
Commit 37557cc

committed
CCM-12614: add github package manager authentication
1 parent 43f0214 commit 37557cc

8 files changed

Lines changed: 91 additions & 19 deletions


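--- a/.github/actions/build-docs/action.yml
+++ b/.github/actions/build-docs/action.yml
@@ -4,14 +4,21 @@ inputs:
 version:
 description: "Version number"
 required: true
+node-version:
+description: 'Node.js version'
+required: true
+GITHUB_TOKEN:
+description: "Token for access to github package registry"
+required: true
 runs:
 using: "composite"
 steps:
 - name: Checkout
 uses: actions/checkout@v5
-- uses: actions/setup-node@v6
+- uses: ./.github/actions/node-install
 with:
-node-version: 24
+node-version: ${{ inputs.node-version }}
+GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
 - name: Npm cli install
 working-directory: ./docs
 run: npm ci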
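Review bot: `node-version: ${{ inputs.node-version }}` and `GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}` are passed unquoted here while the new node-install action writes the same expression as `'${{ inputs.node-version }}'`; pick one form, e.g. `node-version: '${{ inputs.node-version }}'`, so the two actions read alike. The new input metadata also alternates `'Node.js version'` and `"Token for access to github package registry"` quoting on adjacent lines, against the file's existing `"Version number"`. As far as I know `required: true` on a composite-action input is metadata only and the runner does not fail a caller that omits it, so an empty token would travel on to set-github-token.sh rather than being rejected at this boundary; the node-install action is the better place for an explicit emptiness check.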
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
name: 'Node install and setup'
2+
description: 'Setup node and authenticate github package repository'
3+
4+
inputs:
5+
node-version:
6+
description: 'Node.js version'
7+
required: true
8+
GITHUB_TOKEN:
9+
description: "Token for access to github package registry"
10+
required: true
11+
12+
runs:
13+
using: 'composite'
14+
steps:
15+
- name: 'Use Node.js'
16+
uses: actions/setup-node@v6
17+
with:
18+
node-version: '${{ inputs.node-version }}'
19+
20+
- name: "Configure npm for GitHub Packages"
21+
shell: bash
22+
env:
23+
GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
24+
run: |
25+
scripts/set-github-token.sh
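Review bot: The final `run: | scripts/set-github-token.sh` step resolves the script relative to the job's workspace, not to the action's own directory, so this action only works when the calling job has already checked out this repository and has not set a different working-directory; writing it as `run: "${{ github.workspace }}/scripts/set-github-token.sh"` makes that dependency explicit. Passing the token through `env:` instead of interpolating `${{ inputs.GITHUB_TOKEN }}` into the script text is the right choice, since it keeps the value out of the rendered command. If the input arrives empty, the script (scripts/set-github-token.sh in this same commit) falls through to an interactive `read -p`, which on a non-interactive runner fails or stalls with an unhelpful message; a guard before the call such as `[[ -n "${GITHUB_TOKEN:-}" ]] || { echo "::error::GITHUB_TOKEN input is empty"; exit 1; }` fails fast instead. This section's file path is not shown on the page; from the other hunks it appears to be the action referenced as ./.github/actions/node-install.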

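--- a/.github/workflows/cicd-1-pull-request.yaml
+++ b/.github/workflows/cicd-1-pull-request.yaml
@@ -15,12 +15,15 @@ on:
 permissions:
 id-token: write
 contents: write
+packages: read
 
 jobs:
 metadata:
 name: "Set CI/CD metadata"
 runs-on: ubuntu-latest
 timeout-minutes: 1
+permissions:
+contents: read
 outputs:
 build_datetime_london: ${{ steps.variables.outputs.build_datetime_london }}
 build_datetime: ${{ steps.variables.outputs.build_datetime }}
@@ -152,6 +155,9 @@ jobs:
 name: Trigger dynamic environment creation
 needs: [metadata, build-stage]
 runs-on: ubuntu-latest
+permissions:
+contents: read
+id-token: write
 if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
 steps:
 - uses: actions/checkout@v5.0.0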
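Review bot: The workflow-level `permissions` block in the first hunk now hands `contents: write`, `id-token: write` and `packages: read` to every job that does not override it, yet only `metadata` and the dynamic-environment job in the second hunk received a job-level block; any other job in this file, including the ones outside these hunks, inherits all three scopes whether or not it needs them. If `contents: write` is needed only by specific jobs, the safer shape is to reduce the top-level block to `contents: read` (plus `packages: read` where the registry is used) and add the write scopes per job. Where a job calls a reusable workflow, the caller's permissions cap what the called workflow can obtain, so those callers need checking before the top-level block is tightened. Both jobs shown start and end outside the hunks.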

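--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -152,12 +152,15 @@ jobs:
 uses: ./.github/actions/lint-terraform
 trivy-iac:
 name: "Trivy IaC Scan"
-permissions:
-contents: read
 runs-on: ubuntu-latest
 timeout-minutes: 10
 needs: detect-terraform-changes
 if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+permissions:
+contents: read
+packages: read
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
 - name: "Checkout code"
 uses: actions/checkout@v4
@@ -170,10 +173,13 @@ jobs:
 trivy-package:
 if: ${{ !inputs.skip_trivy_package }}
 name: "Trivy Package Scan"
-permissions:
-contents: read
 runs-on: ubuntu-latest
 timeout-minutes: 10
+permissions:
+contents: read
+packages: read
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
 - name: "Checkout code"
 uses: actions/checkout@v4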
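Review bot: The job-level `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` added to trivy-iac (and identically to trivy-package in the second hunk) makes the token visible to every step of the job, including any third-party action that runs after checkout, not only to the step that needs registry access. Moving the `env:` onto that one step narrows what a mis-pinned or compromised action in the same job can read; presumably that step is the Trivy scan itself, which lies outside both hunks, so this needs confirming against the rest of the job. The relocated `permissions` block with `packages: read` is the minimum for pulling from the GitHub registry and is fine as written. Both jobs' step lists continue outside the hunks.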

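--- a/.github/workflows/stage-2-test.yaml
+++ b/.github/workflows/stage-2-test.yaml
@@ -40,21 +40,21 @@ env:
 AWS_REGION: eu-west-2
 TERM: xterm-256color
 
-permissions:
-id-token: write # This is required for requesting the JWT
-contents: read # This is required for actions/checkout
-
 jobs:
 check-generated-dependencies:
 name: "Check generated dependencies"
 runs-on: ubuntu-latest
 timeout-minutes: 5
+permissions:
+contents: read
+packages: read
 steps:
 - name: "Checkout code"
 uses: actions/checkout@v5
-- uses: actions/setup-node@v6
+- uses: ./.github/actions/node-install
 with:
-node-version: 24.10.0
+node-version: ${{ inputs.nodejs_version }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: "Repo setup"
 run: |
 npm ci
@@ -66,12 +66,16 @@ jobs:
 name: "Unit tests"
 runs-on: ubuntu-latest
 timeout-minutes: 5
+permissions:
+contents: read
+packages: read
 steps:
 - name: "Checkout code"
 uses: actions/checkout@v5
-- uses: actions/setup-node@v6
+- uses: ./.github/actions/node-install
 with:
-node-version: 24.10.0
+node-version: ${{ inputs.nodejs_version }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - uses: actions/setup-python@v6
 with:
 python-version: '3.14'
@@ -99,25 +103,35 @@ jobs:
 name: "Linting"
 runs-on: ubuntu-latest
 timeout-minutes: 5
+permissions:
+contents: read
+packages: read
 steps:
 - name: "Checkout code"
 uses: actions/checkout@v5
-- uses: actions/setup-node@v6
+- uses: ./.github/actions/node-install
 with:
-node-version: 24.10.0
+node-version: ${{ inputs.nodejs_version }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: "Run linting"
 run: |
 make test-lint
 test-typecheck:
 name: "Typecheck"
 runs-on: ubuntu-latest
 timeout-minutes: 5
+permissions:
+contents: read
+packages: read
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
 - name: "Checkout code"
 uses: actions/checkout@v5
-- uses: actions/setup-node@v6
+- uses: ./.github/actions/node-install
 with:
-node-version: 24.10.0
+node-version: ${{ inputs.nodejs_version }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: "Run typecheck"
 run: |
 make test-typecheck
@@ -126,6 +140,8 @@ jobs:
 needs: [test-unit]
 runs-on: ubuntu-latest
 timeout-minutes: 5
+permissions:
+contents: read
 steps:
 - name: "Checkout code"
 uses: actions/checkout@v5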
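Review bot: Deleting the workflow-level `permissions` block in the first hunk means any job in this file that does not declare its own block now falls back to the repository's default GITHUB_TOKEN permissions, which can be broader than the old `contents: read` plus `id-token: write`; every job in the file, including those outside these hunks, should be checked for a job-level block. The removed `id-token: write` is not re-added to any job shown here, so if one of these jobs exchanges the OIDC token for cloud credentials (the file sets `AWS_REGION` at the top) it will now fail with a permissions error — worth confirming against the jobs outside the hunks. In test-typecheck the token is supplied both as a job-level `env` and as the node-install `GITHUB_TOKEN` input; if `make test-typecheck` does not itself reach the registry, the job-level `env` can be dropped so the secret stays scoped to the install step. The unnamed job in the last hunk starts outside it.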

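--- a/.github/workflows/stage-3-build.yaml
+++ b/.github/workflows/stage-3-build.yaml
@@ -44,3 +44,5 @@ jobs:
 uses: ./.github/actions/build-docs
 with:
 version: "${{ inputs.version }}"
+node-version: ${{ inputs.nodejs_version }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}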
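Review bot: `node-version: ${{ inputs.nodejs_version }}` and `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` are added unquoted directly under the quoted `version: "${{ inputs.version }}"`; writing `node-version: "${{ inputs.nodejs_version }}"` keeps the three `with:` entries uniform. The enclosing step and job start outside the hunk.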

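--- a/infrastructure/terraform/components/dl/pre.sh
+++ b/infrastructure/terraform/components/dl/pre.sh
@@ -4,6 +4,16 @@
 # It ensures all Node.js dependencies are installed, generates any required dependencies,
 # and builds all Lambda functions in the workspace before Terraform provisions infrastructure.
 
+echo "Running Pre.sh"
+
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+
+echo "Running set-github-token.sh"
+
+$ROOT_DIR/scripts/set-github-token.sh
+
+echo "Completed."
+
 npm ci
 
 npm run generate-dependencies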
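Review bot: `$ROOT_DIR/scripts/set-github-token.sh` is expanded unquoted, so a checkout path containing whitespace is split into several words before execution; write `"$ROOT_DIR/scripts/set-github-token.sh"`. `git rev-parse --show-toplevel` also assumes the script runs inside a git work tree, which holds in CI but not for an exported or vendored copy, and whether the file has `set -e` so that a failure there stops the run is not visible (the first three lines are outside the hunk). The called script prompts with `read -p` when `GITHUB_TOKEN` is unset, so a non-interactive terraform run without the variable will stall or fail inside that prompt rather than here; a check such as `: "${GITHUB_TOKEN:?GITHUB_TOKEN must be set}"` before the call fails fast with a clear message.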

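--- a/scripts/set-github-token.sh
+++ b/scripts/set-github-token.sh
@@ -4,7 +4,7 @@ set -euo pipefail
 
 npm config ls -l | grep '/npm.pkg.github.com/:_authToken' -q && echo "Github token already exists" && exit 0
 
-if [ -z "${GITHUB_TOKEN:-}" ]; then
+if [[ -z "${GITHUB_TOKEN:-}" ]]; then
 read -p "Enter GitHub token: " GITHUB_TOKEN
 export GITHUB_TOKEN
 fi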
