
Commit f5240ba

timirelandgithub-actions[bot]
authored andcommitted
Drift from template
1 parent b9c5006 commit f5240ba

3 files changed

Lines changed: 130 additions & 5 deletions


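--- a/.github/workflows/stage-4-acceptance.yaml
+++ b/.github/workflows/stage-4-acceptance.yaml
@@ -31,10 +31,6 @@ on:
 description: "Version of the software, set by the CI/CD pipeline workflow"
 required: true
 type: string
-target_environment:
-description: "Environment to run acceptance tests with"
-required: true
-type: string
 
 jobs:
 environment-set-up: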

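--- a/LICENCE.md
+++ b/LICENCE.md
@@ -1,6 +1,6 @@
 # MIT Licence
 
-Copyright (c) 2026 Crown Copyright NHS England.
+Copyright (c) 2025 Crown Copyright NHS England.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal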
Lines changed: 129 additions & 0 deletions
@@ -0,0 +1,129 @@
1+
#!/bin/bash
2+
3+
# Fail fast on errors, unset variables, and pipeline failures.
4+
set -euo pipefail
5+
6+
# Ensure build.sh is executable and build the lambda artifacts before producing the Docker image.
7+
chmod +x ./build.sh
8+
./build.sh
9+
10+
11+
# Parse arguments
12+
BASE_IMAGE=""
13+
while [[ $# -gt 0 ]]; do
14+
case $1 in
15+
--base-image)
16+
BASE_IMAGE="$2"
17+
shift 2
18+
;;
19+
*)
20+
echo "Unknown argument: $1" >&2
21+
exit 1
22+
;;
23+
esac
24+
done
25+
26+
if [[ -z "$BASE_IMAGE" ]]; then
27+
echo "Error: --base-image parameter is required." >&2
28+
exit 1
29+
fi
30+
31+
CSI="${PROJECT}-${ENVIRONMENT}-${COMPONENT}"
32+
ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}"
33+
GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}"
34+
GHCR_LOGIN_USER="${GITHUB_ACTOR}"
35+
LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$PWD")}"
36+
37+
## Set IMAGE_TAG_SUFFIX based on git tag or short SHA for unique lambda image tagging in ECR.
38+
#This ensures that each build produces a uniquely identifiable image, and tagged releases are easily traceable.
39+
echo "Checking if current commit is a tag..."
40+
GIT_TAG="$(git describe --tags --exact-match 2>/dev/null || true)"
41+
if [ -n "$GIT_TAG" ]; then
42+
TAGGED="tag-$GIT_TAG"
43+
echo "On tag: $GIT_TAG, exporting IMAGE_TAG_SUFFIX as tag: $TAGGED"
44+
export IMAGE_TAG_SUFFIX="$TAGGED"
45+
46+
else
47+
SHORT_SHA="sha-$(git rev-parse --short HEAD)"
48+
echo "Not on a tag, exporting IMAGE_TAG_SUFFIX as short SHA: $SHORT_SHA"
49+
export IMAGE_TAG_SUFFIX="$SHORT_SHA"
50+
fi
51+
52+
## Check if we are running in the context of a Terraform apply or plan, and set PUBLISH_LAMBDA_IMAGE accordingly. We only want to push images to ECR on apply, not on plan.
53+
echo "Checking if ACTION is 'apply' to set PUBLISH_LAMBDA_IMAGE..."
54+
if [ "$ACTION" = "apply" ]; then
55+
echo "Setting PUBLISH_LAMBDA_IMAGE to true for apply action"
56+
export PUBLISH_LAMBDA_IMAGE="true"
57+
else
58+
echo "Not setting PUBLISH_LAMBDA_IMAGE for action ($ACTION)"
59+
fi
60+
61+
# Ensure required AWS/ECR configuration is present.
62+
echo "BASE_IMAGE: ${BASE_IMAGE:-<unset>}"
63+
echo "AWS_ACCOUNT_ID: ${AWS_ACCOUNT_ID:-<unset>}"
64+
echo "AWS_REGION: ${AWS_REGION:-<unset>}"
65+
echo "COMPONENT: ${COMPONENT:-<unset>}"
66+
echo "CSI: ${CSI:-<unset>}"
67+
echo "ECR_REPO: ${ECR_REPO:-<unset>}"
68+
echo "ENVIRONMENT: ${ENVIRONMENT:-<unset>}"
69+
echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:-<unset>}"
70+
echo "GHCR_LOGIN_USER: ${GHCR_LOGIN_USER:-<unset>}"
71+
echo "IMAGE_TAG_SUFFIX: ${IMAGE_TAG_SUFFIX:-<unset>}"
72+
echo "LAMBDA_NAME: ${LAMBDA_NAME:-<unset>}"
73+
74+
# Authenticate Docker with AWS ECR using an ephemeral login token.
75+
aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${AWS_REGION}".amazonaws.com
76+
77+
# Authenticate to GitHub Container Registry for base images.
78+
if [ -n "${GHCR_LOGIN_USER:-}" ] && [ -n "${GHCR_LOGIN_TOKEN:-}" ]; then
79+
echo "Attempting GHCR login as ${GHCR_LOGIN_USER}..."
80+
if echo "${GHCR_LOGIN_TOKEN}" | docker login ghcr.io --username "${GHCR_LOGIN_USER}" --password-stdin; then
81+
echo "GHCR login successful."
82+
else
83+
echo "GHCR login failed!" >&2
84+
fi
85+
fi
86+
87+
# Namespace tag by CSI and lambda name to avoid cross-environment collisions.
88+
IMAGE_TAG="${CSI}-${LAMBDA_NAME}"
89+
90+
# Compose the full ECR image references.
91+
ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}"
92+
93+
# Final tag names we will produce
94+
95+
IMAGE_TAG_LATEST="${ECR_REPO_URI}:${IMAGE_TAG}-latest"
96+
IMAGE_TAG_SUFFIXED="${ECR_REPO_URI}:${IMAGE_TAG}-${IMAGE_TAG_SUFFIX}"
97+
98+
echo "Will build and tag images:"
99+
echo " LATEST -> ${IMAGE_TAG_LATEST}"
100+
echo " SUFFIXED -> ${IMAGE_TAG_SUFFIXED}"
101+
102+
# Build and tag the Docker image for the lambda.
103+
# --load makes the built image available to the local docker daemon (single-platform).
104+
docker buildx build \
105+
-f docker/lambda/Dockerfile \
106+
--platform=linux/amd64 \
107+
--provenance=false \
108+
--sbom=false \
109+
--build-arg BASE_IMAGE="${BASE_IMAGE}" \
110+
-t "${IMAGE_TAG_LATEST}" \
111+
-t "${IMAGE_TAG_SUFFIXED}" \
112+
--load \
113+
.
114+
115+
# Push the image tag(s) to ECR on apply only. The Terraform configuration will reference image digest.
116+
if [ "${PUBLISH_LAMBDA_IMAGE:-false}" = "true" ]; then
117+
echo "PUBLISH_LAMBDA_IMAGE is set to true. Pushing Docker images to ECR..."
118+
119+
120+
for TAG in "${IMAGE_TAG_LATEST}" "${IMAGE_TAG_SUFFIXED}"; do
121+
echo "Pushing ${TAG}..."
122+
docker push "${TAG}"
123+
done
124+
125+
echo "Push complete."
126+
else
127+
echo "PUBLISH_LAMBDA_IMAGE is not set to true (likely TF Plan). Skipping Docker push."
128+
exit 0
129+
fi
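Review bot: The configuration dump writes the registry credential to the build log in clear: `echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:-<unset>}"` (new line 69) prints the value copied from `GITHUB_TOKEN` on new line 33. Log masking on the CI runner may hide it there, but the script cannot rely on that when it is run locally or under a different runner, and build logs are usually readable by more people than the secret should be. Report only presence instead, e.g. `echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:+<set>}"`. Separately, `GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}"`, `GHCR_LOGIN_USER="${GITHUB_ACTOR}"` and `"$ACTION"` are expanded without defaults under `set -u`, so the script aborts when any of them is unset and the later `${GHCR_LOGIN_TOKEN:-}` guard never gets the chance to skip the login; `${GITHUB_TOKEN:-}`, `${GITHUB_ACTOR:-}` and `${ACTION:-}` would match the apparent intent. The GHCR login on new lines 80-84 also only logs a failure and carries on, so a bad credential surfaces later as a base-image pull error rather than at the login step.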
