Merged
31 commits
3b31922
[ELI-702] - adding the new signing resources and attaching to lambda
TOEL2 Mar 25, 2026
272126c
[ELI-702] - changing workflow to sign and upload first before deployment
TOEL2 Mar 25, 2026
f4e1924
[ELI-702] - expanding github role permissions with new policy
TOEL2 Mar 25, 2026
2153103
[ELI-702] - changing name to something valid
TOEL2 Mar 25, 2026
d55e992
[ELI-702] - excepting for dev
TOEL2 Mar 25, 2026
0fda371
[ELI-702] - adding permissions
TOEL2 Mar 25, 2026
358dc0c
[ELI-702] - adding permissions
TOEL2 Mar 25, 2026
3ad3203
[ELI-702] - restricting permissions
TOEL2 Mar 25, 2026
5fb9a3b
[ELI-702] - removing suppression
TOEL2 Mar 26, 2026
41eca6d
[ELI-702] - swapping env for workspace
TOEL2 Mar 26, 2026
2c460bd
Merge branch 'main' into feature/ELI-702-code-signing
TOEL2 Mar 27, 2026
afa6788
[ELI-702] - swapping arn to all for config actions
TOEL2 Mar 27, 2026
a94fdc0
Merge branch 'main' into feature/ELI-702-code-signing
TOEL2 Mar 30, 2026
a383695
[ELI-702] - disabling signing enforcement for now
TOEL2 Mar 30, 2026
c9d8c2a
[ELI-702] - checkov suppression
TOEL2 Mar 30, 2026
4e61c0c
[ELI-702] - removing workflow changes for now
TOEL2 Mar 30, 2026
cbba2ef
Merge branch 'main' into feature/ELI-702-code-signing
TOEL2 Mar 30, 2026
9bf8b61
Merge branch 'main' into feature/ELI-702-code-signing
TOEL2 Mar 31, 2026
a78a48f
Merge branch 'main' into feature/ELI-702-code-signing
TOEL2 Apr 9, 2026
547344d
[ELI-702] Update resource name
TOEL2 Apr 9, 2026
6e8cba3
[ELI-702] pulling in main
TOEL2 Apr 11, 2026
59b54ca
[ELI-702] removing duplicate signer perm
TOEL2 Apr 11, 2026
f888da3
[ELI-702] slight name change
TOEL2 Apr 13, 2026
05685f5
[ELI-702] converting to manual to test
TOEL2 Apr 13, 2026
de5413b
[ELI-702] workflow name change
TOEL2 Apr 13, 2026
339738e
[ELI] formatting
TOEL2 Apr 14, 2026
a632668
Merge branch 'main' into feature/ELI-702-code-signing
TOEL2 Apr 14, 2026
153f63c
[ELI-702] removing unnecessary deployment
TOEL2 Apr 14, 2026
fd9c9e0
[ELI-702] undoing anything not for the test
TOEL2 Apr 14, 2026
92a18d1
[ELI-702] undoing changes
TOEL2 Apr 14, 2026
522d468
Merge branch 'main' into feature/ELI-702-code-signing
TOEL2 Apr 14, 2026
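--- a/.github/workflows/signing_test.yaml
+++ b/.github/workflows/signing_test.yaml
@@ -0,0 +1,202 @@
+name: "signing-test"
+
+on:
+workflow_dispatch:
+inputs:
+ref:
+description: "Branch, tag, or commit SHA to check out"
+required: true
+default: "feature/ELI-702-code-signing"
+artifact_tag:
+description: "Artifact tag to deploy, for example dev-20260410120000"
+required: true
+artifact_run_id:
+description: "Workflow run ID that produced the lambda artifact"
+required: true
+
+concurrency:
+group: test-deployments
+cancel-in-progress: false
+
+permissions:
+contents: read
+id-token: write
+actions: read
+
+jobs:
+metadata:
+name: "Resolve metadata"
+runs-on: ubuntu-latest
+outputs:
+terraform_version: ${{ steps.vars.outputs.terraform_version }}
+tag: ${{ steps.tag.outputs.name }}
+steps:
+- name: "Checkout selected ref"
+uses: actions/checkout@v6
+with:
+ref: ${{ inputs.ref }}
+
+- name: "Set CI/CD variables"
+id: vars
+run: |
+echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+
+- name: "Use provided artifact tag"
+id: tag
+run: |
+echo "name=${{ inputs.artifact_tag }}" >> $GITHUB_OUTPUT
+echo "Resolved tag: ${{ inputs.artifact_tag }}"
+
+sign-lambda-artifact:
+name: "Sign lambda artifact for TEST"
+runs-on: ubuntu-latest
+needs: [metadata]
+environment: test
+timeout-minutes: 45
+permissions:
+id-token: write
+contents: read
+outputs:
+bucket_name: ${{ steps.tf_output.outputs.bucket_name }}
+steps:
+- name: "Checkout selected ref"
+uses: actions/checkout@v6
+with:
+ref: ${{ inputs.ref }}
+
+- name: "Setup Terraform"
+uses: hashicorp/setup-terraform@v3
+with:
+terraform_version: ${{ needs.metadata.outputs.terraform_version }}
+
+- name: "Configure AWS Credentials"
+uses: aws-actions/configure-aws-credentials@v6
+with:
+role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+aws-region: eu-west-2
+
+- name: "Download lambda artefact from chosen workflow run"
+uses: actions/download-artifact@v7
+with:
+name: lambda-${{ needs.metadata.outputs.tag }}
+path: ./dist
+run-id: ${{ inputs.artifact_run_id }}
+github-token: ${{ github.token }}
+
+- name: "Terraform Init (TEST api-layer)"
+env:
+ENVIRONMENT: test
+WORKSPACE: "default"
+run: |
+echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=init"
+make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE
+working-directory: ./infrastructure
+
+- name: "Extract Terraform outputs"
+id: tf_output
+run: |
+BUCKET=$(terraform output -raw lambda_artifact_bucket)
+PROFILE=$(terraform output -raw lambda_signing_profile_name)
+echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
+echo "signing_profile_name=$PROFILE" >> $GITHUB_OUTPUT
+working-directory: ./infrastructure/stacks/api-layer
+
+- name: "Upload unsigned lambda artifact to S3"
+run: |
+aws s3 cp ./dist/lambda.zip \
+s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
+--region eu-west-2
+
+- name: "Get uploaded source object version"
+id: source_object
+run: |
+VERSION_ID=$(aws s3api head-object \
+--bucket "${{ steps.tf_output.outputs.bucket_name }}" \
+--key "artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip" \
+--query 'VersionId' \
+--output text \
+--region eu-west-2)
+echo "version_id=$VERSION_ID" >> $GITHUB_OUTPUT
+
+- name: "Start signing job"
+id: signing
+env:
+SIGNING_PROFILE_NAME: ${{ steps.tf_output.outputs.signing_profile_name }}
+run: |
+JOB_ID=$(aws signer start-signing-job \
+--source "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},key=artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip,version=${{ steps.source_object.outputs.version_id }}}" \
+--destination "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},prefix=signed-artifacts/${{ needs.metadata.outputs.tag }}/}" \
+--profile-name "$SIGNING_PROFILE_NAME" \
+--query 'jobId' \
+--output text \
+--region eu-west-2)
+echo "job_id=$JOB_ID" >> $GITHUB_OUTPUT
+
+- name: "Wait for signing job"
+run: |
+aws signer wait successful-signing-job \
+--job-id "${{ steps.signing.outputs.job_id }}" \
+--region eu-west-2
+
+- name: "Resolve signed artifact location"
+id: signed_object
+run: |
+SIGNED_BUCKET=$(aws signer describe-signing-job \
+--job-id "${{ steps.signing.outputs.job_id }}" \
+--region eu-west-2 \
+--query 'signedObject.s3.bucketName' \
+--output text)
+
+SIGNED_KEY=$(aws signer describe-signing-job \
+--job-id "${{ steps.signing.outputs.job_id }}" \
+--region eu-west-2 \
+--query 'signedObject.s3.key' \
+--output text)
+
+echo "bucket_name=$SIGNED_BUCKET" >> $GITHUB_OUTPUT
+echo "object_key=$SIGNED_KEY" >> $GITHUB_OUTPUT
+
+- name: "Download signed lambda artifact"
+run: |
+aws s3 cp \
+"s3://${{ steps.signed_object.outputs.bucket_name }}/${{ steps.signed_object.outputs.object_key }}" \
+./dist/lambda.zip \
+--region eu-west-2
+
+- name: "Upload signed lambda artifact for current workflow"
+uses: actions/upload-artifact@v6
+with:
+name: lambda-${{ needs.metadata.outputs.tag }}
+path: ./dist/lambda.zip
+
+deploy:
+name: "Deploy to TEST (approval required)"
+runs-on: ubuntu-latest
+needs: [metadata, sign-lambda-artifact]
+environment: test
+timeout-minutes: 10080
+permissions:
+id-token: write
+contents: read
+steps:
+- name: "Checkout selected ref"
+uses: actions/checkout@v6
+with:
+ref: ${{ inputs.ref }}
+
+- name: "Setup Terraform"
+uses: hashicorp/setup-terraform@v3
+with:
+terraform_version: ${{ needs.metadata.outputs.terraform_version }}
+
+- name: "Download signed lambda artefact"
+uses: actions/download-artifact@v7
+with:
+name: lambda-${{ needs.metadata.outputs.tag }}
+path: ./dist
+
+- name: "Configure AWS Credentials"
+uses: aws-actions/configure-aws-credentials@v6
+with:
+role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+aws-region: eu-west-2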
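Review bot: The `workflow_dispatch` input `artifact_tag`, and the `needs.metadata.outputs.tag` value derived from it, are expanded with `${{ }}` directly inside `run:` scripts (the `Use provided artifact tag` step and the `aws s3` / `aws s3api` / `aws signer` commands in `sign-lambda-artifact`), so the value is substituted into the shell source before execution rather than passed as data; the `Start signing job` step already shows the safer pattern with `SIGNING_PROFILE_NAME`, so route the input through `env:` and reference it as `"$ARTIFACT_TAG"` in every step, and quote `"$GITHUB_OUTPUT"` while there. Separately, the job-level `permissions:` on `sign-lambda-artifact` lists only `id-token: write` and `contents: read`, which replaces the workflow-level block for that job, so the `actions: read` scope that `actions/download-artifact` needs when pulling from another `run-id` appears to be dropped; add `actions: read` to that job's block. Since this job is what attaches the signature, it is also worth a comment above the download step such as `# NOTE: the workflow/ref that produced artifact_run_id is not verified before signing — confirm the run came from a trusted workflow`, because nothing in the file checks it. Finally, `timeout-minutes: 10080` on `deploy` looks intended to cover the environment approval wait, but that gate runs before the job starts, so the timeout only governs the job's own runtime and can be reduced.
```yaml
- name: "Use provided artifact tag"
  id: tag
  env:
    ARTIFACT_TAG: ${{ inputs.artifact_tag }}
  run: |
    echo "name=$ARTIFACT_TAG" >> "$GITHUB_OUTPUT"
    echo "Resolved tag: $ARTIFACT_TAG"
# … unchanged: remaining steps; apply the same env:-then-quoted-variable pattern to the aws s3 / aws signer steps …
```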