add workflows for pr and post merge

Author: kikidawson-gds

.github/workflows/backend-api-post-merge.yml

@@ -17,47 +17,20 @@ permissions:
   id-token: write
 
 jobs:
-  run-test-suite:
-    name: Run test suite
-    uses:
-      govuk-one-login/mobile-id-check-async/.github/workflows/job_test-suite.yml@DCMAW-11654
-    with:
-      WORKING_DIRECTORY: backend-api
-
-  sonarqube-scan:
-    name: SonarQube Scan
-    needs: run-test-suite
-    uses:
-      govuk-one-login/mobile-id-check-async/.github/workflows/job_sonarqube.yml@DCMAW-11654
-    with:
-      DOWNLOAD_TEST_COVERAGE: true
-      WORKING_DIRECTORY: backend-api
-    secrets: inherit
-
-  dev-post-merge:
-    name: Build and push image, build and upload artifact to S3 for dev
-    needs: run-test-suite
-    uses:
-      govuk-one-login/mobile-id-check-async/.github/workflows/workflow_post-merge.yml@DCMAW-11654
-    with:
-      WORKING_DIRECTORY: backend-api
-    secrets:
-      ARTIFACT_BUCKET_NAME: ${{ secrets.TEST_RESOURCES_DEV_ARTIFACT_BUCKET }}
-      CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}
-      GH_ACTIONS_ROLE_ARN: ${{ secrets.BACKEND_API_DEV_GH_ACTIONS_ROLE_ARN }}
-      SIGNING_PROFILE_NAME: ${{ secrets.DEV_SIGNING_PROFILE_NAME }}
-      TEST_IMAGE_REPOSITORY_URI: ${{ secrets.BACKEND_API_DEV_TEST_IMAGE_REPOSITORY }}
-
-  build-post-merge:
-    name: Build and push image, build and upload artifact to S3 for build
-    needs: dev-post-merge
+  post-merge:
+    name: Run tests, build and push image, build and upload artifact to S3 for dev and build
     uses:
       govuk-one-login/mobile-id-check-async/.github/workflows/workflow_post-merge.yml@DCMAW-11654
     with:
       WORKING_DIRECTORY: backend-api
     secrets:
-      ARTIFACT_BUCKET_NAME: ${{ secrets.TEST_RESOURCES_BUILD_ARTIFACT_BUCKET }}
-      CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }}
-      GH_ACTIONS_ROLE_ARN: ${{ secrets.BACKEND_API_BUILD_GH_ACTIONS_ROLE_ARN }}
-      SIGNING_PROFILE_NAME: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }}
-      TEST_IMAGE_REPOSITORY_URI: ${{ secrets.BACKEND_API_BUILD_TEST_IMAGE_REPOSITORY }}
+      DEV_ARTIFACT_BUCKET_NAME: ${{ secrets.BACKEND_API_DEV_ARTIFACT_BUCKET }}
+      DEV_CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}
+      DEV_GH_ACTIONS_ROLE_ARN: ${{ secrets.BACKEND_API_DEV_GH_ACTIONS_ROLE_ARN }}
+      DEV_SIGNING_PROFILE_NAME: ${{ secrets.DEV_SIGNING_PROFILE_NAME }}
+      DEV_TEST_IMAGE_REPOSITORY_URI: ${{ secrets.BACKEND_API_DEV_TEST_IMAGE_REPOSITORY }}
+      BUILD_ARTIFACT_BUCKET_NAME: ${{ secrets.BACKEND_API_BUILD_ARTIFACT_BUCKET }}
+      BUILD_CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }}
+      BUILD_GH_ACTIONS_ROLE_ARN: ${{ secrets.BACKEND_API_BUILD_GH_ACTIONS_ROLE_ARN }}
+      BUILD_SIGNING_PROFILE_NAME: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }}
+      BUILD_TEST_IMAGE_REPOSITORY_URI: ${{ secrets.BACKEND_API_BUILD_TEST_IMAGE_REPOSITORY }}

.github/workflows/backend-api-pull-request.yml

@@ -17,31 +17,12 @@ on:
   workflow_dispatch:
 
 jobs:
-  ci-checks:
-    name: CI Checks
+  pull-request:
+    name: Run linters, test suite, and sonarQube
     if: github.event.pull_request.draft == false
     uses:
-      govuk-one-login/mobile-id-check-async/.github/workflows/job_ci-checks.yml@DCMAW-11654
+      govuk-one-login/mobile-id-check-async/.github/workflows/workflow_pull-request.yml@DCMAW-11654
     with:
-      GENERATE_PROXY_OPEN_API_SPEC: true
-      WORKING_DIRECTORY: backend-api
-    secrets: inherit
-
-  run-test-suite:
-    name: Run test suite
-    if: github.event.pull_request.draft == false
-    uses:
-      govuk-one-login/mobile-id-check-async/.github/workflows/job_test-suite.yml@DCMAW-11654
-    with:
-      WORKING_DIRECTORY: backend-api
-        
-  sonarqube:
-    name: SonarQube
-    needs: run-test-suite
-    uses:
-      govuk-one-login/mobile-id-check-async/.github/workflows/job_sonarqube.yml@DCMAW-11654
-    with:
-      DOWNLOAD_TEST_COVERAGE: true
-      RUN_SONARQUBE_QUALITY_GATE_CHECK: true
+      RUN_SONARQUBE_SCAN: true
       WORKING_DIRECTORY: backend-api
     secrets: inherit

