Skip to content

Revert "Owasp/add permissions policy header (#1707)" (#1754) #1048

Revert "Owasp/add permissions policy header (#1707)" (#1754)

Revert "Owasp/add permissions policy header (#1707)" (#1754) #1048

Workflow file for this run

name: Build, push to AWS ECR, and deploy
on:
push:
branches:
- main
env:
AWS_REGION: ca-central-1
DOCKER_ORG: public.ecr.aws/v6b8u5o6
DOCKER_SLUG: public.ecr.aws/v6b8u5o6/notify-admin
KUBECTL_VERSION: '1.18.0'
permissions:
id-token: write # This is required for requesting the OIDC JWT
contents: read # This is required for actions/checkout
jobs:
deploy:
runs-on: ubuntu-latest
name: Build and push
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install AWS CLI
run: |
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip -q awscliv2.zip
sudo ./aws/install --update
aws --version
- name: Install kubectl
run: |
curl -LO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl
kubectl version --client
mkdir -p $HOME/.kube
- name: Configure credentials to CDS public ECR using OIDC
uses: aws-actions/configure-aws-credentials@master
with:
role-to-assume: arn:aws:iam::283582579564:role/notification-admin-apply
role-session-name: NotifyAdminGitHubActions
aws-region: "us-east-1"
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
with:
registry-type: public
- name: Build
run: |
docker pull $DOCKER_SLUG:latest
docker build \
--cache-from $DOCKER_SLUG:latest \
--build-arg GIT_SHA=${GITHUB_SHA::7} \
-t $DOCKER_SLUG:${GITHUB_SHA::7} \
-t $DOCKER_SLUG:latest \
-f ci/Dockerfile .
- name: Publish
run: |
docker push $DOCKER_SLUG:latest && docker push $DOCKER_SLUG:${GITHUB_SHA::7}
- name: Configure credentials to Notify account using OIDC
uses: aws-actions/configure-aws-credentials@master
with:
role-to-assume: arn:aws:iam::239043911459:role/notification-admin-apply
role-session-name: NotifyAdminGitHubActions
aws-region: "ca-central-1"
- name: Get Kubernetes configuration
run: |
aws eks --region $AWS_REGION update-kubeconfig --name notification-canada-ca-staging-eks-cluster --kubeconfig $HOME/.kube/config
- name: Update image in staging
run: |
kubectl set image deployment.apps/admin admin=$DOCKER_SLUG:${GITHUB_SHA::7} -n=notification-canada-ca --kubeconfig=$HOME/.kube/config
- name: my-app-install token
id: notify-pr-bot
uses: getsentry/action-github-app-token@97c9e23528286821f97fba885c1b1123284b29cc # v2.0.0
with:
app_id: ${{ secrets.NOTIFY_PR_BOT_APP_ID }}
private_key: ${{ secrets.NOTIFY_PR_BOT_PRIVATE_KEY }}
- uses: cds-snc/notification-pr-bot@main
env:
TOKEN: ${{ steps.notify-pr-bot.outputs.token }}
- name: Docker generate SBOM
uses: cds-snc/security-tools/.github/actions/generate-sbom@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
with:
docker_image: "${{ env.DOCKER_SLUG }}:latest"
dockerfile_path: "ci/Dockerfile"
sbom_name: "notification-admin"
token: "${{ secrets.GITHUB_TOKEN }}"
- name: Notify Slack channel if this job failed
if: ${{ failure() }}
run: |
json="{'text':'<!here> CI is failing in <https://github.com/cds-snc/notification-admin/|notification-admin> !'}"
curl -X POST -H 'Content-type: application/json' --data "$json" ${{ secrets.SLACK_WEBHOOK }}