Build NRL Project on dev #449
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build NRL Project on Environment | |
| run-name: Build NRL Project on ${{ inputs.environment || 'dev' }} | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: write | |
| on: | |
| schedule: | |
| - cron: "0 1 * * *" | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| type: environment | |
| description: "The environment to deploy changes to" | |
| default: "dev" | |
| required: true | |
| env: | |
| SYFT_VERSION: "1.27.1" | |
| jobs: | |
| build: | |
| name: Build - ${{ github.ref }} | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Run Linting | |
| run: make lint | |
| - name: Run Unit Tests | |
| run: make test | |
| - name: Build Project | |
| run: make build | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment || 'dev' }}-${{ github.run_id }} | |
| - name: Add S3 Permissions to Lambda | |
| run: | | |
| account=$(echo '${{ inputs.environment || 'dev' }}' | cut -d '-' -f1) | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment || 'dev' }}) | |
| make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${inactive_stack} | |
| - name: Save Build Artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| path: | | |
| dist/*.zip | |
| !dist/nrlf_permissions.zip | |
| - name: Save NRLF Permissions cache | |
| uses: actions/cache/save@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| sbom: | |
| name: Generate Software Bill of Materials - ${{ github.ref }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Set up terraform | |
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd | |
| with: | |
| terraform_version: "1.9.8" | |
| - name: Set architecture variable | |
| id: os-arch | |
| run: | | |
| case "${{ runner.arch }}" in | |
| X64) ARCH="amd64" ;; | |
| ARM64) ARCH="arm64" ;; | |
| esac | |
| echo "arch=${ARCH}" >> $GITHUB_OUTPUT | |
| - name: Download and setup Syft | |
| run: | | |
| DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz" | |
| echo "Downloading: ${DOWNLOAD_URL}" | |
| curl -L -o syft.tar.gz "${DOWNLOAD_URL}" | |
| tar -xzf syft.tar.gz | |
| chmod +x syft | |
| # Add to PATH for subsequent steps | |
| echo "$(pwd)" >> $GITHUB_PATH | |
| - name: Create SBOM | |
| run: bash scripts/sbom-create.sh terraform python | |
| - name: Upload SBOM artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom-${{ github.sha }} | |
| path: sbom.spdx.json | |
| - name: Append SBOM inventory to summary | |
| if: always() | |
| shell: bash | |
| run: | | |
| cat > sbom_to_summary.jq <<'JQ' | |
| def clean: (.|tostring) | gsub("\\|"; "\\|") | gsub("\r?\n"; " "); | |
| def purl: ((.externalRefs[]? | select(.referenceType=="purl") | .referenceLocator) // ""); | |
| def license: (.licenseConcluded // .licenseDeclared // ""); | |
| def supplier: ((.supplier // "") | sub("^Person: *|^Organization: *";"")); | |
| if (has("spdxVersion") | not) then | |
| "### SBOM Inventory (SPDX)\n\nSBOM is not SPDX JSON." | |
| else | |
| .packages as $pkgs | |
| | "### SBOM Inventory (SPDX)\n\n" | |
| + "| Metric | Value |\n|---|---|\n" | |
| + "| Packages | " + ($pkgs|length|tostring) + " |\n\n" | |
| + "<details><summary>Full inventory</summary>\n\n" | |
| + "| Package | Version | Supplier | License | PURL |\n|---|---|---|---|---|\n" | |
| + ( | |
| $pkgs | |
| | map("| " | |
| + ((.name // .SPDXID) | clean) | |
| + " | " + ((.versionInfo // "") | clean) | |
| + " | " + (supplier | clean) | |
| + " | " + (license | clean) | |
| + " | " + (purl | clean) | |
| + " |") | |
| | join("\n") | |
| ) | |
| + "\n\n</details>\n" | |
| end | |
| JQ | |
| jq -r -f sbom_to_summary.jq sbom.spdx.json >> "$GITHUB_STEP_SUMMARY" |