |
| id: semver_tag | |
| uses: ministryofjustice/opg-github-actions/.github/actions/semver-tag@v3.1.0 | |
| with: | |
| prerelease: true | |
| default_bump: "minor" | |
| - name: show build identifier and tag | |
| id: show | |
| env: | |
| BUILD: ${{ steps.variables.outputs.build_identifier }} | |
| TAG: ${{ steps.semver_tag.outputs.created_tag }} | |
| run: | | |
| echo "Build Identifier: ${BUILD}" | |
| echo "Container Tag: ${TAG}" | |
| - uses: actions/labeler@main | |
| if: github.event_name == 'pull_request' | |
| with: | |
| configuration-path: .github/labeller.yml | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| sync-labels: true | |
| build_web_resources: | |
| name: build web resources | |
| uses: ./.github/workflows/_web-resources.yml | |
| secrets: inherit | |
| terraform_lint: | |
| name: lint terraform code | |
| uses: ./.github/workflows/_lint-terraform.yml | |
| needs: | |
| - workflow_variables | |
| with: | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| secrets: inherit | |
| test_js: | |
| name: test javascript code | |
| uses: ./.github/workflows/_test-js.yml | |
| needs: | |
| - workflow_variables | |
| docker_build_scan_push: | |
| name: build, scan and push | |
| uses: ./.github/workflows/_build-and-push.yml | |
| needs: | |
| - workflow_variables | |
| - build_web_resources | |
| with: | |
| tag: ${{ needs.workflow_variables.outputs.version_tag }} | |
| branch_name: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| push_to_ecr: true | |
| secrets: inherit | |
| api_unit_tests_1: | |
| name: api unit tests 1 | |
| uses: ./.github/workflows/_unit-tests-api.yml | |
| with: | |
| selection: selection-1 | |
| branch_name: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| needs: | |
| - workflow_variables | |
| api_unit_tests_2: | |
| name: api unit tests 2 | |
| uses: ./.github/workflows/_unit-tests-api.yml | |
| with: | |
| selection: selection-2 | |
| branch_name: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| needs: | |
| - workflow_variables | |
| api_unit_tests_3: | |
| name: api unit tests 3 | |
| uses: ./.github/workflows/_unit-tests-api.yml | |
| with: | |
| selection: selection-3 | |
| branch_name: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| needs: | |
| - workflow_variables | |
| client_unit_tests: | |
| name: client unit tests | |
| uses: ./.github/workflows/_unit-tests-client.yml | |
| needs: | |
| - workflow_variables | |
| - build_web_resources | |
| codecov: | |
| name: upload to codecov | |
| uses: ./.github/workflows/_codecov.yml | |
| needs: | |
| - client_unit_tests | |
| - miscellaneous_unit_tests | |
| - api_unit_tests_1 | |
| - api_unit_tests_2 | |
| - api_unit_tests_3 | |
| secrets: inherit | |
| miscellaneous_unit_tests: | |
| name: miscellaneous unit tests | |
| uses: ./.github/workflows/_unit-tests-miscellaneous.yml | |
| needs: | |
| - workflow_variables | |
| terraform_plan_account_development: | |
| name: account plan terraform development | |
| uses: ./.github/workflows/_run-terraform.yml | |
| needs: | |
| - workflow_variables | |
| - terraform_lint | |
| with: | |
| workspace: development | |
| terraform_path: account | |
| container_version: ${{ needs.workflow_variables.outputs.version_tag }} | |
| account_name: development | |
| secrets: inherit | |
| terraform_apply_environment: | |
| name: environment apply terraform | |
| uses: ./.github/workflows/_run-terraform.yml | |
| needs: | |
| - docker_build_scan_push | |
| - terraform_lint | |
| - workflow_variables | |
| with: | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| terraform_path: environment | |
| apply: true | |
| container_version: ${{ needs.workflow_variables.outputs.version_tag }} | |
| account_name: development | |
| pull_request_path: true | |
| secrets: inherit | |
| ecr_scan_results: | |
| name: ecr scan results | |
| uses: ./.github/workflows/_ecr-scanning.yml | |
| with: | |
| tag: ${{ needs.workflow_variables.outputs.version_tag }} | |
| needs: | |
| - terraform_apply_environment | |
| - workflow_variables | |
| secrets: inherit | |
| scale_services_up: | |
| name: scale up services | |
| uses: ./.github/workflows/_scale-services.yml | |
| needs: | |
| - workflow_variables | |
| - terraform_apply_environment | |
| with: | |
| replicas: 10 | |
| acu: 16 | |
| account_id: 248804316466 | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| secrets: inherit | |
| reset_database: | |
| name: reset database | |
| uses: ./.github/workflows/_run-task.yml | |
| needs: | |
| - workflow_variables | |
| - terraform_apply_environment | |
| with: | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| account_name: development | |
| task_name: "reset_database" | |
| timeout: "500" | |
| secrets: inherit | |
| smoke_tests: | |
| name: smoke tests | |
| uses: ./.github/workflows/_run-task.yml | |
| needs: | |
| - workflow_variables | |
| - reset_database | |
| - scale_services_up | |
| with: | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| account_name: development | |
| task_name: "smoke_tests" | |
| timeout: "900" | |
| secrets: inherit | |
| integration_tests_1: | |
| name: integration tests frontend 1 | |
| uses: ./.github/workflows/_run-task.yml | |
| needs: | |
| - workflow_variables | |
| - reset_database | |
| - scale_services_up | |
| with: | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| account_name: development | |
| task_name: "integration_test_v2" | |
| timeout: "1200" | |