.github/workflows/job_build-and-push-test-image.yml

@@ -61,4 +61,4 @@ jobs:
 
       - name: Sign image
         run: |
-          cosign sign --key awskms:///$CONTAINER_SIGN_KMS_KEY TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG
+          cosign sign --key awskms:///$CONTAINER_SIGN_KMS_KEY $TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG

.github/workflows/job_build-and-upload-sam-app.yml

@@ -48,23 +48,27 @@ jobs:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }}
 
-      # - name: Cache SAM builds
-      #   uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # pin@v4
-      #   with:
-      #     path: |
-      #       ./backend-api/.aws-sam/cache
-      #       ./backend-api/.aws-sam/deps
-      #       ./backend-api/.aws-sam/build.toml
-      #     key: sam-${{ inputs.WORKING_DIRECTORY }}
-
       - name: Sam validate
         run: |
           echo "SAM_CLI_TELEMETRY=0" >> $GITHUB_ENV
           sam validate --lint --template $TEMPLATE_NAME
 
-      - name: Build SAM artifact from template file
+      - name: Get cache key
+        id: get-cache-key
+        run: |
+          echo "cache-key=sam-$WORKING_DIRECTORY-${{ hashFiles('**/template.yaml') }}" >> "$GITHUB_OUTPUT"
+          echo "restore-keys=sam-$WORKING_DIRECTORY-" >> "$GITHUB_OUTPUT"
+
+      - name: Cache SAM dependencies
+        uses: actions/cache@v4
+        with:
+          key: ${{ steps.get-cache-key.outputs.cache-key }}
+          restore-keys: ${{ steps.get-cache-key.outputs.restore-keys }}
+          path: .aws-sam
+
+      - name: Build SAM artifact from template
         run: |
-          sam build --template $TEMPLATE_NAME
+          sam build --cached --template $TEMPLATE_NAME
 
       - name: Upload SAM artifact into the S3 artifact bucket
         uses: govuk-one-login/devplatform-upload-action@a3ea2d79b7ee95bc6ecea69aea6ec75f19faee41 #v3.9.3

.github/workflows/job_ci-checks.yml

@@ -3,16 +3,6 @@ name: CI Checks
 on:
   workflow_call:
     inputs:
-      GENERATE_PROXY_OPEN_API_SPEC:
-        description: Whether to run script to generate proxy openAPI spec
-        required: false
-        type: boolean
-        default: false
-      RUN_LINTER:
-        description: Whether to run a linter
-        required: false
-        type: boolean
-        default: true
       TEMPLATE_NAME:
         description: CloudFormation template name
         required: false
@@ -54,20 +44,18 @@ jobs:
         run: npm clean-install
 
       - name: Linting
-        if: ${{ inputs.RUN_LINTER }}
         run: npm run lint
 
-      - name: Check formatting
-        run: npm run format:check
-
-      # - name: Generate proxy open api spec
-      #   if: ${{ inputs.GENERATE_PROXY_OPEN_API_SPEC }}
-      #   run: npm run generate-proxy-open-api
-
       - name: Set up Homebrew
         if: ${{ inputs.VERIFY_TEMPLATE_RAIN }}
         id: set-up-homebrew
-        uses: Homebrew/actions/setup-homebrew@a7a36215df86859f163fbb774ebe0cecf9ec8547 
+        run: |
+          # The suggested command doesn't persist across steps: eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          # The following commands mimics the output from the suggested command. It may break for future runners.
+          echo "HOMEBREW_CELLAR=/home/linuxbrew/.linuxbrew/Cellar" >> $GITHUB_ENV
+          echo "HOMEBREW_REPOSITORY=/home/linuxbrew/.linuxbrew/Homebrew" >> $GITHUB_ENV
+          echo "/home/linuxbrew/.linuxbrew/sbin" >> $GITHUB_PATH
+          echo "/home/linuxbrew/.linuxbrew/bin" >> $GITHUB_PATH
 
       - name: Install rain
         if: ${{ inputs.VERIFY_TEMPLATE_RAIN }}

.github/workflows/job_sonarqube.yml

@@ -44,14 +44,14 @@ jobs:
         run: npm clean-install
 
       - name: Download coverage artifact
-        if: ${{ inputs.DOWNLOAD_TEST_COVERAGE }} == true
+        if: ${{ inputs.DOWNLOAD_TEST_COVERAGE }}
         uses: actions/download-artifact@v3
         with:
           name: test-coverage
           path: coverage/
 
