DCMAW-11057: Push STS test image to dev and build #338
Conversation
| - name: Setup nodeJS v20 | ||
| uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 | ||
| with: | ||
| node-version-file: '.nvmrc' |
There was a problem hiding this comment.
Enforces the use of an .nvmrc file (a standard we use in all our async stacks), but I think the easiest way to ensure this is running on the version of Node that we develop with. Happy for suggestions.
| jobs: | ||
| build-and-push: | ||
| name: build-and-push | ||
| runs-on: ubuntu-24.04 |
There was a problem hiding this comment.
Note this is a later version than what we use elsewhere (ubuntu-22)
sandymay-dd
force-pushed
the
DCMAW-11057
branch
from
25dd116 to
f0bf11e
Compare
| version: 1.132.0 | ||
|
|
||
| - name: Install npm packages | ||
| run: npm install |
There was a problem hiding this comment.
note: also enforces the use of npm. This is a programme standard now and is preferred to yarn.
There was a problem hiding this comment.
annoyingly - I don't think you can have sub-directories for workflows. Happy for naming suggestions to make this file stand out.
There was a problem hiding this comment.
A cheeky prefix?
_name.yml
or
action-${name}.yaml
There was a problem hiding this comment.
or potentially job-{name}.yaml
There was a problem hiding this comment.
(ideas for tomorrow me)
|
|
||
| build-and-upload-sam-artifact-to-dev: | ||
| name: Validate & upload S3 artifact to dev | ||
| runs-on: ubuntu-22.04 | ||
| needs: sonar-scan |
There was a problem hiding this comment.
I don't believe our route to live should be blocked by a Sonar main branch analysis scan. We check the quality gate has been met on our pull-request workflows.
sandymay-dd
force-pushed
the
DCMAW-11057
branch
from
e22659f to
911a814
Compare
| secrets: | ||
| GH_ACTIONS_ROLE_ARN: | ||
| required: true | ||
| TEST_IMAGE_REPOSITORY: | ||
| required: true | ||
| CONTAINER_SIGN_KMS_KEY: | ||
| required: true |
There was a problem hiding this comment.
These aren't strictly secrets; however, I had issues passing these through as inputs. I would prefer to keep these as secrets in this template, to help understand provenance and maintain consistency.
There was a problem hiding this comment.
Keeping them as secrets for the moment matches the other pipelines. I'm happy with this atm.
There was a problem hiding this comment.
to clarify: I had technical issues, not moral ones 😀
|
| COPY package.json package-lock.json / | ||
| RUN npm install --ignore-scripts | ||
|
|
||
| FROM node:iron-alpine AS final |
There was a problem hiding this comment.
I don't think there's any value of a multi-stage build given that we're copying all the node_modules over. Will remove. Thought this was saving space at the time (oops).
|
|
||
| stack_name=${1:-mob-sts-mock} | ||
|
|
||
| echo "Running test against ${stack_name}" |
There was a problem hiding this comment.
| echo "Running test against ${stack_name}" | |
| echo "Running tests against ${stack_name}" |
| # id: cosign-image | ||
| # run: | | ||
| # cosign sign --key awskms:///$BUILD_CONTAINER_SIGN_KMS_KEY $STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG | ||
| test-image-build: |
There was a problem hiding this comment.
this calls the reusable workflow job
| uses: | ||
| ./.github/workflows/shared-build-and-push-test-image.yml | ||
| with: | ||
| WORKING_DIRECTORY: sts-mock |
There was a problem hiding this comment.
will see if there's a way to avoid needing to pass this through
| docker build --tag testcontainer . | ||
|
|
||
| docker run --rm --interactive --tty \ | ||
| --user root \ |
There was a problem hiding this comment.
note to me: I think this is run as the root in the pipeline and we can't change that in ID Check.
| cosign-release: 'v1.9.0' | ||
|
|
||
| - name: Install SAM CLI | ||
| uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #v2 |
| version: 1.132.0 | ||
|
|
||
| - name: Install npm packages | ||
| run: npm install |
There was a problem hiding this comment.
could we just install --dev-dependencies
| version: 1.132.0 | ||
|
|
||
| - name: Install npm packages | ||
| run: npm install |
There was a problem hiding this comment.
npm clean-install (alias for npm ci)
| FROM node:iron-alpine AS builder | ||
|
|
||
| COPY package.json package-lock.json / | ||
| RUN npm install --ignore-scripts |
What changed
Containerises the API test suite and updates the STS mock push-to-main.yml action to build/tag/publish the test image to Dev and Build.
Why did it change
This partially implements the Testing step in the Secure Pipeline methodology, whereby automated tests are run and are used to determine whether to promote the application to the next environment. The other part of the implementation will be done in the https://github.com/govuk-one-login/mobile-id-check-async-infra repository (updating the secure pipeline and test image repository Cloudformation stacks).
This is a mock asset that isn't promoted to Production; however, it is still good to run these tests so that we are alerted in case there are issues in Dev or Build that we need to address.
This also introduces a new pattern for the team - Github reusable workflows (https://docs.github.com/en/actions/sharing-automations/reusing-workflows). The intent here is to create re-usable abstracted assets helping with maintainability and improves speed of adoption for new applications. This has only been done for functionality that builds/pushes/tags the docker image used in the test containers (AWS CodeBuild)
Testing
Action successfully runs for the Dev environment. It fails for Build due to IAM policy restrictions (only the
mainbranch can push assets to Build`; this is expected.run-tests-locally.sh passes, when run against the
mob-sts-mockstackChecklists