Add SNYK scan to build image

.github/workflows/build-and-deploy.yml

@@ -27,16 +27,20 @@ jobs:
     name: Image build and push
     runs-on: ubuntu-latest
     outputs:
-      image_name_tag: ${{ steps.build_image.outputs.ghcr_image_name_tag }}
+      docker-image-tag: ${{ steps.build-image.outputs.tag }}
     steps:
       - uses: actions/checkout@v4
 
-      - uses: ./.github/actions/build-image
-        id: build_image
+      - name: Build and push docker image
+        id: build-image
+        uses: DFE-Digital/github-actions/build-docker-image@master
         with:
-          github_username: ${{ github.actor }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          registry: ghcr.io
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          context: .
+          docker-repository: ghcr.io/dfe-digital/access-your-teaching-qualifications
+          max-cache: true
+          reuse-cache: true
+          snyk-token: ${{ secrets.SNYK_TOKEN }}
 
   deploy_review_app:
     name: Deploy to review environment
@@ -58,7 +62,7 @@ jobs:
         id: deploy
         with:
           environment: review
-          image-tag: ${{ github.sha }}
+          image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
           pull-request-number: ${{ github.event.number }}
 
@@ -113,7 +117,7 @@ jobs:
         id: deploy
         with:
           environment: ${{ matrix.environment }}
-          image-tag: ${{ github.sha }}
+          image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
 
   deploy_production:
@@ -135,5 +139,5 @@ jobs:
         id: deploy
         with:
           environment: production
-          image-tag: ${{ github.sha }}
+          image-tag: ${{ needs.build_image.outputs.docker-image-tag }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}

.github/workflows/build-nocache.yml

@@ -0,0 +1,41 @@
+name: Build No Cache
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '30 12 * * 0'
+    # Will run once a week on Sunday afternoon
+
+jobs:
+  build-no-cache:
+    env:
+      DOCKER_REPOSITORY: ghcr.io/dfe-digital/access-your-teaching-qualifications
+    outputs:
+      docker-image-tag: ${{ steps.build-image.outputs.tag }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout
+
+      - name: Build without cache and push docker image
+        id: build-image
+        uses: DFE-Digital/github-actions/build-docker-image@master
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          context: .
+          docker-repository: ${{ env.DOCKER_REPOSITORY }}
+          max-cache: true
+          reuse-cache: false
+          snyk-token: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Notify slack on failure
+        uses: rtCamp/action-slack-notify@master
+        if: ${{ failure() }}
+        with:
+          SLACK_USERNAME: CI Deployment
+          SLACK_COLOR: failure
+          SLACK_ICON_EMOJI: ':github-logo:'
+          SLACK_TITLE: 'Build failure'
+          SLACK_MESSAGE: ':alert: Rebuild docker cache failure :sadparrot:'
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

Dockerfile

@@ -3,7 +3,7 @@
 # production: runs the actual app
 
 # Build builder image
-FROM ruby:3.3.0-alpine as builder
+FROM ruby:3.3.0-alpine AS builder
 
 # RUN apk -U upgrade && \
 #     apk add --update --no-cache gcc git libc6-compat libc-dev make nodejs \
@@ -62,16 +62,16 @@ RUN rm -rf node_modules log/* tmp/* /tmp && \
     find /usr/local/bundle/gems -name "*.html" -delete
 
 # Build runtime image
-FROM ruby:3.3.0-alpine as production
+FROM ruby:3.3.0-alpine AS production
 
 # The application runs from /app
 WORKDIR /app
 
 ENV RAILS_ENV=production
 
 # Add the commit sha to the env
-ARG GIT_SHA
-ENV GIT_SHA=$GIT_SHA
+ARG COMMIT_SHA
+ENV GIT_SHA=$COMMIT_SHA
 ENV SHA=$GIT_SHA
 
 # Add the timezone (prod image) as it's not configured by default in Alpine