Test, lint and build PHP base Image on Shared Core ECR #37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test, lint and build PHP base Image on Shared Core ECR | |
| run-name: Test, lint and build PHP base Image on Shared Core ECR | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| php-base-image-build: | |
| runs-on: ubuntu-latest | |
| env: | |
| AWS_REGION : ${{ secrets.DEV_AWS_REGION }} #Change to reflect your Region | |
| AWS_ACCOUNT_ID: ${{ secrets.DEV_AWS_ACCOUNT }} | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Lint check on dockerfile | |
| run: | | |
| jq -c '.[]' build.json | while read -r results; do | |
| build=$(echo "$results" | jq -r '.build') | |
| repoName=$(echo "$results" | jq -r '.repoName') | |
| dockerFile=$(echo "$results" | jq -r '.dockerFile') | |
| if [ "$build" == "true" ]; then | |
| docker run --rm --privileged -v `pwd`:/root/ projectatomic/dockerfile-lint dockerfile_lint -f build/$repoName/$dockerFile | |
| else | |
| echo "Not linting - $repoName, build parameter equal to false" | |
| fi | |
| done | |
| - name: Configure AWS credentials from Test account | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.DEV_AWS_ROLE }} | |
| aws-region: ${{vars.DVSA_AWS_REGION}} | |
| role-session-name: GitHub_to_AWS_via_FederatedOIDC | |
| - name: Login to Shared Core ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| with: | |
| mask-password: 'true' | |
| - name: Install snyk cli | |
| run: | | |
| npm install -g snyk | |
| - name: Build the Docker image | |
| run: | | |
| bash scripts/docker-build.sh | |
| - name: snyk scan api image | |
| run: | | |
| SHA=$(git rev-parse --short HEAD) | |
| # Iterate over JSON objects in build.json | |
| jq -c '.[]' build.json | while read -r results; do | |
| repoName=$(echo "$results" | jq -r '.repoName') | |
| tag=$(echo "$results" | jq -r '.tag') | |
| build=$(echo "$results" | jq -r '.build') | |
| if [ "$build" == "true" ]; then | |
| snyk container test $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$repoName:$tag-$SHA --severity-threshold=critical | |
| else | |
| echo "Not scanning - $repoName, build parameter equal to false" | |
| fi | |
| done | |
| continue-on-error: true | |