@@ -122,6 +122,14 @@ jobs:
122122 echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
123123 echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
124124
125+ - name : Cache npm dependencies
126+ uses : actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
127+ with :
128+ path : ./node_modules
129+ key : ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
130+ restore-keys : |
131+ ${{ runner.os }}-node-
132+
125133 - name : make install
126134 run : |
127135 make install
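Review bot: The new cache step (new lines 125–131) caches `./node_modules` with a prefix `restore-keys` fallback, so a miss on the exact lockfile hash can restore a `node_modules` tree built from a different `package-lock.json`; whether the following `make install` reconciles that depends on whether it runs `npm ci` (which discards the tree) or `npm install` (which keeps packages the lockfile no longer lists), and the Makefile is not visible here. The matching step this commit adds later (new lines 271–278) caches `~/.npm` instead, which is the safer target because npm then rebuilds `node_modules` from the lockfile on every run; changing this one to `path : ~/.npm` would make the two consistent. If caching the installed tree is deliberate, a comment such as `# caches the installed tree itself; install must use npm ci so a prefix-match restore cannot leave stale packages` above the step would record the assumption. The key also carries no Node version, so a runtime bump would restore modules built for the previous one.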
@@ -156,6 +164,58 @@ jobs:
156164 echo "uses_java=false" >> "$GITHUB_OUTPUT"
157165 fi
158166
167+ - name : Check licenses (Makefile)
168+ run : |
169+ make check-licenses
170+
171+ - name : Run code lint
172+ run : make lint
173+
174+ - name : actionlint
175+ uses : raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc
176+
177+ - name : Run ShellCheck
178+ uses : ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38
179+ with :
180+ ignore_paths : >-
181+ *test*
182+ .venv
183+ node_modules
184+ .git
185+
186+ - name : Run unit tests
187+ run : make test
188+
189+ - name : Generate and check SBOMs
190+ uses : NHSDigital/eps-action-sbom@7684ce6314e515df7b7929fac08b4464f8a03d06
191+
192+ - name : " check is SONAR_TOKEN exists"
193+ env :
194+ super_secret : ${{ secrets.SONAR_TOKEN }}
195+ if : ${{ env.super_secret != '' && inputs.run_sonar == true }}
196+ run : echo "SONAR_TOKEN_EXISTS=true" >> "$GITHUB_ENV"
197+
198+ - name : Run SonarQube analysis
199+ if : ${{ steps.check_java.outputs.uses_java == 'true' && env.SONAR_TOKEN_EXISTS == 'true' }}
200+ run : mvn sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
201+
202+ - name : SonarCloud Scan
203+ uses : SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602
204+ if : ${{ steps.check_java.outputs.uses_java == 'false' && env.SONAR_TOKEN_EXISTS == 'true' }}
205+ env :
206+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
207+ SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
208+
209+ # CloudFormation validation (runs only if templates exist, ~3-5 minutes)
210+ cloudformation-validation :
211+ runs-on : ubuntu-22.04
212+ steps :
213+ - name : Checkout code
214+ uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
215+ with :
216+ ref : ${{ env.BRANCH_NAME }}
217+ fetch-depth : 0
218+
159219 - name : Check for SAM templates
160220 id : check_sam_templates
161221 run : |
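Review bot: The new `cloudformation-validation` job (new lines 210–217) declares no `permissions:` block, so its `GITHUB_TOKEN` inherits the repository default instead of the minimum the job needs. The build jobs this commit removes scoped their tokens explicitly, and this job later writes `secrets.GITHUB_TOKEN` into `~/.npmrc` for npm.pkg.github.com, so `permissions:` with `contents: read` and `packages: read` directly under `cloudformation-validation:` covers what is visible. Separately, the moved `Run SonarQube analysis` step (new line 200) still passes the token on the command line via `-Dsonar.login=${{ secrets.SONAR_TOKEN }}`; supplying it as `env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}` with a bare `run: mvn sonar:sonar`, as the SonarCloud step below already does, keeps it out of argv and process listings, and `sonar.login` is the deprecated property name in any case. The checkout's `ref: ${{ env.BRANCH_NAME }}` presumes a workflow-level `BRANCH_NAME`, which is not visible in this hunk.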
@@ -201,34 +261,34 @@ jobs:
201261 echo "cdk_exists=false" >> "$GITHUB_OUTPUT"
202262 fi
203263
204- - name : Check licenses (Makefile)
205- run : |
206- make check-licenses
207-
208- - name : Run code lint
209- run : make lint
210-
211- - name : actionlint
212- uses : raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc
213-
214- - name : Run ShellCheck
215- uses : ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38
216- with :
217- ignore_paths : >-
218- *test*
219- .venv
220- node_modules
221- .git
222-
223264 - name : Run cfn-lint
224265 if : steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true'
225266 run : |
226267 pip install cfn-lint
227268 cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }'
228269 cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }'
229270
230- - name : Run unit tests
231- run : make test
271+ - name : Cache npm dependencies
272+ if : steps.check_cdk.outputs.cdk_exists == 'true'
273+ uses : actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
274+ with :
275+ path : ~/.npm
276+ key : ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
277+ restore-keys : |
278+ ${{ runner.os }}-node-
279+
280+ - name : Setting up .npmrc
281+ if : steps.check_cdk.outputs.cdk_exists == 'true'
282+ env :
283+ NODE_AUTH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
284+ run : |
285+ echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
286+ echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
287+
288+ - name : make install NodeJS
289+ if : steps.check_cdk.outputs.cdk_exists == 'true'
290+ run : |
291+ make install-node && make compile
232292
233293 - name : Run cdk-synth
234294 if : steps.check_cdk.outputs.cdk_exists == 'true'
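Review bot: The `Setting up .npmrc` step (new lines 280–286) appends `secrets.GITHUB_TOKEN` to `~/.npmrc`, which sits outside the `~/.npm` path the preceding cache step saves, so the token is not persisted into the branch-shared cache; that property is easy to lose in a later edit and is worth stating with `# ~/.npmrc is deliberately outside the cached ~/.npm path so the token never enters the cache` above the step. The step uses `>>` rather than `>`, so on a runner that is not ephemeral a pre-existing `~/.npmrc` would accumulate registry entries; on the GitHub-hosted `ubuntu-22.04` runner declared for this job that does not arise.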
@@ -359,184 +419,3 @@ jobs:
359419 with :
360420 name : cfn_guard_output
361421 path : cfn_guard_output
362-
363- - name : Generate and check SBOMs
364- uses : NHSDigital/eps-action-sbom@7684ce6314e515df7b7929fac08b4464f8a03d06
365-
366- - name : " check is SONAR_TOKEN exists"
367- env :
368- super_secret : ${{ secrets.SONAR_TOKEN }}
369- if : ${{ env.super_secret != '' && inputs.run_sonar == true }}
370- run : echo "SONAR_TOKEN_EXISTS=true" >> "$GITHUB_ENV"
371-
372- - name : Run SonarQube analysis
373- if : ${{ steps.check_java.outputs.uses_java == 'true' && env.SONAR_TOKEN_EXISTS == 'true' }}
374- run : mvn sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
375-
376- - name : SonarCloud Scan
377- uses : SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602
378- if : ${{ steps.check_java.outputs.uses_java == 'false' && env.SONAR_TOKEN_EXISTS == 'true' }}
379- env :
380- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
381- SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
382-
383- build_dev_container_x64 :
384- permissions :
385- id-token : write
386- runs-on : ubuntu-22.04
387- steps :
388- - name : Checkout code
389- uses : actions/checkout@v5
390- with :
391- fetch-depth : 0
392-
393- - name : Download check_ecr_image_scan_results.sh script
394- env :
395- SCRIPT_TAG : ${{ inputs.check_ecr_image_scan_results_script_tag }}
396- run : |
397- curl -L "https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
398- chmod +x check_ecr_image_scan_results.sh
399- - name : Build dev container
400- run : |
401- docker build -f .devcontainer/Dockerfile -t dev-container-image .
402-
403- - name : Configure AWS Credentials
404- uses : aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
405- id : connect-aws-deploy
406- with :
407- aws-region : eu-west-2
408- role-to-assume : ${{ secrets.PUSH_IMAGE_ROLE }}
409- role-session-name : dev-container-build-x64
410- output-credentials : true
411-
412- - name : Retrieve AWS Account ID
413- id : retrieve-deploy-account-id
414- run : |
415- ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
416- echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
417-
418- - name : Login to Amazon ECR
419- run : |
420- aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
421-
422- - name : Push x64 image to Amazon ECR
423- env :
424- ECR_REPOSITORY : ${{ inputs.dev_container_ecr }}
425- IMAGE_TAG : ${{ inputs.dev_container_image_tag }}
426- ACCOUNT_ID : ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
427- run : |
428- docker tag "dev-container-image" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
429- docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
430- - name : Check dev container scan results
431- env :
432- REPOSITORY_NAME : ${{ inputs.dev_container_ecr }}
433- IMAGE_TAG : ${{ inputs.dev_container_image_tag }}-amd64
434- ACCOUNT_ID : ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
435- run : |
436- sleep 30
437- ./check_ecr_image_scan_results.sh
438-
439- build_dev_container_arm64 :
440- permissions :
441- id-token : write
442- runs-on : ubuntu-22.04-arm
443- steps :
444- - name : Checkout code
445- uses : actions/checkout@v5
446- with :
447- fetch-depth : 0
448-
449- - name : Download check_ecr_image_scan_results.sh script
450- env :
451- SCRIPT_TAG : ${{ inputs.check_ecr_image_scan_results_script_tag }}
452- run : |
453- curl -L "https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o check_ecr_image_scan_results.sh
454- chmod +x check_ecr_image_scan_results.sh
455-
456- - name : Build dev container
457- run : |
458- docker build -f .devcontainer/Dockerfile -t dev-container-image-arm .
459-
460- - name : Configure AWS Credentials
461- uses : aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
462- id : connect-aws-deploy
463- with :
464- aws-region : eu-west-2
465- role-to-assume : ${{ secrets.PUSH_IMAGE_ROLE }}
466- role-session-name : dev-container-build-arm64
467- output-credentials : true
468-
469- - name : Retrieve AWS Account ID
470- id : retrieve-deploy-account-id
471- run : |
472- ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
473- echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
474-
475- - name : Login to Amazon ECR
476- run : |
477- aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
478-
479- - name : Push ARM64 image to Amazon ECR
480- env :
481- ECR_REPOSITORY : ${{ inputs.dev_container_ecr }}
482- IMAGE_TAG : ${{ inputs.dev_container_image_tag }}
483- ACCOUNT_ID : ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
484- run : |
485- docker tag "dev-container-image-arm" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
486- docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
487- - name : Check dev container scan results
488- env :
489- REPOSITORY_NAME : ${{ inputs.dev_container_ecr }}
490- IMAGE_TAG : ${{ inputs.dev_container_image_tag }}-arm64
491- ACCOUNT_ID : ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
492- run : |
493- # Wait a moment for ECR to process the new manifest
494- sleep 30
495- ./check_ecr_image_scan_results.sh
496-
497- create_multi_arch_manifest :
498- permissions :
499- id-token : write
500- runs-on : ubuntu-22.04
501- needs : [build_dev_container_x64, build_dev_container_arm64]
502- steps :
503- - name : Set up Docker Buildx
504- uses : docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
505-
506- - name : Configure AWS Credentials
507- uses : aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
508- with :
509- aws-region : eu-west-2
510- role-to-assume : ${{ secrets.PUSH_IMAGE_ROLE }}
511- role-session-name : multi-arch-manifest
512- output-credentials : true
513-
514- - name : Retrieve AWS Account ID
515- id : retrieve-deploy-account-id
516- run : |
517- ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
518- echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
519-
520- - name : Login to Amazon ECR
521- run : |
522- aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
523-
524- - name : Create and push multi-architecture manifest for tag
525- env :
526- ECR_REPOSITORY : ${{ inputs.dev_container_ecr }}
527- IMAGE_TAG : ${{ inputs.dev_container_image_tag }}
528- ACCOUNT_ID : ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
529- run : |
530- # Create manifest list combining both architectures
531- docker buildx imagetools create -t "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}" \
532- "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64" \
533- "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
534-
535- - name : Verify multi-architecture manifest
536- env :
537- ECR_REPOSITORY : ${{ inputs.dev_container_ecr }}
538- IMAGE_TAG : ${{ inputs.dev_container_image_tag }}
539- ACCOUNT_ID : ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
540- run : |
541- echo "=== Verifying multi-architecture manifest ==="
542- docker buildx imagetools inspect "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}"