CCM-11029: configure install from github packages

Author: harrim91

.github/actions/acceptance-tests/action.yaml

@@ -29,8 +29,7 @@ runs:
         name: terraform-output-${{ inputs.targetComponent }}
     - name: "Repo setup"
       shell: bash
-      run: |
-        npm ci
+      run: make dependencies
 
     - name: Generate outputs file
       shell: bash

.github/workflows/pr_closed.yaml

@@ -104,11 +104,16 @@ jobs:
     needs: check-event-schemas-version-change
     if: needs.check-event-schemas-version-change.outputs.version_changed == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
     steps:
       - name: "Checkout code"
         uses: actions/[email protected]
       - name: "Install dependencies"
-        run: npm ci
+        run: make dependencies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Run provider contract tests"
         run: make test-contract-producer
 
@@ -134,7 +139,9 @@ jobs:
           registry-url: 'https://npm.pkg.github.com'
 
       - name: Install dependencies
-        run: npm ci
+        run: make dependencies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish to GitHub Packages
         run: npm publish --workspace packages/event-schemas

.github/workflows/stage-1-commit.yaml

@@ -244,12 +244,15 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      packages: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
 
       - name: Install dependencies
-        run: npm ci
+        run: make dependencies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Re-generate schemas
         run: npm --workspace packages/event-schemas run generate-json-schemas

.github/workflows/stage-2-test.yaml

@@ -39,6 +39,7 @@ env:
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read  # This is required for actions/checkout
+  packages: read  # This is required to install packages from GitHub package registry
 
 jobs:
   check-generated-dependencies:
@@ -49,8 +50,9 @@ jobs:
       - name: "Checkout code"
         uses: actions/[email protected]
       - name: "Repo setup"
-        run: |
-          npm ci
+        run: make dependencies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Generate dependencies"
         run: |
           npm run generate-dependencies --workspaces --if-present
@@ -63,8 +65,9 @@ jobs:
       - name: "Checkout code"
         uses: actions/[email protected]
       - name: "Repo setup"
-        run: |
-          npm ci
+        run: make dependencies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Generate dependencies"
         run: |
           npm run generate-dependencies --workspaces --if-present
@@ -92,8 +95,9 @@ jobs:
       - name: "Checkout code"
         uses: actions/[email protected]
       - name: "Repo setup"
-        run: |
-          npm ci
+        run: make dependencies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Generate dependencies"
         run: |
           npm run generate-dependencies --workspaces --if-present
@@ -108,8 +112,9 @@ jobs:
       - name: "Checkout code"
         uses: actions/[email protected]
       - name: "Repo setup"
-        run: |
-          npm ci
+        run: make dependencies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Generate dependencies"
         run: |
           npm run generate-dependencies --workspaces --if-present
@@ -137,7 +142,9 @@ jobs:
       - name: "Checkout code"
         uses: actions/[email protected]
       - name: "Install dependencies"
-        run: npm ci
+        run: make dependencies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Run provider contract tests"
         run: make test-contract-producer
   perform-static-analysis:

Makefile

@@ -8,7 +8,8 @@ include scripts/init.mk
 # Example CI/CD targets are: dependencies, build, publish, deploy, clean, etc.
 
 dependencies: # Install dependencies needed to build and test the project @Pipeline
-	# TODO: Implement installation of your project dependencies
+	./scripts/set_github_token.sh
+	npm ci
 
 build: # Build the project artefact @Pipeline
 	# TODO: Implement the artefact build step

amplify.yml

@@ -8,6 +8,8 @@ applications:
             - cd ..
             - nvm install 20.13.1
             - nvm use 20.13.1
+            - export GITHUB_TOKEN=$(aws ssm get-parameter --name "$GITHUB_PAT_SSM_PARAM_NAME" --with-decryption --query Parameter.Value --output text)
+            - ./scripts/set_github_token.sh
             - npm ci --cache .npm --prefer-offline
             - npm run create-amplify-outputs env
             - npm run build

