Add act workflow #1
| # name: ZAP API Active Scan | |
| # on: | |
| # # schedule: | |
| # # - cron: "0 3 * * *" # nightly 3am | |
| # workflow_dispatch: | |
| # inputs: | |
| # target_env_oas: | |
| # description: "Target proxygen environment OAS" | |
| # required: true | |
| # default: "internal-dev" | |
| # # kid_name: | |
| # # description: "KID name for JWT authentication" | |
| # # required: true | |
| # # default: "int-dev-1" | |
| # jobs: | |
| # metadata: | |
| # name: "Set CI/CD metadata" | |
| # runs-on: ubuntu-latest | |
| # timeout-minutes: 1 | |
| # outputs: | |
| # build_datetime_london: ${{ steps.variables.outputs.build_datetime_london }} | |
| # build_datetime: ${{ steps.variables.outputs.build_datetime }} | |
| # build_timestamp: ${{ steps.variables.outputs.build_timestamp }} | |
| # build_epoch: ${{ steps.variables.outputs.build_epoch }} | |
| # nodejs_version: ${{ steps.variables.outputs.nodejs_version }} | |
| # python_version: ${{ steps.variables.outputs.python_version }} | |
| # terraform_version: ${{ steps.variables.outputs.terraform_version }} | |
| # version: ${{ steps.variables.outputs.version }} | |
| # is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }} | |
| # steps: | |
| # - name: "Checkout code" | |
| # uses: actions/checkout@v5 | |
| # - name: "Set CI/CD variables" | |
| # id: variables | |
| # run: | | |
| # datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') | |
| # version=$(head -n 1 .version 2> /dev/null || echo unknown) | |
| # echo "build_datetime_london=$(TZ=Europe/London date --date=$datetime +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT | |
| # echo "build_datetime=$datetime" >> $GITHUB_OUTPUT | |
| # echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT | |
| # echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT | |
| # echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| # echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| # echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| # echo "version=$(echo $version)" >> $GITHUB_OUTPUT | |
| # echo "is_version_prerelease=$(if [[ $version == *-* ]]; then echo "true"; else echo "false"; fi)" >> $GITHUB_OUTPUT | |
| # - name: "List variables" | |
| # run: | | |
| # export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}" | |
| # export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}" | |
| # export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}" | |
| # export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}" | |
| # export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}" | |
| # export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}" | |
| # export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}" | |
| # export VERSION="${{ steps.variables.outputs.version }}" | |
| # export IS_VERSION_PRERELEASE="${{ steps.variables.outputs.is_version_prerelease }}" | |
| # make list-variables | |
| # # - name: "Build OAS spec" | |
| # # uses: ./.github/actions/build-oas-spec | |
| # # with: | |
| # # version: "${{ inputs.version }}" | |
| # # apimEnv: "${{ matrix.apimEnv }}" | |
| # # buildSandbox: false | |
| # # nodejs_version: ${{ inputs.nodejs_version }} | |
| # # NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }} | |
| # zap-api-scan: | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - name: Checkout | |
| # uses: actions/checkout@v4 | |
| # - name: Setup Node | |
| # uses: actions/setup-node@v4 | |
| # with: | |
| # node-version: 22 | |
| # registry-url: "https://npm.pkg.github.com" | |
| # scope: "@nhsdigital" | |
| # always-auth: true | |
| # - name: Npm install | |
| # working-directory: . | |
| # env: | |
| # NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }} | |
| # run: npm ci | |
| # shell: bash | |
| # - name: Set up dependencies | |
| # working-directory: . | |
| # shell: bash | |
| # run: | | |
| # apt-get update && apt-get -y install gettext-base | |
| # - name: Build OAS File | |
| # working-directory: . | |
| # shell: bash | |
| # run: | | |
| # echo "Building env specific JSON OAS spec" | |
| # make build-json-oas-spec APIM_ENV=${{ inputs.target_env_oas }} | |
| # # jq 'del(.servers[] | select(.url == "http://127.0.0.1:9000")) | .servers += [{ "url": "https://internal-dev.api.service.nhs.uk/nhs-notify-supplier"}]' build/notify-supplier.json > build/notify-supplier.json | |
| # # - name: "Setup ASDF" | |
| # # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 | |
| # # - name: Install python | |
| # # run: | | |
| # # asdf install python || true | |
| # # echo "Installed python version:" | |
| # # python --version | |
| # # - name: Configure AWS Credentials | |
| # # uses: aws-actions/configure-aws-credentials@v5 | |
| # # with: | |
| # # role-to-assume: arn:aws:iam::${{ secrets.SUPPLIERS_DEV_AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ASSUME_ROLE_NAME }} | |
| # # role-session-name: ${{ github.run_id }} | |
| # # aws-region: eu-west-2 | |
| # # role-skip-session-tagging: true | |
| # # - name: Fetch private key from SSM (parameter store) and save to file | |
| # # id: fetch_key | |
| # # run: | | |
| # # aws ssm get-parameter --name "/jwt/kids/${KID_NAME}" --with-decryption --query "Parameter.Value" --output text > "${KID_NAME}.pem" | |
| # # chmod 600 "${KID_NAME}.pem" | |
| # # env: | |
| # # KID_NAME: ${{ env.KID_NAME }} | |
| # # - name: Get JWT bearer token (run your Python script) | |
| # # id: get_token | |
| # # run: | | |
| # # python ./scripts/JWT/get_bearer_token.py --kid "${KID_NAME}.pem" --env "int" --appid "${{ secrets.APIGEE_APPKEY }}" > jwt_output.json | |
| # # ACCESS_TOKEN=$(jq -r '.access_token // empty' jwt_output.json || true) | |
| # # echo "token=$ACCESS_TOKEN" >> $GITHUB_OUTPUT | |
| # # env: | |
| # # KID_NAME: ${{ env.KID_NAME }} | |
| # # APIGEE_APPKEY: ${{ secrets.APIGEE_APPKEY }} | |
| # # - name: Install Proxygen client | |
| # # shell: bash | |
| # # run: | | |
| # # # Install proxygen cli | |
| # # pip install pipx | |
| # # pipx install proxygen-cli | |
| # # # Setup proxygen auth and settings | |
| # # mkdir -p ${HOME}/.proxygen | |
| # # echo -n $PROXYGEN_PRIVATE_KEY | base64 --decode > ${HOME}/.proxygen/key | |
| # # envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml | |
| # # envsubst < ./.github/proxygen-credentials-template.yaml | cat | |
| # # envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml | |
| # # envsubst < ./.github/proxygen-settings.yaml | cat | |
| # # - name: Obtain OAS from target via Proxygen | |
| # # run: | | |
| # # proxygen instance get ${{ env.TARGET_ENV }} nhs-notify-supplier | |
| # - name: Run ZAP API Scan (active) | |
| # uses: zaproxy/action-api-scan@v0.10.0 | |
| # env: | |
| # # Set the Authorization header value for ZAP | |
| # ZAP_AUTH_HEADER_VALUE: "Bearer ${{ secrets.TEMP_ACCESS_TOKEN }}" | |
| # with: | |
| # target: "build/notify-supplier.json" | |
| # format: openapi | |
| # fail_action: true | |
| # cmd_options: > | |
| # -d | |
| # -a | |
| # -J zap-report.json | |
| # -r zap-report.html | |
| # - name: Upload ZAP HTML report | |
| # if: always() | |
| # uses: actions/upload-artifact@v4 | |
| # with: | |
| # name: zap-report | |
| # path: zap-report.html | |
| # - name: Upload ZAP JSON report | |
| # if: always() | |
| # uses: actions/upload-artifact@v4 | |
| # with: | |
| # name: zap-report-json | |
| # path: zap-report.json |
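Review bot: `echo "token=$ACCESS_TOKEN" >> $GITHUB_OUTPUT` in the get_token step writes a bearer token into a step output, and step outputs are not masked in job logs; add `echo "::add-mask::$ACCESS_TOKEN"` before that line (or keep the token in an environment variable scoped to the step that needs it), and the same concern applies to the two `envsubst ... | cat` lines in the proxygen step, which print the rendered credentials and settings files to the log. Every line of the file is commented out, so nothing here runs as committed; a one-line header such as `# DISABLED: draft ZAP API scan, not yet wired up – fix token handling before enabling` would make that deliberate and visible to the next reader. The only active-when-uncommented auth path is `ZAP_AUTH_HEADER_VALUE: "Bearer ${{ secrets.TEMP_ACCESS_TOKEN }}"`, a static token kept in repository secrets; the commented-out JWT step suggests a short-lived token fetched at run time was the intent, and that is the safer end state. The page also flags hidden or bidirectional Unicode characters in this file, which is worth checking at the byte level before any of it is uncommented, since comment-only lines can carry content that becomes live later. Minor: `actions/checkout@v5` in the metadata job versus `@v4` in the scan job, and `apt-get` without `sudo` in the "Set up dependencies" step, will likely need attention once the workflow is enabled.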