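---
# Reusable (workflow_call) pipeline for the Java services living under
# ./services/<service>: run the test suite, build the container image, generate
# an SBOM and vulnerability-scan it, publish to ECR when is_deployment is set,
# then hand off to the shared infrastructure deploy workflow.
#
# NOTE(review): every action and the cross-repository deploy-stack workflow are
# referenced by a mutable tag (@v6, @v0, @v3, ...). Pinning them to full commit
# SHAs (tag kept in a trailing comment) protects the OIDC role assumption and
# the inherited secrets from a retagged upstream. SHAs are deliberately not
# filled in here — they must be taken from the upstream repositories.
name: Base Java Services Build and Deploy

on:
  workflow_call:
    inputs:
      environment:
        description: "Target environment; also selects the GitHub environment whose secrets/vars are used"
        type: string
        default: dev
        required: true
      service:
        description: "Service directory under ./services/; also the ECR repository suffix"
        type: string
        required: true
      is_deployment:
        description: "Push the built image to ECR (false = build, scan and test only)"
        type: boolean
        default: false
        required: true
      requires_localstack:
        description: "Start the LocalStack compose stack before running tests"
        type: boolean
        default: false
      java_version:
        description: "Temurin JDK version to install"
        type: string
        default: "25"
        required: false
      image_prefix:
        description: "Prefix prepended to the service name to form the ECR repository"
        type: string
        default: "deductions/"
        required: false
      ecr_alias:
        description: "ECR Repository Alias"
        type: string
        required: false

# Workflow-wide ceiling. No step in run_tests or build_and_publish writes to
# pull requests; pull-requests: write is retained at this level only because
# deploy_infra (a nested reusable workflow) inherits it.
# TODO(review): confirm deploy-stack actually needs it, otherwise drop it.
permissions:
  pull-requests: write
  id-token: write
  contents: read

jobs:
  run_tests:
    name: Run Tests
    runs-on: ubuntu-latest
    # Least privilege: the tests only read the checkout and need no cloud identity.
    permissions:
      contents: read
    defaults:
      run:
        working-directory: "./services/${{ inputs.service }}"
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up JDK ${{ inputs.java_version }}
        uses: actions/setup-java@v5
        with:
          distribution: "temurin"
          java-version: "${{ inputs.java_version }}"
          cache: gradle
      - name: Run Localstack on Docker
        if: ${{ inputs.requires_localstack }}
        run: docker compose -f docker-compose.localstack-local.yaml up -d
      - name: Grant execute permission for gradlew
        run: chmod +x ./gradlew
      - name: Run All Tests
        run: ./tasks test_all

  build_and_publish:
    name: Build & Publish
    needs: [run_tests]
    runs-on: ubuntu-latest
    # Binding the job to the GitHub environment scopes IAM_ROLE / AWS_REGION and
    # any required reviewers to the target environment.
    environment: ${{ inputs.environment }}
    # id-token: write is needed only for the OIDC role assumption below.
    permissions:
      contents: read
      id-token: write
    env:
      # Shared by the build, SBOM, scan and publish steps so that exactly the
      # reference that was scanned is the one pushed. github.sha is immutable,
      # so the tag cannot be retargeted after the scan.
      REPOSITORY: ${{ inputs.image_prefix }}${{ inputs.service }}
      IMAGE_TAG: ${{ github.sha }}
    defaults:
      run:
        working-directory: "./services/${{ inputs.service }}"
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up JDK ${{ inputs.java_version }}
        uses: actions/setup-java@v5
        with:
          distribution: "temurin"
          java-version: "${{ inputs.java_version }}"
          cache: gradle
      - name: Configure AWS Credentials (Read/Write)
        uses: aws-actions/configure-aws-credentials@v6
        with:
          # Short-lived OIDC credentials; no long-lived keys are stored in GitHub.
          role-to-assume: ${{ secrets.IAM_ROLE }}
          aws-region: ${{ vars.AWS_REGION }}
          mask-aws-account-id: true
          role-skip-session-tagging: true
      - name: Login to Amazon ECR
        id: ecr-login
        uses: aws-actions/amazon-ecr-login@v2
      - name: Java Build
        run: ./tasks build
      - name: Docker Build and Tag
        env:
          REGISTRY: ${{ steps.ecr-login.outputs.registry }}
        run: |
          set -euo pipefail
          docker build -t "$REGISTRY/$REPOSITORY:$IMAGE_TAG" --build-arg BUILD_TAG="$IMAGE_TAG" .
      # SBOM generation and the scan run BEFORE the push so that a failing scan
      # (fail-build: true) blocks publication. Previously the image was pushed
      # first — a rejected image was already in ECR when the scan failed — and
      # the gate `environment == 'development'` never matched the default `dev`,
      # so by default no scan ran at all. The scan now runs on every build.
      # NOTE(review): assumes syft resolves the image reference from the local
      # Docker daemon before trying the registry — confirm on the first run.
      - name: Generate SBOM for Docker Image
        uses: anchore/sbom-action@v0
        with:
          image: ${{ steps.ecr-login.outputs.registry }}/${{ env.REPOSITORY }}:${{ env.IMAGE_TAG }}
          format: cyclonedx-json
          output-file: sbom-image-${{ github.event.repository.name }}--${{ github.sha }}.cdx.json
      - name: Scan SBOM for Docker Image
        uses: anchore/scan-action@v7
        with:
          sbom: sbom-image-${{ github.event.repository.name }}--${{ github.sha }}.cdx.json
          fail-build: true
          severity-cutoff: low
          only-fixed: true
          output-format: table
      - name: Docker Publish
        if: ${{ inputs.is_deployment }}
        env:
          REGISTRY: ${{ steps.ecr-login.outputs.registry }}
        run: |
          set -euo pipefail
          docker push "$REGISTRY/$REPOSITORY:$IMAGE_TAG"

  deploy_infra:
    name: Deploy Infrastructure
    needs: [build_and_publish]
    # NOTE(review): `secrets: inherit` forwards every secret available to this
    # workflow into a workflow in another repository that is pinned only by a
    # mutable tag. Prefer an explicit `secrets:` map and a commit SHA once the
    # set deploy-stack actually requires is known.
    uses: NHSDigital/orphaned-record-continuity-infrastructure/.github/workflows/deploy-stack.yml@v3
    with:
      stack: ${{ inputs.service }}
      environment: ${{ inputs.environment }}
      is_deployment: ${{ inputs.is_deployment }}
      ecr_alias: ${{ inputs.ecr_alias }}
      git_ref: refs/tags/v3
    secrets: inherit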