       - name: Generate test coverage report for SonarQube Quality Gate Check
-        if: ${{ inputs.DOWNLOAD_TEST_COVERAGE }} == false
+        if: ${{ ! inputs.DOWNLOAD_TEST_COVERAGE }}
         run: npm run test:unit
 
       - name: Run SonarQube Scan

.github/workflows/job_test-suite.yml

@@ -3,6 +3,11 @@ name: Run Test Suite
 on:
   workflow_call:
     inputs:
+      RUN_SONARQUBE_SCAN:
+        description: Whether to run sonarQube scans
+        required: false
+        type: boolean
+        default: false
       WORKING_DIRECTORY:
         description: Working directory
         required: true
@@ -36,7 +41,8 @@ jobs:
       - name: Run all tests
         run: npm run test
 
-      - name: Upload coverage artifact
+      - name: Upload coverage artifact, if running SonarQube scan
+        if: ${{ inputs.RUN_SONARQUBE_SCAN }}
         uses: actions/upload-artifact@v3
         with:
           name: test-coverage

.github/workflows/test-resources-post-merge.yml

@@ -0,0 +1,36 @@
+name: test-resources post merge
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "test-resources/**"
+      - ".github/workflows/test-resources-post-merge.yml"
+      - "!test-resources/**/*.md"
+      - "!test-resources/**/*.png"
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  post-merge:
+    name: Run tests, build and push image, build and upload artifact to S3 for dev and build
+    uses:
+      govuk-one-login/mobile-id-check-async/.github/workflows/workflow_post-merge.yml@DCMAW-11654
+    with:
+      WORKING_DIRECTORY: test-resources
+    secrets:
+      DEV_ARTIFACT_BUCKET_NAME: ${{ secrets.TEST_RESOURCES_DEV_ARTIFACT_BUCKET }}
+      DEV_CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}
+      DEV_GH_ACTIONS_ROLE_ARN: ${{ secrets.TEST_RESOURCES_DEV_GH_ACTIONS_ROLE_ARN }}
+      DEV_SIGNING_PROFILE_NAME: ${{ secrets.DEV_SIGNING_PROFILE_NAME }}
+      DEV_TEST_IMAGE_REPOSITORY_URI: ${{ secrets.TEST_RESOURCES_DEV_TEST_IMAGE_REPOSITORY_URI }}
+      BUILD_ARTIFACT_BUCKET_NAME: ${{ secrets.TEST_RESOURCES_BUILD_ARTIFACT_BUCKET }}
+      BUILD_CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }}
+      BUILD_GH_ACTIONS_ROLE_ARN: ${{ secrets.TEST_RESOURCES_BUILD_GH_ACTIONS_ROLE_ARN }}
+      BUILD_SIGNING_PROFILE_NAME: ${{ secrets.BUILD_SIGNING_PROFILE_NAME }}
+      BUILD_TEST_IMAGE_REPOSITORY_URI: ${{ secrets.TEST_RESOURCES_BUILD_TEST_IMAGE_REPOSITORY_URI }}

.github/workflows/test-resources-pull-request.yml

@@ -9,38 +9,20 @@ on:
       - ready_for_review
       - synchronize
     paths:
-      - "test-resources/**"
       - ".github/workflows/test-resources-pull-request.yml"
+      - "test-resources/**"
       - "!test-resources/**/*.md"
       - "!test-resources/**/*.png"
 
   workflow_dispatch:
 
 jobs:
-  ci-checks:
-    name: CI Checks
+  pull-request:
+    name: Run linters, test suite, and sonarQube
     if: github.event.pull_request.draft == false
     uses:
-      govuk-one-login/mobile-id-check-async/.github/workflows/job_ci-checks.yml@DCMAW-11654
+      govuk-one-login/mobile-id-check-async/.github/workflows/workflow_pull-request.yml@DCMAW-11654
     with:
+      RUN_SONARQUBE_SCAN: true
       WORKING_DIRECTORY: test-resources
     secrets: inherit
-
-  run-test-suite:
-    name: Run test suite
-    if: github.event.pull_request.draft == false
-    uses:
-      govuk-one-login/mobile-id-check-async/.github/workflows/job_test-suite.yml@DCMAW-11654
-    with:
-      WORKING_DIRECTORY: test-resources
-
-  sonarqube:
-    name: SonarQube
-    needs: run-test-suite
-    uses:
-      govuk-one-login/mobile-id-check-async/.github/workflows/job_sonarqube.yml@DCMAW-11654
-    with:
-      DOWNLOAD_TEST_COVERAGE: true
-      RUN_SONARQUBE_QUALITY_GATE_CHECK: true
-      WORKING_DIRECTORY: test-resources
-    secrets: inherit