Skip to content
Build and deploy API modules

Merge pull request #5740 from govuk-one-login/ATO-1178-max-age-audit-… #602

Sign in to view logs

Merge pull request #5740 from govuk-one-login/ATO-1178-max-age-audit-…

Merge pull request #5740 from govuk-one-login/ATO-1178-max-age-audit-… #602

Workflow file for this run

.github/workflows/deploy-api-modules.yml at 70956fb
name: "Build and deploy API modules"
env:
AWS_REGION: eu-west-2
DEPLOYER_ROLE: arn:aws:iam::114407264696:role/deployers/github-actions-publish-to-s3-for-code-signing
SOURCE_BUCKET: di-auth-lambda-source-20220215170204376700000003
SIGNING_PROFILE: di_auth_lambda_signing_20220215170204371800000001
DESTINATION_BUCKET: di-auth-lambda-signed-20220215170204376200000002
GHA_ROLE: arn:aws:iam::761723964695:role/build-auth-deploy-pipeline-GitHubActionsRole-160U5ADTRKQ2O
ARTIFACT_BUCKET: build-auth-deploy-pipeli-githubartifactsourcebuck-1o4hcrnik6ayv
ARTIFACT_LOOKUP_TABLE: arn:aws:dynamodb:eu-west-2:114407264696:table/di-auth-production-artifact-lookup
JAVA_VERSION: 17
JAVA_DISTRIBUTION: corretto
on:
push:
branches:
- main
concurrency:
group: "build-and-deploy-api-modules"
cancel-in-progress: false
jobs:
set-up:
name: Set up environment
runs-on: ubuntu-latest
outputs:
aws_region: ${{ env.AWS_REGION }}
deployer_role: ${{ steps.secrets.outputs.DEPLOYER_ROLE }}
promotion_role: ${{ steps.secrets.outputs.PROMOTION_ROLE }}
source_bucket: ${{ steps.secrets.outputs.SOURCE_BUCKET }}
signing_profile: ${{ steps.secrets.outputs.SIGNING_PROFILE }}
destination_bucket: ${{ steps.secrets.outputs.DESTINATION_BUCKET }}
artifact_bucket: ${{ steps.secrets.outputs.ARTIFACT_BUCKET }}
artifact_lookup_table: ${{ steps.secrets.outputs.ARTIFACT_LOOKUP_TABLE }}
steps:
- id: secrets
run: |
{
echo "DEPLOYER_ROLE=${{ env.DEPLOYER_ROLE }}"
echo "SOURCE_BUCKET=${{ env.SOURCE_BUCKET }}"
echo "SIGNING_PROFILE=${{ env.SIGNING_PROFILE }}"
echo "DESTINATION_BUCKET=${{ env.DESTINATION_BUCKET }}"
echo "PROMOTION_ROLE=${{ env.GHA_ROLE }}"
echo "ARTIFACT_BUCKET=${{ env.ARTIFACT_BUCKET }}"
echo "ARTIFACT_LOOKUP_TABLE=${{ env.ARTIFACT_LOOKUP_TABLE }}"
} >> "$GITHUB_OUTPUT"
pr-data:
name: Get data for merged PR
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
outputs:
data: ${{ steps.fetch-pr-metadata.outputs.escaped-json }}
steps:
- name: Fetch PR Metadata
uses: govuk-one-login/authentication-artifact-metadata-action@d0ea2b26de2edf3ba08e649f9f06e6300460f2f6
id: fetch-pr-metadata
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
shell: bash
build-cache:
name: Set up build cache
runs-on: ubuntu-latest
outputs:
java_version: ${{ env.JAVA_VERSION }}
java_distribution: ${{ env.JAVA_DISTRIBUTION }}
steps:
- name: Check out repository code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up JDK 17
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
java-version: ${{ env.JAVA_VERSION}}
distribution: ${{ env.JAVA_DISTRIBUTION}}
- name: Set up Gradle
uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4
with:
gradle-version: wrapper
cache-read-only: false
- name: Download dependencies for caching
run: ./gradlew --no-daemon --console=plain assemble
build:
name: Build modules
needs:
- set-up
- build-cache
strategy:
matrix:
module:
- account-management-api
- auth-external-api
- client-registry-api
- delivery-receipts-api
- doc-checking-app-api
- frontend-api
- interventions-api-stub
- ipv-api
- oidc-api
- test-services-api
