Skip to content

Add SNYK scan to build image #3747

Add SNYK scan to build image

Add SNYK scan to build image #3747

name: Build and Deploy
on:
push:
branches:
- main
pull_request:
branches:
- main
types:
- labeled
- synchronize
- reopened
- opened
- converted_to_draft
workflow_dispatch:
inputs:
environment:
description: "Environment"
required: true
type: choice
options:
- production
jobs:
build_image:
name: Image build and push
runs-on: ubuntu-latest
outputs:
docker-image-tag: ${{ steps.build-image.outputs.tag }}
steps:
- uses: actions/checkout@v4
- name: Build and push docker image
id: build-image
uses: DFE-Digital/github-actions/build-docker-image@master
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
context: .
max-cache: true
reuse-cache: true
snyk-token: ${{ secrets.SNYK_TOKEN }}
deploy_review_app:
name: Deploy to review environment
runs-on: ubuntu-latest
if: contains(github.event.pull_request.labels.*.name, 'deploy')
concurrency: deploy_review_${{ github.event.pull_request.number }}
needs: [build_image]
environment:
name: review
permissions:
pull-requests: write
id-token: write
steps:
- uses: actions/checkout@v4
- name: Deploy to AKS
uses: ./.github/actions/deploy-environment
id: deploy
with:
environment: review
image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
pull-request-number: ${{ github.event.number }}
- uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Set kubelogin environment
uses: DFE-Digital/github-actions/set-kubelogin-environment@master
with:
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
- name: Seed role codes
shell: bash
run: |
make ci review get-cluster-credentials PR_NUMBER=123
kubectl exec -n tra-development deployment/access-your-teaching-qualifications-pr-${{ github.event.number }} -- /bin/sh -c "cd /app && bundle exec rake db:seed_role_codes"
- name: Post comment to Pull Request ${{ github.event.number }}
uses: marocchino/sticky-pull-request-comment@v2
with:
header: aks
message: |
### Deployments
| App | URL |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------|
| Access Your Teaching Qualifications | <https://access-your-teaching-qualifications-pr-${{ github.event.number }}.test.teacherservices.cloud> |
| Check A Teacher's Record | <https://check-a-teachers-record-pr-${{ github.event.number }}.test.teacherservices.cloud> |
deploy:
name: Deploy to ${{ matrix.environment }} environment
runs-on: ubuntu-latest
if: github.event_name == 'push'
concurrency: deploy_${{ matrix.environment }}
needs: [build_image]
strategy:
max-parallel: 1
matrix:
environment: [test, preprod]
environment:
name: ${{ matrix.environment }}
url: ${{ steps.deploy.outputs.environment_url }}
permissions:
id-token: write
steps:
- uses: actions/checkout@v4
- name: Deploy to AKS
uses: ./.github/actions/deploy-environment
id: deploy
with:
environment: ${{ matrix.environment }}
image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
deploy_production:
name: Deploy to production environment
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
needs: [build_image, deploy]
environment:
name: production
url: ${{ steps.deploy.outputs.environment_url }}
permissions:
id-token: write
steps:
- uses: actions/checkout@v4
- name: Deploy to AKS
uses: ./.github/actions/deploy-environment
id: deploy
with:
environment: production
image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}