Merge pull request #5764 from govuk-one-login/AUT-3895/allow-reverifi… #611
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Build and deploy API modules" | |
env: | |
AWS_REGION: eu-west-2 | |
DEPLOYER_ROLE: arn:aws:iam::114407264696:role/deployers/github-actions-publish-to-s3-for-code-signing | |
SOURCE_BUCKET: di-auth-lambda-source-20220215170204376700000003 | |
SIGNING_PROFILE: di_auth_lambda_signing_20220215170204371800000001 | |
DESTINATION_BUCKET: di-auth-lambda-signed-20220215170204376200000002 | |
GHA_ROLE: arn:aws:iam::761723964695:role/build-auth-deploy-pipeline-GitHubActionsRole-160U5ADTRKQ2O | |
ARTIFACT_BUCKET: build-auth-deploy-pipeli-githubartifactsourcebuck-1o4hcrnik6ayv | |
ARTIFACT_LOOKUP_TABLE: arn:aws:dynamodb:eu-west-2:114407264696:table/di-auth-production-artifact-lookup | |
JAVA_VERSION: 17 | |
JAVA_DISTRIBUTION: corretto | |
on: | |
push: | |
branches: | |
- main | |
concurrency: | |
group: "build-and-deploy-api-modules" | |
cancel-in-progress: false | |
jobs: | |
set-up: | |
name: Set up environment | |
runs-on: ubuntu-latest | |
outputs: | |
aws_region: ${{ env.AWS_REGION }} | |
deployer_role: ${{ steps.secrets.outputs.DEPLOYER_ROLE }} | |
promotion_role: ${{ steps.secrets.outputs.PROMOTION_ROLE }} | |
source_bucket: ${{ steps.secrets.outputs.SOURCE_BUCKET }} | |
signing_profile: ${{ steps.secrets.outputs.SIGNING_PROFILE }} | |
destination_bucket: ${{ steps.secrets.outputs.DESTINATION_BUCKET }} | |
artifact_bucket: ${{ steps.secrets.outputs.ARTIFACT_BUCKET }} | |
artifact_lookup_table: ${{ steps.secrets.outputs.ARTIFACT_LOOKUP_TABLE }} | |
steps: | |
- id: secrets | |
run: | | |
{ | |
echo "DEPLOYER_ROLE=${{ env.DEPLOYER_ROLE }}" | |
echo "SOURCE_BUCKET=${{ env.SOURCE_BUCKET }}" | |
echo "SIGNING_PROFILE=${{ env.SIGNING_PROFILE }}" | |
echo "DESTINATION_BUCKET=${{ env.DESTINATION_BUCKET }}" | |
echo "PROMOTION_ROLE=${{ env.GHA_ROLE }}" | |
echo "ARTIFACT_BUCKET=${{ env.ARTIFACT_BUCKET }}" | |
echo "ARTIFACT_LOOKUP_TABLE=${{ env.ARTIFACT_LOOKUP_TABLE }}" | |
} >> "$GITHUB_OUTPUT" | |
pr-data: | |
name: Get data for merged PR | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
pull-requests: read | |
outputs: | |
data: ${{ steps.fetch-pr-metadata.outputs.escaped-json }} | |
steps: | |
- name: Fetch PR Metadata | |
uses: govuk-one-login/authentication-artifact-metadata-action@d0ea2b26de2edf3ba08e649f9f06e6300460f2f6 | |
id: fetch-pr-metadata | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
shell: bash | |
build-cache: | |
name: Set up build cache | |
runs-on: ubuntu-latest | |
outputs: | |
java_version: ${{ env.JAVA_VERSION }} | |
java_distribution: ${{ env.JAVA_DISTRIBUTION }} | |
steps: | |
- name: Check out repository code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Set up JDK 17 | |
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 | |
with: | |
java-version: ${{ env.JAVA_VERSION}} | |
distribution: ${{ env.JAVA_DISTRIBUTION}} | |
- name: Set up Gradle | |
uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4 | |
with: | |
gradle-version: wrapper | |
cache-read-only: false | |
- name: Download dependencies for caching | |
run: ./gradlew --no-daemon --console=plain assemble | |
build: | |
name: Build modules | |
needs: | |
- set-up | |
- build-cache | |
strategy: | |
matrix: | |
module: | |
- account-management-api | |
- auth-external-api | |
- client-registry-api | |
- delivery-receipts-api | |
- doc-checking-app-api | |
- frontend-api | |
- interventions-api-stub | |
- ipv-api | |
- oidc-api | |
- test-services-api | |
- ticf-cri-stub | |
- utils | |
permissions: | |
id-token: write | |
contents: read | |
uses: ./.github/workflows/call_build-single-api-module.yml | |
with: | |
