DCMAW-11057: Push STS test image to dev and build #338
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| name: Build, Sign, Push and Tag test image | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| WORKING_DIRECTORY: | ||
| required: true | ||
| type: string | ||
| secrets: | ||
| GH_ACTIONS_ROLE_ARN: | ||
| required: true | ||
| TEST_IMAGE_REPOSITORY: | ||
| required: true | ||
| CONTAINER_SIGN_KMS_KEY: | ||
| required: true | ||
|
Comment on lines
+9
to
+15
There was a problem hiding this comment. These aren't strictly secrets; however, I had issues passing these through as inputs. I would prefer to keep these as secrets in this template, to help understand provenance and maintain consistency. There was a problem hiding this comment. Keeping them as secrets for the moment matches the other pipelines. I'm happy with this atm. There was a problem hiding this comment. to clarify: I had technical issues, not moral ones 😀 |
||
|
|
||
| jobs: | ||
| build-and-push: | ||
| name: build-and-push | ||
| runs-on: ubuntu-24.04 | ||
|
There was a problem hiding this comment. Note this is a later version than what we use elsewhere (ubuntu-22) |
||
| env: | ||
| IMAGE_TAG: latest | ||
| defaults: | ||
| run: | ||
| shell: bash | ||
| working-directory: ${{ inputs.WORKING_DIRECTORY }} | ||
| steps: | ||
| - name: Check out repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 | ||
| with: | ||
| submodules: true | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Setup Node | ||
| uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 | ||
| with: | ||
| node-version-file: ${{ inputs.WORKING_DIRECTORY }}/.nvmrc | ||
|
|
||
| - name: Install Cosign | ||
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0 | ||
| with: | ||
| cosign-release: 'v1.9.0' | ||
|
|
||
| - name: Install SAM CLI | ||
| uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2 #v2 | ||
|
|
||
| with: | ||
| use-installer: true | ||
| version: 1.132.0 | ||
|
|
||
| - name: Install npm packages | ||
| run: npm install | ||
|
There was a problem hiding this comment. note: also enforces the use of npm. This is a programme standard now and is preferred to yarn. There was a problem hiding this comment. could we just install --dev-dependencies There was a problem hiding this comment. npm clean-install (alias for npm ci) |
||
|
|
||
| - name: Authenticate with AWS | ||
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2 | ||
| with: | ||
| aws-region: eu-west-2 | ||
| role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }} | ||
|
|
||
| - name: Login to AWS ECR | ||
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 #v2.0.1 | ||
|
|
||
| - name: Build image | ||
| run: | | ||
| docker build -t ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG . | ||
|
|
||
| - name: Push image | ||
| run: | | ||
| docker push ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG | ||
|
|
||
| - name: Sign image | ||
| run: | | ||
| cosign sign --key awskms:///${{ secrets.CONTAINER_SIGN_KMS_KEY }} ${{ secrets.TEST_IMAGE_REPOSITORY }}:$IMAGE_TAG | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
annoyingly - I don't think you can have sub-directories for workflows. Happy for naming suggestions to make this file stand out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A cheeky prefix?
_name.ymlor
action-${name}.yamlThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or potentially
job-{name}.yamlThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(ideas for tomorrow me)