refactor workflows to allow migration from ecr to ghcr and onto gihthub hosted runner

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @ministryofjustice/analytical-platform

.github/workflows/dependency-review.yml

@@ -0,0 +1,31 @@
+---
+name: 🔍 Dependency Review
+
+on:
+  pull_request:
+    branches:
+      - main
+    types:
+      - edited
+      - opened
+      - reopened
+      - synchronize
+
+permissions: {}
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Dependency Review
+        id: dependency_review
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+        with:
+          fail-on-severity: critical

.github/workflows/release.yml

@@ -0,0 +1,91 @@
+---
+name: 🔖 Release
+
+on:
+  push:
+    tags:
+      - "*"
+
+permissions: {}
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install cosign
+        id: install_cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Log in to GitHub Container Registry
+        id: ghcr_login
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Push
+        id: build_and_push
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        with:
+          push: true
+          tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
+
+      - name: Sign
+        id: sign
+        shell: bash
+        run: |
+          cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }}
+
+      - name: Generate SBOM
+        id: generate_sbom
+        uses: anchore/sbom-action@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8
+        with:
+          image: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
+          format: cyclonedx-json
+          output-file: "sbom.cyclonedx.json"
+
+      - name: Attest
+        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
+        id: attest
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.build_and_push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Attest SBOM
+        uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1
+        id: attest_sbom
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.build_and_push.outputs.digest }}
+          sbom-path: sbom.cyclonedx.json
+          push-to-registry: true
+
+      - name: cosign Verify
+        id: cosign_verify
+        shell: bash
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity=https://github.com/${{ github.workflow_ref }} \
+            ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }}
+
+      - name: GitHub Attestation Verify
+        id: gh_attestation_verify
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh attestation verify oci://ghcr.io/${{ github.repository }}:${{ github.ref_name }} --repo ${{ github.repository }}

.github/workflows/scan.yml

@@ -0,0 +1,40 @@
+---
+name: 🩻 Scan
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  scan:
+    name: Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Build
+        id: build
+        shell: bash
+        env:
+          IMAGE_NAME: ghcr.io/${{ github.repository }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          make build
+
+      - name: Scan
+        id: scan
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
+          severity: HIGH,CRITICAL
+          exit-code: 1

.github/workflows/test.yml

@@ -0,0 +1,35 @@
+name: Test
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    env:
+      LOGS_BUCKET_NAME: moj-analytics-s3-logs
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Build image
+        id: build_image
+        run: make build
+        env:
+          NETWORK: host
+          IMAGE_TAG: ${{ github.sha }}
+
+      - name: Run Python tests 
+        id: test
+        run: make clean && make test
+        env:
+          NETWORK: default
+          IMAGE_TAG: ${{ github.sha }}

.trivyignore

@@ -0,0 +1,6 @@
+# Helm
+CVE-2024-34156  # stdlib - helm binary
+
+# Python
+
+CVE-2024-33663 # python-jose needs patching/replacing abandonware no fix

Dockerfile

@@ -12,7 +12,7 @@ RUN /node_modules/.bin/jest
 
 FROM public.ecr.aws/docker/library/python:3.12-alpine3.18 AS base
 
-ARG HELM_VERSION=3.14.1
+ARG HELM_VERSION=3.16.0
 ARG HELM_TARBALL=helm-v${HELM_VERSION}-linux-amd64.tar.gz
 ARG HELM_BASEURL=https://get.helm.sh
 
@@ -26,7 +26,7 @@ ENV DJANGO_SETTINGS_MODULE="controlpanel.settings" \
 RUN addgroup -g 1000 controlpanel \
     && adduser -G controlpanel -u 1000 controlpanel -D
 
-RUN apk update \
+RUN apk update && apk upgrade \
     && apk add --no-cache \
         postgresql-client \
         wget \

Makefile

@@ -1,48 +1,50 @@
 REPOSITORY?=controlpanel
 VIRTUAL_ENV ?= venv
 BIN=${VIRTUAL_ENV}/bin
-IMAGE_TAG ?= local
+IMAGE_TAG ?= latest
 DOCKER_BUILDKIT?=1
-REGISTRY?=593291632749.dkr.ecr.eu-west-1.amazonaws.com
 MAKEFLAGS += -j2
+IMAGE_NAME ?= ghcr.io/ministryofjustice/analytics-platform-control-panel
+
 
 include Makefile.local.mk
 export
 
+
 .PHONY: clean build help test test-python dev-up
 
 clean:
-	docker-compose down --volumes --remove-orphans
+	docker compose down --volumes --remove-orphans
 
 build:
-	@docker-compose build frontend
+	@docker compose build frontend
 
 test-python: DJANGO_SETTINGS_MODULE=controlpanel.settings.test
 test-python:
 	@echo
 	@echo "> Running Python Tests (In Docker)..."
-	@docker-compose run --rm -e KUBECONFIG=tests/kubeconfig \
-		frontend sh -c "pytest tests --color=yes"
+	@docker compose run --rm -e KUBECONFIG=tests/kubeconfig \
+		frontend sh -c "pytest -v --tb=line tests --color=yes"
 
 ## test: Run tests in Docker container
 test: test-python
 
 prepare-up:
-	@docker-compose up -d db
-	@docker-compose run --rm --no-deps frontend sh -c "do sleep 2;done"
-	@docker-compose up migration
-	@docker-compose run --rm --no-deps frontend sh -c "do sleep 2;done"
+	@docker compose up -d db
+	@docker compose run --rm --no-deps frontend sh -c "do sleep 2;done"
+	@docker compose up migration
+	@docker compose run --rm --no-deps frontend sh -c "do sleep 2;done"
 
 up: prepare-up
-	@docker-compose up -d frontend
-	@docker-compose logs -f
+	@docker compose up -d frontend
+	@docker compose logs -f
 
 enter:
-	docker-compose run --rm --no-deps --entrypoint sh worker
+	docker compose run --rm --no-deps --entrypoint sh worker
 logs:
-	@docker-compose logs -f
+	@docker compose logs -f
 push:
-	docker-compose push frontend
+	docker compose push frontend
 
 help: Makefile
 	@echo