141 changes: 40 additions & 101 deletions .github/workflows/main.yml
Expand Up @@ -31,39 +31,33 @@ jobs:
service_name: ${{ steps.vars.outputs.service_name }}
image_tag: ${{ steps.vars.outputs.image_tag }}
image_name: ${{ steps.vars.outputs.image_name }}
kosli_flow: ${{ steps.vars.outputs.kosli_flow }}
kosli_trail: ${{ steps.vars.outputs.kosli_trail }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit

- uses: actions/checkout@v6
with:
fetch-depth: 1
- uses: cyber-dojo/harden-runner@main
- uses: cyber-dojo/pinned-checkout@main

- name: Prepare outputs for workflow jobs
id: vars
run: |
ECR_REGISTRY="${AWS_ECR_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
IMAGE_TAG=${GITHUB_SHA:0:7}
IMAGE_NAME="${ECR_REGISTRY}/${{ env.SERVICE_NAME }}:${IMAGE_TAG}"
ECR_REGISTRY="${AWS_ECR_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
IMAGE_TAG=${GITHUB_SHA:0:7}
IMAGE_NAME="${ECR_REGISTRY}/${{ env.SERVICE_NAME }}:${IMAGE_TAG}"
{
echo "aws_account_id_beta=${AWS_ACCOUNT_ID_BETA}"
echo "ecr_registry=${ECR_REGISTRY}"
echo "aws_region=${AWS_REGION}"
echo "gh_actions_iam_role_name=gh_actions_services"
echo "service_name=${{ env.SERVICE_NAME }}"
echo "image_tag=${IMAGE_TAG}"
echo "image_name=${IMAGE_NAME}"
echo "kosli_trail=${KOSLI_TRAIL}"
} > ${GITHUB_OUTPUT}
echo "aws_account_id_beta=${AWS_ACCOUNT_ID_BETA}"
echo "ecr_registry=${ECR_REGISTRY}"
echo "aws_region=${AWS_REGION}"
echo "gh_actions_iam_role_name=gh_actions_services"
echo "service_name=${{ env.SERVICE_NAME }}"
echo "image_tag=${IMAGE_TAG}"
echo "image_name=${IMAGE_NAME}"
echo "kosli_flow=${KOSLI_FLOW}"
echo "kosli_trail=${KOSLI_TRAIL}"
} > ${GITHUB_OUTPUT}

- name: Begin Kosli Trail
if: ${{ github.ref == 'refs/heads/main' }}
uses: cyber-dojo/kosli-begin-trail@main
with:
cli_version: "${{ vars.KOSLI_CLI_VERSION }}"
flow_description: "Diff files from two traffic-lights"


Expand All @@ -76,19 +70,9 @@ jobs:
contents: read
pull-requests: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit

- uses: actions/checkout@v6
with:
fetch-depth: 1

- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v3
with:
version: ${{ vars.KOSLI_CLI_VERSION }}
- uses: cyber-dojo/harden-runner@main
- uses: cyber-dojo/pinned-checkout@main
- uses: cyber-dojo/setup-kosli-cli@main

- name: Attest pull-request evidence to Kosli
run:
Expand All @@ -101,25 +85,14 @@ jobs:
runs-on: ubuntu-latest
needs: [setup]
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit

- uses: actions/checkout@v6
with:
fetch-depth: 1
- uses: cyber-dojo/harden-runner@main
- uses: cyber-dojo/pinned-checkout@main
- uses: cyber-dojo/setup-kosli-cli@main

- name: Run Rubocop linter on source
run:
make rubocop_lint

- name: Setup Kosli CLI
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
uses: kosli-dev/setup-cli-action@v3
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Attest evidence to Kosli
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
run:
Expand All @@ -139,7 +112,7 @@ jobs:
image_tag: ${{ needs.setup.outputs.image_tag }}
image_build_args: |
COMMIT_SHA=${{ github.sha }}
kosli_flow: ${{ vars.KOSLI_FLOW }}
kosli_flow: ${{ needs.setup.outputs.kosli_flow }}
kosli_trail: ${{ needs.setup.outputs.kosli_trail }}
kosli_reference_name: ${{ needs.setup.outputs.service_name }}
attest_to_kosli: ${{ github.ref == 'refs/heads/main' }}
Expand All @@ -148,12 +121,13 @@ jobs:


snyk-container-scan:
needs: [build-image]
if: ${{ github.ref == 'refs/heads/main' }}
needs: [setup, build-image]
uses: cyber-dojo/snyk-scanning/.github/workflows/artifact_snyk_test.yml@main
with:
artifact_name: ${{ needs.build-image.outputs.tagged_image_name }}
kosli_flow: ${{ vars.KOSLI_FLOW }}
kosli_trail: ${{ github.sha }}
kosli_flow: ${{ needs.setup.outputs.kosli_flow }}
kosli_trail: ${{ needs.setup.outputs.kosli_trail }}
kosli_attestation_name: differ.snyk-container-scan
secrets:
snyk_token: ${{ secrets.SNYK_TOKEN }}
Expand All @@ -166,30 +140,19 @@ jobs:
env:
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: cyber-dojo/harden-runner@main
- uses: cyber-dojo/pinned-checkout@main
- uses: cyber-dojo/setup-kosli-cli@main

- name: Download docker image
uses: cyber-dojo/download-artifact@main
with:
image_digest: ${{ needs.build-image.outputs.digest }}

- uses: actions/checkout@v6
with:
fetch-depth: 1

- name: Run unit tests with metrics checks
run:
make test_server metrics_test_server metrics_coverage_server

- name: Setup Kosli CLI
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
uses: kosli-dev/setup-cli-action@v3
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Attest junit test evidence to Kosli
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
run:
Expand Down Expand Up @@ -220,30 +183,19 @@ jobs:
env:
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: cyber-dojo/harden-runner@main
- uses: cyber-dojo/pinned-checkout@main
- uses: cyber-dojo/setup-kosli-cli@main

- name: Download docker image
uses: cyber-dojo/download-artifact@main
with:
image_digest: ${{ needs.build-image.outputs.digest }}

- uses: actions/checkout@v6
with:
fetch-depth: 1

- name: Run integration tests with metrics checks
run:
make image_client test_client metrics_test_client metrics_coverage_client

- name: Setup Kosli CLI
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
uses: kosli-dev/setup-cli-action@v3
with:
version: ${{ vars.KOSLI_CLI_VERSION }}

- name: Attest junit test evidence to Kosli
if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
run:
Expand Down Expand Up @@ -274,14 +226,8 @@ jobs:
env:
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit

- uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: cyber-dojo/harden-runner@main
- uses: cyber-dojo/pinned-checkout@main

- name: Run SonarCloud scan - report results to Kosli (in Kosli webhook)
env:
Expand All @@ -300,31 +246,24 @@ jobs:
if: ${{ github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
needs:
- build-image
- pull-request
- rubocop-lint
- build-image
- unit-tests
- integration-tests
- sonarcloud-scan
- snyk-container-scan
env:
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit

- name: Setup Kosli CLI
uses: kosli-dev/setup-cli-action@v3
with:
version: ${{ vars.KOSLI_CLI_VERSION }}
- uses: cyber-dojo/harden-runner@main
- uses: cyber-dojo/setup-kosli-cli@main

- name: Display current compliance
run:
kosli get trail "${KOSLI_TRAIL}"

- name: Kosli SDLC gate to short-circuit the workflow
env:
KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
run:
kosli assert artifact
--environment=${KOSLI_AWS_BETA}
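Review bot: The new `uses: cyber-dojo/harden-runner@main`, `cyber-dojo/pinned-checkout@main` and `cyber-dojo/setup-kosli-cli@main` lines in the first hunk (and the same lines in every later job hunk) reference the composite actions by a moving branch, so each run executes whatever those repositories' `main` currently holds, whereas the removed `step-security/harden-runner@v2` and `actions/checkout@v6` were at least tag-pinned. Since these are same-organisation repositories the exposure is narrower, but a branch reference still means a single push there silently changes what this workflow runs, and it defeats the reproducibility the "pinned-checkout" name promises. Consider pinning each wrapper to a full commit SHA with a version comment, e.g. `- uses: cyber-dojo/harden-runner@<full-commit-sha-placeholder>  # vX.Y`, so Dependabot can track bumps and the log records exactly which wrapper ran. It is also no longer visible in this file which egress policy the harden-runner wrapper applies; a one-line comment above the first `cyber-dojo/harden-runner` step naming the policy it sets would preserve that information for reviewers. The `kosli assert artifact` run block in the last hunk continues outside the hunk.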