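# Build specifications for AWS CodeBuild
# See: https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
# Each input artifact is extracted to its own directory by CodePipeline, the locations of which
# are stored in environment variables. The directory for the primary source artifact (this repo)
# is made available with $CODEBUILD_SRC_DIR. The directory for the DMPTool push artifacts is
# made available with $CODEBUILD_SRC_DIR_dmptool-commit.
#
# Environment variables this spec expects from the pipeline action (not set here):
#   ECR_REPOSITORY_URI, AWS_REGION, NODE_ENV, TASK_DEFINITION_CONTAINER_NAME
#   (TRIVY_VERSION only once the commented-out Trivy steps are re-enabled)
#
# Do not change version. This is the version of the AWS buildspec schema, not the version of
# your buildspec file.
version: 0.2
env:
  # ${IMAGE_TAG:0:7} below is a bash substring expansion, not POSIX sh; pin the shell so the
  # spec does not depend on what the build image links /bin/sh to.
  shell: bash
phases:
  install:
    runtime-versions:
      nodejs: 22
  pre_build:
    commands:
      # Set some ENV variables here because CF only allows a limit of 1000 characters in the
      # EnvironmentVariable config for the Pipeline action :(
      - export AWS_VERSION=$(aws --version)
      # Install trivy for vulnerability scanning (currently disabled).
      # NOTE(review): when re-enabling, verify the downloaded tarball against the checksums file
      # published with the Trivy release before moving the binary onto PATH.
      # - echo "Installing Trivy..."
      # - wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
      # - tar -zxvf "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
      # - mv trivy /usr/local/bin/
      # The registry host is the first path component of the repository URI.
      - REGISTRY=$(echo "$ECR_REPOSITORY_URI" | cut -d'/' -f1)
      # The token is passed on stdin so it never appears in argv or the build log.
      - aws ecr get-login-password --region "$AWS_REGION" | docker login --username AWS --password-stdin "$REGISTRY"
      # Tag the image with the short Git commit ID when CodeBuild resolved one, otherwise fall
      # back to "latest". NOTE(review): "latest" is a mutable tag with no traceability to a
      # commit; consider failing the build instead of falling back.
      - IMAGE_TAG=${CODEBUILD_RESOLVED_SOURCE_VERSION:-latest}
      - IMAGE_TAG=${IMAGE_TAG:0:7}
      - echo "Building with tag - ${IMAGE_TAG}"
  build:
    commands:
      - echo "Running in ${NODE_ENV} - started on $(date)"
      - cd "$CODEBUILD_SRC_DIR"
      # CI must be exported: a bare `CI=true` is shell-local and invisible to npm and the test
      # runner, which read it from the process environment.
      - export CI=true
      # Always install devDependencies so the linter and tests are available.
      - echo "production=false" >> .npmrc
      # npm ci removes node_modules and installs exactly what package-lock.json pins.
      - echo "Installing dependencies..."
      - npm ci
      # Fail the build on high/critical advisories in the production dependency tree
      # (devDependencies are deliberately excluded from the audit).
      - echo "Running NPM audit..."
      - npm audit --omit=dev --audit-level=high
      # Run the linter checks
      - echo "Running linter checks"
      - npm run lint
      # Run the tests
      - echo "Running tests"
      - npm run test-no-db
      # The code is good, so build the Docker image
      - echo "Building the Docker image..."
      - docker build -f Dockerfile.aws -t "$ECR_REPOSITORY_URI:$IMAGE_TAG" .
      # Run Trivy on the new image to check for vulnerabilities (currently disabled).
      # The scan target is the image just built; $REGISTRY alone is only the registry host.
      # - echo "Running Trivy vulnerability scanner on the new image..."
      # - trivy image --exit-code 1 --severity HIGH,CRITICAL "$ECR_REPOSITORY_URI:$IMAGE_TAG"
  post_build:
    commands:
      # Push the Docker image to the ECR repository. Fargate will pick it up and deploy automatically
      - echo "Build completed on $(date)"
      - echo "Pushing the Docker images..."
      - cd "$CODEBUILD_SRC_DIR"
      - docker push "$ECR_REPOSITORY_URI:$IMAGE_TAG"
      # imagedefinitions.json is consumed by the ECS deploy action. NOTE(review): it references
      # the image by tag; pinning by digest (repo@sha256:...) would make the deployment immutable.
      - echo "Writing image definitions file..."
      - printf '[{"name":"%s","imageUri":"%s"}]' "$TASK_DEFINITION_CONTAINER_NAME" "$ECR_REPOSITORY_URI:$IMAGE_TAG" > imagedefinitions.json
      # build.env is sourced by the Shibboleth CodeBuild project to select its base image.
      - echo "Writing environment variables for Shibboleth CodeBuild to source from"
      - echo "export BASE_IMAGE=$ECR_REPOSITORY_URI:$IMAGE_TAG" > build.env
artifacts:
  files:
    - imagedefinitions.json
    - build.env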