From 577f479c336531f95dcf9afc371af4dcb539e550 Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 28 Nov 2024 16:42:27 +0000 Subject: [PATCH 01/26] add new workflows to replace old build for migration from ecr to ghcr --- .github/workflows/CODEOWNERS | 1 + .github/workflows/dependency-review.yml | 31 ++++++ .github/workflows/release.yml | 102 ++++++++++++++++++ .github/workflows/scan.yml | 40 +++++++ .../workflows/test-and-push-docker-image.yaml | 77 ------------- .github/workflows/test.yml | 39 +++++++ Makefile | 4 +- 7 files changed, 216 insertions(+), 78 deletions(-) create mode 100644 .github/workflows/CODEOWNERS create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/scan.yml delete mode 100644 .github/workflows/test-and-push-docker-image.yaml create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/CODEOWNERS b/.github/workflows/CODEOWNERS new file mode 100644 index 000000000..418e96728 --- /dev/null +++ b/.github/workflows/CODEOWNERS @@ -0,0 +1 @@ +* @ministryofjustice/analytical-platform \ No newline at end of file diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 000000000..f84aeaad7 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,31 @@ +--- +name: 🔍 Dependency Review + +on: + pull_request: + branches: + - main + types: + - edited + - opened + - reopened + - synchronize + +permissions: {} + +jobs: + dependency-review: + name: Dependency Review + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + id: checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Dependency Review + id: dependency_review + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 + with: + fail-on-severity: critical \ No newline at end of file 
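Review bot: The new CODEOWNERS file lives at `.github/workflows/CODEOWNERS`, which is not one of the locations GitHub reads for code ownership (the repository root, `.github/`, or `docs/`), so the `* @ministryofjustice/analytical-platform` rule will never be applied to a pull request. Move it to `.github/CODEOWNERS` (or the root) and give it a trailing newline, since the hunk ends with `\ No newline at end of file`. If the intent was to own only the workflows directory, a root-level file with the pattern `/.github/workflows/ @ministryofjustice/analytical-platform` expresses that.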
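Review bot: `fail-on-severity: critical` in the Dependency Review step lets newly introduced high-severity advisories merge unblocked, a lower bar than the `severity: HIGH,CRITICAL` gate scan.yml applies to the built image in the same patch; `fail-on-severity: high` would align the two gates. The checkout and review actions are SHA-pinned with version comments, which is the shape the rest of this series should keep. The file also ends without a trailing newline.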
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 000000000..dc9e66eb9 --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,102 @@ +--- +name: 🔖 Release + +on: + push: + tags: + - "*" + +permissions: {} + +jobs: + release: + name: Release + runs-on: ubuntu-latest + permissions: + actions: read + attestations: write + contents: write + id-token: write + packages: write + steps: + - name: Checkout + id: checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Set up Docker Context for Buildx + id: buildx-context + run: docker context use builders || docker context create builders + + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1 + with: + version: latest + endpoint: builders + + - name: Install cosign + id: install_cosign + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + + - name: Log in to GitHub Container Registry + id: ghcr_login + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and Push + id: build_and_push + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + with: + push: true + tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }} + + - name: Sign + id: sign + shell: bash + run: | + cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }} + + - name: Generate SBOM + id: generate_sbom + uses: anchore/sbom-action@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8 + with: + image: ghcr.io/${{ github.repository }}:${{ github.ref_name }} + format: cyclonedx-json + output-file: "sbom.cyclonedx.json" + + - name: Attest + uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 + id: attest + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.build_and_push.outputs.digest }} + push-to-registry: true + + - name: Attest SBOM + uses: 
actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1 + id: attest_sbom + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.build_and_push.outputs.digest }} + sbom-path: sbom.cyclonedx.json + push-to-registry: true + + - name: cosign Verify + id: cosign_verify + shell: bash + run: | + cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/${{ github.workflow_ref }} \ + ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }} + + - name: GitHub Attestation Verify + id: gh_attestation_verify + shell: bash + env: + GH_TOKEN: ${{ github.token }} + run: | + gh attestation verify oci://ghcr.io/${{ github.repository }}:${{ github.ref_name }} --repo ${{ github.repository }} \ No newline at end of file diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml new file mode 100644 index 000000000..4e39415af --- /dev/null +++ b/.github/workflows/scan.yml @@ -0,0 +1,40 @@ +--- +name: 🩻 Scan + +on: + pull_request: + branches: + - main + +permissions: {} + +jobs: + scan: + name: Scan + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + id: checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Build + id: build + shell: bash + env: + IMAGE_NAME: ghcr.io/${{ github.repository }} + IMAGE_TAG: ${{ github.sha }} + run: | + make build + + - name: Scan + id: scan + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 + env: + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 + TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 + with: + image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }} + severity: HIGH,CRITICAL + exit-code: 1 \ No newline at end of file 
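Review bot: The release job's permissions block grants `contents: write`, but nothing visible in the job writes to the repository: checkout needs `contents: read`, the attest steps need `id-token: write` and `attestations: write`, and the registry push plus `push-to-registry: true` need `packages: write`. Dropping it to `contents: read` keeps the GITHUB_TOKEN handed to the login, sign and push steps at least privilege for a job that fires on any tag push (`tags: - "*"`). Separately, the Generate SBOM step identifies the image by mutable tag (`image: ghcr.io/${{ github.repository }}:${{ github.ref_name }}`) while the Sign and Attest steps use `steps.build_and_push.outputs.digest`; referencing the digest there as well (`ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }}`, which syft-style image references accept) guarantees the attested SBOM describes exactly the artifact that was signed.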
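Review bot: The Scan step's `image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}` does not match the image `make build` produces at this commit: the Makefile's `build` target runs `docker-compose build frontend`, and docker-compose.yaml still names that service `${REGISTRY}/${REPOSITORY}_eks:${IMAGE_TAG:-latest}` (it is only switched to `${IMAGE_NAME}` in PATCH 03/26), so `REGISTRY` is unset and Trivy will not find a local image under the scanned reference. Either tag the build with exactly the name that is scanned, or have the Build step publish the name it produced as a step output and consume that in `image-ref`. Pinning `aquasecurity/trivy-action` by SHA and failing on HIGH,CRITICAL with `exit-code: 1` is the right gate once the two names line up.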
diff --git a/.github/workflows/test-and-push-docker-image.yaml b/.github/workflows/test-and-push-docker-image.yaml deleted file mode 100644 index 4268b28a4..000000000 --- a/.github/workflows/test-and-push-docker-image.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -name: Run tests and push Docker image on success - -"on": - push: - branches: [main] - pull_request: - release: - types: [published] - -permissions: {} - -jobs: - test-and-push: - runs-on: [self-hosted, management-ecr] - env: - LOGS_BUCKET_NAME: moj-analytics-s3-logs - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Docker Context for Buildx - id: buildx-context - run: docker context use builders || docker context create builders - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v1 - with: - version: latest - endpoint: builders - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-region: eu-west-1 - role-to-assume: arn:aws:iam::593291632749:role/github-actions-management-ecr - role-duration-seconds: 1200 - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - with: - registries: 593291632749 - - - name: Prep Tags - id: prep - run: | - TAG=noop - if [[ $GITHUB_REF == refs/tags/* ]]; then - TAG=${GITHUB_REF#refs/tags/} - elif [[ $GITHUB_REF == refs/pull/* ]]; then - TAG="sha-${GITHUB_SHA::8}" - elif [ "${{ github.event_name }}" = "push" ]; then - TAG="sha-${GITHUB_SHA::8}" - fi - echo ::set-output name=tag::${TAG} - echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ') - - - name: Build image - run: make build - env: - NETWORK: host - REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: ${{ steps.prep.outputs.tag }} - - - name: Run Python tests (docker-compose) - run: make clean && make test - env: - NETWORK: default - REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: ${{ steps.prep.outputs.tag }} - - - name: Push image - run: make push - env: - REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: ${{ steps.prep.outputs.tag }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 000000000..2d5d63ab2 --- /dev/null 
+++ b/.github/workflows/test.yml @@ -0,0 +1,39 @@ +--- +name: 🧪 Test + +on: + pull_request: + branches: + - main + +permissions: {} + +jobs: + test: + name: Test + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + id: checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + # - name: Set Up Container Structure Test + # id: setup_container_structure_test + # uses: ministryofjustice/github-actions/setup-container-structure-test@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0 + + - name: Test + id: test + shell: bash + env: + IMAGE_TAG: ${{ github.sha }} + run: | + make test + + - name: Run Python tests (docker-compose) + run: make clean && make test + env: + NETWORK: default + IMAGE_NAME: ghcr.io/${{ github.repository }} + IMAGE_TAG: ${{ github.sha }} \ No newline at end of file diff --git a/Makefile b/Makefile index be7337459..89b8c154c 100644 --- a/Makefile +++ b/Makefile @@ -3,8 +3,10 @@ VIRTUAL_ENV ?= venv BIN=${VIRTUAL_ENV}/bin IMAGE_TAG ?= local DOCKER_BUILDKIT?=1 -REGISTRY?=593291632749.dkr.ecr.eu-west-1.amazonaws.com +# REGISTRY?=593291632749.dkr.ecr.eu-west-1.amazonaws.com MAKEFLAGS += -j2 +IMAGE_NAME ?= ghcr.io/ministryofjustice/analytical-platform-control-panel + include Makefile.local.mk export From fc335f9baa627010100e38c9cc01fb27ab7f2bdc Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 28 Nov 2024 17:12:25 +0000 Subject: [PATCH 02/26] amend docker compose build --- .github/workflows/scan.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 4e39415af..3d5fca818 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
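Review bot: The new test job runs the suite twice: the Test step runs `make test`, and the next step runs `make clean && make test` again under a different environment (`IMAGE_TAG` only on the first, `NETWORK` and `IMAGE_NAME` only on the second), so the two runs build and exercise differently named images and the first result is simply discarded. Keep a single step and set `IMAGE_NAME`, `IMAGE_TAG` and `NETWORK` on it, e.g. `env: IMAGE_NAME: ghcr.io/${{ github.repository }}`, `IMAGE_TAG: ${{ github.sha }}`, `NETWORK: default`. The commented-out Set Up Container Structure Test step should be either enabled or removed rather than shipped as dead YAML.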
@@ -19,14 +19,17 @@ jobs: id: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Build + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Build with Docker Compose id: build shell: bash env: IMAGE_NAME: ghcr.io/${{ github.repository }} IMAGE_TAG: ${{ github.sha }} run: | - make build + docker compose build - name: Scan id: scan From 73dc2dd129d75a2a27db52b336f2e4c41f257f99 Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 28 Nov 2024 17:17:46 +0000 Subject: [PATCH 03/26] amend for Image_Name --- docker-compose.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 20e8ad2b6..d5576b22c 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -18,7 +18,7 @@ services: command: sh -c "exec redis-server --requirepass \"$${REDIS_PASSWORD}\"" migration: - image: ${REGISTRY}/${REPOSITORY}:${IMAGE_TAG:-latest} + image: ${IMAGE_NAME}:${IMAGE_TAG:-latest} depends_on: db: condition: service_healthy @@ -35,7 +35,7 @@ services: command: sh -c "./manage.py migrate" worker: - image: ${REGISTRY}/${REPOSITORY}_eks:${IMAGE_TAG:-latest} + image: ${IMAGE_NAME}_eks:${IMAGE_TAG:-latest} depends_on: redis: condition: service_started @@ -62,7 +62,7 @@ services: frontend: # Apologies to future devops. Naming is hard. - image: ${REGISTRY}/${REPOSITORY}_eks:${IMAGE_TAG:-latest} + image: ${IMAGE_NAME}_eks:${IMAGE_TAG:-latest} build: context: . # network: ${NETWORK:-default} From a0de990635da4b5d9255734260127b20a4df25bc Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 28 Nov 2024 17:27:28 +0000 Subject: [PATCH 04/26] debug --- .github/workflows/scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 3d5fca818..b964cc0ef 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
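Review bot: `uses: docker/setup-buildx-action@v2` is the only action in scan.yml referenced by a floating major tag; the checkout two lines above and the Trivy step below are pinned to full commit SHAs with a version comment, and release.yml from PATCH 01/26 already pins the same action as `docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1`. Use that pinned reference here so the scan job's supply chain is as tight as the release job's, and give the step an `id:` like its neighbours.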
@@ -26,7 +26,7 @@ jobs: id: build shell: bash env: - IMAGE_NAME: ghcr.io/${{ github.repository }} + IMAGE_NAME: ${{ github.repository }} IMAGE_TAG: ${{ github.sha }} run: | docker compose build @@ -38,6 +38,6 @@ jobs: TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 with: - image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }} + image-ref: ${{ github.repository }}:${{ github.sha }} severity: HIGH,CRITICAL exit-code: 1 \ No newline at end of file From e43eedd8434cd44cb55abee68031a4032ad57522 Mon Sep 17 00:00:00 2001 From: Emterry Date: Tue, 3 Dec 2024 09:32:32 +0000 Subject: [PATCH 05/26] debug --- Makefile | 3 ++- docker-compose.dev.yaml | 6 +++--- docker-compose.yaml | 6 +++--- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 89b8c154c..15033436a 100644 --- a/Makefile +++ b/Makefile @@ -5,12 +5,13 @@ IMAGE_TAG ?= local DOCKER_BUILDKIT?=1 # REGISTRY?=593291632749.dkr.ecr.eu-west-1.amazonaws.com MAKEFLAGS += -j2 -IMAGE_NAME ?= ghcr.io/ministryofjustice/analytical-platform-control-panel +IMAGE_NAME ?= ghcr.io/ministryofjustice/analytics-platform-control-panel include Makefile.local.mk export + .PHONY: clean build help test test-python dev-up clean: diff --git a/docker-compose.dev.yaml b/docker-compose.dev.yaml index 863cf5675..a023fb528 100644 --- a/docker-compose.dev.yaml +++ b/docker-compose.dev.yaml @@ -2,7 +2,7 @@ version: "3" services: frontend: - image: ${REGISTRY}/${REPOSITORY}:${IMAGE_TAG:-latest} + image: ${IMAGE_NAME}:${IMAGE_TAG-latest} stdin_open: true tty: true command: ["python", "manage.py", "runserver", "0.0.0.0:8000"] 
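Review bot: `image: ${IMAGE_NAME}:${IMAGE_TAG-latest}` in docker-compose.dev.yaml uses the `-` form, which applies the default only when `IMAGE_TAG` is unset; an empty `IMAGE_TAG=` (easy to produce from a CI env block or a `.env` file) yields `image: name:` and a rejected reference. The other services in this series use `${IMAGE_TAG:-latest}`, which also covers the empty case, so write `image: ${IMAGE_NAME}:${IMAGE_TAG:-latest}` here. The same `-latest` form reappears for the migration service in PATCH 10/26.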
@@ -11,11 +11,11 @@ services: ./tests:/home/controlpanel/tests ] migration: - image: ${REGISTRY}/${REPOSITORY}:${IMAGE_TAG:-latest} + image: ${IMAGE_NAME}:${IMAGE_TAG} volumes: [./controlpanel:/home/controlpanel/controlpanel] command: "python manage.py migrate" worker: - image: ${REGISTRY}/${REPOSITORY}:${IMAGE_TAG:-latest} + image: ${IMAGE_NAME}:${IMAGE_TAG:-latest} stdin_open: true tty: true volumes: [./controlpanel:/home/controlpanel/controlpanel] diff --git a/docker-compose.yaml b/docker-compose.yaml index d5576b22c..2197c70a2 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -18,7 +18,7 @@ services: command: sh -c "exec redis-server --requirepass \"$${REDIS_PASSWORD}\"" migration: - image: ${IMAGE_NAME}:${IMAGE_TAG:-latest} + image: ${IMAGE_NAME}:${IMAGE_TAG} depends_on: db: condition: service_healthy @@ -35,7 +35,7 @@ services: command: sh -c "./manage.py migrate" worker: - image: ${IMAGE_NAME}_eks:${IMAGE_TAG:-latest} + image: ${IMAGE_NAME}_eks:${IMAGE_TAG} depends_on: redis: condition: service_started @@ -62,7 +62,7 @@ services: frontend: # Apologies to future devops. Naming is hard. - image: ${IMAGE_NAME}_eks:${IMAGE_TAG:-latest} + image: ${IMAGE_NAME}_eks:${IMAGE_TAG} build: context: . # network: ${NETWORK:-default} From 47c36e213f874933bf233dc0aed620ecd992f23a Mon Sep 17 00:00:00 2001 From: Emterry Date: Tue, 3 Dec 2024 11:26:57 +0000 Subject: [PATCH 06/26] test-change --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index b964cc0ef..0bf49acb6 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
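Review bot: After this hunk the three services in docker-compose.dev.yaml each use a different tag default — migration `${IMAGE_NAME}:${IMAGE_TAG}` (none), worker `${IMAGE_TAG:-latest}`, and frontend `${IMAGE_TAG-latest}` from the previous hunk — while the docker-compose.yaml hunks below drop the `:-latest` default from all three services, so a plain `docker compose up` without `IMAGE_TAG` exported now produces an invalid `image: name:` reference. Pick one form, `${IMAGE_TAG:-latest}`, and use it for every service in both files; the Makefile's `IMAGE_TAG ?= latest` only helps callers that go through make.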
@@ -38,6 +38,6 @@ jobs: TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 with: - image-ref: ${{ github.repository }}:${{ github.sha }} + image-ref: ${{ github.repository }}_eks:${{ github.sha }} severity: HIGH,CRITICAL exit-code: 1 \ No newline at end of file From 84bccaa314c5f35f3be73d1078ee9ed462036bdc Mon Sep 17 00:00:00 2001 From: Emterry Date: Tue, 3 Dec 2024 12:24:51 +0000 Subject: [PATCH 07/26] remove test workflow --- .github/workflows/test.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2d5d63ab2..66cf8c455 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -29,11 +29,4 @@ jobs: env: IMAGE_TAG: ${{ github.sha }} run: | - make test - - - name: Run Python tests (docker-compose) - run: make clean && make test - env: - NETWORK: default - IMAGE_NAME: ghcr.io/${{ github.repository }} - IMAGE_TAG: ${{ github.sha }} \ No newline at end of file + make test \ No newline at end of file From 3808146c3f98cdf68492489a5166b929e3326bec Mon Sep 17 00:00:00 2001 From: Emterry Date: Tue, 3 Dec 2024 12:48:19 +0000 Subject: [PATCH 08/26] debug test --- .github/workflows/test.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 66cf8c455..98974931e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -23,10 +23,14 @@ jobs: # id: setup_container_structure_test # uses: ministryofjustice/github-actions/setup-container-structure-test@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0 - - name: Test - id: test + - name: Install Docker Compose + id: docker-compose-test shell: bash env: IMAGE_TAG: ${{ github.sha }} run: | - make test \ No newline at end of file + sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + sudo chmod +x /usr/local/bin/docker-compose + docker-compose --version + - name: Run tests + run: make test-python \ No newline at end of file From d75971caabe3c2a161296d4511245a78e622c655 Mon Sep 17 00:00:00 2001 From: Emterry Date: Tue, 3 Dec 2024 14:55:28 +0000 Subject: [PATCH 09/26] change to latest tag --- .github/workflows/test.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 98974931e..9db9aacbf 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,10 +24,7 @@ jobs: # uses: ministryofjustice/github-actions/setup-container-structure-test@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0 - name: Install Docker Compose - id: docker-compose-test - shell: bash - env: - IMAGE_TAG: ${{ github.sha }} + run: | sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose From f95741db59d3a66aac00070196330ad6284f57cf Mon Sep 17 00:00:00 2001 From: Emterry Date: Tue, 3 Dec 2024 16:08:04 +0000 Subject: [PATCH 10/26] debug --- Makefile | 2 +- docker-compose.dev.yaml | 2 +- docker-compose.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 15033436a..4bfcc3e80 100644 --- a/Makefile +++ b/Makefile 
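Review bot: The Install Docker Compose step fetches an executable with `sudo curl -L ... -o /usr/local/bin/docker-compose` and marks it executable without verifying it: no checksum is compared, so whatever the download host returns is what later runs the test suite. Compare the file against the published checksum for v2.21.0 before `chmod +x` (e.g. `echo "<EXPECTED_SHA256>  /usr/local/bin/docker-compose" | sha256sum -c -`), or drop the install and use the `docker compose` plugin that ubuntu-latest already provides, which is what the Makefile is switched to in PATCH 12/26. The step's `id: docker-compose-test` and `env: IMAGE_TAG` are leftovers from the test step it replaced, and the new `Run tests` step no longer sets `IMAGE_TAG` at all. The same unverified install is copied into build-and-test.yml in PATCH 11/26 and kept in test.yml in PATCH 12/26.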
@@ -1,7 +1,7 @@ REPOSITORY?=controlpanel VIRTUAL_ENV ?= venv BIN=${VIRTUAL_ENV}/bin -IMAGE_TAG ?= local +IMAGE_TAG ?= latest DOCKER_BUILDKIT?=1 # REGISTRY?=593291632749.dkr.ecr.eu-west-1.amazonaws.com MAKEFLAGS += -j2 diff --git a/docker-compose.dev.yaml b/docker-compose.dev.yaml index a023fb528..43e6a94bc 100644 --- a/docker-compose.dev.yaml +++ b/docker-compose.dev.yaml @@ -11,7 +11,7 @@ services: ./tests:/home/controlpanel/tests ] migration: - image: ${IMAGE_NAME}:${IMAGE_TAG} + image: ${IMAGE_NAME}:${IMAGE_TAG-latest} volumes: [./controlpanel:/home/controlpanel/controlpanel] command: "python manage.py migrate" worker: diff --git a/docker-compose.yaml b/docker-compose.yaml index 2197c70a2..4bdccc6b4 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -18,7 +18,7 @@ services: command: sh -c "exec redis-server --requirepass \"$${REDIS_PASSWORD}\"" migration: - image: ${IMAGE_NAME}:${IMAGE_TAG} + image: ${IMAGE_NAME}_eks:${IMAGE_TAG} depends_on: db: condition: service_healthy From 704b1d64ad68e41523023ac52b4c9278c3264360 Mon Sep 17 00:00:00 2001 From: Emterry Date: Tue, 3 Dec 2024 16:27:35 +0000 Subject: [PATCH 11/26] add build step --- .github/workflows/build-and-test.yml | 81 +++++++++++++++++++++++++ .github/workflows/test.yml | 89 +++++++++++++++++++--------- Makefile | 3 +- docker-compose.yaml | 6 +- 4 files changed, 147 insertions(+), 32 deletions(-) create mode 100644 .github/workflows/build-and-test.yml diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml new file mode 100644 index 000000000..3c9a562af --- /dev/null +++ b/.github/workflows/build-and-test.yml 
@@ -0,0 +1,81 @@ +name: Run tests and push Docker image on success + +"on": + push: + branches: [main] + pull_request: + release: + types: [published] + +permissions: {} + +jobs: + test-and-push: + runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + packages: write + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Set up Docker Context for Buildx + id: buildx-context + run: docker context use builders || docker context create builders + + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v1 + with: + version: latest + endpoint: builders + + - name: Log in to GitHub Container Registry + id: ghcr_login + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Install Docker Compose + id: docker-compose + shell: bash + env: + IMAGE_TAG: ${{ github.sha }} + run: | + sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + sudo chmod +x /usr/local/bin/docker-compose + docker-compose --version + + - name: Prep Tags + id: prep + run: | + TAG=noop + if [[ $GITHUB_REF == refs/tags/* ]]; then + TAG=${GITHUB_REF#refs/tags/} + elif [[ $GITHUB_REF == refs/pull/* ]]; then + TAG="sha-${GITHUB_SHA::8}" + elif [ "${{ github.event_name }}" = "push" ]; then + TAG="sha-${GITHUB_SHA::8}" + fi + echo ::set-output name=tag::${TAG} + echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ') + + - name: Build image + run: make build + env: + NETWORK: host + IMAGE_TAG: ${{ steps.prep.outputs.tag }} + + - name: Run Python tests (docker-compose) + run: make clean && make test + env: + NETWORK: default + IMAGE_TAG: ${{ steps.prep.outputs.tag }} + + - name: Push image + run: make push + env: + IMAGE_TAG: ${{ steps.prep.outputs.tag }} \ No newline at end of file 
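Review bot: This new workflow reintroduces the floating, end-of-life action references the series just removed (`actions/checkout@v2`, `docker/setup-buildx-action@v1`) beside a SHA-pinned `docker/login-action`, and its Prep Tags step uses `echo ::set-output`, which GitHub deprecated in favour of `$GITHUB_OUTPUT`. Pin both actions to the SHAs release.yml uses and write the outputs as `echo "tag=${TAG}" >> "$GITHUB_OUTPUT"` and `echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"`. The job is also triggered by `pull_request` yet requests `contents: write`, `id-token: write` and `packages: write`, while only the final `make push` needs `packages: write` — nothing visible writes repository contents or uses OIDC — and no `if:` keeps the Push step from running for pull request events. The `sudo curl` install of docker-compose and the unused `env: IMAGE_TAG` on that step carry the same problems noted on test.yml in PATCH 08/26.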
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9db9aacbf..17d2587e6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -1,33 +1,68 @@ ---- -name: 🧪 Test +# --- +# name: 🧪 Test -on: - pull_request: - branches: - - main +# on: +# pull_request: +# branches: +# - main -permissions: {} +# permissions: {} -jobs: - test: - name: Test - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: Checkout - id: checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# jobs: +# test: +# name: Test +# runs-on: ubuntu-latest +# permissions: +# contents: write +# id-token: write +# packages: write +# steps: +# - name: Checkout +# id: checkout +# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - # - name: Set Up Container Structure Test - # id: setup_container_structure_test - # uses: ministryofjustice/github-actions/setup-container-structure-test@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0 +# # - name: Set Up Container Structure Test +# # id: setup_container_structure_test +# # uses: ministryofjustice/github-actions/setup-container-structure-test@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0 - - name: Install Docker Compose +# - name: Set up Docker Buildx +# uses: docker/setup-buildx-action@v2 + +# - name: Install Docker Compose +# id: docker-compose +# shell: bash +# env: +# IMAGE_TAG: ${{ github.sha }} +# run: | +# sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose +# sudo chmod +x /usr/local/bin/docker-compose +# docker-compose --version - run: | - sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose - sudo chmod +x /usr/local/bin/docker-compose - docker-compose --version - - name: Run tests - run: make test-python \ No newline at end of file +# - name: Build with Docker Compose +# id: build +# shell: bash +# env: +# IMAGE_TAG: ${{ github.sha }} +# run: | +# make build + +# - name: Log in to GitHub Container Registry +# id: 
ghcr_login +# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 +# with: +# registry: ghcr.io +# username: ${{ github.actor }} +# password: ${{ secrets.GITHUB_TOKEN }} + +# - name: Push +# id: push +# env: +# IMAGE_NAME: ghcr.io/ministryofjustice/analytics-platform-control-panel +# run: | +# docker push $IMAGE_NAME:${{ github.sha }} + +# - name: Run tests +# env: +# IMAGE_TAG: ${{ github.sha }} +# run: | +# make test-python \ No newline at end of file diff --git a/Makefile b/Makefile index 4bfcc3e80..74d48d62e 100644 --- a/Makefile +++ b/Makefile @@ -24,8 +24,7 @@ test-python: DJANGO_SETTINGS_MODULE=controlpanel.settings.test test-python: @echo @echo "> Running Python Tests (In Docker)..." - @docker-compose run --rm -e KUBECONFIG=tests/kubeconfig \ - frontend sh -c "pytest tests --color=yes" + @docker-compose run --rm -e KUBECONFIG=tests/kubeconfig frontend sh -c "pytest tests --color=yes" ## test: Run tests in Docker container test: test-python diff --git a/docker-compose.yaml b/docker-compose.yaml index 4bdccc6b4..e31758ac0 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -18,7 +18,7 @@ services: command: sh -c "exec redis-server --requirepass \"$${REDIS_PASSWORD}\"" migration: - image: ${IMAGE_NAME}_eks:${IMAGE_TAG} + image: ${IMAGE_NAME}:${IMAGE_TAG:-latest} depends_on: db: condition: service_healthy @@ -35,7 +35,7 @@ services: command: sh -c "./manage.py migrate" worker: - image: ${IMAGE_NAME}_eks:${IMAGE_TAG} + image: ${IMAGE_NAME}:${IMAGE_TAG:-latest} depends_on: redis: condition: service_started @@ -62,7 +62,7 @@ services: frontend: # Apologies to future devops. Naming is hard. - image: ${IMAGE_NAME}_eks:${IMAGE_TAG} + image: ${IMAGE_NAME}:${IMAGE_TAG:-latest} build: context: . # network: ${NETWORK:-default} From 182923b3583206e50787cd0b5fe504568cd365cd Mon Sep 17 00:00:00 2001 
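Review bot: All of test.yml is commented out, leaving a file in `.github/workflows/` with no `on:` or `jobs:` key; GitHub will presumably flag it as an invalid workflow rather than ignore it, and the commented block already carries escalated permissions (`contents: write`, `id-token: write`, `packages: write`), a floating `docker/setup-buildx-action@v2` and a `docker push` that precedes the test step, all waiting to be re-enabled wholesale. Delete the file for this commit (history keeps it) or leave a minimal valid workflow with `on: workflow_dispatch:` and re-add steps deliberately. Note also that the docker-compose.yaml hunks below rename the built image from `${IMAGE_NAME}_eks:…` back to `${IMAGE_NAME}:${IMAGE_TAG:-latest}`, while scan.yml still scans `image-ref: ${{ github.repository }}_eks:${{ github.sha }}` from PATCH 06/26, so the scan reference no longer matches the image that is built.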
From: Emterry Date: Wed, 4 Dec 2024 16:12:42 +0000 Subject: [PATCH 12/26] refactor add credentials to debug --- .github/workflows/build-and-test.yml | 81 ------------------ .github/workflows/test.yml | 123 ++++++++++++++------------- Makefile | 25 +++--- 3 files changed, 77 insertions(+), 152 deletions(-) delete mode 100644 .github/workflows/build-and-test.yml diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml deleted file mode 100644 index 3c9a562af..000000000 --- a/.github/workflows/build-and-test.yml +++ /dev/null 
@@ -1,81 +0,0 @@ -name: Run tests and push Docker image on success - -"on": - push: - branches: [main] - pull_request: - release: - types: [published] - -permissions: {} - -jobs: - test-and-push: - runs-on: ubuntu-latest - permissions: - contents: write - id-token: write - packages: write - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up Docker Context for Buildx - id: buildx-context - run: docker context use builders || docker context create builders - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v1 - with: - version: latest - endpoint: builders - - - name: Log in to GitHub Container Registry - id: ghcr_login - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Install Docker Compose - id: docker-compose - shell: bash - env: - IMAGE_TAG: ${{ github.sha }} - run: | - sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose - sudo chmod +x /usr/local/bin/docker-compose - docker-compose --version - - - name: Prep Tags - id: prep - run: | - TAG=noop - if [[ $GITHUB_REF == refs/tags/* ]]; then - TAG=${GITHUB_REF#refs/tags/} - elif [[ $GITHUB_REF == refs/pull/* ]]; then - TAG="sha-${GITHUB_SHA::8}" - elif [ "${{ github.event_name }}" = "push" ]; then - TAG="sha-${GITHUB_SHA::8}" - fi - echo ::set-output name=tag::${TAG} - echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ') - - - name: Build image - run: make build - env: - NETWORK: host - IMAGE_TAG: ${{ steps.prep.outputs.tag }} - - - name: Run Python tests (docker-compose) - run: make clean && make test - env: - NETWORK: default - IMAGE_TAG: ${{ steps.prep.outputs.tag }} - - - name: Push image - run: make push - env: - IMAGE_TAG: ${{ steps.prep.outputs.tag }} \ No newline at end of file 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 17d2587e6..543f769d5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -1,68 +1,75 @@ -# --- -# name: 🧪 Test +--- +name: 🧪 Test -# on: -# pull_request: -# branches: -# - main +on: + pull_request: + branches: + - main -# permissions: {} +permissions: {} -# jobs: -# test: -# name: Test -# runs-on: ubuntu-latest -# permissions: -# contents: write -# id-token: write -# packages: write -# steps: -# - name: Checkout -# id: checkout -# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +jobs: + test: + name: Test + runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + packages: write + steps: + - name: Checkout + id: checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 -# # - name: Set Up Container Structure Test -# # id: setup_container_structure_test -# # uses: ministryofjustice/github-actions/setup-container-structure-test@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0 + # - name: Set Up Container Structure Test + # id: setup_container_structure_test + # uses: ministryofjustice/github-actions/setup-container-structure-test@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0 -# - name: Set up Docker Buildx -# uses: docker/setup-buildx-action@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 -# - name: Install Docker Compose -# id: docker-compose -# shell: bash -# env: -# IMAGE_TAG: ${{ github.sha }} -# run: | -# sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose -# sudo chmod +x /usr/local/bin/docker-compose -# docker-compose --version + - name: Install Docker Compose + id: docker-compose + shell: bash + env: + IMAGE_TAG: ${{ github.sha }} + run: | + sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + sudo chmod +x /usr/local/bin/docker-compose + docker-compose --version -# - name: Build with Docker Compose -# id: build -# shell: bash -# env: -# 
IMAGE_TAG: ${{ github.sha }} -# run: | -# make build + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-region: eu-west-1 + role-to-assume: arn:aws:iam::593291632749:role/github-actions-management-ecr + role-duration-seconds: 1200 + + - name: Build with Docker Compose + id: build + shell: bash + env: + IMAGE_TAG: ${{ github.sha }} + run: | + make build -# - name: Log in to GitHub Container Registry -# id: ghcr_login -# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 -# with: -# registry: ghcr.io -# username: ${{ github.actor }} -# password: ${{ secrets.GITHUB_TOKEN }} + - name: Log in to GitHub Container Registry + id: ghcr_login + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} -# - name: Push -# id: push -# env: -# IMAGE_NAME: ghcr.io/ministryofjustice/analytics-platform-control-panel -# run: | -# docker push $IMAGE_NAME:${{ github.sha }} + - name: Push + id: push + env: + IMAGE_NAME: ghcr.io/ministryofjustice/analytics-platform-control-panel + run: | + docker push $IMAGE_NAME:${{ github.sha }} -# - name: Run tests -# env: -# IMAGE_TAG: ${{ github.sha }} -# run: | -# make test-python \ No newline at end of file + - name: Run tests + env: + IMAGE_TAG: ${{ github.sha }} + run: | + make test-python \ No newline at end of file diff --git a/Makefile b/Makefile index 74d48d62e..62e0bf0f2 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,6 @@ VIRTUAL_ENV ?= venv BIN=${VIRTUAL_ENV}/bin IMAGE_TAG ?= latest DOCKER_BUILDKIT?=1 -# REGISTRY?=593291632749.dkr.ecr.eu-west-1.amazonaws.com MAKEFLAGS += -j2 IMAGE_NAME ?= ghcr.io/ministryofjustice/analytics-platform-control-panel 
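Review bot: The Push step (`docker push $IMAGE_NAME:${{ github.sha }}`) runs before the Run tests step, so every pull request publishes an image to GHCR whether or not its tests pass; move the push after the tests, or gate it with an `if:` so it does not run for `pull_request` events at all. The new Configure AWS credentials step assumes `arn:aws:iam::593291632749:role/github-actions-management-ecr` from a pull-request-triggered job using the floating `aws-actions/configure-aws-credentials@v1`, yet nothing visible afterwards touches AWS — the build, login and push all target ghcr.io — and the subject says it was added to debug, so it should not land on main. `contents: write` remains over-broad for a job that only needs `contents: read` and `packages: write`. The Install Docker Compose step keeps the unverified curl download raised on PATCH 08/26.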
@@ -15,36 +14,36 @@ export .PHONY: clean build help test test-python dev-up clean: - docker-compose down --volumes --remove-orphans + docker compose down --volumes --remove-orphans build: - @docker-compose build frontend + @docker compose build frontend test-python: DJANGO_SETTINGS_MODULE=controlpanel.settings.test test-python: @echo @echo "> Running Python Tests (In Docker)..." - @docker-compose run --rm -e KUBECONFIG=tests/kubeconfig frontend sh -c "pytest tests --color=yes" + @docker compose run --rm -e KUBECONFIG=tests/kubeconfig frontend sh -c "pytest tests --color=yes" ## test: Run tests in Docker container test: test-python prepare-up: - @docker-compose up -d db - @docker-compose run --rm --no-deps frontend sh -c "do sleep 2;done" - @docker-compose up migration - @docker-compose run --rm --no-deps frontend sh -c "do sleep 2;done" + @docker compose up -d db + @docker compose run --rm --no-deps frontend sh -c "do sleep 2;done" + @docker compose up migration + @docker compose run --rm --no-deps frontend sh -c "do sleep 2;done" up: prepare-up - @docker-compose up -d frontend - @docker-compose logs -f + @docker compose up -d frontend + @docker compose logs -f enter: - docker-compose run --rm --no-deps --entrypoint sh worker + docker compose run --rm --no-deps --entrypoint sh worker logs: - @docker-compose logs -f + @docker compose logs -f push: - docker-compose push frontend + docker compose push frontend help: Makefile @echo From 4958252bee8004636cca078cbf3cf3ed82f80d32 Mon Sep 17 00:00:00 2001 From: Emterry Date: Wed, 4 Dec 2024 16:21:38 +0000 Subject: [PATCH 13/26] test something --- .github/workflows/test.yml | 69 ++++++++++++-------------------------- Makefile | 21 ++++++------ docker-compose.yaml | 4 +-- 3 files changed, 34 insertions(+), 60 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 543f769d5..f91c47413 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -1,5 +1,4 @@ ---- -name: 🧪 Test +name: Run tests on: pull_request: @@ -10,23 +9,12 @@ permissions: {} jobs: test: - name: Test runs-on: ubuntu-latest - permissions: - contents: write - id-token: write - packages: write + env: + LOGS_BUCKET_NAME: moj-analytics-s3-logs steps: - name: Checkout - id: checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - # - name: Set Up Container Structure Test - # id: setup_container_structure_test - # uses: ministryofjustice/github-actions/setup-container-structure-test@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: actions/checkout@v2 - name: Install Docker Compose id: docker-compose 
@@ -37,39 +25,24 @@ jobs: sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose docker-compose --version + + # - name: Set up Docker Context for Buildx + # id: buildx-context + # run: docker context use builders || docker context create builders - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-region: eu-west-1 - role-to-assume: arn:aws:iam::593291632749:role/github-actions-management-ecr - role-duration-seconds: 1200 + # - name: Set up Docker Buildx + # id: buildx + # uses: docker/setup-buildx-action@v1 + # with: + # version: latest + # endpoint: builders - - name: Build with Docker Compose - id: build - shell: bash + - name: Build image + run: make build env: - IMAGE_TAG: ${{ github.sha }} - run: | - make build - - - name: Log in to GitHub Container Registry - id: ghcr_login - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push - id: push + NETWORK: host + + - name: Run Python tests (docker-compose) + run: make clean && make test env: - IMAGE_NAME: ghcr.io/ministryofjustice/analytics-platform-control-panel - run: | - docker push $IMAGE_NAME:${{ github.sha }} - - - name: Run tests - env: - IMAGE_TAG: ${{ github.sha }} - run: | - make test-python \ No newline at end of file + NETWORK: default \ No newline at end of file diff --git a/Makefile b/Makefile index 62e0bf0f2..6706965c9 100644 --- a/Makefile +++ b/Makefile 
@@ -23,27 +23,28 @@ test-python: DJANGO_SETTINGS_MODULE=controlpanel.settings.test test-python: @echo @echo "> Running Python Tests (In Docker)..." - @docker compose run --rm -e KUBECONFIG=tests/kubeconfig frontend sh -c "pytest tests --color=yes" + @docker compose run --rm -e KUBECONFIG=tests/kubeconfig \ + frontend sh -c "pytest -v --tb=line tests --color=yes" ## test: Run tests in Docker container test: test-python prepare-up: - @docker compose up -d db - @docker compose run --rm --no-deps frontend sh -c "do sleep 2;done" - @docker compose up migration - @docker compose run --rm --no-deps frontend sh -c "do sleep 2;done" + @docker-compose up -d db + @docker-compose run --rm --no-deps frontend sh -c "do sleep 2;done" + @docker-compose up migration + @docker-compose run --rm --no-deps frontend sh -c "do sleep 2;done" up: prepare-up - @docker compose up -d frontend - @docker compose logs -f + @docker-compose up -d frontend + @docker-compose logs -f enter: - docker compose run --rm --no-deps --entrypoint sh worker + docker-compose run --rm --no-deps --entrypoint sh worker logs: - @docker compose logs -f + @docker-compose logs -f push: - docker compose push frontend + docker-compose push frontend help: Makefile @echo diff --git a/docker-compose.yaml b/docker-compose.yaml index e31758ac0..d90adde87 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -1,4 +1,4 @@ -version: "3" +version: "3.8" services: db: image: "postgres:13.3" @@ -85,7 +85,7 @@ services: ALLOWED_HOSTS: "localhost 127.0.0.1 0.0.0.0" AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID} AWS_DATA_ACCOUNT_ID: ${AWS_DATA_ACCOUNT_ID} - AWS_DEFAULT_REGION: + AWS_DEFAULT_REGION: ${AWS_REGION:-eu-west-1} AWS_REGION: ${AWS_REGION:-eu-west-1} AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY} AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN} From 6fab6dc796670eb0ae1b0d3e5bf605c513efae9a Mon Sep 17 00:00:00 2001 
From: Emterry Date: Wed, 4 Dec 2024 18:35:02 +0000 Subject: [PATCH 14/26] push to ghcr --- .github/workflows/test.yml | 33 +++++++++++++++++++++------------ Makefile | 18 +++++++++--------- Makefile.local.mk | 12 ++++++------ 3 files changed, 36 insertions(+), 27 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f91c47413..6ab57c397 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,6 +12,12 @@ jobs: runs-on: ubuntu-latest env: LOGS_BUCKET_NAME: moj-analytics-s3-logs + permissions: + actions: read + attestations: write + contents: write + id-token: write + packages: write steps: - name: Checkout uses: actions/checkout@v2 @@ -25,24 +31,27 @@ jobs: sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose docker-compose --version - - # - name: Set up Docker Context for Buildx - # id: buildx-context - # run: docker context use builders || docker context create builders - - # - name: Set up Docker Buildx - # id: buildx - # uses: docker/setup-buildx-action@v1 - # with: - # version: latest - # endpoint: builders - name: Build image run: make build env: NETWORK: host + IMAGE_TAG: ${{ github.sha }} - name: Run Python tests (docker-compose) run: make clean && make test env: - NETWORK: default \ No newline at end of file + NETWORK: default + IMAGE_TAG: ${{ github.sha }} + + - name: Log in to GitHub Container Registry + id: ghcr_login + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Push + run: | + docker push ghcr.io/${{ github.repository }}:${{ github.sha }} \ No newline at end of file diff --git a/Makefile b/Makefile index 6706965c9..d8d4643b1 100644 --- a/Makefile +++ b/Makefile 
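Review bot: The new `permissions` block grants `contents: write`, `attestations: write`, `actions: read` and `id-token: write`, but no step in either hunk uses them; only `packages: write` is needed for the `docker push` (plus `contents: read` for checkout), so trim the block to those. Because the trigger is `pull_request`, every PR from a branch in this repository pushes `ghcr.io/<repo>:<sha>` into what appears to be the same namespace the release workflow verifies (`ghcr.io/${{ github.repository }}:<ref>` later in the series), so unreviewed images become indistinguishable from released ones by name; a distinct tag prefix for PR builds, or no push here, avoids that. `actions/checkout@v2` is still a floating tag of a deprecated major, unlike the SHA-pinned `docker/login-action` two steps below.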
@@ -30,21 +30,21 @@ test-python: test: test-python prepare-up: - @docker-compose up -d db - @docker-compose run --rm --no-deps frontend sh -c "do sleep 2;done" - @docker-compose up migration - @docker-compose run --rm --no-deps frontend sh -c "do sleep 2;done" + @docker compose up -d db + @docker compose run --rm --no-deps frontend sh -c "do sleep 2;done" + @docker compose up migration + @docker compose run --rm --no-deps frontend sh -c "do sleep 2;done" up: prepare-up - @docker-compose up -d frontend - @docker-compose logs -f + @docker compose up -d frontend + @docker compose logs -f enter: - docker-compose run --rm --no-deps --entrypoint sh worker + docker compose run --rm --no-deps --entrypoint sh worker logs: - @docker-compose logs -f + @docker compose logs -f push: - docker-compose push frontend + docker compose push frontend help: Makefile @echo diff --git a/Makefile.local.mk b/Makefile.local.mk index ffd8b60b9..dc528081b 100644 --- a/Makefile.local.mk +++ b/Makefile.local.mk @@ -2,15 +2,15 @@ all: help ## dev-prepare-up: Run migration before doing up dev-prepare-up: - docker-compose -f docker-compose.yaml -f docker-compose.dev.yaml run migration + docker compose -f docker-compose.yaml -f docker-compose.dev.yaml run migration ## dev-daemon: Startup with docker process in background (to stop afterwards use make clean) dev-daemon: dev-prepare-up - docker-compose -f docker-compose.yaml -f docker-compose.dev.yaml up -d frontend + docker compose -f docker-compose.yaml -f docker-compose.dev.yaml up -d frontend ## dev-fg: Startup with docker process in foreground dev-fg: dev-prepare-up - docker-compose -f docker-compose.yaml -f docker-compose.dev.yaml up frontend + docker compose -f docker-compose.yaml -f docker-compose.dev.yaml up frontend ## dev-debug: Startup clean docker process in background, and docker attach to foreground for debugging dev-debug: clean dev-daemon 
@@ -22,15 +22,15 @@ dev-attach: ## dev-py: Start django shell (in the dev-packages context) in new container dev-py: - docker-compose -f docker-compose.yaml -f docker-compose.dev.yaml run frontend sh -c "dev-packages/bin/python manage.py shell" + docker compose -f docker-compose.yaml -f docker-compose.dev.yaml run frontend sh -c "dev-packages/bin/python manage.py shell" ## dev-run: Start shell in new copy of container dev-run: - docker-compose -f docker-compose.yaml -f docker-compose.dev.yaml run --rm frontend bash + docker compose -f docker-compose.yaml -f docker-compose.dev.yaml run --rm frontend bash ## dev-exec: Exec into shell of existing container dev-exec: - docker-compose -f docker-compose.yaml -f docker-compose.dev.yaml exec frontend bash + docker compose -f docker-compose.yaml -f docker-compose.dev.yaml exec frontend bash test-wip: DJANGO_SETTINGS_MODULE=controlpanel.settings.test test-wip: From 207151a069ef793a50248f7bfe2a62658e9a11fa Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 5 Dec 2024 14:18:21 +0000 Subject: [PATCH 15/26] update apline base --- .github/workflows/scan.yml | 2 +- Dockerfile | 4 ++-- requirements.txt | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 0bf49acb6..a0b49d4f7 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -40,4 +40,4 @@ jobs: with: image-ref: ${{ github.repository }}_eks:${{ github.sha }} severity: HIGH,CRITICAL - exit-code: 1 \ No newline at end of file + exit-code: 1 diff --git a/Dockerfile b/Dockerfile index 122442d86..494f571f9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ RUN /node_modules/.bin/jest FROM public.ecr.aws/docker/library/python:3.12-alpine3.18 AS base -ARG HELM_VERSION=3.14.1 +ARG HELM_VERSION=3.16.0 ARG HELM_TARBALL=helm-v${HELM_VERSION}-linux-amd64.tar.gz ARG HELM_BASEURL=https://get.helm.sh 
@@ -26,7 +26,7 @@ ENV DJANGO_SETTINGS_MODULE="controlpanel.settings" \ RUN addgroup -g 1000 controlpanel \ && adduser -G controlpanel -u 1000 controlpanel -D -RUN apk update \ +RUN apk update && apk upgrade \ && apk add --no-cache \ postgresql-client \ wget \ diff --git a/requirements.txt b/requirements.txt index 5a579bc70..a78e230b1 100644 --- a/requirements.txt +++ b/requirements.txt @@ -31,10 +31,11 @@ PyNaCl==1.5.0 pytest==8.0.0 pytest-django==4.8.0 python-dotenv==1.0.1 -python-jose==3.3.0 +python-jose==3.2.0 pyyaml==6.0.1 rules==3.3 sentry-sdk==2.17.0 slackclient==2.9.4 urllib3==2.2.3 uvicorn[standard]==0.28.0 +setuptools==70.0.0 \ No newline at end of file From 6efcde5ffda4fb22067cc7e5d6945d6242f45d01 Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 5 Dec 2024 19:30:59 +0000 Subject: [PATCH 16/26] trivy --- .trivyignore | 9 +++++++++ requirements.txt | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 .trivyignore diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 000000000..317b818a0 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,9 @@ +# Helm +CVE-2024-34156 # stdlib - helm binary + +# Python + +CVE-2024-33663 # python-jose needs patching/replacing abandonware no fix + + + diff --git a/requirements.txt b/requirements.txt index a78e230b1..53f9eba04 100644 --- a/requirements.txt +++ b/requirements.txt @@ -31,7 +31,7 @@ PyNaCl==1.5.0 pytest==8.0.0 pytest-django==4.8.0 python-dotenv==1.0.1 -python-jose==3.2.0 +python-jose==3.3.0 pyyaml==6.0.1 rules==3.3 sentry-sdk==2.17.0 From e7cedf3603b9224550ab9318621d44544b902f7d Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 5 Dec 2024 19:39:57 +0000 Subject: [PATCH 17/26] gitleaks --- docker-compose.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index d90adde87..443417fca 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
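Review bot: `apk update && apk upgrade` pulls whatever package versions exist at build time, so the image is no longer reproducible from the pinned `python:3.12-alpine3.18` tag and a rebuild of the same commit can silently change contents; the durable fix for base-layer CVEs is to move to a newer, digest-pinned base tag. `apk update` also leaves the fetched package index in the layer, and `--no-cache` on the following `apk add` does not remove it; `RUN apk upgrade --no-cache && apk add --no-cache postgresql-client wget …` avoids the stale index without a separate cleanup. If the upgrade is kept as a stop-gap, a comment saying so, e.g. `# apk upgrade patches base-image CVEs until the base tag is bumped`, helps the next reader.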
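Review bot: Both ignores in the new `.trivyignore` are open-ended; Trivy's ignore file accepts an expiry, e.g. `CVE-2024-33663 exp:2025-03-01 # python-jose: no upstream fix, replacement tracked in <ticket>`, so the suppression resurfaces on a date instead of being forgotten. CVE-2024-33663 is in python-jose, which this service appears to use on its OIDC/JWT path (the compose file sets `OIDC_RP_SIGN_ALGO: "RS256"`), so the comment should name an owner and the replacement plan rather than only "abandonware no fix". The preceding requirements.txt hunk downgraded python-jose to 3.2.0 and this commit restores 3.3.0; a downgrade would not be expected to clear the finding, so recording that 3.3.0 is the latest published version in the comment explains why an ignore was chosen.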
@@ -4,7 +4,7 @@ services: image: "postgres:13.3" environment: POSTGRES_DB: "controlpanel" - POSTGRES_PASSWORD: "password" + POSTGRES_PASSWORD: "password" # gitleaks:allow POSTGRES_USER: "controlpanel" healthcheck: test: ["CMD-SHELL", "pg_isready -U postgres"] @@ -14,7 +14,7 @@ services: redis: image: "redis" environment: - REDIS_PASSWORD: "controlpanel" + REDIS_PASSWORD: "controlpanel" # gitleaks:allow command: sh -c "exec redis-server --requirepass \"$${REDIS_PASSWORD}\"" migration: @@ -25,7 +25,7 @@ services: environment: DB_HOST: "db" DB_NAME: "controlpanel" - DB_PASSWORD: "password" + DB_PASSWORD: "password" # gitleaks:allow DB_PORT: 5432 DB_USER: "controlpanel" DEBUG: "True" @@ -47,7 +47,7 @@ services: environment: DB_HOST: "db" DB_NAME: controlpanel - DB_PASSWORD: password + DB_PASSWORD: password DB_PORT: 5432 DB_USER: controlpanel DJANGO_SETTINGS_MODULE: ${DJANGO_SETTINGS_MODULE} @@ -55,7 +55,7 @@ services: OIDC_DOMAIN: dev-analytics-moj.eu.auth0.com PYTHONUNBUFFERED: "1" REDIS_HOST: "redis" - REDIS_PASSWORD: "controlpanel" + REDIS_PASSWORD: "controlpanel" # gitleaks:allow SECRET_KEY: "1234567890" SLACK_API_TOKEN: "dummy" defaultRegion: eu-west-1 @@ -91,7 +91,7 @@ services: AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN} DB_HOST: "db" DB_NAME: controlpanel - DB_PASSWORD: password + DB_PASSWORD: password DB_PORT: 5432 DB_USER: controlpanel DEBUG: "True" @@ -114,7 +114,7 @@ services: OIDC_RP_SIGN_ALGO: "RS256" PYTHONUNBUFFERED: "1" REDIS_HOST: "redis" - REDIS_PASSWORD: "controlpanel" + REDIS_PASSWORD: "controlpanel" # gitleaks:allow RSTUDIO_AUTH_CLIENT_ID: ${RSTUDIO_AUTH_CLIENT_ID} RSTUDIO_AUTH_CLIENT_SECRET: ${RSTUDIO_AUTH_CLIENT_SECRET} OIDC_EKS_PROVIDER: ${OIDC_EKS_PROVIDER} From 856b2a29cd326c44c60b2e37d3d12da3711c1e19 Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 5 Dec 2024 20:05:35 +0000 Subject: [PATCH 18/26] fix scan --- .github/workflows/scan.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) 
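Review bot: The `# gitleaks:allow` marker is added to the quoted `DB_PASSWORD: "password"` and `REDIS_PASSWORD` entries but not to the unquoted `DB_PASSWORD: password` lines in the `-47,7` and `-91,7` hunks, which are changed with no visible difference (trailing whitespace, presumably); either annotate them the same way or leave them untouched so all the dummy credentials are treated consistently. `SECRET_KEY: "1234567890"` in the same service is also a hard-coded dev value and carries no annotation. A header such as `# Local development only — every credential below is a throwaway default` at the top of the file would make the intent explicit for anyone reusing this compose file in a shared environment.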
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index a0b49d4f7..303cd9d97 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -19,17 +19,14 @@ jobs: id: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - - name: Build with Docker Compose + - name: Build id: build shell: bash env: - IMAGE_NAME: ${{ github.repository }} + IMAGE_NAME: ghcr.io/${{ github.repository }} IMAGE_TAG: ${{ github.sha }} run: | - docker compose build + make build - name: Scan id: scan @@ -38,6 +35,6 @@ jobs: TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 with: - image-ref: ${{ github.repository }}_eks:${{ github.sha }} + image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }} severity: HIGH,CRITICAL exit-code: 1 From 5b6c5811824dd5a32bc664c9ab71fec09e7c2379 Mon Sep 17 00:00:00 2001 From: Emterry Date: Fri, 6 Dec 2024 13:33:03 +0000 Subject: [PATCH 19/26] pr review suggestions --- .github/{workflows => }/CODEOWNERS | 0 .github/workflows/release.yml | 14 ++----------- .github/workflows/test.yml | 33 ++++++++++-------------------- 3 files changed, 13 insertions(+), 34 deletions(-) rename .github/{workflows => }/CODEOWNERS (100%) diff --git a/.github/workflows/CODEOWNERS b/.github/CODEOWNERS similarity index 100% rename from .github/workflows/CODEOWNERS rename to .github/CODEOWNERS diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dc9e66eb9..785b00ea4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -23,17 +23,6 @@ jobs: id: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set up Docker Context for Buildx - id: buildx-context - run: docker context use builders || docker context create builders - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1 - with: - version: latest - endpoint: builders - - name: Install cosign id: install_cosign uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 @@ -99,4 +88,5 @@ jobs: env: GH_TOKEN: ${{ github.token }} run: | - gh attestation verify oci://ghcr.io/${{ github.repository }}:${{ github.ref_name }} --repo ${{ github.repository }} \ No newline at end of file + gh attestation verify oci://ghcr.io/${{ github.repository }}:${{ github.ref_name }} --repo ${{ github.repository }} + \ No newline at end of file diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6ab57c397..9d2452857 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,15 +22,15 @@ jobs: - name: Checkout uses: actions/checkout@v2 - - name: Install Docker Compose - id: docker-compose - shell: bash - env: - IMAGE_TAG: ${{ github.sha }} - run: | - sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose - sudo chmod +x /usr/local/bin/docker-compose - docker-compose --version + # - name: Install Docker Compose + # id: docker-compose + # shell: bash + # env: + # IMAGE_TAG: ${{ github.sha }} + # run: | + # sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + # sudo chmod +x /usr/local/bin/docker-compose + # docker compose version - name: Build image run: make build 
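Review bot: The final step verifies `oci://ghcr.io/${{ github.repository }}:${{ github.ref_name }}`, a mutable tag that is resolved again at verify time, so the check proves an attestation exists for whatever the tag points to now, not necessarily for the bytes the build step just pushed. If the push step records the manifest digest (docker/build-push-action exposes `outputs.digest`; that step is outside this hunk), verify `oci://ghcr.io/${{ github.repository }}@${{ steps.<push>.outputs.digest }}` instead and have deploy consumers pin the same digest. The new last line of the file is whitespace-only and is removed again in a later commit in this series.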
@@ -38,20 +38,9 @@ jobs: NETWORK: host IMAGE_TAG: ${{ github.sha }} - - name: Run Python tests (docker-compose) + - name: Run Python tests (docker compose) run: make clean && make test env: NETWORK: default IMAGE_TAG: ${{ github.sha }} - - - name: Log in to GitHub Container Registry - id: ghcr_login - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push - run: | - docker push ghcr.io/${{ github.repository }}:${{ github.sha }} \ No newline at end of file + \ No newline at end of file From cdfd11d9a1172d90d57df701fe110ad3ebe777c3 Mon Sep 17 00:00:00 2001 From: Emterry Date: Fri, 6 Dec 2024 14:07:36 +0000 Subject: [PATCH 20/26] newlines --- .github/CODEOWNERS | 2 +- .github/workflows/dependency-review.yml | 3 ++- .trivyignore | 3 --- requirements.txt | 2 +- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 418e96728..1138e8347 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1 @@ -* @ministryofjustice/analytical-platform \ No newline at end of file +* @ministryofjustice/analytical-platform diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f84aeaad7..f35096423 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -28,4 +28,5 @@ jobs: id: dependency_review uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 with: - fail-on-severity: critical \ No newline at end of file + fail-on-severity: critical + \ No newline at end of file diff --git a/.trivyignore b/.trivyignore index 317b818a0..ba6a50762 100644 --- a/.trivyignore +++ b/.trivyignore @@ -4,6 +4,3 @@ CVE-2024-34156 # stdlib - helm binary # Python CVE-2024-33663 # python-jose needs patching/replacing abandonware no fix - - - 
diff --git a/requirements.txt b/requirements.txt index 53f9eba04..c5083132d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -38,4 +38,4 @@ sentry-sdk==2.17.0 slackclient==2.9.4 urllib3==2.2.3 uvicorn[standard]==0.28.0 -setuptools==70.0.0 \ No newline at end of file +setuptools==70.0.0 From 7da7bd85b3e62752da685efbf41c04f6e3011f70 Mon Sep 17 00:00:00 2001 From: Emterry Date: Fri, 6 Dec 2024 14:35:33 +0000 Subject: [PATCH 21/26] newlines --- .github/workflows/dependency-review.yml | 2 +- .github/workflows/release.yml | 1 - .github/workflows/test.yml | 1 - 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f35096423..796f4612e 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -29,4 +29,4 @@ jobs: uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 with: fail-on-severity: critical - \ No newline at end of file + \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 785b00ea4..f19722bca 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -89,4 +89,3 @@ jobs: GH_TOKEN: ${{ github.token }} run: | gh attestation verify oci://ghcr.io/${{ github.repository }}:${{ github.ref_name }} --repo ${{ github.repository }} - \ No newline at end of file diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9d2452857..fa8ba7a25 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -43,4 +43,3 @@ jobs: env: NETWORK: default IMAGE_TAG: ${{ github.sha }} - \ No newline at end of file From db82931f1af20ac7ed9cad9e38bdeb5bcc627aab Mon Sep 17 00:00:00 2001 
From: Emterry Date: Tue, 10 Dec 2024 09:41:27 +0000 Subject: [PATCH 22/26] pr changes --- .github/workflows/dependency-review.yml | 1 - .github/workflows/test.yml | 28 +++++++------------------ 2 files changed, 8 insertions(+), 21 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 796f4612e..e53cb3f96 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -29,4 +29,3 @@ jobs: uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 with: fail-on-severity: critical - \ No newline at end of file diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fa8ba7a25..34dfc1dc0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,4 +1,4 @@ -name: Run tests +name: Test on: pull_request: @@ -10,35 +10,23 @@ permissions: {} jobs: test: runs-on: ubuntu-latest - env: - LOGS_BUCKET_NAME: moj-analytics-s3-logs permissions: - actions: read - attestations: write - contents: write - id-token: write - packages: write + contents: read + steps: - name: Checkout - uses: actions/checkout@v2 - - # - name: Install Docker Compose - # id: docker-compose - # shell: bash - # env: - # IMAGE_TAG: ${{ github.sha }} - # run: | - # sudo curl -L "https://github.com/docker/compose/releases/download/v2.21.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose - # sudo chmod +x /usr/local/bin/docker-compose - # docker compose version + id: checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build image + id: build_image run: make build env: NETWORK: host IMAGE_TAG: ${{ github.sha }} - - name: Run Python tests (docker compose) + - name: Run Python tests + id: test run: make clean && make test env: NETWORK: default From 5d14c5913b0de7d783ec092c68e2f0fd68c99993 Mon Sep 17 00:00:00 2001 
From: Emterry Date: Tue, 10 Dec 2024 09:50:21 +0000 Subject: [PATCH 23/26] pr changes and trivy --- .github/workflows/test.yml | 2 ++ requirements.txt | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 34dfc1dc0..1d059768d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,6 +10,8 @@ permissions: {} jobs: test: runs-on: ubuntu-latest + env: + LOGS_BUCKET_NAME: moj-analytics-s3-logs permissions: contents: read diff --git a/requirements.txt b/requirements.txt index c5083132d..5fc4ec4df 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,7 +8,7 @@ celery[sqs]==5.3.6 channels==4.1.0 channels-redis==4.2.0 daphne==4.1.2 -Django==5.1.2 +Django==5.1.4 django-crequest==2018.5.11 django-extensions==3.2.3 django-filter==24.3 From 6c7b3e79b7d0eebfbe3bd56b406e6a6387c203e9 Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 12 Dec 2024 09:24:57 +0000 Subject: [PATCH 24/26] test remove dependancy --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 5fc4ec4df..63a846838 100644 --- a/requirements.txt +++ b/requirements.txt @@ -38,4 +38,4 @@ sentry-sdk==2.17.0 slackclient==2.9.4 urllib3==2.2.3 uvicorn[standard]==0.28.0 -setuptools==70.0.0 + From cb8149c4815d382978fd59d154c9683322e3fd99 Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 12 Dec 2024 11:47:01 +0000 Subject: [PATCH 25/26] add setuptool dependancy to resolve trivy --- requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.txt b/requirements.txt index 5a2075bcd..866e904ec 100644 --- a/requirements.txt +++ b/requirements.txt @@ -38,3 +38,4 @@ sentry-sdk==2.19.2 slackclient==2.9.4 urllib3==2.2.3 uvicorn[standard]==0.32.1 +setuptools==75.6.0 \ No newline at end of file From f2565487daa4b52ec92dec23e5250bb75ab38071 Mon Sep 17 00:00:00 2001 
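Review bot: `setuptools==75.6.0` is added as a runtime requirement only to satisfy Trivy, and the commit message is the only place that says so; a trailing comment, e.g. `setuptools==75.6.0  # not imported by the app; pinned so the image's setuptools carries the fix Trivy flags`, keeps the next person from removing it as the previous commit in this series did. Pinning it here only helps if the Dockerfile installs requirements into the same interpreter whose setuptools Trivy scanned (that step is not visible here); otherwise upgrade setuptools in the Dockerfile's pip step instead. The file again ends without a newline, which PATCH 20 already fixed once.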
From: Emterry Date: Thu, 12 Dec 2024 12:03:34 +0000 Subject: [PATCH 26/26] trivy --- .trivyignore | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.trivyignore b/.trivyignore index ba6a50762..3e959f7ee 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,6 +1,11 @@ # Helm CVE-2024-34156 # stdlib - helm binary +CVE-2024-45337 # golang.org/x/crypto # Python CVE-2024-33663 # python-jose needs patching/replacing abandonware no fix + + + +CVE-2024-45337 # golang.org/x/crypto
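Review bot: `CVE-2024-45337` is added twice in this hunk — once under `# Helm` and again after the Python section behind three blank lines; keep the first entry and drop the duplicate so the rationale lives in one place. Like the existing entries it has no expiry; `CVE-2024-45337 exp:2025-03-31 # golang.org/x/crypto in the helm binary` makes Trivy re-raise it on a date rather than never. Since the finding is in the `helm` binary copied into the image (`HELM_VERSION` was bumped to 3.16.0 earlier in this series), check whether a newer Helm release ships a patched x/crypto before suppressing; an ignore for a vendored binary hides the fix path a version bump offers.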