generated from ministryofjustice/template-repository
-
Notifications
You must be signed in to change notification settings - Fork 0
207 lines (178 loc) · 6.77 KB
/
oracle-observer-image-build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
name: "Oracle: AWS Image Build for Data Guard Observer"
on:
workflow_dispatch:
push:
branches:
- main
- "DBA-834"
paths:
- docker/oracle-observer/**
- .github/workflows/oracle-observer-image-build.yml
# Commented out while spiking this work out
# pull_request:
# branches:
# - main
# types: [opened, edited, reopened, synchronize]
# paths:
# - docker/delius-ansible-aws/**
# - .github/workflows/ansible-aws-image-build.yml
# Allow permissions on repository and docker image and OIDC token
permissions:
contents: read
packages: read
id-token: write
# We split the build into 2 jobs, one to download the Oracle client software
# and one to run the docker image build. This is because these require
# different runner contains - downloading the software requires an OIDC ID token
# to access the AWS S3 dependencies bucket, but this image cannot run
# Docker to build the image, so with start a new runner for this. The software
# is passed between the 2 jobs as a build artifact.
jobs:
download-client-software:
runs-on: ubuntu-latest
environment: delius-core-dev-preapproved
container:
image: ghcr.io/ministryofjustice/hmpps-delius-operational-automation:0.78.0
timeout-minutes: 1440
continue-on-error: false
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure AWS Credentials
id: login-aws
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}"
role-duration-seconds: 3600
aws-region: "eu-west-2"
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
role-session-name: "hmpps-delius-operational-automation-${{ github.run_number }}"
aws-region: "eu-west-2"
- name: Copy Oracle Client ZIP file from S3
run: |
aws s3 cp s3://mod-platform-image-artefact-bucket20230203091453221500000001/dependencies/oracle/rdbms/LINUX.X64_193000_client.zip /tmp/LINUX.X64_193000_client.zip
- name: Upload Oracle Client ZIP as Artifact for the Build
uses: actions/upload-artifact@v4
with:
name: oracle-client-zip
path: /tmp/LINUX.X64_193000_client.zip
build-observer-image:
runs-on: ubuntu-22.04
needs: download-client-software
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Download Oracle Client ZIP File
uses: actions/download-artifact@v4
with:
name: oracle-client-zip
path: ./docker/oracle-observer/LINUX.X64_193000_client.zip
- name: Set up Docker Buildx
id: setup_buildx
uses: docker/setup-buildx-action@v3
- name: Build and push to ghcr
id: build_publish
uses: docker/build-push-action@v6
with:
context: ./docker/oracle-observer
file: ./docker/oracle-observer/Dockerfile
platforms: linux/amd64
push: false
tags: delius-core-oracle-observer:${{ github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=max
outputs: type=docker,dest=/tmp/oracle-observer-image.tar
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: oracle-observer-image
path: /tmp/oracle-observer-image.tar
retention-days: 1
scan-observer-image:
name: Scan Image
needs: build-observer-image
permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: oracle-observer-image
path: /tmp
- name: Load image
run: |
docker load --input /tmp/oracle-observer-image.tar
# - name: Trivy scan
# uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
# with:
# format: 'sarif'
# severity: 'CRITICAL,HIGH'
# limit-severities-for-sarif: 'true'
# image-ref: 'hmpps-delius-operational-automation:${{ github.sha }}'
# exit-code: '1'
# scan-type: 'image'
# trivyignores: 'docker/oracle-observer/.trivyignore'
# ignore-unfixed: 'true'
# output: 'trivy-results.sarif'
# - name: Upload artifact
# uses: actions/upload-artifact@v4
# if: failure() # If Trivy found vulnerabilities
# with:
# name: trivy-file
# path: trivy-results.sarif
# retention-days: 1
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# if: failure() # If Trivy found vulnerabilities
# with:
# sarif_file: 'trivy-results.sarif'
publish-observer-image:
name: Publish image
needs: [build-observer-image, scan-observer-image]
permissions:
contents: read
packages: write
id-token: write
environment: delius-core-dev-preapproved
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/modernisation-platform-oidc-cicd"
role-session-name: "hmpps-delius-operational-automation-oracle-observer-${{ github.run_number }}"
aws-region: eu-west-2
- name: Download Artifact
uses: actions/download-artifact@v4
with:
name: oracle-observer-image
path: /tmp
- name: Load and retag image for publish
run: |
docker load --input /tmp/oracle-observer-image.tar
docker tag delius-core-oracle-observer:${{ github.sha }} 374269020027.dkr.ecr.eu-west-2.amazonaws.com/delius-core-oracle-observer:latest
- name: Login to ECR
run: aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin 374269020027.dkr.ecr.eu-west-2.amazonaws.com
- name: Publish image
run: docker push 374269020027.dkr.ecr.eu-west-2.amazonaws.com/delius-core-oracle-observer:latest