job_upload-sam-artifact.yml
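# Reusable workflow (workflow_call): checks out the caller's repository,
# optionally installs npm dependencies and generates a proxy OpenAPI spec,
# assumes an AWS role, runs `sam validate` and `sam build`, then hands the
# built template to the upload action together with a signing profile.
name: Validate, Build, and Upload Artifact to S3
# Version metadata kept in JSON-style flow syntax exactly as the author wrote it.
# NOTE(review): presumably read by release/versioning tooling - confirm before
# converting it to block style.
description: {
    "name": "upload-sam-artifact",
    "version": "v1.0.0",
    "message":
      "This update adds versioning to the upload-sam-artifact job."
  }
on:
  workflow_call:
    inputs:
      AWS_REGION:
        description: The AWS region
        type: string
        default: eu-west-2
      GENERATE_OPEN_PROXY_API_SPEC:
        description: Whether open proxy API spec needs to be generated
        type: string
        # Quoted so the default is a string, matching `type: string` and the
        # `== 'true'` comparisons in the step conditions below.
        default: 'false'
      TEMPLATE_NAME:
        description: The name of the SAM template to upload
        type: string
        default: template.yaml
      WORKING_DIRECTORY:
        description: Path to working directory in repo
        required: true
        type: string
    secrets:
      ARTIFACT_BUCKET:
        description: Artifact source bucket for Read ID Mock SAM artifact
        required: true
      GH_ACTIONS_ROLE_ARN:
        description: AWS role for pushing the test image and AWS artifact to AWS
        required: true
      SIGNING_PROFILE_NAME:
        description: Profile used to sign SAM artifact
        required: true

jobs:
  upload-artifact:
    name: "Validate and Upload Artifact"
    runs-on: ubuntu-24.04
    # NOTE(review): no `permissions:` block is declared, so this job runs with
    # whatever token scopes the calling workflow grants. The AWS step is given
    # only a role ARN, which looks like OIDC federation (would need
    # `id-token: write`) - confirm, then declare the minimum set explicitly.
    defaults:
      run:
        shell: bash
        working-directory: ${{ inputs.WORKING_DIRECTORY }}
    env:
      # Environment values are strings; quoted to avoid implicit int typing.
      SAM_CLI_TELEMETRY: '0'
    steps:
      # NOTE(review): checkout keeps its token in the local git config by
      # default; consider `persist-credentials: false` if no later step needs
      # authenticated git access - verify against the upload action first.
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true
          fetch-depth: 0

      - name: Setup NodeJS
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          cache: npm
          cache-dependency-path: ${{ inputs.WORKING_DIRECTORY }}/package-lock.json
          node-version-file: ${{ inputs.WORKING_DIRECTORY }}/.nvmrc

      # Writes the job token in plaintext to .npmrc inside the working
      # directory; the token reaches the script through the environment, not
      # through expression interpolation.
      # NOTE(review): the same directory is built and uploaded by later steps -
      # confirm .npmrc cannot end up inside the SAM build output or the
      # uploaded artifact, or remove the file once npm no longer needs it.
      - name: Configure Authentication for Private Packages in .npmrc
        if: inputs.GENERATE_OPEN_PROXY_API_SPEC == 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "engine-strict=true" > .npmrc
          echo "@govuk-one-login:registry=https://npm.pkg.github.com/" >> .npmrc
          echo "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN" >> .npmrc

      - name: Install Dependencies
        if: inputs.GENERATE_OPEN_PROXY_API_SPEC == 'true'
        run: npm clean-install

      - name: Authenticate with AWS
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          aws-region: ${{ inputs.AWS_REGION }}
          role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }}

      - name: Generate Proxy OpenAPI Spec
        if: inputs.GENERATE_OPEN_PROXY_API_SPEC == 'true'
        run: |
          npm run generate-proxy-open-api

      # The caller-supplied template name is passed through the environment and
      # quoted. Interpolating `${{ inputs.* }}` straight into `run:` pastes the
      # value into the script text before bash parses it, so shell
      # metacharacters in the input would run as commands while the AWS role
      # is assumed.
      - name: SAM Validate
        env:
          TEMPLATE_NAME: ${{ inputs.TEMPLATE_NAME }}
        run: sam validate --lint --template "$TEMPLATE_NAME"

      # Same environment indirection as the validate step.
      - name: SAM Build
        env:
          TEMPLATE_NAME: ${{ inputs.TEMPLATE_NAME }}
        run: sam build --cached --template "$TEMPLATE_NAME"

      # NOTE(review): unlike the other actions in this job, this one is
      # referenced by a mutable tag, and it receives the artifact bucket and
      # signing profile secrets. Pin it to the full commit SHA of v3.10.1
      # (<COMMIT_SHA_PLACEHOLDER>) so a moved tag cannot change what runs here.
      - name: Upload SAM Artifact into the Artifact Bucket
        uses: govuk-one-login/devplatform-upload-action@v3.10.1
        with:
          artifact-bucket-name: ${{ secrets.ARTIFACT_BUCKET }}
          signing-profile-name: ${{ secrets.SIGNING_PROFILE_NAME }}
          template-file: .aws-sam/build/template.yaml
          working-directory: ${{ inputs.WORKING_DIRECTORY }}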