- ticf-cri-stub
- utils
permissions:
id-token: write
contents: read
uses: ./.github/workflows/call_build-single-api-module.yml
with:
module_name: ${{ matrix.module }}
aws_region: ${{ needs.set-up.outputs.aws_region }}
aws_role: ${{ needs.set-up.outputs.deployer_role }}
source_bucket: ${{ needs.set-up.outputs.source_bucket }}
destination_bucket: ${{ needs.set-up.outputs.destination_bucket }}
signing_profile: ${{ needs.set-up.outputs.signing_profile }}
lookup_table: ${{ needs.set-up.outputs.artifact_lookup_table }}
java_version: ${{ needs.build-cache.outputs.java_version }}
java_distribution: ${{ needs.build-cache.outputs.java_distribution }}
create-promotion-artifact-shared:
name: Create Shared Promotion Artifact
needs: set-up
permissions:
id-token: write
contents: read
uses: ./.github/workflows/call_create-shared-promotion-artifact.yml
create-promotion-artifacts-simple-modules:
name: Create Promotion Artifact
needs:
- set-up
- build
strategy:
matrix:
include:
- module_name: account-management-api
terraform_directory_name: account-management
- module_name: auth-external-api
terraform_directory_name: auth-external-api
- module_name: delivery-receipts-api
terraform_directory_name: delivery-receipts
- module_name: interventions-api-stub
terraform_directory_name: interventions-api-stub
- module_name: test-services-api
terraform_directory_name: test-services
- module_name: ticf-cri-stub
terraform_directory_name: ticf-cri-stub
- module_name: utils
terraform_directory_name: utils
permissions:
id-token: write
contents: read
uses: ./.github/workflows/call_create-simple-module-promotion-artifact.yml
with:
module_name: ${{ matrix.module_name }}
terraform_directory_name: ${{ matrix.terraform_directory_name }}
create-promotion-artifact-oidc:
name: Create OIDC Promotion artifact
needs:
- set-up
- build
permissions:
id-token: write
contents: read
uses: ./.github/workflows/call_create-oidc-promotion-artifact.yml
with:
oidc_api_module_name: oidc-api
client_registry_api_module_name: client-registry-api
doc_checking_app_api_module_name: doc-checking-app-api
frontend_api_module_name: frontend-api
ipv_api_module_name: ipv-api
terraform_directory_name: oidc
gather-and-trigger-codepipeline:
name: Gather and trigger CodePipeline
needs:
- pr-data
- set-up
- create-promotion-artifact-shared
- create-promotion-artifacts-simple-modules
- create-promotion-artifact-oidc
permissions:
id-token: write
contents: read
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ needs.set-up.outputs.promotion_role }}
aws-region: ${{ needs.set-up.outputs.aws_region }}
- name: Download all promotion artifacts
id: download_promotion_artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: promotion-artifacts
pattern: promotion_artifact_*
merge-multiple: true
- name: Upload single promotion artifact to S3
working-directory: promotion-artifacts
env:
ARTIFACT_BUCKET: ${{ needs.set-up.outputs.artifact_bucket }}
run: |
echo "::group::Zip all promotion artifacts"
zip -r authentication-api.zip .
echo "::endgroup::"
echo "::group::Upload final artifact to S3"
OBJECT_VERSION="$(aws s3api put-object \
--bucket "${ARTIFACT_BUCKET}" \
--key authentication-api.zip \
--body authentication-api.zip \
--metadata ${{ needs.pr-data.outputs.data}} \
--query VersionId --output text)"
echo "::endgroup::"
echo "::notice title=Final artifact uploaded to S3::object: authentication-api.zip, version: $OBJECT_VERSION"