base-python-service-jobs.yml
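name: Base Python Services Build and Deploy

# Reusable workflow for a Python service under ./services/<service>:
#   1. run the service's unit tests
#   2. build its Docker image, SBOM/scan it (development only), and on a
#      deployment run push it to the ECR repository looked up from SSM
#   3. hand off to the shared infrastructure deploy workflow
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      environment:
        description: "Target environment; also selects the GitHub environment for the build job"
        type: string
        default: dev
        # NOTE(review): with required: true the default is never applied —
        # either drop the default or make the input optional.
        required: true
      service:
        description: "Service directory name under ./services/"
        type: string
        required: true
      is_deployment:
        description: "Push the image and run the infrastructure deploy (false = build and test only)"
        type: boolean
        default: false
        required: true
      deploy_infra:
        description: "Run the infrastructure deploy job after a successful publish"
        type: boolean
        default: true
      ecr_alias:
        description: "ECR Repository Alias"
        type: string
        required: false

# Token scopes for the jobs below. In a reusable workflow these are capped by
# whatever the calling workflow grants, so keep them minimal.
permissions:
  # NOTE(review): no step in this file writes to pull requests — confirm a
  # caller depends on this scope before keeping it.
  pull-requests: write
  id-token: write  # required for OIDC federation in configure-aws-credentials
  contents: read

jobs:
  run_tests:
    name: Run Tests
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: "./services/${{ inputs.service }}"
    steps:
      # Actions here are pinned to major tags. For supply-chain hardening pin
      # each `uses:` to a full commit SHA (tag noted in a trailing comment) and
      # let Dependabot/Renovate move the pins.
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          # Quoted so the version is read as a string, not a float.
          python-version: "3.14"
      - name: Run Unit tests
        run: |
          ./tasks test_unit

  build-and-publish-service:
    name: Build and Publish Service Image
    environment: ${{ inputs.environment }}
    runs-on: ubuntu-latest
    needs: [run_tests]
    defaults:
      run:
        working-directory: "./services/${{ inputs.service }}"
    steps:
      - uses: actions/checkout@v6
      - name: Set up Python 3.14
        uses: actions/setup-python@v6
        with:
          python-version: "3.14"
      - name: Configure AWS credentials
        id: auth
        uses: aws-actions/configure-aws-credentials@v6
        with:
          mask-aws-account-id: true
          role-to-assume: ${{ secrets.IAM_ROLE }}
          role-skip-session-tagging: true
          aws-region: ${{ vars.AWS_REGION }}
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Get ECR repository URI from SSM
        id: ecr-repo
        # Expression values are passed through env rather than interpolated
        # into the script so they are never spliced into shell source.
        env:
          AWS_ENVIRONMENT: ${{ vars.AWS_ENVIRONMENT }}
          SERVICE: ${{ inputs.service }}
        run: |
          uri=$(aws ssm get-parameter \
            --name "/repo/$AWS_ENVIRONMENT/prm-deductions-ehr-repository/ecr/url/$SERVICE" \
            --query "Parameter.Value" --output text)
          echo "::add-mask::$uri"
          echo "uri=$uri" >> "$GITHUB_OUTPUT"
      - name: Build Docker Image
        env:
          ECR_URI: ${{ steps.ecr-repo.outputs.uri }}
          IMAGE_TAG: ${{ github.sha }}
          # The account id is masked by configure-aws-credentials; keep it out
          # of the script body and pass it via env.
          AWS_ACCOUNT_ID: ${{ steps.auth.outputs.aws-account-id }}
        run: |
          docker build -t "$ECR_URI:$IMAGE_TAG" \
            --build-arg IMAGE_TAG="$IMAGE_TAG" \
            --build-arg ENV="$AWS_ACCOUNT_ID" .
      # SBOM generation and the vulnerability scan run on the locally built
      # image BEFORE the push, so a failing scan (fail-build: true) stops the
      # image from reaching ECR instead of flagging it after publication.
      - name: Generate SBOM for Docker Image
        uses: anchore/sbom-action@v0
        # NOTE(review): the input default is `dev` but this gate (and the scan
        # below) only matches `development` — confirm the environment names
        # callers pass, otherwise the scan is silently skipped.
        if: ${{ inputs.environment == 'development' }}
        with:
          image: ${{ steps.ecr-repo.outputs.uri }}:${{ github.sha }}
          format: cyclonedx-json
          output-file: sbom-image-${{ github.event.repository.name }}--${{ github.sha }}.cdx.json
      - name: Scan SBOM for Docker Image
        uses: anchore/scan-action@v7
        if: ${{ inputs.environment == 'development' }}
        with:
          sbom: sbom-image-${{ github.event.repository.name }}--${{ github.sha }}.cdx.json
          fail-build: true
          severity-cutoff: low
          only-fixed: true
          output-format: table
      - name: Push Docker Image
        if: ${{ inputs.is_deployment }}
        env:
          ECR_URI: ${{ steps.ecr-repo.outputs.uri }}
          IMAGE_TAG: ${{ github.sha }}
        run: |
          docker push "$ECR_URI:$IMAGE_TAG"

  deploy_infra:
    if: ${{ inputs.deploy_infra && inputs.is_deployment }}
    name: Deploy Infrastructure
    needs: [build-and-publish-service]
    uses: NHSDigital/orphaned-record-continuity-infrastructure/.github/workflows/deploy-stack.yml@v3
    with:
      stack: ${{ inputs.service }}
      environment: ${{ inputs.environment }}
      is_deployment: ${{ inputs.is_deployment }}
      ecr_alias: ${{ inputs.ecr_alias }}
      # Keep in step with the @v3 ref on `uses:` above.
      git_ref: refs/tags/v3
    # Forwards every caller secret to the infrastructure workflow; narrow this
    # to the named secrets deploy-stack.yml actually declares where possible.
    secrets: inherit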