VIA-684 AJ Bump next from 15.5.7 to 15.5.9 to fix high severity CVEs #236
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CI/CD publish" | |
| on: | |
| push: | |
| tags: | |
| - 'v*.*.*' | |
| env: | |
| AWS_REGION: eu-west-2 | |
| AWS_S3_ARTEFACTS_BUCKET: vita-${{ secrets.AWS_ACCOUNT_ID }}-artefacts-dev | |
| AWS_S3_RELEASES_BUCKET: vita-${{ secrets.AWS_ACCOUNT_ID }}-releases-dev | |
| jobs: | |
| metadata: | |
| name: "Set CI/CD metadata" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 1 | |
| outputs: | |
| build_datetime: ${{ steps.variables.outputs.build_datetime }} | |
| build_timestamp: ${{ steps.variables.outputs.build_timestamp }} | |
| build_epoch: ${{ steps.variables.outputs.build_epoch }} | |
| nodejs_version: ${{ steps.variables.outputs.nodejs_version }} | |
| python_version: ${{ steps.variables.outputs.python_version }} | |
| terraform_version: ${{ steps.variables.outputs.terraform_version }} | |
| version: ${{ steps.variables.outputs.version }} | |
| steps: | |
| - name: "Checkout code" | |
| uses: actions/checkout@v5 | |
| - name: "Set CI/CD variables" | |
| id: variables | |
| run: | | |
| datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') | |
| echo "build_datetime=$datetime" >> $GITHUB_OUTPUT | |
| echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT | |
| echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT | |
| echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| echo "python_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow | |
| echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT | |
| - name: "List variables" | |
| run: | | |
| export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}" | |
| export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}" | |
| export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}" | |
| export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}" | |
| export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}" | |
| export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}" | |
| export VERSION="${{ steps.variables.outputs.version }}" | |
| make list-variables | |
| publish: | |
| name: "Publish packages" | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: dev | |
| needs: [metadata] | |
| timeout-minutes: 3 | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - name: "Checkout code" | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| - name: "Configure AWS credentials" | |
| uses: aws-actions/configure-aws-credentials@v5 | |
| with: | |
| role-session-name: GitHubActionsSession | |
| role-to-assume: ${{ secrets.IAM_ROLE }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: "Copy artefact" | |
| id: copy-artefact | |
| run: | | |
| TAG=${{ github.ref_name }} | |
| SHA=${{ github.sha }} | |
| if aws s3 ls "s3://${AWS_S3_ARTEFACTS_BUCKET}/sha/$SHA/" | grep .; then | |
| aws s3 cp "s3://${AWS_S3_ARTEFACTS_BUCKET}/sha/$SHA" "s3://${AWS_S3_RELEASES_BUCKET}/tag/$TAG/" --recursive | |
| else | |
| echo "Error: No build found for SHA: $SHA" | |
| exit 1 | |
| fi | |
| - name: "Get commit history" | |
| id: commits | |
| run: | | |
| TAG="${{ github.ref_name }}" | |
| PREVIOUS_TAG=$(git describe --tags --abbrev=0 --first-parent "${TAG}^" 2>/dev/null || echo "") | |
| if [[ -z "$PREVIOUS_TAG" ]]; then | |
| echo "No previous tag found. Listing all commits." | |
| COMMIT_RANGE=$(git log --pretty=format:"- %s (%h)") | |
| else | |
| echo "Listing commits between $PREVIOUS_TAG and $TAG." | |
| COMMIT_RANGE=$(git log --pretty=format:"- %s (%h)" "${PREVIOUS_TAG}..${TAG}") | |
| fi | |
| echo "$COMMIT_RANGE" > commit_history.txt | |
| - name: "Create release" | |
| uses: softprops/action-gh-release@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ github.ref_name }} | |
| name: Release ${{ github.ref_name }} | |
| body_path: commit_history.txt | |
| draft: false | |
| prerelease: false | |
| # TODO: commented till feature flags are implemented and we are ready for automatic promotions | |
| # promote-stage: | |
| # name: "Promote stage" | |
| # needs: [publish] | |
| # uses: ./.github/workflows/stage-6-promote.yaml | |
| # with: | |
| # environment: "preprod" | |
| # release_tag: ${{ github.ref_name }} | |
| # secrets: inherit |