.github/workflows/secure-post-merge.yml

name: SecurePipeline Docker build, ECR push, template copy to S3
on:
  push:
    branches:
      - main

jobs:
  dockerBuildAndPush:
    name: Docker build and push
    runs-on: ubuntu-latest
    timeout-minutes: 15
    env:
      AWS_REGION: eu-west-2
    permissions:
      id-token: write
      contents: read
      packages: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: '0'

      - name: Set up AWS creds #push assets to S3
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.UPLOAD_ASSETS_GH_ACTIONS_ROLE_ARN }}
          aws-region: eu-west-2

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Setup .npmrc
        run: |
          cp .npmrc.template .npmrc && \
          sed -i s/TOKEN_WITH_READ_PACKAGE_PERMISSION/${{ secrets.GITHUB_TOKEN }}/ .npmrc

      - name: npm build assets, zip and sign
        uses: govuk-one-login/github-actions/govuk/upload-assets@main
        with:
          signing-key-arn: ${{ secrets.UPLOAD_ASSETS_ZIP_SIGNING_KEY }}
          stack-name: 'core-front'
          destination-bucket-name: ${{ secrets.UPLOAD_ASSETS_ARTIFACT_SOURCE_BUCKET_NAME }}

      - name: Set up AWS creds #push to ECR and  do sam deploy
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }}
          aws-region: eu-west-2

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Login to GDS Dev Dynatrace Container Registry
        uses: docker/login-action@v3
        with:
          registry: khw46367.live.dynatrace.com
          username: khw46367
          password: ${{ secrets.DYNATRACE_PAAS_TOKEN }}

      - name: Deploy SAM app to ECR
        uses: govuk-one-login/devplatform-upload-action-ecr@v1.3.0
        with:
          artifact-bucket-name: ${{ secrets.ARTIFACT_BUCKET_NAME }}
          container-sign-kms-key-arn: ${{ secrets.CONTAINER_SIGN_KMS_KEY }}
          working-directory: ./deploy
          docker-build-path: .
          template-file: template.yaml
          role-to-assume-arn: ${{ secrets.GH_ACTIONS_ROLE_ARN }}
          ecr-repo-name: ${{ secrets.ECR_REPOSITORY }}
          checkout-repo: false