| override: "sh,./tests/Behat/run-tests-parallel.sh,--tags,@v2_reporting_1,--profile,v2-tests-browserkit" | |
| secrets: inherit | |
| integration_tests_2: | |
| name: integration tests frontend 2 | |
| uses: ./.github/workflows/_run-task.yml | |
| needs: | |
| - workflow_variables | |
| - reset_database | |
| - scale_services_up | |
| with: | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| account_name: development | |
| task_name: "integration_test_v2" | |
| timeout: "1200" | |
| override: "sh,./tests/Behat/run-tests-parallel.sh,--tags,@v2_reporting_2,--profile,v2-tests-browserkit" | |
| secrets: inherit | |
| integration_tests_admin: | |
| name: integration tests admin | |
| uses: ./.github/workflows/_run-task.yml | |
| needs: | |
| - workflow_variables | |
| - reset_database | |
| - scale_services_up | |
| with: | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| account_name: development | |
| task_name: "integration_test_v2" | |
| timeout: "1200" | |
| override: "sh,./tests/Behat/run-tests-parallel.sh,--tags,@v2_admin,--profile,v2-tests-browserkit" | |
| secrets: inherit | |
| integration_tests_sequential_1: | |
| name: integration tests sequential 1 | |
| uses: ./.github/workflows/_run-task.yml | |
| needs: | |
| - workflow_variables | |
| - reset_database | |
| - scale_services_up | |
| with: | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| account_name: development | |
| task_name: "integration_test_v2" | |
| timeout: "1200" | |
| override: "sh,./tests/Behat/run-tests.sh,--tags,@v2_sequential_1,--profile,v2-tests-browserkit" | |
| secrets: inherit | |
| integration_tests_sequential_2: | |
| name: integration tests sequential 2 | |
| uses: ./.github/workflows/_run-task.yml | |
| needs: | |
| - workflow_variables | |
| - reset_database | |
| - scale_services_up | |
| with: | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| account_name: development | |
| task_name: "integration_test_v2" | |
| timeout: "1200" | |
| override: "sh,./tests/Behat/run-tests.sh,--tags,@v2_sequential_2,--profile,v2-tests-browserkit" | |
| secrets: inherit | |
| integration_tests_sequential_3: | |
| name: integration tests sequential 3 | |
| uses: ./.github/workflows/_run-task.yml | |
| needs: | |
| - workflow_variables | |
| - reset_database | |
| - scale_services_up | |
| with: | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| account_name: development | |
| task_name: "integration_test_v2" | |
| timeout: "1200" | |
| override: "sh,./tests/Behat/run-tests.sh,--tags,@v2_sequential_3,--profile,v2-tests-browserkit" | |
| secrets: inherit | |
| scale_services_down: | |
| if: always() | |
| name: scale down services | |
| uses: ./.github/workflows/_scale-services.yml | |
| needs: | |
| - workflow_variables | |
| - integration_tests_sequential_1 | |
| - integration_tests_sequential_2 | |
| - integration_tests_sequential_3 | |
| - integration_tests_admin | |
| - integration_tests_1 | |
| - integration_tests_2 | |
| with: | |
| replicas: 1 | |
| acu: 4 | |
| account_id: 248804316466 | |
| workspace: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| secrets: inherit | |
| end_of_workflow: | |
| name: end of workflow | |
| runs-on: ubuntu-latest | |
| needs: | |
| - scale_services_down | |
| - codecov | |
| - workflow_variables | |
| if: ${{ always() }} | |
| steps: | |
| - name: Check workflow result | |
| if: ${{ failure() }} | |
| run: | | |
| echo "A job failed. Marking end-workflow as failed." | |
| exit 1 | |
| - name: workflow ended successfully | |
| if: ${{ success() }} | |
| run: | | |
| export PUBLIC_FRONTEND_URL="https://${{ needs.workflow_variables.outputs.build_identifier }}.complete-deputy-report.service.gov.uk" | |
| export SERVICE_FRONTEND_URL="https://${{ needs.workflow_variables.outputs.build_identifier }}.digideps.opg.service.justice.gov.uk" | |
| export SERVICE_ADMIN_URL="https://${{ needs.workflow_variables.outputs.build_identifier }}.admin.digideps.opg.service.justice.gov.uk" | |
| echo "${{ needs.workflow_variables.outputs.build_identifier }} PR environment tested, built and deployed" | |
| echo "Public Frontend URL: ${PUBLIC_FRONTEND_URL}" | |
| echo "Service Frontend URL: ${SERVICE_FRONTEND_URL}" | |
| echo "Service Admin URL: ${SERVICE_ADMIN_URL}" | |
| echo "Tag Used: ${{ needs.workflow_variables.outputs.version_tag }}" | |
| echo "### Environment Details" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "- Public Frontend URL: ${PUBLIC_FRONTEND_URL}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Service Frontend URL: ${SERVICE_FRONTEND_URL}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Service Admin URL: ${SERVICE_ADMIN_URL}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Tag Used: ${{ needs.workflow_variables.outputs.version_tag }}" >> $GITHUB_STEP_SUMMARY | |
| slack_notify_success: | |
| name: notify of success | |
| uses: ./.github/workflows/_slack-notification.yml | |
| needs: | |
| - workflow_variables | |
| - end_of_workflow | |
| with: | |
| success: yes | |
| branch: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| account: 248804316466 | |
| secrets: inherit | |
| slack_notify_failure: | |
| name: notify of failure | |
| uses: ./.github/workflows/_slack-notification.yml | |
| if: ${{ failure() }} | |
| needs: | |
| - workflow_variables | |
| - end_of_workflow | |
| with: | |
| success: no | |
| branch: ${{ needs.workflow_variables.outputs.build_identifier }} | |
| account: 248804316466 | |
| secrets: inherit |