Bump semver from 6.3.0 to 6.3.1 in /modules/cloudfront-logs/lambda #180
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD Pipeline | |
permissions: | |
contents: read | |
security-events: write | |
id-token: write | |
actions: write | |
on: | |
push: | |
pull_request: | |
branches: | |
- main | |
types: [opened, synchronize, reopened] | |
jobs: | |
get-metadata: | |
name: "Get Metadata" | |
runs-on: ubuntu-latest | |
outputs: | |
build_datetime: ${{ steps.metadata.outputs.build_datetime }} | |
build_timestamp: ${{ steps.metadata.outputs.build_timestamp }} | |
build_epoch: ${{ steps.metadata.outputs.build_epoch }} | |
terraform_version: ${{ steps.metadata.outputs.terraform_version }} | |
steps: | |
- uses: actions/checkout@v3 | |
- id: metadata | |
name: Get Metadata | |
uses: ./.github/actions/get-metadata | |
- id: cloc | |
name: Get Lines of Code | |
uses: ./.github/actions/cloc-repository | |
formatting-checks: | |
needs: [get-metadata] | |
runs-on: ubuntu-latest | |
name: Formatting Checks | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Check File Format | |
uses: ./.github/actions/check-file-format | |
- name: Check Markdown Format | |
uses: ./.github/actions/check-markdown-format | |
- name: Check Terraform Format | |
uses: ./.github/actions/check-terraform-format | |
security-scan: | |
needs: [get-metadata] | |
runs-on: ubuntu-latest | |
name: Security Scanning | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Scan Dependencies | |
uses: ./.github/actions/scan-dependencies | |
- name: Scan Secrets | |
uses: ./.github/actions/scan-secrets | |
checkov: | |
name: Checkov | |
runs-on: ubuntu-latest | |
needs: [formatting-checks, security-scan] | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.11' | |
- name: Install Latest Checkov | |
id: install-checkov | |
run: pip install --user checkov | |
- name: Run Checkov | |
id: run-checkov | |
run: checkov --directory . -o sarif -s --quiet | |
- name: Upload SARIF File | |
uses: github/codeql-action/upload-sarif@v2 | |
if: always() && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
with: | |
sarif_file: results.sarif | |
tflint: | |
name: TFLint | |
runs-on: ubuntu-latest | |
needs: [formatting-checks, security-scan] | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Setup TFLint Cache | |
uses: actions/cache@v3 | |
with: | |
path: ~/.tflint.d/plugins | |
key: tflint-${{ hashFiles('.tflint.hcl') }} | |
- name: Setup TFLint | |
uses: terraform-linters/setup-tflint@v3 | |
with: | |
tflint_version: v0.47.0 | |
- name: Init TFLint | |
run: tflint --init | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
- name: Run TFLint | |
run: tflint -f compact | |
build-example-app: | |
name: Build Example App | |
runs-on: ubuntu-latest | |
needs: [tflint, checkov] | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install asdf & tools | |
uses: asdf-vm/actions/install@v2 | |
- name: Install Example Dependencies | |
run: make example-install | |
- name: Build Example App | |
run: make example-build | |
- name: Zip OpenNext Deployment Assets | |
run: cd example/.open-next && zip -r ../../open-next.zip . -q | |
- name: Store Build Artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: example-app-opennext-build | |
path: open-next.zip | |
deploy: | |
name: Deploy Example App | |
runs-on: ubuntu-latest | |
needs: [build-example-app] | |
if: success() && github.ref_name == 'main' | |
concurrency: example-deploy | |
environment: | |
name: Example Application | |
url: https://terraform-aws-opennext.tools.engineering.england.nhs.uk/ | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install asdf & tools | |
uses: asdf-vm/actions/install@v2 | |
- id: aws-credentials | |
name: Setup AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v2 | |
with: | |
role-to-assume: ${{ secrets.DEPLOYMENT_IAM_ROLE }} | |
aws-region: eu-west-2 | |
- name: Get Current Identity | |
run: aws sts get-caller-identity | |
- name: Download Build Artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: example-app-opennext-build | |
- name: Unzip Build Artifacts to .open-next folder | |
run: unzip -q -d example/.open-next open-next.zip | |
- name: Run Terraform Init | |
run: terraform -chdir=example/terraform init | |
- name: Run Terraform Plan | |
run: terraform -chdir=example/terraform plan -out example-app.tfplan | |
- name: Store Terraform Plan Artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: example-app-tfplan-output | |
path: example/terraform/example-app.tfplan | |
- name: Run Terraform Apply | |
run: terraform -chdir=example/terraform apply example-app.tfplan | |
- name: Get CloudFront Distribution ID | |
id: get_distribution_id | |
run: echo "distribution_id=$(terraform -chdir=example/terraform output -raw cloudfront_distribution_id)" >> "$GITHUB_OUTPUT" | |
- name: Trigger CloudFront Cache Invalidation | |
id: trigger_invalidation | |
run: echo "invalidation_id=$(aws cloudfront create-invalidation --distribution-id ${{ steps.get_distribution_id.outputs.distribution_id }} --paths '/*' --output text --query Invalidation.Id)" >> "$GITHUB_OUTPUT" | |
- name: Wait for Invalidation | |
run: aws cloudfront wait invalidation-completed --distribution-id ${{ steps.get_distribution_id.outputs.distribution_id }} --id ${{ steps.trigger_invalidation.outputs.invalidation_id }} |