module_name: ${{ matrix.module }} | |
aws_region: ${{ needs.set-up.outputs.aws_region }} | |
aws_role: ${{ needs.set-up.outputs.deployer_role }} | |
source_bucket: ${{ needs.set-up.outputs.source_bucket }} | |
destination_bucket: ${{ needs.set-up.outputs.destination_bucket }} | |
signing_profile: ${{ needs.set-up.outputs.signing_profile }} | |
lookup_table: ${{ needs.set-up.outputs.artifact_lookup_table }} | |
java_version: ${{ needs.build-cache.outputs.java_version }} | |
java_distribution: ${{ needs.build-cache.outputs.java_distribution }} | |
create-promotion-artifact-shared: | |
name: Create Shared Promotion Artifact | |
needs: set-up | |
permissions: | |
id-token: write | |
contents: read | |
uses: ./.github/workflows/call_create-shared-promotion-artifact.yml | |
create-promotion-artifacts-simple-modules: | |
name: Create Promotion Artifact | |
needs: | |
- set-up | |
- build | |
strategy: | |
matrix: | |
include: | |
- module_name: account-management-api | |
terraform_directory_name: account-management | |
- module_name: auth-external-api | |
terraform_directory_name: auth-external-api | |
- module_name: delivery-receipts-api | |
terraform_directory_name: delivery-receipts | |
- module_name: interventions-api-stub | |
terraform_directory_name: interventions-api-stub | |
- module_name: test-services-api | |
terraform_directory_name: test-services | |
- module_name: ticf-cri-stub | |
terraform_directory_name: ticf-cri-stub | |
- module_name: utils | |
terraform_directory_name: utils | |
permissions: | |
id-token: write | |
contents: read | |
uses: ./.github/workflows/call_create-simple-module-promotion-artifact.yml | |
with: | |
module_name: ${{ matrix.module_name }} | |
terraform_directory_name: ${{ matrix.terraform_directory_name }} | |
create-promotion-artifact-oidc: | |
name: Create OIDC Promotion artifact | |
needs: | |
- set-up | |
- build | |
permissions: | |
id-token: write | |
contents: read | |
uses: ./.github/workflows/call_create-oidc-promotion-artifact.yml | |
with: | |
oidc_api_module_name: oidc-api | |
client_registry_api_module_name: client-registry-api | |
doc_checking_app_api_module_name: doc-checking-app-api | |
frontend_api_module_name: frontend-api | |
ipv_api_module_name: ipv-api | |
terraform_directory_name: oidc | |
gather-and-trigger-codepipeline: | |
name: Gather and trigger CodePipeline | |
needs: | |
- pr-data | |
- set-up | |
- create-promotion-artifact-shared | |
- create-promotion-artifacts-simple-modules | |
- create-promotion-artifact-oidc | |
permissions: | |
id-token: write | |
contents: read | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Set up AWS credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: ${{ needs.set-up.outputs.promotion_role }} | |
aws-region: ${{ needs.set-up.outputs.aws_region }} | |
- name: Download all promotion artifacts | |
id: download_promotion_artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
path: promotion-artifacts | |
pattern: promotion_artifact_* | |
merge-multiple: true | |
- name: Upload single promotion artifact to S3 | |
working-directory: promotion-artifacts | |
env: | |
ARTIFACT_BUCKET: ${{ needs.set-up.outputs.artifact_bucket }} | |
run: | | |
echo "::group::Zip all promotion artifacts" | |
zip -r authentication-api.zip . | |
echo "::endgroup::" | |
echo "::group::Upload final artifact to S3" | |
OBJECT_VERSION="$(aws s3api put-object \ | |
--bucket "${ARTIFACT_BUCKET}" \ | |
--key authentication-api.zip \ | |
--body authentication-api.zip \ | |
--metadata ${{ needs.pr-data.outputs.data}} \ | |
--query VersionId --output text)" | |
echo "::endgroup::" | |
echo "::notice title=Final artifact uploaded to S3::object: authentication-api.zip, version: $OBJECT_VERSION" |