govuk-one-login
diff --git a/‎.github/jobs/ci-checks.yml‎
Lines changed: 107 additions & 0 deletions b/‎.github/jobs/ci-checks.yml‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎.github/jobs/push-docker-image.yml‎
Lines changed: 88 additions & 0 deletions b/‎.github/jobs/push-docker-image.yml‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎.github/jobs/test-suite.yml‎
Lines changed: 118 additions & 0 deletions b/‎.github/jobs/test-suite.yml‎
Lines changed: 118 additions & 0 deletions
@@ -0,0 +1,107 @@
+name: CI Checks
+
+description: {
+  "name": "ci-checks",
+  "version": "v1.0.0",
+  "message":
+    "This update adds versioning to the ci-checks job."
+  }
+
+on:
+  workflow_call:
+    inputs:
+      RUN_FORMATTING:
+        description: Whether to run the `format:check` npm script
+        type: string
+        default: true
+      RUN_LINTER:
+        description: Whether to run the `lint` npm script
+        type: string
+        default: true
+      RUN_RAIN_FORMAT_VERIFY:
+        description: Whether to verify template format by running the `infra:format:verify` npm script
+        type: string
+        default: false
+      RUN_SAM_VALIDATE:
+        description: Whether to run SAM validate lint on templates
+        type: string
+        default: true
+      WORKING_DIRECTORY:
+        description: Path to working directory in repo
+        required: true
+        type: string
+      PRIVATE_PACKAGES_REQUIRED:
+        description: Whether private packages must be installed
+        type: string
+        default: false
+
+jobs:
+  ci-checks:
+    name: Run CI checks
+    runs-on: ubuntu-24.04
+    env:
+      SAM_CLI_TELEMETRY: 0
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ inputs.WORKING_DIRECTORY }}
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          submodules: true
+
+      - name: Setup nodeJS
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          cache: npm
+          cache-dependency-path: ${{ inputs.WORKING_DIRECTORY }}/package-lock.json
+          node-version-file: ${{ inputs.WORKING_DIRECTORY }}/.nvmrc
+
+      - name: Configure authentication for private packages in .npmrc
+        if: inputs.PRIVATE_PACKAGES_REQUIRED == 'true'
+        run: |
+          echo "engine-strict=true" > .npmrc
+          echo "@govuk-one-login:registry=https://npm.pkg.github.com/" >> .npmrc
+          echo "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN" >> .npmrc
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install dependencies
+        run: npm clean-install
+
+      - name: Check formatting
+        if: inputs.RUN_FORMATTING == 'true'
+        run: npm run format:check
+
+      - name: Check linting
+        if: inputs.RUN_LINTER == 'true'
+        run: npm run lint
+
+      - name: Set up Homebrew
+        if: inputs.RUN_RAIN_FORMAT_VERIFY == 'true'
+        id: set-up-homebrew
+        run: |
+          # Suggestion found in Ubuntu-24.02 runner image README; https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md
+          # The suggested command doesn't persist across steps: eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          # The following commands mimics the output from the suggested command. It may break for future runners.
+          echo "HOMEBREW_CELLAR=/home/linuxbrew/.linuxbrew/Cellar" >> $GITHUB_ENV
+          echo "HOMEBREW_REPOSITORY=/home/linuxbrew/.linuxbrew/Homebrew" >> $GITHUB_ENV
+          echo "/home/linuxbrew/.linuxbrew/sbin" >> $GITHUB_PATH
+          echo "/home/linuxbrew/.linuxbrew/bin" >> $GITHUB_PATH
+
+      - name: Install rain
+        if: inputs.RUN_RAIN_FORMAT_VERIFY == 'true'
+        run: brew install rain
+
+      - name: Verify template format using rain
+        if: inputs.RUN_RAIN_FORMAT_VERIFY == 'true'
+        run: npm run infra:format:verify
+
+      - name: Validate SAM template
+        if: inputs.RUN_SAM_VALIDATE == 'true'
+        run: |
+          TEMPLATES="$(find . -name "template*.yaml")"
+          for template in $TEMPLATES ; do
+            sam validate --lint --template-file $template
+          done
@@ -0,0 +1,88 @@
+name: Build, Push, Sign and Tag Test Image
+
+description: {
+  "name": "push-docker-image",
+  "version": "v1.0.0",
+  "message":
+    "This update adds versioning to the push-docker-image job."
+  }
+
+on:
+  workflow_call:
+    inputs:
+      AWS_REGION:
+        description: The AWS region
+        type: string
+        default: eu-west-2
+      IMAGE_TAG:
+        description: The docker image tag
+        type: string
+        default: latest
+      PRIVATE_PACKAGES_REQUIRED:
+        description: Whether private packages must be installed
+        type: string
+        default: false
+      WORKING_DIRECTORY:
+        description: Path to working directory in repo
+        required: true
+        type: string
+    secrets:
+      CONTAINER_SIGN_KMS_KEY:
+        description: KMS key for encrypting the test image
+        required: true
+      GH_ACTIONS_ROLE_ARN:
+        description: AWS Role for pushing the test image and AWS artifact to AWS
+        required: true
+      TEST_IMAGE_REPOSITORY_URI:
+        description: uri of the ECR for the test images
+        required: true
+
+jobs:
+  docker-build-push-sign:
+    name: "Build, Push, and Sign Test Image"
+    runs-on: ubuntu-24.04
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ inputs.WORKING_DIRECTORY }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          submodules: true
+          fetch-depth: 0
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 #v3.9.2
+        with:
+          cosign-release: 'v2.5.2'
+
+      - name: Configure Authentication for Private Packages in .npmrc
+        if: inputs.PRIVATE_PACKAGES_REQUIRED == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "engine-strict=true" > .npmrc
+          echo "@govuk-one-login:registry=https://npm.pkg.github.com/" >> .npmrc
+          echo "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN" >> .npmrc
+
+      - name: Authenticate with AWS
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2
+        with:
+          aws-region: ${{ inputs.AWS_REGION }}
+          role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }}
+
+      - name: Login to AWS ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 #v2.0.1
+
+      - name: Build Image
+        run: |
+          docker build -t ${{ secrets.TEST_IMAGE_REPOSITORY_URI }}:${{ inputs.IMAGE_TAG }} .
