Skip to content
Secure Pipeline Test, Build, Package & Ship Core Back

PYIC-7571: Fetch historic signing keys up front (#2626) #1528

Sign in to view logs

PYIC-7571: Fetch historic signing keys up front (#2626)

PYIC-7571: Fetch historic signing keys up front (#2626) #1528

Workflow file for this run

.github/workflows/secure-post-merge.yml at e6c7b8a
name: Secure Pipeline Test, Build, Package & Ship Core Back
on:
push:
branches:
- main
paths-ignore:
- 'deploy-delete-user-data/**'
- '.github/workflows/secure-post-merge.yml'
- 'lambdas/delete-user-data/**'
- '.github/workflows/secure-post-merge-notags.yml'
jobs:
check-if-api-tests-changed:
runs-on: ubuntu-latest
outputs:
api-tests-changed: ${{ steps.get-changed-files.outputs.any_changed }}
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed api-tests files
id: get-changed-files
uses: tj-actions/changed-files@c3a1bb2c992d77180ae65be6ae6c166cf40f857c # v45.0.3
with:
files: |
api-tests/**
.github/workflows/secure-pipeline-api-tests-image.yml
- name: List changed files
env:
CHANGED_FILES: ${{ steps.get-changed-files.outputs.all_changed_files }}
run: |
for file in ${CHANGED_FILES}; do
echo "$file was changed"
done
build-test-images-if-needed:
needs: check-if-api-tests-changed
if: ${{ needs.check-if-api-tests-changed.outputs.api-tests-changed == 'true' }}
uses: govuk-one-login/ipv-core-back/.github/workflows/secure-pipeline-api-tests-image.yml@main
secrets: inherit # pragma: allowlist secret
permissions:
id-token: write
packages: read
contents: read
deploy:
needs: build-test-images-if-needed
if: '!failure()'
runs-on: ubuntu-latest
timeout-minutes: 15
env:
AWS_REGION: eu-west-2
ENVIRONMENT: build
permissions:
id-token: write
contents: read
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'adopt'
cache: gradle
- name: Set up Python 3.8
uses: actions/setup-python@v5
with:
python-version: "3.8"
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4
with:
gradle-version: 8.2.1
- name: Set up SAM cli
uses: aws-actions/setup-sam@v2
- name: sam fix https://github.com/aws/aws-sam-cli/issues/4527
run: $(dirname $(readlink $(which sam)))/pip install --force-reinstall "cryptography==38.0.4"
- name: Set up AWS creds For Pipeline
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }}
aws-region: eu-west-2
- name: SAM validate
working-directory: ./deploy
run: sam validate --region ${{ env.AWS_REGION }}
- name: SAM build and test
working-directory: ./deploy
run: sam build
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Deploy SAM app
uses: govuk-one-login/[email protected]
with:
artifact-bucket-name: ${{ secrets.ARTIFACT_BUCKET_NAME }}
signing-profile-name: ${{ secrets.SIGNING_PROFILE_NAME }}
working-directory: ./deploy
template-file: .aws-sam/build/template.yaml