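# Cloud Build pipeline for the dev environment: lint + unit tests, image
# build/push, a vulnerability gate (ons-sds-dev only), Cloud Run deploy, then
# integration tests against the deployed service.
#
# `${PROJECT_ID}`, `${SHORT_SHA}` and the `_`-prefixed names are Cloud Build
# substitutions; they are expanded into the scripts before each step runs.
steps:
  # Lint and unit tests. `set -e` makes the step fail on the first failing
  # command; without it only the last command's exit status counts, so a
  # failed `make lint` (or a failed install) is masked by a passing test run.
  # NOTE(review): `uv` and the `python:3.13` image are unpinned — pinning by
  # version/digest would make the build reproducible; confirm project policy.
  - name: python:3.13
    id: "pytest unit tests + lint"
    entrypoint: sh
    args:
      - "-c"
      - |
        set -e
        pip install --upgrade pip --user
        pip install uv
        uv sync
        make lint
        make unit-tests

  # Build the image tagged with both the commit SHA and `latest`, then push
  # both tags. `set -e` stops the step on a failed build instead of pushing
  # whatever tag still exists locally.
  - name: gcr.io/cloud-builders/docker
    id: "Build and push docker image"
    entrypoint: sh
    args:
      - "-c"
      - |
        set -e
        docker build -t "europe-west2-docker.pkg.dev/${PROJECT_ID}/cir/cir:${SHORT_SHA}" -t "europe-west2-docker.pkg.dev/${PROJECT_ID}/cir/cir:latest" .
        docker push "europe-west2-docker.pkg.dev/${PROJECT_ID}/cir/cir:${SHORT_SHA}"
        docker push "europe-west2-docker.pkg.dev/${PROJECT_ID}/cir/cir:latest"

  # Dump the Artifact Registry vulnerability list for `latest` to a workspace
  # file read by the next step. Only runs in ons-sds-dev; elsewhere the
  # pipeline continues without a scan.
  # NOTE(review): registry scanning is asynchronous after a push; if the scan
  # has not finished the list may be incomplete — confirm whether a wait is
  # needed before this step.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "Show image vulnerabilities (ons-sds-dev only)"
    entrypoint: bash
    args:
      - "-c"
      - |
        set -e
        if [ "${PROJECT_ID}" = "ons-sds-dev" ]
        then
          gcloud artifacts vulnerabilities list europe-west2-docker.pkg.dev/${PROJECT_ID}/cir/cir:latest \
            --format=json > /workspace/vulnerability_report
        else
          echo "Step not run for ${PROJECT_ID}"
        fi

  # Fail the build if the report contains a CRITICAL finding. The two
  # apt-get calls are separate lines on purpose: inside an `a && b` list
  # `set -e` does not fire on `a`, and a missing `jq` would make the `if`
  # test false and let the gate pass silently. `test -s` likewise fails the
  # step when the report file is missing or empty instead of passing.
  # Only enforced in ons-sds-dev; other projects deploy without this gate.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "Check for critical vulnerabilities (ons-sds-dev only)"
    entrypoint: bash
    args:
      - "-c"
      - |
        set -e
        if [ "${PROJECT_ID}" = "ons-sds-dev" ]
        then
          apt-get -y update
          apt-get install -y jq
          test -s /workspace/vulnerability_report
          if jq -e '.[] | select( .vulnerability.effectiveSeverity == "CRITICAL")' /workspace/vulnerability_report > /dev/null; then
            echo "Error: Critical vulnerability found with image"
            exit 1
          fi
        else
          echo "Step not run for ${PROJECT_ID}"
        fi

  # Deploy the SHA-tagged image to Cloud Run.
  # `--allow-unauthenticated` together with `--no-invoker-iam-check` disables
  # Cloud Run's own caller check, so who can reach the service is bounded only
  # by the `internal-and-cloud-load-balancing` ingress setting and whatever
  # the load balancer enforces in front of it (the `iap-secret` used by the
  # integration tests suggests IAP, but that is not visible here — confirm).
  - name: "gcr.io/google.com/cloudsdktool/cloud-sdk"
    id: "Deploy docker image to cloud run"
    entrypoint: gcloud
    args:
      - "run"
      - "deploy"
      - "cir"
      - "--no-invoker-iam-check"
      - "--image"
      - "europe-west2-docker.pkg.dev/${PROJECT_ID}/cir/cir:${SHORT_SHA}"
      - "--region"
      - "europe-west2"
      - "--allow-unauthenticated"
      - "--ingress"
      - "internal-and-cloud-load-balancing"
      - "--update-env-vars"
      - "CIR_APPLICATION_VERSION=development"

  # Integration tests against the deployed service. The INT_* variables are
  # filled from Cloud Build substitutions; `set -e` makes a failed install or
  # `uv sync` fail the step rather than being hidden by the final make call.
  - name: python:3.13
    id: "pytest integration tests"
    entrypoint: sh
    args:
      - "-c"
      - |
        set -e
        export INT_DEFAULT_HOSTNAME=${_SSL_CERTIFICATE_DOMAIN}
        export INT_FIRESTORE_DB_NAME=${_FIRESTORE_DB_NAME}
        export INT_CI_STORAGE_BUCKET_NAME=${_CI_STORAGE_BUCKET_NAME}
        export INT_PROJECT_ID=${PROJECT_ID}
        export INT_PUBLISH_CI_TOPIC_ID=${_PUBLISH_CI_TOPIC_ID}
        export INT_URL_SCHEME=https
        export SECRET_ID=iap-secret
        pip install --upgrade pip --user
        pip install uv
        uv sync
        make integration-tests-cloudbuild

options:
  logging: CLOUD_LOGGING_ONLY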