134 changes: 124 additions & 10 deletions .github/workflows/cicd-3-test-deploy.yaml
Expand Up @@ -46,10 +46,132 @@ jobs:
echo "name=$TAG" >> $GITHUB_OUTPUT
echo "Resolved tag: $TAG"

sign-lambda-artifact:
name: "Sign lambda artifact for TEST"
runs-on: ubuntu-latest
needs: [metadata]
environment: test
timeout-minutes: 45
permissions:
id-token: write
contents: read
outputs:
bucket_name: ${{ steps.tf_output.outputs.bucket_name }}
steps:
- name: "Checkout same commit"
uses: actions/checkout@v6
with:
ref: ${{ github.event.workflow_run.head_sha }}

- name: "Setup Terraform"
uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ needs.metadata.outputs.terraform_version }}

- name: "Configure AWS Credentials"
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
aws-region: eu-west-2

- name: "Download lambda artefact from dev workflow"
uses: actions/download-artifact@v7
with:
name: lambda-${{ needs.metadata.outputs.tag }}
path: ./dist
run-id: ${{ github.event.workflow_run.id }}
github-token: ${{ github.token }}

- name: "Terraform Init (TEST api-layer)"
env:
ENVIRONMENT: test
WORKSPACE: "default"
run: |
echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=init"
make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE
working-directory: ./infrastructure

- name: "Extract Terraform outputs"
id: tf_output
run: |
BUCKET=$(terraform output -raw lambda_artifact_bucket)
PROFILE=$(terraform output -raw signing_profile_name)
echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
echo "signing_profile_name=$PROFILE" >> $GITHUB_OUTPUT
working-directory: ./infrastructure/stacks/api-layer

- name: "Upload unsigned lambda artifact to S3"
run: |
aws s3 cp ./dist/lambda.zip \
s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
--region eu-west-2

- name: "Get uploaded source object version"
id: source_object
run: |
VERSION_ID=$(aws s3api head-object \
--bucket "${{ steps.tf_output.outputs.bucket_name }}" \
--key "artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip" \
--query 'VersionId' \
--output text \
--region eu-west-2)
echo "version_id=$VERSION_ID" >> $GITHUB_OUTPUT

- name: "Start signing job"
id: signing
env:
SIGNING_PROFILE_NAME: ${{ steps.tf_output.outputs.signing_profile_name }}
run: |
JOB_ID=$(aws signer start-signing-job \
--source "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},key=artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip,version=${{ steps.source_object.outputs.version_id }}}" \
--destination "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},prefix=signed-artifacts/${{ needs.metadata.outputs.tag }}/}" \
--profile-name "$SIGNING_PROFILE_NAME" \
--query 'jobId' \
--output text \
--region eu-west-2)
echo "job_id=$JOB_ID" >> $GITHUB_OUTPUT

- name: "Wait for signing job"
run: |
aws signer wait successful-signing-job \
--job-id "${{ steps.signing.outputs.job_id }}" \
--region eu-west-2

- name: "Resolve signed artifact location"
id: signed_object
run: |
SIGNED_BUCKET=$(aws signer describe-signing-job \
--job-id "${{ steps.signing.outputs.job_id }}" \
--region eu-west-2 \
--query 'signedObject.s3.bucketName' \
--output text)

SIGNED_KEY=$(aws signer describe-signing-job \
--job-id "${{ steps.signing.outputs.job_id }}" \
--region eu-west-2 \
--query 'signedObject.s3.key' \
--output text)

echo "bucket_name=$SIGNED_BUCKET" >> $GITHUB_OUTPUT
echo "object_key=$SIGNED_KEY" >> $GITHUB_OUTPUT

- name: "Download signed lambda artifact"
run: |
aws s3 cp \
"s3://${{ steps.signed_object.outputs.bucket_name }}/${{ steps.signed_object.outputs.object_key }}" \
./dist/lambda.zip \
--region eu-west-2

- name: "Upload signed lambda artifact for current workflow"
uses: actions/upload-artifact@v6
with:
name: lambda-${{ needs.metadata.outputs.tag }}
path: ./dist/lambda.zip

deploy:
name: "Deploy to TEST (approval required)"
runs-on: ubuntu-latest
needs: [metadata]
needs: [metadata, sign-lambda-artifact]
environment: test
timeout-minutes: 10080
permissions:
Expand Down Expand Up @@ -83,13 +205,11 @@ jobs:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
aws-region: eu-west-2

- name: "Download lambda artefact from dev workflow"
- name: "Download signed lambda artefact"
uses: actions/download-artifact@v7
with:
name: lambda-${{ needs.metadata.outputs.tag }}
path: ./dist
run-id: ${{ github.event.workflow_run.id }}
github-token: ${{ github.token }}

- name: "Terraform Apply (TEST)"
env:
Expand Down Expand Up @@ -127,12 +247,6 @@ jobs:
echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
working-directory: ./infrastructure/stacks/api-layer

- name: "Upload lambda artifact to S3"
run: |
aws s3 cp ./dist/lambda.zip \
s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
--region eu-west-2

regression-tests:
name: "Regression Tests"
needs: deploy
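Review bot: The new sign-lambda-artifact job's `permissions:` block lists only `id-token: write` and `contents: read`, which sets every other scope to none, yet its download step fetches `lambda-<tag>` from a different run via `run-id` plus `github-token: ${{ github.token }}`, and cross-run artifact download needs `actions: read` on that token — the sibling signing_test.yaml grants exactly that at workflow level, so add `actions: read` under `permissions:` here (the deploy job's own permissions block is cut off at the end of the first hunk, so I cannot confirm what it grants). The job also runs under `environment: test`, the same environment whose deploy job is titled "(approval required)" and waits up to 10080 minutes; if that environment has required reviewers, signing is gated by the same approval but with `timeout-minutes: 45`, so either the timeout or the environment binding looks wrong, and if it has no reviewers then the artifact is signed before any human approval, which is worth stating deliberately in a comment. Finally, the unsigned zip is still written to `artifacts/<tag>/lambda.zip`, the same key the removed deploy-job upload used; the Terraform apply is outside the hunk, so please confirm it now points the Lambda at the `signed-artifacts/` object (or that a code-signing config enforces it) rather than the unsigned key.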
58 changes: 34 additions & 24 deletions .github/workflows/signing_test.yaml
@@ -1,28 +1,20 @@
name: "signing-test"

on:
workflow_dispatch:
inputs:
ref:
description: "Branch, tag, or commit SHA to check out"
required: true
default: "feature/ELI-702-code-signing"
artifact_tag:
description: "Artifact tag to deploy, for example dev-20260410120000"
required: true
artifact_run_id:
description: "Workflow run ID that produced the lambda artifact"
required: true

concurrency:
group: test-deployments
cancel-in-progress: false
push:
branches:
- feature/ELI-702-code-signing

permissions:
contents: read
id-token: write
actions: read

env:
SELECTED_REF: feature/ELI-702-code-signing
SELECTED_ARTIFACT_TAG: dev-20260414083041
SELECTED_ARTIFACT_RUN_ID: 24389064472

jobs:
metadata:
name: "Resolve metadata"
Expand All @@ -34,18 +26,24 @@ jobs:
- name: "Checkout selected ref"
uses: actions/checkout@v6
with:
ref: ${{ inputs.ref }}
ref: ${{ env.SELECTED_REF }}

- name: "Show checked out commit"
run: |
git branch --show-current || true
git rev-parse HEAD
git log -1 --oneline

- name: "Set CI/CD variables"
id: vars
run: |
echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT

- name: "Use provided artifact tag"
- name: "Use static artifact tag"
id: tag
run: |
echo "name=${{ inputs.artifact_tag }}" >> $GITHUB_OUTPUT
echo "Resolved tag: ${{ inputs.artifact_tag }}"
echo "name=${{ env.SELECTED_ARTIFACT_TAG }}" >> $GITHUB_OUTPUT
echo "Resolved tag: ${{ env.SELECTED_ARTIFACT_TAG }}"

sign-lambda-artifact:
name: "Sign lambda artifact for TEST"
Expand All @@ -62,7 +60,13 @@ jobs:
- name: "Checkout selected ref"
uses: actions/checkout@v6
with:
ref: ${{ inputs.ref }}
ref: ${{ env.SELECTED_REF }}

- name: "Show checked out commit"
run: |
git branch --show-current || true
git rev-parse HEAD
git log -1 --oneline

- name: "Setup Terraform"
uses: hashicorp/setup-terraform@v3
Expand All @@ -80,7 +84,7 @@ jobs:
with:
name: lambda-${{ needs.metadata.outputs.tag }}
path: ./dist
run-id: ${{ inputs.artifact_run_id }}
run-id: ${{ env.SELECTED_ARTIFACT_RUN_ID }}
github-token: ${{ github.token }}

- name: "Terraform Init (TEST api-layer)"
Expand All @@ -96,7 +100,7 @@ jobs:
id: tf_output
run: |
BUCKET=$(terraform output -raw lambda_artifact_bucket)
PROFILE=$(terraform output -raw lambda_signing_profile_name)
PROFILE=$(terraform output -raw signing_profile_name)
echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
echo "signing_profile_name=$PROFILE" >> $GITHUB_OUTPUT
working-directory: ./infrastructure/stacks/api-layer
Expand Down Expand Up @@ -182,7 +186,13 @@ jobs:
- name: "Checkout selected ref"
uses: actions/checkout@v6
with:
ref: ${{ inputs.ref }}
ref: ${{ env.SELECTED_REF }}

- name: "Show checked out commit"
run: |
git branch --show-current || true
git rev-parse HEAD
git log -1 --oneline

- name: "Setup Terraform"
uses: hashicorp/setup-terraform@v3
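Review bot: Every job in this workflow now checks out `ref: ${{ env.SELECTED_REF }}`, a branch name, under a `push` trigger, so the metadata, sign and deploy jobs are no longer pinned to the commit that triggered the run and can resolve different commits if the branch moves mid-run; use `ref: ${{ github.sha }}` (or drop `ref:` entirely, since actions/checkout defaults to the triggering commit) and keep the new "Show checked out commit" step as the evidence trail. The first hunk also deletes the `concurrency:` block, so overlapping pushes to the feature branch can now run concurrent Terraform operations against the test stack; restore `concurrency: {group: test-deployments, cancel-in-progress: false}` unless serialisation was dropped on purpose. Hard-coding `SELECTED_ARTIFACT_RUN_ID: 24389064472` and a fixed `SELECTED_ARTIFACT_TAG` means every push re-signs the same stale artifact from another run, which is acceptable for throwaway scaffolding but should be called out above the `env:` block, e.g. `# Temporary signing scaffold: signs and deploys one fixed dev artifact on every push; do not merge to main.`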