infrastructure/terraform/components/app/README.md

@@ -12,8 +12,8 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_AMPLIFY_BASIC_AUTH_SECRET"></a> [AMPLIFY\_BASIC\_AUTH\_SECRET](#input\_AMPLIFY\_BASIC\_AUTH\_SECRET) | Secret key/password to use for Amplify Basic Auth - This is entended to be read from CI variables and not commited to any codebase | `string` | `"unset"` | no |
-| <a name="input_CSRF_SECRET"></a> [CSRF\_SECRET](#input\_CSRF\_SECRET) | Secure cryptographic key to be used for generating CSRF tokens - This is entended to be read from CI variables and not commited to any codebase | `string` | n/a | yes |
+| <a name="input_AMPLIFY_BASIC_AUTH_SECRET"></a> [AMPLIFY\_BASIC\_AUTH\_SECRET](#input\_AMPLIFY\_BASIC\_AUTH\_SECRET) | Secret key/password to use for Amplify Basic Auth - This is intended to be read from CI variables and not committed to any codebase | `string` | `"unset"` | no |
+| <a name="input_CSRF_SECRET"></a> [CSRF\_SECRET](#input\_CSRF\_SECRET) | Secure cryptographic key to be used for generating CSRF tokens - This is intended to be read from CI variables and not committed to any codebase | `string` | n/a | yes |
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_aws_principal_org_id"></a> [aws\_principal\_org\_id](#input\_aws\_principal\_org\_id) | The AWS Org ID (numeric) | `string` | n/a | yes |
 | <a name="input_backup_report_recipient"></a> [backup\_report\_recipient](#input\_backup\_report\_recipient) | Primary recipient of the Backup reports | `string` | `""` | no |
@@ -26,15 +26,15 @@
 | <a name="input_data_plane_bus_arn"></a> [data\_plane\_bus\_arn](#input\_data\_plane\_bus\_arn) | Data plane event bus arn | `string` | n/a | yes |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_destination_vault_arn"></a> [destination\_vault\_arn](#input\_destination\_vault\_arn) | ARN of the backup vault in the destination account, if this environment should be backed up | `string` | `null` | no |
-| <a name="input_enable_amplify_basic_auth"></a> [enable\_amplify\_basic\_auth](#input\_enable\_amplify\_basic\_auth) | Enable a basic set of credentials in the form of a dynamicly generated username and password for the amplify app branches. Not intended for production use | `bool` | `true` | no |
+| <a name="input_enable_amplify_basic_auth"></a> [enable\_amplify\_basic\_auth](#input\_enable\_amplify\_basic\_auth) | Enable a basic set of credentials in the form of a dynamically generated username and password for the amplify app branches. Not intended for production use | `bool` | `true` | no |
 | <a name="input_enable_amplify_branch_auto_build"></a> [enable\_amplify\_branch\_auto\_build](#input\_enable\_amplify\_branch\_auto\_build) | Enable automatic building of branches | `bool` | `false` | no |
-| <a name="input_enable_cognito_built_in_idp"></a> [enable\_cognito\_built\_in\_idp](#input\_enable\_cognito\_built\_in\_idp) | Enable the use of Cognito as an IDP; CIS2 is prefered | `bool` | `false` | no |
+| <a name="input_enable_cognito_built_in_idp"></a> [enable\_cognito\_built\_in\_idp](#input\_enable\_cognito\_built\_in\_idp) | Enable the use of Cognito as an IDP; CIS2 is preferred | `bool` | `false` | no |
 | <a name="input_enable_event_caching"></a> [enable\_event\_caching](#input\_enable\_event\_caching) | Enable caching of events to an S3 bucket | `bool` | `true` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_event_delivery_logging"></a> [event\_delivery\_logging](#input\_event\_delivery\_logging) | Enable SNS Event Delivery logging | `bool` | `true` | no |
 | <a name="input_event_delivery_logging_success_sample_percentage"></a> [event\_delivery\_logging\_success\_sample\_percentage](#input\_event\_delivery\_logging\_success\_sample\_percentage) | Enable caching of events to an S3 bucket | `number` | `0` | no |
 | <a name="input_external_email_domain"></a> [external\_email\_domain](#input\_external\_email\_domain) | Externally managed domain used to create an SES identity for sending emails from. Validation DNS records will need to be manually configured in the DNS provider. | `string` | `null` | no |
-| <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
+| <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br/>    email_addresses  = list(string)<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | `{}` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |

infrastructure/terraform/components/app/amplify_app.tf

@@ -32,6 +32,7 @@ resource "aws_amplify_app" "main" {
     AMPLIFY_MONOREPO_APP_ROOT                = "frontend"
     API_BASE_URL                             = module.backend_api.api_base_url
     CSRF_SECRET                              = aws_ssm_parameter.csrf_secret.value
+    GITHUB_PAT_SSM_PARAM_NAME                = data.aws_ssm_parameter.github_pat_ssm_param_name.name
     NEXT_PUBLIC_PROMPT_SECONDS_BEFORE_LOGOUT = 120
     NEXT_PUBLIC_TIME_TILL_LOGOUT_SECONDS     = 900
     NOTIFY_ENVIRONMENT                       = var.environment

infrastructure/terraform/components/app/iam_role_amplify.tf

@@ -64,4 +64,17 @@ data "aws_iam_policy_document" "amplify" {
       "arn:aws:logs:${var.region}:${var.aws_account_id}:*"
     ]
   }
+
+  statement {
+    sid    = "SSMReadGitHubPAT"
+    effect = "Allow"
+
+    actions = [
+      "ssm:GetParameter",
+    ]
+
+    resources = [
+      data.aws_ssm_parameter.github_pat_ssm_param_name.arn
+    ]
+  }
 }

infrastructure/terraform/components/app/pre.sh

@@ -1,6 +1,6 @@
 echo "Running app pre.sh"
 
-npm ci
+make dependencies
 
 npm run generate-dependencies --workspaces --if-present