@@ -46,6 +46,128 @@ jobs:
4646 echo "name=$TAG" >> $GITHUB_OUTPUT
4747 echo "Resolved tag: $TAG"
4848
49+ sign-lambda-artifact :
50+ name : " Sign lambda artifact for TEST"
51+ runs-on : ubuntu-latest
52+ needs : [metadata]
53+ environment : test
54+ timeout-minutes : 45
55+ permissions :
56+ id-token : write
57+ contents : read
58+ outputs :
59+ bucket_name : ${{ steps.tf_output.outputs.bucket_name }}
60+ steps :
61+ - name : " Checkout same commit"
62+ uses : actions/checkout@v6
63+ with :
64+ ref : ${{ github.event.workflow_run.head_sha }}
65+
66+ - name : " Setup Terraform"
67+ uses : hashicorp/setup-terraform@v3
68+ with :
69+ terraform_version : ${{ needs.metadata.outputs.terraform_version }}
70+
71+ - name : " Configure AWS Credentials"
72+ uses : aws-actions/configure-aws-credentials@v6
73+ with :
74+ role-to-assume : arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
75+ aws-region : eu-west-2
76+
77+ - name : " Download lambda artefact from dev workflow"
78+ uses : actions/download-artifact@v7
79+ with :
80+ name : lambda-${{ needs.metadata.outputs.tag }}
81+ path : ./dist
82+ run-id : ${{ github.event.workflow_run.id }}
83+ github-token : ${{ github.token }}
84+
85+ - name : " Terraform Init (TEST api-layer)"
86+ env :
87+ ENVIRONMENT : test
88+ WORKSPACE : " default"
89+ run : |
90+ echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=init"
91+ make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE
92+ working-directory : ./infrastructure
93+
94+ - name : " Extract Terraform outputs"
95+ id : tf_output
96+ run : |
97+ BUCKET=$(terraform output -raw lambda_artifact_bucket)
98+ PROFILE=$(terraform output -raw signing_profile_name)
99+ echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
100+ echo "signing_profile_name=$PROFILE" >> $GITHUB_OUTPUT
101+ working-directory : ./infrastructure/stacks/api-layer
102+
103+ - name : " Upload unsigned lambda artifact to S3"
104+ run : |
105+ aws s3 cp ./dist/lambda.zip \
106+ s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
107+ --region eu-west-2
108+
109+ - name : " Get uploaded source object version"
110+ id : source_object
111+ run : |
112+ VERSION_ID=$(aws s3api head-object \
113+ --bucket "${{ steps.tf_output.outputs.bucket_name }}" \
114+ --key "unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip" \
115+ --query 'VersionId' \
116+ --output text \
117+ --region eu-west-2)
118+ echo "version_id=$VERSION_ID" >> $GITHUB_OUTPUT
119+
120+ - name : " Start signing job"
121+ id : signing
122+ env :
123+ SIGNING_PROFILE_NAME : ${{ steps.tf_output.outputs.signing_profile_name }}
124+ run : |
125+ JOB_ID=$(aws signer start-signing-job \
126+ --source "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},key=artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip,version=${{ steps.source_object.outputs.version_id }}}" \
127+ --destination "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},prefix=signed-artifacts/${{ needs.metadata.outputs.tag }}/}" \
128+ --profile-name "$SIGNING_PROFILE_NAME" \
129+ --query 'jobId' \
130+ --output text \
131+ --region eu-west-2)
132+ echo "job_id=$JOB_ID" >> $GITHUB_OUTPUT
133+
134+ - name : " Wait for signing job"
135+ run : |
136+ aws signer wait successful-signing-job \
137+ --job-id "${{ steps.signing.outputs.job_id }}" \
138+ --region eu-west-2
139+
140+ - name : " Resolve signed artifact location"
141+ id : signed_object
142+ run : |
143+ SIGNED_BUCKET=$(aws signer describe-signing-job \
144+ --job-id "${{ steps.signing.outputs.job_id }}" \
145+ --region eu-west-2 \
146+ --query 'signedObject.s3.bucketName' \
147+ --output text)
148+
149+ SIGNED_KEY=$(aws signer describe-signing-job \
150+ --job-id "${{ steps.signing.outputs.job_id }}" \
151+ --region eu-west-2 \
152+ --query 'signedObject.s3.key' \
153+ --output text)
154+
155+ echo "bucket_name=$SIGNED_BUCKET" >> $GITHUB_OUTPUT
156+ echo "object_key=$SIGNED_KEY" >> $GITHUB_OUTPUT
157+
158+ - name : " Download signed lambda artifact"
159+ run : |
160+ aws s3 cp \
161+ "s3://${{ steps.signed_object.outputs.bucket_name }}/${{ steps.signed_object.outputs.object_key }}" \
162+ ./dist/lambda.zip \
163+ --region eu-west-2
164+
165+ - name : " Upload signed lambda artifact for current workflow"
166+ uses : actions/upload-artifact@v6
167+ with :
168+ name : lambda-${{ needs.metadata.outputs.tag }}
169+ path : ./dist/lambda.zip
170+
49171 deploy :
50172 name : " Deploy to TEST (approval required)"
51173 runs-on : ubuntu-latest
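Review bot: The key used to look up the uploaded object's version does not match the key it was uploaded under: the upload step copies to `s3://.../artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip`, but the head-object call queries `--key "unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip"`, so `VERSION_ID` is never resolved for the real object and the `version=` passed to `start-signing-job` (which itself names `artifacts/...`) refers to a key that was never inspected. Change the head-object line to `--key "artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip"` so the upload, the version lookup and the signing source all point at the same object. Separately, the signing step already routes the profile name through `env:` while the other `run:` bodies interpolate `${{ }}` expressions directly into shell text; passing the tag, bucket and key via `env:` in the same way keeps the shell from re-parsing expression output and is worth doing consistently across the job. If the artifact bucket is not versioned, `--query 'VersionId'` prints `None` and the script does not check for it — presumably versioning is enabled for this signing flow, but confirm.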
@@ -83,13 +205,11 @@ jobs:
83205 role-to-assume : arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
84206 aws-region : eu-west-2
85207
86- - name : " Download lambda artefact from dev workflow "
208+ - name : " Download signed lambda artefact"
87209 uses : actions/download-artifact@v7
88210 with :
89211 name : lambda-${{ needs.metadata.outputs.tag }}
90212 path : ./dist
91- run-id : ${{ github.event.workflow_run.id }}
92- github-token : ${{ github.token }}
93213
94214 - name : " Terraform Apply (TEST)"
95215 env :
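Review bot: Dropping `run-id` and `github-token` means this download step now only sees artifacts uploaded in the current run, so `deploy` must list `sign-lambda-artifact` in its `needs:` for the signed `lambda-${{ needs.metadata.outputs.tag }}` artifact to exist before this step runs; the job's `needs:` line is outside this hunk, so confirm it was changed from `[metadata]` to something like `[metadata, sign-lambda-artifact]`. Without that edge the step would fail or, worse, run against whatever artifact happens to be present.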
@@ -127,12 +247,6 @@ jobs:
127247 echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
128248 working-directory : ./infrastructure/stacks/api-layer
129249
130- - name : " Upload lambda artifact to S3"
131- run : |
132- aws s3 cp ./dist/lambda.zip \
133- s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
134- --region eu-west-2
135-
136250 regression-tests :
137251 name : " Regression Tests"
138252 needs : deploy