From dc49f1a2b88f75d3f01bbbe7cfd2a1732a18804d Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Wed, 15 Jan 2025 13:03:12 +0000 Subject: [PATCH 01/20] DCMAW-11057: Push STS test image to dev and build --- .../shared-build-and-push-test-image.yml | 74 ++++++++++++ .github/workflows/sts-mock-push-to-main.yml | 112 ++++-------------- 2 files changed, 94 insertions(+), 92 deletions(-) create mode 100644 .github/workflows/shared-build-and-push-test-image.yml diff --git a/.github/workflows/shared-build-and-push-test-image.yml b/.github/workflows/shared-build-and-push-test-image.yml new file mode 100644 index 000000000..d760f7211 --- /dev/null +++ b/.github/workflows/shared-build-and-push-test-image.yml 
@@ -0,0 +1,74 @@ +name: Build, Sign, Push and Tag test image + +on: + workflow_call: + inputs: + WORKING_DIRECTORY: + required: true + type: string + GH_ACTIONS_ROLE_ARN: + required: true + type: string + TEST_IMAGE_REPOSITORY: + required: true + type: string + CONTAINER_SIGN_KMS_KEY: + required: true + type: string + +jobs: + build-and-push: + name: build-and-push + runs-on: ubuntu-24.04 + env: + IMAGE_TAG: latest + defaults: + run: + shell: bash + working-directory: ${{ inputs.WORKING_DIRECTORY }} + steps: + - name: Check out repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + submodules: true + fetch-depth: 0 + + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 + with: + node-version-file: '.nvmrc' + + - name: Install Cosign + uses: sigstore/cosign-installer@9a4cfe1aae777984c07ce373d97a65428bbff734 #v2.4.1 + with: + cosign-release: 'v1.9.0' + + - name: Install SAM CLI + uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #v2 + with: + use-installer: true + version: 1.132.0 + + - name: Install npm packages + run: npm install + + - name: Authenticate with AWS + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2 + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }} + + - name: Login to AWS ECR + uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 #v2.0.1 + + - name: Build image + run: | + docker build -t ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG . + + - name: Push image + run: | + docker push ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG + + - name: Sign image + run: | + cosign sign --key awskms:///${{ secrets.CONTAINER_SIGN_KMS_KEY }} ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index ab9e0fe8b..cba561d1b 100644 
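Review bot: The `Sign image` step signs by tag, so cosign resolves `:latest` to whatever digest the registry holds at signing time rather than the digest this job just pushed; because `IMAGE_TAG: latest` is mutable, a push that lands between `Push image` and `Sign image` would get this job's signature. Capturing the digest after the push and signing `${{ secrets.TEST_IMAGE_REPOSITORY }}@sha256:<digest>` ties the signature to the artifact that was actually built. Separately, `Install SAM CLI` installs a tool that no step in this workflow runs, and `npm install` would normally be `npm ci` in CI so the lockfile is honoured. The `${{ secrets.* }}` expressions spliced directly into the three `run:` scripts here (and again in the patch 04 and patch 07 hunks that rewrite the same steps) would be cleaner read from `env:` variables, so the values never become part of the generated script text.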
--- a/.github/workflows/sts-mock-push-to-main.yml
+++ b/.github/workflows/sts-mock-push-to-main.yml
@@ -51,56 +51,20 @@ jobs: with: projectBaseDir: sts-mock - # build-and-push-test-image-to-dev: - # name: Build and push test image to Dev - # needs: sts-mock-tests-and-sonar-scan - # runs-on: ubuntu-22.04 - # env: - # STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} - # DEV_CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} - # IMAGE_TAG: latest - # defaults: - # run: - # shell: bash - # working-directory: sts-mock - # steps: - # - name: Check out repository code - # uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main - # with: - # submodules: true - # fetch-depth: 0 - - # - name: Build test image - # run: | - # docker build -t $STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG . - - # - name: Configure AWS credentials for DEV - # uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main - # with: - # aws-region: eu-west-2 - # role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} - - # - name: Login to Amazon ECR DEV - # uses: aws-actions/amazon-ecr-login@a81a5945e74802f35ca53aa274a9e00436e6210e #main - - # - name: Push image to DEV - # run: | - # docker push $STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG - - # - name: Install Cosign - # uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 #main - # with: - # cosign-release: 'v1.9.0' - - # - name: Code sign the Docker image - # id: cosign-image - # run: | - # cosign sign --key awskms:///$DEV_CONTAINER_SIGN_KMS_KEY $STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG + test-image-dev: + name: build and push test image to dev + uses: + ./.github/workflows/shared-build-and-push-test-image.yml + with: + WORKING_DIRECTORY: sts-mock + GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} + TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} + CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} 
build-and-upload-sam-artifact-to-dev: name: Validate & upload S3 artifact to dev runs-on: ubuntu-22.04 - needs: sonar-scan + needs: test-image-dev defaults: run: shell: bash 
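Review bot: `build-and-upload-sam-artifact-to-dev` now needs only `test-image-dev`, and `test-image-dev` declares no `needs:` at all, so the test image is built, pushed to ECR and signed, and the SAM artifact uploaded, without waiting for `sonar-scan` — the commented-out job this replaces had `needs: sts-mock-tests-and-sonar-scan`. If the unit tests are meant to gate what reaches the dev account, add `needs: sonar-scan` to `test-image-dev`; the build-environment hunk at `@@ -147,56 +111,20 @@` has the same gap for `test-image-build`. The `uses:` value is also split over two lines as a multi-line plain scalar; `uses: ./.github/workflows/shared-build-and-push-test-image.yml` on one line reads more clearly.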
@@ -147,56 +111,20 @@ jobs: template-file: .aws-sam/build/template.yaml working-directory: sts-mock - # build-and-push-test-image-to-build: - # name: Build and push test image to Build - # needs: sts-mock-tests-and-sonar-scan - # runs-on: ubuntu-22.04 - # env: - # STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} - # BUILD_CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} - # IMAGE_TAG: latest - # defaults: - # run: - # shell: bash - # working-directory: sts-mock - # steps: - # - name: Check out repository code - # uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main - # with: - # submodules: true - # fetch-depth: 0 - - # - name: Build test image - # run: | - # docker build -t $STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG . - - # - name: Configure AWS credentials for BUILD - # uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main - # with: - # aws-region: eu-west-2 - # role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} - - # - name: Login to Amazon ECR BUILD - # uses: aws-actions/amazon-ecr-login@a81a5945e74802f35ca53aa274a9e00436e6210e #main - - # - name: Push image to BUILD - # run: | - # docker push $STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG - - # - name: Install Cosign - # uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 #main - # with: - # cosign-release: 'v1.9.0' - - # - name: Code sign the Docker image - # id: cosign-image - # run: | - # cosign sign --key awskms:///$BUILD_CONTAINER_SIGN_KMS_KEY $STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG + test-image-build: + name: build and push test image to build + uses: + ./.github/workflows/shared-build-and-push-test-image.yml + with: + WORKING_DIRECTORY: sts-mock + GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} + TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} + 
CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} build-and-upload-sam-artifact-to-build: name: Validate & upload S3 artifact to Build runs-on: ubuntu-22.04 - needs: sonar-scan + needs: test-image-build defaults: run: shell: bash From f0bf11e4b61d932bab6f62854a7f398d2b7549a8 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Wed, 15 Jan 2025 18:05:58 +0000 Subject: [PATCH 02/20] DCMAW-11057: Use nvmrc for Node version --- .github/workflows/sts-mock-push-to-main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index cba561d1b..1f58dea9d 100644 --- a/.github/workflows/sts-mock-push-to-main.yml +++ b/.github/workflows/sts-mock-push-to-main.yml @@ -75,10 +75,10 @@ jobs: with: submodules: true - - name: Setup nodeJS v20 - uses: actions/setup-node@v4 + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 with: - node-version: 20 + node-version-file: '.nvmrc' cache: npm cache-dependency-path: sts-mock/package-lock.json @@ -135,10 +135,10 @@ jobs: with: submodules: true - - name: Setup nodeJS v20 - uses: actions/setup-node@v4 + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 with: - node-version: 20 + node-version-file: '.nvmrc' cache: npm cache-dependency-path: sts-mock/package-lock.json From f031718f945d36409020141a0ea2691bc0bcf183 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Wed, 15 Jan 2025 18:18:02 +0000 Subject: [PATCH 03/20] DCMAW-11057: move directory to env parameter --- .github/workflows/sts-mock-push-to-main.yml | 27 ++++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index 1f58dea9d..4a2949bad 100644 
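Review bot: `node-version-file: '.nvmrc'` in both `Setup Node` steps is resolved by `actions/setup-node` against the repository root, not against the job's `working-directory: sts-mock`, so if `.nvmrc` lives under `sts-mock/` (as patch 10's change to the shared workflow suggests) the step will not find it. `node-version-file: sts-mock/.nvmrc` would match the `cache-dependency-path: sts-mock/package-lock.json` on the following line. Both hunks of this commit need the same change.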
--- a/.github/workflows/sts-mock-push-to-main.yml +++ b/.github/workflows/sts-mock-push-to-main.yml @@ -10,6 +10,9 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: +env: + APPLICATION-DIRECTORY: sts-mock + permissions: contents: read id-token: write @@ -21,7 +24,7 @@ jobs: defaults: run: shell: bash - working-directory: sts-mock + working-directory: $APPLICATION-DIRECTORY steps: - name: Check out repository code uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main @@ -34,7 +37,7 @@ jobs: with: node-version: 20 cache: npm - cache-dependency-path: sts-mock/package-lock.json + cache-dependency-path: $APPLICATION-DIRECTORY/package-lock.json - name: Install dependencies run: npm install @@ -49,14 +52,14 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: - projectBaseDir: sts-mock + projectBaseDir: $APPLICATION-DIRECTORY test-image-dev: name: build and push test image to dev uses: ./.github/workflows/shared-build-and-push-test-image.yml with: - WORKING_DIRECTORY: sts-mock + WORKING_DIRECTORY: $APPLICATION-DIRECTORY GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} @@ -68,7 +71,7 @@ jobs: defaults: run: shell: bash - working-directory: sts-mock + working-directory: $APPLICATION-DIRECTORY steps: - name: Check out repository code uses: actions/checkout@v4 @@ -80,7 +83,7 @@ jobs: with: node-version-file: '.nvmrc' cache: npm - cache-dependency-path: sts-mock/package-lock.json + cache-dependency-path: $APPLICATION-DIRECTORY/package-lock.json - name: Setup SAM CLI uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main 
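Review bot: `$APPLICATION-DIRECTORY` in `working-directory`, `cache-dependency-path`, `projectBaseDir` and the reusable-workflow `with:` block is never expanded: GitHub only hands `$VAR` references to the shell inside `run:` scripts, and these are workflow-level fields that receive the literal string. A variable name containing `-` is also not a valid shell identifier, so even a `run:` step could not read it. The value has to be referenced as an expression, e.g. `working-directory: ${{ env.APPLICATION_DIRECTORY }}` with the key renamed, which is what patches 05 and 06 of this series go on to do; the same applies to every hunk of this commit.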
@@ -109,14 +112,14 @@ jobs: artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} template-file: .aws-sam/build/template.yaml - working-directory: sts-mock + working-directory: $APPLICATION-DIRECTORY - test-image-build: + test-image-build: name: build and push test image to build uses: ./.github/workflows/shared-build-and-push-test-image.yml with: - WORKING_DIRECTORY: sts-mock + WORKING_DIRECTORY: $APPLICATION-DIRECTORY GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} @@ -128,7 +131,7 @@ jobs: defaults: run: shell: bash - working-directory: sts-mock + working-directory: $APPLICATION-DIRECTORY steps: - name: Check out repository code uses: actions/checkout@v4 @@ -140,7 +143,7 @@ jobs: with: node-version-file: '.nvmrc' cache: npm - cache-dependency-path: sts-mock/package-lock.json + cache-dependency-path: $APPLICATION-DIRECTORY/package-lock.json - name: Setup SAM CLI uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main @@ -169,4 +172,4 @@ jobs: artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} template-file: .aws-sam/build/template.yaml - working-directory: sts-mock \ No newline at end of file + working-directory: $APPLICATION-DIRECTORY \ No newline at end of file From 1e85802576146cfdfd160c03f0419a04752006f5 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Wed, 15 Jan 2025 18:23:05 +0000 Subject: [PATCH 04/20] DCMAW-11057: move from secrets to inputs --- .github/workflows/shared-build-and-push-test-image.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/shared-build-and-push-test-image.yml b/.github/workflows/shared-build-and-push-test-image.yml index d760f7211..ce4f20dd5 100644 --- a/.github/workflows/shared-build-and-push-test-image.yml +++ b/.github/workflows/shared-build-and-push-test-image.yml @@ -56,19 +56,19 @@ jobs: uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2 with: aws-region: eu-west-2 - role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }} + role-to-assume: ${{ inputs.GH_ACTIONS_ROLE_ARN }} - name: Login to AWS ECR uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 #v2.0.1 - name: Build image run: | - docker build -t ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG . + docker build -t ${{ inputs.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG . - name: Push image run: | - docker push ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG + docker push ${{ inputs.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG - name: Sign image run: | - cosign sign --key awskms:///${{ secrets.CONTAINER_SIGN_KMS_KEY }} ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG + cosign sign --key awskms:///${{ inputs.CONTAINER_SIGN_KMS_KEY }} ${{ inputs.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG From e1db5a3ec967b80add9f7219d2da0e325f3bc790 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Wed, 15 Jan 2025 18:34:21 +0000 Subject: [PATCH 05/20] DCMAW-10057: env fix --- .github/workflows/sts-mock-push-to-main.yml | 24 ++++++++++----------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index 4a2949bad..35002b7df 100644 --- a/.github/workflows/sts-mock-push-to-main.yml +++ b/.github/workflows/sts-mock-push-to-main.yml @@ -11,7 +11,7 @@ on: workflow_dispatch: env: - APPLICATION-DIRECTORY: sts-mock + APPLICATION_DIRECTORY: sts-mock permissions: contents: read 
@@ -24,7 +24,7 @@ jobs: defaults: run: shell: bash - working-directory: $APPLICATION-DIRECTORY + working-directory: ${{ env.APPLICATION_DIRECTORY }} steps: - name: Check out repository code uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main @@ -37,7 +37,7 @@ jobs: with: node-version: 20 cache: npm - cache-dependency-path: $APPLICATION-DIRECTORY/package-lock.json + cache-dependency-path: ${{ env.APPLICATION_DIRECTORY }}/package-lock.json - name: Install dependencies run: npm install @@ -52,14 +52,14 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: - projectBaseDir: $APPLICATION-DIRECTORY + projectBaseDir: ${{ env.APPLICATION_DIRECTORY }} test-image-dev: name: build and push test image to dev uses: ./.github/workflows/shared-build-and-push-test-image.yml with: - WORKING_DIRECTORY: $APPLICATION-DIRECTORY + WORKING_DIRECTORY: ${{ env.APPLICATION_DIRECTORY }} GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} @@ -71,7 +71,7 @@ jobs: defaults: run: shell: bash - working-directory: $APPLICATION-DIRECTORY + working-directory: ${{ env.APPLICATION_DIRECTORY }} steps: - name: Check out repository code uses: actions/checkout@v4 @@ -83,7 +83,7 @@ jobs: with: node-version-file: '.nvmrc' cache: npm - cache-dependency-path: $APPLICATION-DIRECTORY/package-lock.json + cache-dependency-path: ${{ env.APPLICATION_DIRECTORY }}/package-lock.json - name: Setup SAM CLI uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main 
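Review bot: `WORKING_DIRECTORY: ${{ env.APPLICATION_DIRECTORY }}` in the `test-image-dev` call (and the `test-image-build` call in `@@ -112,14 +112,14 @@`) reads the `env` context from `jobs.<job_id>.with`, and as far as I can tell from GitHub's context-availability rules `env` is not offered there, so the reusable workflow would receive an empty working directory. `${{ env.* }}` is fine in `defaults.run.working-directory` and in step-level `with:` inputs, so the other hunks of this commit are unaffected. Either pass the literal path in the `with:` block or promote the value to a repository variable and use `${{ vars.APPLICATION_DIRECTORY }}`, which is available in that position.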
@@ -112,14 +112,14 @@ jobs: artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} template-file: .aws-sam/build/template.yaml - working-directory: $APPLICATION-DIRECTORY + working-directory: ${{ env.APPLICATION_DIRECTORY }} test-image-build: name: build and push test image to build uses: ./.github/workflows/shared-build-and-push-test-image.yml with: - WORKING_DIRECTORY: $APPLICATION-DIRECTORY + WORKING_DIRECTORY: ${{ env.APPLICATION_DIRECTORY }} GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} @@ -131,7 +131,7 @@ jobs: defaults: run: shell: bash - working-directory: $APPLICATION-DIRECTORY + working-directory: ${{ env.APPLICATION_DIRECTORY }} steps: - name: Check out repository code uses: actions/checkout@v4 @@ -143,7 +143,7 @@ jobs: with: node-version-file: '.nvmrc' cache: npm - cache-dependency-path: $APPLICATION-DIRECTORY/package-lock.json + cache-dependency-path: ${{ env.APPLICATION_DIRECTORY }}/package-lock.json - name: Setup SAM CLI uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main @@ -172,4 +172,4 @@ jobs: artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} template-file: .aws-sam/build/template.yaml - working-directory: $APPLICATION-DIRECTORY \ No newline at end of file + working-directory: ${{ env.APPLICATION_DIRECTORY }} \ No newline at end of file From b81efa7b2a1accb249cc2a46818d0e3e2dbc12e4 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Wed, 15 Jan 2025 18:45:36 +0000 Subject: [PATCH 06/20] DCMAW-11057: fix working directory --- .github/workflows/sts-mock-push-to-main.yml | 36 ++++++++------------- 1 file changed, 13 insertions(+), 23 deletions(-) 
diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index 35002b7df..16e5c7fa1 100644 --- a/.github/workflows/sts-mock-push-to-main.yml +++ b/.github/workflows/sts-mock-push-to-main.yml @@ -10,21 +10,19 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -env: - APPLICATION_DIRECTORY: sts-mock - permissions: contents: read id-token: write +defaults: + run: + shell: bash + working-directory: sts-mock + jobs: sonar-scan: name: Run tests and Sonar scan runs-on: ubuntu-22.04 - defaults: - run: - shell: bash - working-directory: ${{ env.APPLICATION_DIRECTORY }} steps: - name: Check out repository code uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main @@ -37,7 +35,7 @@ jobs: with: node-version: 20 cache: npm - cache-dependency-path: ${{ env.APPLICATION_DIRECTORY }}/package-lock.json + cache-dependency-path: sts-mock/package-lock.json - name: Install dependencies run: npm install @@ -52,14 +50,14 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: - projectBaseDir: ${{ env.APPLICATION_DIRECTORY }} + projectBaseDir: sts-mock test-image-dev: name: build and push test image to dev uses: ./.github/workflows/shared-build-and-push-test-image.yml with: - WORKING_DIRECTORY: ${{ env.APPLICATION_DIRECTORY }} + WORKING_DIRECTORY: sts-mock GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} @@ -68,10 +66,6 @@ jobs: name: Validate & upload S3 artifact to dev runs-on: ubuntu-22.04 needs: test-image-dev - defaults: - run: - shell: bash - working-directory: ${{ env.APPLICATION_DIRECTORY }} steps: - name: Check out repository code uses: actions/checkout@v4 
@@ -83,7 +77,7 @@ jobs: with: node-version-file: '.nvmrc' cache: npm - cache-dependency-path: ${{ env.APPLICATION_DIRECTORY }}/package-lock.json + cache-dependency-path: sts-mock/package-lock.json - name: Setup SAM CLI uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main @@ -112,14 +106,14 @@ jobs: artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} template-file: .aws-sam/build/template.yaml - working-directory: ${{ env.APPLICATION_DIRECTORY }} + working-directory: sts-mock test-image-build: name: build and push test image to build uses: ./.github/workflows/shared-build-and-push-test-image.yml with: - WORKING_DIRECTORY: ${{ env.APPLICATION_DIRECTORY }} + WORKING_DIRECTORY: sts-mock GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} @@ -128,10 +122,6 @@ jobs: name: Validate & upload S3 artifact to Build runs-on: ubuntu-22.04 needs: test-image-build - defaults: - run: - shell: bash - working-directory: ${{ env.APPLICATION_DIRECTORY }} steps: - name: Check out repository code uses: actions/checkout@v4 @@ -143,7 +133,7 @@ jobs: with: node-version-file: '.nvmrc' cache: npm - cache-dependency-path: ${{ env.APPLICATION_DIRECTORY }}/package-lock.json + cache-dependency-path: sts-mock/package-lock.json - name: Setup SAM CLI uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main @@ -172,4 +162,4 @@ jobs: artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} template-file: .aws-sam/build/template.yaml - working-directory: ${{ env.APPLICATION_DIRECTORY }} \ No newline at end of file + working-directory: sts-mock \ No newline at end of file From f36a7d352fce05a5612fd84ee59e0c295e14f18b Mon Sep 17 00:00:00 2001 
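Review bot: The file still ends without a trailing newline (`\ No newline at end of file` on both sides of `@@ -172,4 +162,4 @@`), which this commit touches but leaves; terminating `working-directory: sts-mock` with a newline removes the marker from every future diff of this file. Otherwise the move of `defaults.run` to the top level is equivalent to the per-job blocks it replaces, but a top-level `defaults` block is not inherited by the called reusable workflow, so the explicit `WORKING_DIRECTORY: sts-mock` inputs remain necessary and should stay.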
From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Wed, 15 Jan 2025 19:00:06 +0000 Subject: [PATCH 07/20] DCMAW-11057: try secrets --- .../workflows/shared-build-and-push-test-image.yml | 12 +++++------- .github/workflows/sts-mock-push-to-main.yml | 2 ++ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/shared-build-and-push-test-image.yml b/.github/workflows/shared-build-and-push-test-image.yml index ce4f20dd5..56ed84980 100644 --- a/.github/workflows/shared-build-and-push-test-image.yml +++ b/.github/workflows/shared-build-and-push-test-image.yml @@ -6,15 +6,13 @@ on: WORKING_DIRECTORY: required: true type: string + secrets: GH_ACTIONS_ROLE_ARN: required: true - type: string TEST_IMAGE_REPOSITORY: required: true - type: string CONTAINER_SIGN_KMS_KEY: required: true - type: string jobs: build-and-push: @@ -56,19 +54,19 @@ jobs: uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2 with: aws-region: eu-west-2 - role-to-assume: ${{ inputs.GH_ACTIONS_ROLE_ARN }} + role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }} - name: Login to AWS ECR uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 #v2.0.1 - name: Build image run: | - docker build -t ${{ inputs.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG . + docker build -t ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG . - name: Push image run: | - docker push ${{ inputs.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG + docker push ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG - name: Sign image run: | - cosign sign --key awskms:///${{ inputs.CONTAINER_SIGN_KMS_KEY }} ${{ inputs.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG + cosign sign --key awskms:///${{ secrets.CONTAINER_SIGN_KMS_KEY }} ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index 16e5c7fa1..7d870bbd3 100644 --- a/.github/workflows/sts-mock-push-to-main.yml 
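Review bot: `TEST_IMAGE_REPOSITORY` is declared as a `workflow_call` secret although an ECR repository URI is an identifier rather than a credential; every occurrence of a secret's value — including the image reference printed by `docker build`, `docker push` and `cosign sign` — is masked as `***` in the job log, which makes a failed push or signature hard to diagnose. If the URI is not sensitive, a `vars` entry or the `inputs` declaration this commit removes fits better; the role ARN and KMS key ARN can stay as secrets if the team prefers not to publish them.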
+++ b/.github/workflows/sts-mock-push-to-main.yml @@ -58,6 +58,7 @@ jobs: ./.github/workflows/shared-build-and-push-test-image.yml with: WORKING_DIRECTORY: sts-mock + secrets: GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} @@ -114,6 +115,7 @@ jobs: ./.github/workflows/shared-build-and-push-test-image.yml with: WORKING_DIRECTORY: sts-mock + secrets: GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} From f8d1cd9c293a579a98e82f8a9393fd5ac272c195 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Wed, 15 Jan 2025 19:03:15 +0000 Subject: [PATCH 08/20] DCMAW-11057: fix cosign ref --- .github/workflows/shared-build-and-push-test-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shared-build-and-push-test-image.yml b/.github/workflows/shared-build-and-push-test-image.yml index 56ed84980..d2f6168c1 100644 --- a/.github/workflows/shared-build-and-push-test-image.yml +++ b/.github/workflows/shared-build-and-push-test-image.yml @@ -37,7 +37,7 @@ jobs: node-version-file: '.nvmrc' - name: Install Cosign - uses: sigstore/cosign-installer@9a4cfe1aae777984c07ce373d97a65428bbff734 #v2.4.1 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0 with: cosign-release: 'v1.9.0' From 80b3a594c0712799554d7748075b1fe53ed7eeda Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Wed, 15 Jan 2025 19:04:01 +0000 Subject: [PATCH 09/20] DCMAW-11057: uncomment for testing --- .github/workflows/sts-mock-push-to-main.yml | 242 ++++++++++---------- 1 file changed, 121 insertions(+), 121 deletions(-) 
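Review bot: The installer action is bumped to v3.7.0 but `cosign-release: 'v1.9.0'` still pins a cosign binary from the 1.x line, which upstream has since superseded by 2.x, so the signing tool itself receives no fixes while the installer does. Moving needs a check of the `Sign image` step's `cosign sign --key awskms:///…` invocation against the 2.x CLI (its tag-signing behaviour changed), but that is better done in the same change as the installer bump than left for later.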
diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml
index 7d870bbd3..7c774c98d 100644
--- a/.github/workflows/sts-mock-push-to-main.yml
+++ b/.github/workflows/sts-mock-push-to-main.yml
@@ -20,37 +20,37 @@ defaults: working-directory: sts-mock jobs: - sonar-scan: - name: Run tests and Sonar scan - runs-on: ubuntu-22.04 - steps: - - name: Check out repository code - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main - with: - submodules: true - fetch-depth: 0 - - - name: Setup nodeJS v20 - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace #main - with: - node-version: 20 - cache: npm - cache-dependency-path: sts-mock/package-lock.json - - - name: Install dependencies - run: npm install - - # Generate test coverage report for Sonar main branch analysis - - name: Run Tests - run: npm run test:unit - - - name: Run SonarCloud Scan - uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - with: - projectBaseDir: sts-mock + # sonar-scan: + # name: Run tests and Sonar scan + # runs-on: ubuntu-22.04 + # steps: + # - name: Check out repository code + # uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main + # with: + # submodules: true + # fetch-depth: 0 + + # - name: Setup nodeJS v20 + # uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace #main + # with: + # node-version: 20 + # cache: npm + # cache-dependency-path: sts-mock/package-lock.json + + # - name: Install dependencies + # run: npm install + + # # Generate test coverage report for Sonar main branch analysis + # - name: Run Tests + # run: npm run test:unit + + # - name: Run SonarCloud Scan + # uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + # with: + # projectBaseDir: sts-mock test-image-dev: name: build and push test image to dev 
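Review bot: This commit comments out `sonar-scan` (and, in `@@ -63,51 +63,51 @@` and `@@ -120,48 +120,48 @@`, the two SAM validate/build/upload jobs) in the push-to-main workflow, so on every push to main the only jobs left running are `test-image-dev` and `test-image-build`, which push and sign images with no test gate; the subject line says "uncomment" while the hunks do the opposite. If this is a temporary measure for exercising the new reusable workflow, it should be reverted before the series is merged, or the experiment moved to a `workflow_dispatch`-only workflow; only the first ten patches of the series are visible here, so it may already be reverted later.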
@@ -63,51 +63,51 @@ jobs: TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} - build-and-upload-sam-artifact-to-dev: - name: Validate & upload S3 artifact to dev - runs-on: ubuntu-22.04 - needs: test-image-dev - steps: - - name: Check out repository code - uses: actions/checkout@v4 - with: - submodules: true - - - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version-file: '.nvmrc' - cache: npm - cache-dependency-path: sts-mock/package-lock.json - - - name: Setup SAM CLI - uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main - with: - use-installer: true - version: 1.123.0 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main - with: - aws-region: eu-west-2 - role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} - - - name: Sam Validate - run: | - echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV - sam validate --lint - - - name: Sam Build - run: | - sam build --cached - - - name: Upload SAM artifact into the DEV artifact bucket - uses: govuk-one-login/devplatform-upload-action@v3.9.2 - with: - artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} - signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} - template-file: .aws-sam/build/template.yaml - working-directory: sts-mock + # build-and-upload-sam-artifact-to-dev: + # name: Validate & upload S3 artifact to dev + # runs-on: ubuntu-22.04 + # needs: test-image-dev + # steps: + # - name: Check out repository code + # uses: actions/checkout@v4 + # with: + # submodules: true + + # - name: Setup Node + # uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 + # with: + # node-version-file: '.nvmrc' + # cache: npm + # cache-dependency-path: sts-mock/package-lock.json + + # - name: Setup SAM CLI + # uses: 
aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main + # with: + # use-installer: true + # version: 1.123.0 + + # - name: Configure AWS credentials + # uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main + # with: + # aws-region: eu-west-2 + # role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} + + # - name: Sam Validate + # run: | + # echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV + # sam validate --lint + + # - name: Sam Build + # run: | + # sam build --cached + + # - name: Upload SAM artifact into the DEV artifact bucket + # uses: govuk-one-login/devplatform-upload-action@v3.9.2 + # with: + # artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} + # signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} + # template-file: .aws-sam/build/template.yaml + # working-directory: sts-mock test-image-build: name: build and push test image to build 
@@ -120,48 +120,48 @@ jobs: TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} - build-and-upload-sam-artifact-to-build: - name: Validate & upload S3 artifact to Build - runs-on: ubuntu-22.04 - needs: test-image-build - steps: - - name: Check out repository code - uses: actions/checkout@v4 - with: - submodules: true - - - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version-file: '.nvmrc' - cache: npm - cache-dependency-path: sts-mock/package-lock.json - - - name: Setup SAM CLI - uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main - with: - use-installer: true - version: 1.123.0 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main - with: - aws-region: eu-west-2 - role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} - - - name: Sam Validate - run: | - echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV - sam validate --lint - - - name: Sam Build - run: | - sam build --cached - - - name: Upload SAM artifact into the BUILD artifact bucket - uses: govuk-one-login/devplatform-upload-action@v3.9.2 - with: - artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} - signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} - template-file: .aws-sam/build/template.yaml - working-directory: sts-mock \ No newline at end of file + # build-and-upload-sam-artifact-to-build: + # name: Validate & upload S3 artifact to Build + # runs-on: ubuntu-22.04 + # needs: test-image-build + # steps: + # - name: Check out repository code + # uses: actions/checkout@v4 + # with: + # submodules: true + + # - name: Setup Node + # uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 + # with: + # node-version-file: '.nvmrc' + # cache: npm + # cache-dependency-path: sts-mock/package-lock.json + + # - 
name: Setup SAM CLI + # uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main + # with: + # use-installer: true + # version: 1.123.0 + + # - name: Configure AWS credentials + # uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main + # with: + # aws-region: eu-west-2 + # role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} + + # - name: Sam Validate + # run: | + # echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV + # sam validate --lint + + # - name: Sam Build + # run: | + # sam build --cached + + # - name: Upload SAM artifact into the BUILD artifact bucket + # uses: govuk-one-login/devplatform-upload-action@v3.9.2 + # with: + # artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} + # signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} + # template-file: .aws-sam/build/template.yaml + # working-directory: sts-mock \ No newline at end of file From 911a81443064e1832b10ece3e12f8fcde85484b9 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Wed, 15 Jan 2025 19:06:34 +0000 Subject: [PATCH 10/20] DCMAW-11057: fix nvmrc dir --- .github/workflows/shared-build-and-push-test-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shared-build-and-push-test-image.yml b/.github/workflows/shared-build-and-push-test-image.yml index d2f6168c1..3c06db020 100644 --- a/.github/workflows/shared-build-and-push-test-image.yml +++ b/.github/workflows/shared-build-and-push-test-image.yml @@ -34,7 +34,7 @@ jobs: - name: Setup Node uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 with: - node-version-file: '.nvmrc' + node-version-file: ${{ inputs.WORKING_DIRECTORY }}/.nvmrc - name: Install Cosign uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0 From b5a94f726393aa068184eba4194e5e02f72b16e5 Mon Sep 17 00:00:00 2001 
From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Thu, 16 Jan 2025 13:33:45 +0000 Subject: [PATCH 11/20] DCMAW-11057: add containerised test suite --- sts-mock/Dockerfile | 23 +++++++++++++++++++++++ sts-mock/run-tests-locally.sh | 35 +++++++++++++++++++++++++++++++++++ sts-mock/run-tests.sh | 17 +++++++++++++++++ 3 files changed, 75 insertions(+) create mode 100644 sts-mock/Dockerfile create mode 100755 sts-mock/run-tests-locally.sh create mode 100644 sts-mock/run-tests.sh diff --git a/sts-mock/Dockerfile b/sts-mock/Dockerfile new file mode 100644 index 000000000..d07fbac31 --- /dev/null +++ b/sts-mock/Dockerfile @@ -0,0 +1,23 @@ +FROM node:iron-alpine AS builder + +COPY package.json package-lock.json / +RUN npm install --ignore-scripts + +FROM node:iron-alpine AS final + +RUN adduser --disabled-password test +RUN chown test . + +RUN apk upgrade && apk update; apk add --no-cache bash aws-cli && aws --version + +COPY --from=builder package.json sts-mock/ +COPY --from=builder node_modules sts-mock/node_modules + +COPY tests/ sts-mock/tests/ +COPY jest.config.ts tsconfig.json sts-mock/ + +COPY run-tests.sh / +RUN chmod 005 /run-tests.sh +USER test + +ENTRYPOINT ["/run-tests.sh"] diff --git a/sts-mock/run-tests-locally.sh b/sts-mock/run-tests-locally.sh new file mode 100755 index 000000000..1b9e0e78a --- /dev/null +++ b/sts-mock/run-tests-locally.sh 
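Review bot: `RUN chown test .` runs before any `WORKDIR` is set, so `.` is `/` and the command hands ownership of the image's root directory to the `test` user rather than of the application directory; the `COPY ... sts-mock/` layers that follow are root-owned, so `test` presumably still cannot write a `results` directory under `/sts-mock`, which may be why `run-tests-locally.sh` ends up running the container as root. Scope it to what the tests need, e.g. `COPY --chown=test:test tests/ sts-mock/tests/` or `RUN chown -R test:test /sts-mock` after the copies; the same ordering survives the later `@@ -1,20 +1,17 @@` Dockerfile cleanup. In `RUN apk upgrade && apk update; apk add --no-cache bash aws-cli && aws --version` the `;` discards a failed upgrade/update and `apk upgrade` runs against whatever index the base image shipped with; `RUN apk update && apk upgrade && apk add --no-cache bash aws-cli` is the usual order. `node:iron-alpine` is also a floating tag while every action in the workflows is SHA-pinned, so the test image is not reproducible from the Dockerfile alone; pinning a digest (`node:iron-alpine@sha256:<digest>`) closes that gap.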
@@ -0,0 +1,35 @@ +#!/bin/bash +set -eu + +stack_name=${1:-mob-sts-mock} + +echo "Running test against ${stack_name}" + +rm -rf docker-vars.env + +export AWS_DEFAULT_REGION="eu-west-2" +TEST_REPORT_DIR="results" +ENVIRONMENT="dev" + +aws cloudformation describe-stacks \ + --stack-name "$stack_name" \ + --query 'Stacks[0].Outputs[].{key: OutputKey, value: OutputValue}' \ + --output text >cf-output.txt + +eval $(awk '{ printf("export CFN_%s=\"%s\"\n", $1, $2) }' cf-output.txt) +awk '{ printf("CFN_%s=\"%s\"\n", $1, $2) }' cf-output.txt >>docker-vars.env + +{ + echo TEST_REPORT_DIR="$TEST_REPORT_DIR" + echo TEST_REPORT_ABSOLUTE_DIR="/results" + echo TEST_ENVIRONMENT="$ENVIRONMENT" + echo SAM_STACK_NAME="$stack_name" +} >>docker-vars.env + +docker build --tag testcontainer . + +docker run --rm --interactive --tty \ + --user root \ + --env-file docker-vars.env \ + --volume "$(pwd):/results" \ + testcontainer diff --git a/sts-mock/run-tests.sh b/sts-mock/run-tests.sh new file mode 100644 index 000000000..e53464ceb --- /dev/null +++ b/sts-mock/run-tests.sh @@ -0,0 +1,17 @@ +#!/bin/bash +set -eu + +cd /sts-mock + +remove_quotes() { + echo "$1" | tr -d '"' +} + +export STS_MOCK_API_URL=$(remove_quotes "$CFN_StsMockApiUrl") + +if npm run test:api; then + cp -rf results "$TEST_REPORT_ABSOLUTE_DIR" +else + cp -rf results "$TEST_REPORT_ABSOLUTE_DIR" + exit 1 +fi From 1b11f75e0d4f2075f44eeac0c6970206d2bf161d Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Thu, 16 Jan 2025 16:26:48 +0000 Subject: [PATCH 12/20] DCMAW-11057: re-enable the rest of the workflow post testing --- .github/workflows/sts-mock-push-to-main.yml | 242 ++++++++++---------- 1 file changed, 121 insertions(+), 121 deletions(-) diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index 7c774c98d..7d870bbd3 100644 --- a/.github/workflows/sts-mock-push-to-main.yml +++ b/.github/workflows/sts-mock-push-to-main.yml 
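Review bot: `eval $(awk '{ printf("export CFN_%s=\"%s\"\n", $1, $2) }' cf-output.txt)` evaluates CloudFormation output values as shell code on the host, yet nothing later in the script reads the exported `CFN_*` variables — the container receives them through `docker-vars.env` — so the line can simply be dropped; as written, an output value containing `"`, `$` or a backtick is expanded or breaks the script at that point. `--output text` is whitespace-separated, so `$2` silently truncates any output value that contains a space; presumably none does today, but a comment saying so (or `--query` with a tab-safe format) would stop the next person from being surprised. `docker run --user root` overrides the `USER test` the Dockerfile sets up, so the API tests never actually run as the unprivileged user; if the override is only there to make the `/results` mount writable, `--user "$(id -u):$(id -g)"` with a host-side `mkdir -p results` keeps the privilege drop. `rm -rf docker-vars.env` on a single file should be `rm -f docker-vars.env`.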
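Review bot: The `if npm run test:api` / `else` branches duplicate `cp -rf results "$TEST_REPORT_ABSOLUTE_DIR"` and only differ in the exit status; capturing the status and copying once reads more clearly and cannot drift: `npm run test:api || status=$?`, then `cp -rf results "$TEST_REPORT_ABSOLUTE_DIR"`, then `exit "${status:-0}"`. The `remove_quotes` helper deserves a comment explaining why it exists, since the reason lives in the other script — something like `# docker-vars.env writes values as CFN_X="..." and docker --env-file keeps the quotes literally`. `export STS_MOCK_API_URL=$(...)` also masks the helper's exit status (ShellCheck SC2155); assign first, then export.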
@@ -20,37 +20,37 @@ defaults: working-directory: sts-mock jobs: - # sonar-scan: - # name: Run tests and Sonar scan - # runs-on: ubuntu-22.04 - # steps: - # - name: Check out repository code - # uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main - # with: - # submodules: true - # fetch-depth: 0 - - # - name: Setup nodeJS v20 - # uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace #main - # with: - # node-version: 20 - # cache: npm - # cache-dependency-path: sts-mock/package-lock.json - - # - name: Install dependencies - # run: npm install - - # # Generate test coverage report for Sonar main branch analysis - # - name: Run Tests - # run: npm run test:unit - - # - name: Run SonarCloud Scan - # uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - # with: - # projectBaseDir: sts-mock + sonar-scan: + name: Run tests and Sonar scan + runs-on: ubuntu-22.04 + steps: + - name: Check out repository code + uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main + with: + submodules: true + fetch-depth: 0 + + - name: Setup nodeJS v20 + uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace #main + with: + node-version: 20 + cache: npm + cache-dependency-path: sts-mock/package-lock.json + + - name: Install dependencies + run: npm install + + # Generate test coverage report for Sonar main branch analysis + - name: Run Tests + run: npm run test:unit + + - name: Run SonarCloud Scan + uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + projectBaseDir: sts-mock test-image-dev: name: build and push test image to dev 
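Review bot: `run: npm install` in the reinstated `Install dependencies` step resolves against package.json and can rewrite the very lockfile that `cache-dependency-path: sts-mock/package-lock.json` uses as the cache key; `npm ci` installs exactly what the lockfile pins and fails loudly on drift, which is what you want before a Sonar main-branch analysis (the Dockerfile in this series already moves to `npm clean-install`). The same step comes back unchanged in the later `@@ -20,37 +20,37 @@` hunk of the "undo testing changes" patch. The `#main` annotations next to the SHA-pinned `actions/checkout` and `actions/setup-node` refs also say nothing about which release each SHA corresponds to; the shared workflow in this series annotates with the tag (`#v4.1.0`), which is far easier to audit later.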
@@ -63,51 +63,51 @@ jobs: TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} - # build-and-upload-sam-artifact-to-dev: - # name: Validate & upload S3 artifact to dev - # runs-on: ubuntu-22.04 - # needs: test-image-dev - # steps: - # - name: Check out repository code - # uses: actions/checkout@v4 - # with: - # submodules: true - - # - name: Setup Node - # uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - # with: - # node-version-file: '.nvmrc' - # cache: npm - # cache-dependency-path: sts-mock/package-lock.json - - # - name: Setup SAM CLI - # uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main - # with: - # use-installer: true - # version: 1.123.0 - - # - name: Configure AWS credentials - # uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main - # with: - # aws-region: eu-west-2 - # role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} - - # - name: Sam Validate - # run: | - # echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV - # sam validate --lint - - # - name: Sam Build - # run: | - # sam build --cached - - # - name: Upload SAM artifact into the DEV artifact bucket - # uses: govuk-one-login/devplatform-upload-action@v3.9.2 - # with: - # artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} - # signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} - # template-file: .aws-sam/build/template.yaml - # working-directory: sts-mock + build-and-upload-sam-artifact-to-dev: + name: Validate & upload S3 artifact to dev + runs-on: ubuntu-22.04 + needs: test-image-dev + steps: + - name: Check out repository code + uses: actions/checkout@v4 + with: + submodules: true + + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 + with: + node-version-file: '.nvmrc' + cache: npm + cache-dependency-path: sts-mock/package-lock.json + + - name: 
Setup SAM CLI + uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main + with: + use-installer: true + version: 1.123.0 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} + + - name: Sam Validate + run: | + echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV + sam validate --lint + + - name: Sam Build + run: | + sam build --cached + + - name: Upload SAM artifact into the DEV artifact bucket + uses: govuk-one-login/devplatform-upload-action@v3.9.2 + with: + artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} + signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} + template-file: .aws-sam/build/template.yaml + working-directory: sts-mock test-image-build: name: build and push test image to build 
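Review bot: `node-version-file: '.nvmrc'` in the `Setup Node` step is resolved by the action relative to the workspace root, not to the `defaults.run.working-directory: sts-mock` shown in the previous hunk's context (that default only applies to `run` steps), so if `.nvmrc` lives under `sts-mock/` — which the earlier "fix nvmrc dir" patch to the shared workflow suggests — this step is reading the wrong path or failing; `node-version-file: sts-mock/.nvmrc` matches the `cache-dependency-path: sts-mock/package-lock.json` form two lines below. The job also mixes mutable refs (`actions/checkout@v4`, `govuk-one-login/devplatform-upload-action@v3.9.2`) with the SHA-pinned actions used elsewhere in this file; pinning to a commit SHA with the tag in a trailing comment is the convention the rest of the workflow follows. Both points apply equally to the `@@ -120,48 +120,48 @@` hunk for the build environment.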
@@ -120,48 +120,48 @@ jobs: TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} - # build-and-upload-sam-artifact-to-build: - # name: Validate & upload S3 artifact to Build - # runs-on: ubuntu-22.04 - # needs: test-image-build - # steps: - # - name: Check out repository code - # uses: actions/checkout@v4 - # with: - # submodules: true - - # - name: Setup Node - # uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - # with: - # node-version-file: '.nvmrc' - # cache: npm - # cache-dependency-path: sts-mock/package-lock.json - - # - name: Setup SAM CLI - # uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main - # with: - # use-installer: true - # version: 1.123.0 - - # - name: Configure AWS credentials - # uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main - # with: - # aws-region: eu-west-2 - # role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} - - # - name: Sam Validate - # run: | - # echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV - # sam validate --lint - - # - name: Sam Build - # run: | - # sam build --cached - - # - name: Upload SAM artifact into the BUILD artifact bucket - # uses: govuk-one-login/devplatform-upload-action@v3.9.2 - # with: - # artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} - # signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} - # template-file: .aws-sam/build/template.yaml - # working-directory: sts-mock \ No newline at end of file + build-and-upload-sam-artifact-to-build: + name: Validate & upload S3 artifact to Build + runs-on: ubuntu-22.04 + needs: test-image-build + steps: + - name: Check out repository code + uses: actions/checkout@v4 + with: + submodules: true + + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 + with: + node-version-file: '.nvmrc' + cache: npm + 
cache-dependency-path: sts-mock/package-lock.json + + - name: Setup SAM CLI + uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main + with: + use-installer: true + version: 1.123.0 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} + + - name: Sam Validate + run: | + echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV + sam validate --lint + + - name: Sam Build + run: | + sam build --cached + + - name: Upload SAM artifact into the BUILD artifact bucket + uses: govuk-one-login/devplatform-upload-action@v3.9.2 + with: + artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} + signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} + template-file: .aws-sam/build/template.yaml + working-directory: sts-mock \ No newline at end of file From 2af04baa8605ece48827960a3f3313e0d83f8715 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Mon, 20 Jan 2025 20:34:46 +0000 Subject: [PATCH 13/20] DCMAW-11057: rename workflow file --- ...-push-test-image.yml => job-build-and-push-test-image.yml} | 0 .github/workflows/sts-mock-push-to-main.yml | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename .github/workflows/{shared-build-and-push-test-image.yml => job-build-and-push-test-image.yml} (100%) diff --git a/.github/workflows/shared-build-and-push-test-image.yml b/.github/workflows/job-build-and-push-test-image.yml similarity index 100% rename from .github/workflows/shared-build-and-push-test-image.yml rename to .github/workflows/job-build-and-push-test-image.yml diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index 7d870bbd3..0161a6aee 100644 --- a/.github/workflows/sts-mock-push-to-main.yml +++ b/.github/workflows/sts-mock-push-to-main.yml 
@@ -55,7 +55,7 @@ jobs: test-image-dev: name: build and push test image to dev uses: - ./.github/workflows/shared-build-and-push-test-image.yml + ./.github/workflows/job-build-and-push-test-image.yml with: WORKING_DIRECTORY: sts-mock secrets: @@ -112,7 +112,7 @@ jobs: test-image-build: name: build and push test image to build uses: - ./.github/workflows/shared-build-and-push-test-image.yml + ./.github/workflows/job-build-and-push-test-image.yml with: WORKING_DIRECTORY: sts-mock secrets: From c5937f7bf6777ee7e5bdada6e2e15fdd3020bd41 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Mon, 20 Jan 2025 20:37:29 +0000 Subject: [PATCH 14/20] DCMAW-11057: remove unneeded steps --- .github/workflows/job-build-and-push-test-image.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.github/workflows/job-build-and-push-test-image.yml b/.github/workflows/job-build-and-push-test-image.yml index 3c06db020..9708608ba 100644 --- a/.github/workflows/job-build-and-push-test-image.yml +++ b/.github/workflows/job-build-and-push-test-image.yml @@ -41,15 +41,6 @@ jobs: with: cosign-release: 'v1.9.0' - - name: Install SAM CLI - uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #v2 - with: - use-installer: true - version: 1.132.0 - - - name: Install npm packages - run: npm install - - name: Authenticate with AWS uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2 with: From 460d12cb3082eed15ee46c7f59b6697763a2ec20 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Mon, 20 Jan 2025 20:51:45 +0000 Subject: [PATCH 15/20] DCMAW-11057: clean up dockerfile --- sts-mock/Dockerfile | 17 +++++++---------- sts-mock/run-tests.sh | 2 -- 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/sts-mock/Dockerfile b/sts-mock/Dockerfile index d07fbac31..80e1c17c1 100644 --- a/sts-mock/Dockerfile +++ b/sts-mock/Dockerfile 
@@ -1,20 +1,17 @@ -FROM node:iron-alpine AS builder - -COPY package.json package-lock.json / -RUN npm install --ignore-scripts - -FROM node:iron-alpine AS final +FROM node:iron-alpine RUN adduser --disabled-password test RUN chown test . RUN apk upgrade && apk update; apk add --no-cache bash aws-cli && aws --version -COPY --from=builder package.json sts-mock/ -COPY --from=builder node_modules sts-mock/node_modules +WORKDIR /sts-mock + +COPY package.json package-lock.json ./ +RUN npm clean-install --no-scripts -COPY tests/ sts-mock/tests/ -COPY jest.config.ts tsconfig.json sts-mock/ +COPY tests/ ./tests/ +COPY jest.config.ts tsconfig.json ./ COPY run-tests.sh / RUN chmod 005 /run-tests.sh diff --git a/sts-mock/run-tests.sh b/sts-mock/run-tests.sh index e53464ceb..e2c2f5e95 100644 --- a/sts-mock/run-tests.sh +++ b/sts-mock/run-tests.sh @@ -1,8 +1,6 @@ #!/bin/bash set -eu -cd /sts-mock - remove_quotes() { echo "$1" | tr -d '"' } From 6b334112e1e874728b488e086eb3ddd1dcf48507 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Mon, 20 Jan 2025 20:52:44 +0000 Subject: [PATCH 16/20] DCMAW-11057: testing --- .github/workflows/sts-mock-push-to-main.yml | 266 ++++++++++---------- 1 file changed, 133 insertions(+), 133 deletions(-) diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index 0161a6aee..824c2be43 100644 --- a/.github/workflows/sts-mock-push-to-main.yml +++ b/.github/workflows/sts-mock-push-to-main.yml 
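Review bot: `RUN npm clean-install --no-scripts` replaces the `--ignore-scripts` the removed builder stage used; `--ignore-scripts` is the documented npm option for suppressing lifecycle scripts and I cannot find `--no-scripts` among npm's config options, so unless this npm version accepts it as an alias, dependency install/postinstall scripts will run during the image build. Check the build log for the unknown-config warning, or restore `--ignore-scripts`. `RUN chown test .` also still precedes the new `WORKDIR /sts-mock`, so it continues to chown `/` rather than the application directory that `test` actually needs to write to.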
@@ -20,37 +20,37 @@ defaults: working-directory: sts-mock jobs: - sonar-scan: - name: Run tests and Sonar scan - runs-on: ubuntu-22.04 - steps: - - name: Check out repository code - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main - with: - submodules: true - fetch-depth: 0 - - - name: Setup nodeJS v20 - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace #main - with: - node-version: 20 - cache: npm - cache-dependency-path: sts-mock/package-lock.json - - - name: Install dependencies - run: npm install - - # Generate test coverage report for Sonar main branch analysis - - name: Run Tests - run: npm run test:unit - - - name: Run SonarCloud Scan - uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - with: - projectBaseDir: sts-mock + # sonar-scan: + # name: Run tests and Sonar scan + # runs-on: ubuntu-22.04 + # steps: + # - name: Check out repository code + # uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main + # with: + # submodules: true + # fetch-depth: 0 + + # - name: Setup nodeJS v20 + # uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace #main + # with: + # node-version: 20 + # cache: npm + # cache-dependency-path: sts-mock/package-lock.json + + # - name: Install dependencies + # run: npm install + + # # Generate test coverage report for Sonar main branch analysis + # - name: Run Tests + # run: npm run test:unit + + # - name: Run SonarCloud Scan + # uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + # with: + # projectBaseDir: sts-mock test-image-dev: name: build and push test image to dev 
@@ -63,105 +63,105 @@ jobs: TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} - build-and-upload-sam-artifact-to-dev: - name: Validate & upload S3 artifact to dev - runs-on: ubuntu-22.04 - needs: test-image-dev - steps: - - name: Check out repository code - uses: actions/checkout@v4 - with: - submodules: true - - - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version-file: '.nvmrc' - cache: npm - cache-dependency-path: sts-mock/package-lock.json - - - name: Setup SAM CLI - uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main - with: - use-installer: true - version: 1.123.0 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main - with: - aws-region: eu-west-2 - role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} - - - name: Sam Validate - run: | - echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV - sam validate --lint - - - name: Sam Build - run: | - sam build --cached - - - name: Upload SAM artifact into the DEV artifact bucket - uses: govuk-one-login/devplatform-upload-action@v3.9.2 - with: - artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} - signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} - template-file: .aws-sam/build/template.yaml - working-directory: sts-mock - - test-image-build: - name: build and push test image to build - uses: - ./.github/workflows/job-build-and-push-test-image.yml - with: - WORKING_DIRECTORY: sts-mock - secrets: - GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} - TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} - CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} - - build-and-upload-sam-artifact-to-build: - name: Validate & upload S3 artifact to Build - runs-on: ubuntu-22.04 - needs: 
test-image-build - steps: - - name: Check out repository code - uses: actions/checkout@v4 - with: - submodules: true - - - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version-file: '.nvmrc' - cache: npm - cache-dependency-path: sts-mock/package-lock.json - - - name: Setup SAM CLI - uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main - with: - use-installer: true - version: 1.123.0 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main - with: - aws-region: eu-west-2 - role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} - - - name: Sam Validate - run: | - echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV - sam validate --lint - - - name: Sam Build - run: | - sam build --cached - - - name: Upload SAM artifact into the BUILD artifact bucket - uses: govuk-one-login/devplatform-upload-action@v3.9.2 - with: - artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} - signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} - template-file: .aws-sam/build/template.yaml - working-directory: sts-mock \ No newline at end of file + # build-and-upload-sam-artifact-to-dev: + # name: Validate & upload S3 artifact to dev + # runs-on: ubuntu-22.04 + # needs: test-image-dev + # steps: + # - name: Check out repository code + # uses: actions/checkout@v4 + # with: + # submodules: true + + # - name: Setup Node + # uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 + # with: + # node-version-file: '.nvmrc' + # cache: npm + # cache-dependency-path: sts-mock/package-lock.json + + # - name: Setup SAM CLI + # uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main + # with: + # use-installer: true + # version: 1.123.0 + + # - name: Configure AWS credentials + # uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main + # with: + # 
aws-region: eu-west-2 + # role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} + + # - name: Sam Validate + # run: | + # echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV + # sam validate --lint + + # - name: Sam Build + # run: | + # sam build --cached + + # - name: Upload SAM artifact into the DEV artifact bucket + # uses: govuk-one-login/devplatform-upload-action@v3.9.2 + # with: + # artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} + # signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} + # template-file: .aws-sam/build/template.yaml + # working-directory: sts-mock + + # test-image-build: + # name: build and push test image to build + # uses: + # ./.github/workflows/job-build-and-push-test-image.yml + # with: + # WORKING_DIRECTORY: sts-mock + # secrets: + # GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} + # TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} + # CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} + + # build-and-upload-sam-artifact-to-build: + # name: Validate & upload S3 artifact to Build + # runs-on: ubuntu-22.04 + # needs: test-image-build + # steps: + # - name: Check out repository code + # uses: actions/checkout@v4 + # with: + # submodules: true + + # - name: Setup Node + # uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 + # with: + # node-version-file: '.nvmrc' + # cache: npm + # cache-dependency-path: sts-mock/package-lock.json + + # - name: Setup SAM CLI + # uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main + # with: + # use-installer: true + # version: 1.123.0 + + # - name: Configure AWS credentials + # uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main + # with: + # aws-region: eu-west-2 + # role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} + + # - name: Sam Validate + # run: | + # echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV + # sam 
validate --lint + + # - name: Sam Build + # run: | + # sam build --cached + + # - name: Upload SAM artifact into the BUILD artifact bucket + # uses: govuk-one-login/devplatform-upload-action@v3.9.2 + # with: + # artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} + # signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} + # template-file: .aws-sam/build/template.yaml + # working-directory: sts-mock \ No newline at end of file From 6374ffe1e7a68716cc6196d024a1eb1775ddd65a Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Mon, 20 Jan 2025 20:56:36 +0000 Subject: [PATCH 17/20] DCMAW-11057: remove node setup --- .github/workflows/job-build-and-push-test-image.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/job-build-and-push-test-image.yml b/.github/workflows/job-build-and-push-test-image.yml index 9708608ba..fe9a0248d 100644 --- a/.github/workflows/job-build-and-push-test-image.yml +++ b/.github/workflows/job-build-and-push-test-image.yml @@ -31,11 +31,6 @@ jobs: submodules: true fetch-depth: 0 - - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version-file: ${{ inputs.WORKING_DIRECTORY }}/.nvmrc - - name: Install Cosign uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0 with: From cc027f73db7e0eed816d3377268ca01f35a53c64 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Mon, 20 Jan 2025 21:00:13 +0000 Subject: [PATCH 18/20] DCMAW-11057: undo testing changes --- .github/workflows/sts-mock-push-to-main.yml | 266 ++++++++++---------- 1 file changed, 133 insertions(+), 133 deletions(-) diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index 824c2be43..0161a6aee 100644 --- a/.github/workflows/sts-mock-push-to-main.yml +++ b/.github/workflows/sts-mock-push-to-main.yml 
@@ -20,37 +20,37 @@ defaults: working-directory: sts-mock jobs: - # sonar-scan: - # name: Run tests and Sonar scan - # runs-on: ubuntu-22.04 - # steps: - # - name: Check out repository code - # uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main - # with: - # submodules: true - # fetch-depth: 0 - - # - name: Setup nodeJS v20 - # uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace #main - # with: - # node-version: 20 - # cache: npm - # cache-dependency-path: sts-mock/package-lock.json - - # - name: Install dependencies - # run: npm install - - # # Generate test coverage report for Sonar main branch analysis - # - name: Run Tests - # run: npm run test:unit - - # - name: Run SonarCloud Scan - # uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - # with: - # projectBaseDir: sts-mock + sonar-scan: + name: Run tests and Sonar scan + runs-on: ubuntu-22.04 + steps: + - name: Check out repository code + uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main + with: + submodules: true + fetch-depth: 0 + + - name: Setup nodeJS v20 + uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace #main + with: + node-version: 20 + cache: npm + cache-dependency-path: sts-mock/package-lock.json + + - name: Install dependencies + run: npm install + + # Generate test coverage report for Sonar main branch analysis + - name: Run Tests + run: npm run test:unit + + - name: Run SonarCloud Scan + uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + projectBaseDir: sts-mock test-image-dev: name: build and push test image to dev 
@@ -63,105 +63,105 @@ jobs: TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} - # build-and-upload-sam-artifact-to-dev: - # name: Validate & upload S3 artifact to dev - # runs-on: ubuntu-22.04 - # needs: test-image-dev - # steps: - # - name: Check out repository code - # uses: actions/checkout@v4 - # with: - # submodules: true - - # - name: Setup Node - # uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - # with: - # node-version-file: '.nvmrc' - # cache: npm - # cache-dependency-path: sts-mock/package-lock.json - - # - name: Setup SAM CLI - # uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main - # with: - # use-installer: true - # version: 1.123.0 - - # - name: Configure AWS credentials - # uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main - # with: - # aws-region: eu-west-2 - # role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} - - # - name: Sam Validate - # run: | - # echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV - # sam validate --lint - - # - name: Sam Build - # run: | - # sam build --cached - - # - name: Upload SAM artifact into the DEV artifact bucket - # uses: govuk-one-login/devplatform-upload-action@v3.9.2 - # with: - # artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} - # signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} - # template-file: .aws-sam/build/template.yaml - # working-directory: sts-mock - - # test-image-build: - # name: build and push test image to build - # uses: - # ./.github/workflows/job-build-and-push-test-image.yml - # with: - # WORKING_DIRECTORY: sts-mock - # secrets: - # GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} - # TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} - # CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} - - # 
build-and-upload-sam-artifact-to-build: - # name: Validate & upload S3 artifact to Build - # runs-on: ubuntu-22.04 - # needs: test-image-build - # steps: - # - name: Check out repository code - # uses: actions/checkout@v4 - # with: - # submodules: true - - # - name: Setup Node - # uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - # with: - # node-version-file: '.nvmrc' - # cache: npm - # cache-dependency-path: sts-mock/package-lock.json - - # - name: Setup SAM CLI - # uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main - # with: - # use-installer: true - # version: 1.123.0 - - # - name: Configure AWS credentials - # uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main - # with: - # aws-region: eu-west-2 - # role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} - - # - name: Sam Validate - # run: | - # echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV - # sam validate --lint - - # - name: Sam Build - # run: | - # sam build --cached - - # - name: Upload SAM artifact into the BUILD artifact bucket - # uses: govuk-one-login/devplatform-upload-action@v3.9.2 - # with: - # artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} - # signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} - # template-file: .aws-sam/build/template.yaml - # working-directory: sts-mock \ No newline at end of file + build-and-upload-sam-artifact-to-dev: + name: Validate & upload S3 artifact to dev + runs-on: ubuntu-22.04 + needs: test-image-dev + steps: + - name: Check out repository code + uses: actions/checkout@v4 + with: + submodules: true + + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 + with: + node-version-file: '.nvmrc' + cache: npm + cache-dependency-path: sts-mock/package-lock.json + + - name: Setup SAM CLI + uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main + with: + use-installer: true + version: 
1.123.0 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} + + - name: Sam Validate + run: | + echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV + sam validate --lint + + - name: Sam Build + run: | + sam build --cached + + - name: Upload SAM artifact into the DEV artifact bucket + uses: govuk-one-login/devplatform-upload-action@v3.9.2 + with: + artifact-bucket-name: ${{ secrets.STS_MOCK_DEV_ARTIFACT_BUCKET }} + signing-profile-name: ${{ secrets.DEV_SIGNING_PROFILE_NAME }} + template-file: .aws-sam/build/template.yaml + working-directory: sts-mock + + test-image-build: + name: build and push test image to build + uses: + ./.github/workflows/job-build-and-push-test-image.yml + with: + WORKING_DIRECTORY: sts-mock + secrets: + GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} + TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} + CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} + + build-and-upload-sam-artifact-to-build: + name: Validate & upload S3 artifact to Build + runs-on: ubuntu-22.04 + needs: test-image-build + steps: + - name: Check out repository code + uses: actions/checkout@v4 + with: + submodules: true + + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 + with: + node-version-file: '.nvmrc' + cache: npm + cache-dependency-path: sts-mock/package-lock.json + + - name: Setup SAM CLI + uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #main + with: + use-installer: true + version: 1.123.0 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} + + - name: Sam Validate + run: | + echo 
"SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV + sam validate --lint + + - name: Sam Build + run: | + sam build --cached + + - name: Upload SAM artifact into the BUILD artifact bucket + uses: govuk-one-login/devplatform-upload-action@v3.9.2 + with: + artifact-bucket-name: ${{ secrets.STS_MOCK_BUILD_ARTIFACT_BUCKET }} + signing-profile-name: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }} + template-file: .aws-sam/build/template.yaml + working-directory: sts-mock \ No newline at end of file From b577597746361fd3f518056670c58256ce75d8df Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Mon, 20 Jan 2025 21:01:17 +0000 Subject: [PATCH 19/20] DCMAW-11057: grammar --- sts-mock/run-tests-locally.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sts-mock/run-tests-locally.sh b/sts-mock/run-tests-locally.sh index 1b9e0e78a..67f9c2358 100755 --- a/sts-mock/run-tests-locally.sh +++ b/sts-mock/run-tests-locally.sh @@ -3,7 +3,7 @@ set -eu stack_name=${1:-mob-sts-mock} -echo "Running test against ${stack_name}" +echo "Running tests against ${stack_name}" rm -rf docker-vars.env From c3eacd626b59498a350817096f27acd8121aad47 Mon Sep 17 00:00:00 2001 From: Sandy May <51717217+sandymay-dd@users.noreply.github.com> Date: Fri, 24 Jan 2025 09:26:48 +0000 Subject: [PATCH 20/20] DCMAW-11057: update ECR secret name to include URI --- .github/workflows/job-build-and-push-test-image.yml | 8 ++++---- .github/workflows/sts-mock-push-to-main.yml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/job-build-and-push-test-image.yml b/.github/workflows/job-build-and-push-test-image.yml index fe9a0248d..f56d33626 100644 --- a/.github/workflows/job-build-and-push-test-image.yml +++ b/.github/workflows/job-build-and-push-test-image.yml @@ -9,7 +9,7 @@ on: secrets: GH_ACTIONS_ROLE_ARN: required: true - TEST_IMAGE_REPOSITORY: + TEST_IMAGE_REPOSITOR_URI: required: true CONTAINER_SIGN_KMS_KEY: required: true 
@@ -47,12 +47,12 @@ jobs: - name: Build image run: | - docker build -t ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG . + docker build -t ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}:$IMAGE_TAG . - name: Push image run: | - docker push ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG + docker push ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}:$IMAGE_TAG - name: Sign image run: | - cosign sign --key awskms:///${{ secrets.CONTAINER_SIGN_KMS_KEY }} ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG + cosign sign --key awskms:///${{ secrets.CONTAINER_SIGN_KMS_KEY }} ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}:$IMAGE_TAG diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml index 0161a6aee..7a5591659 100644 --- a/.github/workflows/sts-mock-push-to-main.yml +++ b/.github/workflows/sts-mock-push-to-main.yml @@ -60,7 +60,7 @@ jobs: WORKING_DIRECTORY: sts-mock secrets: GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }} - TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} + TEST_IMAGE_REPOSITOR_URI: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }} build-and-upload-sam-artifact-to-dev: @@ -117,7 +117,7 @@ jobs: WORKING_DIRECTORY: sts-mock secrets: GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }} - TEST_IMAGE_REPOSITORY: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} + TEST_IMAGE_REPOSITOR_URI: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }} CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }} build-and-upload-sam-artifact-to-build:
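Review bot: The Build, Push and Sign steps expand `${{ secrets.TEST_IMAGE_REPOSITOR_URI }}` and `${{ secrets.CONTAINER_SIGN_KMS_KEY }}` inside `run:` text, so the secret values are substituted into the script before bash parses it and any shell-significant character in them changes the command; the job already uses the safer pattern for `IMAGE_TAG` (an `env:` entry referenced as `$IMAGE_TAG`). Pass the two secrets through `env:` as well and quote the expansions, as below. Separately, `cosign sign` is given `<repo>:$IMAGE_TAG`, so what gets signed is whatever the tag resolves to at that moment rather than the digest just pushed; resolving the digest from the pushed image (for example via `docker inspect --format '{{index .RepoDigests 0}}'`) and signing that removes the gap between push and sign. The job's `env:` block and the enclosing `steps:` list begin outside this hunk.
```yaml
      - name: Build image
        env:
          IMAGE_REPOSITORY_URI: ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}
        run: |
          docker build -t "$IMAGE_REPOSITORY_URI:$IMAGE_TAG" .

      - name: Push image
        env:
          IMAGE_REPOSITORY_URI: ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}
        run: |
          docker push "$IMAGE_REPOSITORY_URI:$IMAGE_TAG"

      - name: Sign image
        env:
          IMAGE_REPOSITORY_URI: ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}
          CONTAINER_SIGN_KMS_KEY: ${{ secrets.CONTAINER_SIGN_KMS_KEY }}
        run: |
          cosign sign --key "awskms:///$CONTAINER_SIGN_KMS_KEY" "$IMAGE_REPOSITORY_URI:$IMAGE_TAG"
```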