Build No Cache #176

Summary
Jobs
- build
- Audit
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/build-nocache.yml at 27c3362

	name: Build No Cache

	on:
	workflow_dispatch:

	schedule:
	- cron: '30 12 * * 0'

	jobs:
	build:
	runs-on: ubuntu-latest
	outputs:
	image_tag: ${{ env.IMAGE_TAG }}
	docker_image: ${{ env.DOCKER_IMAGE }}
	env:
	DOCKER_IMAGE: ghcr.io/dfe-digital/register-trainee-teachers

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Set Environment variable
	run: \|
	GIT_BRANCH=${GITHUB_REF##*/}
	echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV
	echo "IMAGE_TAG=${{ github.sha }}" >> $GITHUB_ENV
	# tag build to the review env for vars and secrets
	tf_vars_file=terraform/aks/workspace-variables/review.tfvars.json
	echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV
	echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV

	- uses: azure/login@v2
	with:
	creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}

	- name: Validate Azure Key Vault secrets
	uses: DFE-Digital/github-actions/validate-key-vault-secrets@master
	with:
	KEY_VAULT: ${{ env.KEY_VAULT_NAME }}
	SECRETS: \|
	${{ env.KEY_VAULT_INFRA_SECRET_NAME }}

	- uses: DFE-Digital/keyvault-yaml-secret@v1
	id: get-secret
	with:
	keyvault: ${{ env.KEY_VAULT_NAME }}
	secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }}
	key: SNYK_TOKEN

	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build Docker Image
	uses: docker/build-push-action@v6
	with:
	tags: \|
	${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}}
	${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}}
	load: true
	cache-to: type=inline
	push: false
	build-args: COMMIT_SHA=${{ github.sha }}

	- name: Run Snyk to check Docker image for vulnerabilities
	uses: snyk/actions/docker@master
	env:
	SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }}
	with:
	image: ${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }}
	args: --file=Dockerfile --exclude-app-vulns

	- name: Push ${{ env.DOCKER_IMAGE }} images
	if: ${{ success() }}
	run: \|
	docker push ${{ env.DOCKER_IMAGE }}:${{env.IMAGE_TAG}}
	docker push ${{ env.DOCKER_IMAGE }}:${{env.BRANCH_TAG}}

	- name: Check for Failure
	uses: ./.github/actions/send-slack-notification/
	if: failure()
	with:
	slack-title: 'Build failure on weekly rebuild cache workflow'
	slack-message: ':alert: Build failure :sadparrot:'
	slack-webhook: ${{ secrets.SLACK_WEBHOOK }}

	audit:
	name: Audit
	needs: [build]
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Set environment variables
	run: \|
	echo "IMAGE_TAG=${{ needs.build.outputs.image_tag }}" >> $GITHUB_ENV

	- name: Pull docker images
	run: docker pull ${{ needs.build.outputs.docker_image }}:$IMAGE_TAG

	- name: Bring images up
	run: \|
	docker compose up --no-build -d

	- name: Install git
	run: docker compose exec -T web /bin/sh -c 'apk add git'

	- name: Bundle audit
	run: docker compose exec -T web /bin/sh -c 'bundle-audit check --update'

	- name: Check for Failure
	uses: ./.github/actions/send-slack-notification/
	if: ${{ failure() }}
	with:
	slack-icon-emoji: ':lock:'
	slack-title: Audit Failure
	slack-message: ':alert: Audit failure on ${{ github.event.inputs.environment }} :sadparrot:'
	slack-webhook: ${{ secrets.SLACK_WEBHOOK }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build No Cache #176

Workflow file

Build No Cache #176

Jobs

Run details

Workflow file for this run