LIME-2144: Pass permissions boundary to nested oauth stack #258
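# PR check: lint, unit-test, scan, deploy a preview stack, run the API tests
# against it, tear it down, then gate the merge on the results.
# Every third-party action here is pinned to a commit SHA except
# upload-artifact (see the TODO on that step).
name: PR check
on: pull_request

# Least privilege: the token has no permissions by default; each job grants
# only what it needs.
permissions: {}

jobs:
  pre-commit:
    name: Run pre-commit
    runs-on: ubuntu-latest
    concurrency:
      group: pre-commit-${{ github.event.pull_request.number }}
      cancel-in-progress: true
    steps:
      - name: Run pre-commit
        uses: govuk-one-login/github-actions/code-quality/run-pre-commit@4c76410195b5fcb1804fc7c183ed20704252830f
        with:
          all-files: true
          install-dependencies: 'true'
          node-version-file: '.nvmrc'

  unit-tests:
    name: Run unit tests
    runs-on: ubuntu-latest
    concurrency:
      group: unit-tests-${{ github.event.pull_request.number }}
      cancel-in-progress: true
    permissions:
      contents: read
    steps:
      - name: Setup Node
        uses: govuk-one-login/github-actions/node/install-dependencies@4c76410195b5fcb1804fc7c183ed20704252830f
      - name: Unit tests
        run: npm run test:coverage
      - name: Upload coverage report
        # TODO(review): pin to a commit SHA like the other actions in this file;
        # a mutable tag can be moved to different code after review.
        uses: actions/upload-artifact@v7
        with:
          name: coverage
          path: coverage/
          # Only consumed by scan-repo within this run; no need to retain longer.
          retention-days: 1

  scan-repo:
    name: CodeQL and Sonar scans
    # NOTE(review): only security-events is granted here and the caller's grant
    # is the ceiling for the reusable workflow; confirm it does not also need
    # contents: read.
    permissions:
      security-events: write
    needs: unit-tests
    uses: ./.github/workflows/scan-repo.yml
    secrets:
      sonar_token: ${{ secrets.SONAR_TOKEN }}
    with:
      # The coverage report uploaded by unit-tests in this same run.
      coverage-artifact: coverage
      coverage-run-id: ${{ github.run_id }}

  # pact test placeholder
  # infra test placeholder

  deploy-preview:
    name: Deploy preview stack
    permissions:
      # Needed to request the OIDC token used to assume role_arn.
      id-token: write
      contents: read
    uses: ./.github/workflows/deploy-preview.yml
    secrets:
      role_arn: ${{ secrets.DEV_GHA_PREVIEW_ROLE_ARN }}
      bucket_name: ${{ secrets.DEV_PREVIEW_ARTIFACT_BUCKET }}

  api-tests:
    name: Run api tests
    permissions:
      id-token: write
      contents: read
    # NOTE(review): cancel-in-progress is absent here, unlike the other jobs —
    # presumably so an interrupted run still reaches the stack cleanup step;
    # confirm that is intended.
    concurrency:
      group: api-tests-${{ github.event.pull_request.number }}
    needs: deploy-preview
    timeout-minutes: 15
    runs-on: ubuntu-latest
    steps:
      - name: Setup Node
        uses: govuk-one-login/github-actions/node/install-dependencies@4c76410195b5fcb1804fc7c183ed20704252830f
      - name: Assume AWS Role
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
        with:
          role-to-assume: ${{ secrets.DEV_GHA_PREVIEW_ROLE_ARN }}
          aws-region: ${{ needs.deploy-preview.outputs.aws-region }}
      - name: Run tests
        env:
          STACK_NAME: ${{ needs.deploy-preview.outputs.stack-name }}
          AWS_REGION: ${{ needs.deploy-preview.outputs.aws-region }}
        # Resolve the preview stack's API Gateway IDs and hand them to the test
        # suite. jq -e makes the pipeline fail when an output key is missing, so
        # the step aborts (the default bash shell runs with -eo pipefail) instead
        # of running the tests against an empty or "null" gateway id.
        run: |
          API_GATEWAY_ID_PRIVATE=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" | jq -er '.Stacks[].Outputs[] | select(.OutputKey == "PrivateApiGatewayId").OutputValue')
          API_GATEWAY_ID_PUBLIC=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" | jq -er '.Stacks[].Outputs[] | select(.OutputKey == "PublicApiGatewayId").OutputValue')
          export API_GATEWAY_ID_PRIVATE API_GATEWAY_ID_PUBLIC
          npm run test:api
      - name: Delete preview test stack
        # Runs even when the tests fail so the preview stack is not left behind.
        if: always()
        # Workflow values are passed through env rather than interpolated into
        # the script, and the region comes from the deploy job's output (the
        # same region the tests ran against) instead of a hard-coded one.
        env:
          STACK_NAME: ${{ needs.deploy-preview.outputs.stack-name }}
          AWS_REGION: ${{ needs.deploy-preview.outputs.aws-region }}
        run: |
          aws cloudformation delete-stack --region "$AWS_REGION" --stack-name "$STACK_NAME"

  merge-status:
    name: Merge status
    runs-on: ubuntu-latest
    concurrency:
      group: merge-status-${{ github.event.pull_request.number }}
      cancel-in-progress: true
    # NOTE(review): deploy-preview is covered transitively (api-tests is skipped,
    # hence not "success", when it fails); scan-repo is not in this list at all —
    # confirm that is intended.
    needs:
      - pre-commit
      - unit-tests
      - api-tests
    # Run even when a dependency failed so the summary below can report it.
    if: always()
    steps:
      - name: Report failed jobs
        run: |
          # needs.*.result is one of success/failure/cancelled/skipped; anything
          # other than success (including skipped) blocks the merge.
          failed=()
          [[ "${{ needs.pre-commit.result }}" != "success" ]] && failed+=("pre-commit")
          [[ "${{ needs.unit-tests.result }}" != "success" ]] && failed+=("unit-tests")
          [[ "${{ needs.api-tests.result }}" != "success" ]] && failed+=("api-tests")
          if [[ ${#failed[@]} -gt 0 ]]; then
            echo "The following jobs failed: ${failed[*]}"
            exit 1
          fi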