+
+      - name: Push Image
+        run: |
+          docker push ${{ secrets.TEST_IMAGE_REPOSITORY_URI }}:${{ inputs.IMAGE_TAG }}
+
+      - name: Sign Image
+        run: |
+          cosign sign --key awskms:///${{ secrets.CONTAINER_SIGN_KMS_KEY }} ${{ secrets.TEST_IMAGE_REPOSITORY_URI }}:${{ inputs.IMAGE_TAG }}
@@ -0,0 +1,118 @@
+name: Run Test Suite
+
+description: {
+  "name": "test-suite",
+  "version": "v1.0.0",
+  "message":
+    "This update adds versioning to the test-suite job."
+  }
+
+on:
+  workflow_call:
+    inputs:
+      RUN_INFRA_TESTS:
+        description: Whether to run infra tests using `test:infra` npm script
+        type: string
+        default: true
+      RUN_SONARQUBE:
+        description: Whether to run SonarQube checks. Needs RUN_UNIT_TESTS to be true.
+        type: string
+        default: true
+      RUN_UNIT_TESTS:
+        description: Whether to run unit tests using `test:unit` npm script
+        type: string
+        default: true
+      SONARQUBE_CONTINUE_ON_ERROR:
+        description: Whether to continue running the workflow if SonarQube quality gate fails
+        type: string
+        default: false
+      WORKING_DIRECTORY:
+        description: Path to working directory in repo
+        required: true
+        type: string
+      PRIVATE_PACKAGES_REQUIRED:
+        description: Whether private packages must be installed
+        type: string
+        default: false
+      RUN_PACT_TESTS:
+        description: Whether to run pact tests using `test:pact:ci` npm script
+        type: string
+        default: false
+    secrets:
+      SONAR_TOKEN:
+        description: The token used for secure access to the SonarQube platform
+        required: false
+
+jobs:
+  run-test-suite:
+    name: Run test suite and SonarQube
+    runs-on: ubuntu-24.04
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ inputs.WORKING_DIRECTORY }}
+    env:
+      CONTINUE_ON_ERROR: ${{ inputs.SONARQUBE_CONTINUE_ON_ERROR }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Setup NodeJS
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          cache: npm
+          cache-dependency-path: ${{ inputs.WORKING_DIRECTORY }}/package-lock.json
+          node-version-file: ${{ inputs.WORKING_DIRECTORY }}/.nvmrc
+
+      - name: Configure Authentication for Private Packages in .npmrc
+        if: inputs.GENERATE_OPEN_PROXY_API_SPEC == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "engine-strict=true" > .npmrc
+          echo "@govuk-one-login:registry=https://npm.pkg.github.com/" >> .npmrc
+          echo "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN" >> .npmrc
+
+      - name: Install Dependencies
+        run: npm clean-install
+
+      - name: Run Unit Tests
+        if: inputs.RUN_UNIT_TESTS == 'true'
+        run: npm run test:unit
+
+      - name: Run Infra Tests
+        if: inputs.RUN_INFRA_TESTS == 'true'
+        run: npm run test:infra
+
+      - name: Run Pact Tests
+        if: inputs.RUN_PACT_TESTS == 'true'
+        continue-on-error: true # Pact tests are currently failing - remove step once fixed
+        env:
+          PACT_BROKER_URL: "https://pactbroker-onelogin.account.gov.uk"
+          PACT_BROKER_USERNAME: ${{ secrets.PACT_BROKER_USERNAME }}
+          PACT_BROKER_PASSWORD: ${{ secrets.PACT_BROKER_PASSWORD }}
+          PACT_BROKER_SOURCE_SECRET: ${{ secrets.PACT_BROKER_SOURCE_SECRET }}
+          PUBLISH_PACT_VERIFICATION_RESULTS: "false"
+        run: npm run test:pact:ci
+
+      - name: Run SonarQube Scan
+        if: inputs.RUN_SONARQUBE == 'true'
+        uses: sonarsource/sonarqube-scan-action@8c71dc039c2dd71d3821e89a2b58ecc7fee6ced9 #v5.3.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          projectBaseDir: ${{ inputs.WORKING_DIRECTORY }}
+
+      - name: Run SonarQube Quality Gate Check
+        if: inputs.RUN_SONARQUBE == 'true'
+        uses: Sonarsource/sonarqube-quality-gate-action@8406f4f1edaffef38e9fb9c53eb292fc1d7684fa #master
+        continue-on-error: ${{ fromJSON(env.CONTINUE_ON_ERROR) }}
+        timeout-minutes: 5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          scanMetadataReportFile: ${{ inputs.WORKING_DIRECTORY }}/.scannerwork/report-task.txt