feat(EAV-280): enable ci cd pipleline

.github/workflows/delete-old-image.sh

@@ -0,0 +1,6 @@
+#!/bin/sh   
+REPO_NAME=$1
+IMAGE_DIGEST=$2  
+AWS_REGION=$3  
+echo "$IMAGE_DIGEST"
+aws ecr batch-delete-image --repository-name $REPO_NAME --image-ids imageDigest="$IMAGE_DIGEST" --region $AWS_REGION

.github/workflows/prerelease-libs.yml

@@ -10,7 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     continue-on-error: true
     timeout-minutes: 15
-
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -27,6 +30,20 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version-file: ".node-version"
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - name: Login to CodeArtifact
+        run: |
+          aws codeartifact login --tool npm --repository selma-store --domain selma --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} --region ${{ secrets.AWS_REGION }}
+      - name: Configure CodeArtifact Token
+        run: |
+          export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain selma --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} --region ${{ secrets.AWS_REGION }} --query authorizationToken --output text`
+          yarn config set npmRegistryServer "https://selma-${{ secrets.AWS_ACCOUNT_ID }}.d.codeartifact.${{ secrets.AWS_REGION }}.amazonaws.com/npm/selma-store/"
+          yarn config set 'npmRegistries["https://selma-${{ secrets.AWS_ACCOUNT_ID }}.d.codeartifact.${{ secrets.AWS_REGION }}.amazonaws.com/npm/selma-store/"].npmAuthToken' "${CODEARTIFACT_AUTH_TOKEN}"
+          yarn config set 'npmRegistries["https://selma-${{ secrets.AWS_ACCOUNT_ID }}.d.codeartifact.${{ secrets.AWS_REGION }}.amazonaws.com/npm/selma-store/"].npmAlwaysAuth' "true"
       - name: Prepare Environment
         run: |
           cd packages
@@ -45,7 +62,10 @@ jobs:
     name: Test Lib
     runs-on: ubuntu-latest
     timeout-minutes: 15
-
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -63,6 +83,20 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - name: Login to CodeArtifact
+        run: |
+          aws codeartifact login --tool npm --repository selma-store --domain selma --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} --region ${{ secrets.AWS_REGION }}
+      - name: Configure CodeArtifact Token
+        run: |
+          export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain selma --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} --region ${{ secrets.AWS_REGION }} --query authorizationToken --output text`
+          yarn config set npmRegistryServer "https://selma-${{ secrets.AWS_ACCOUNT_ID }}.d.codeartifact.${{ secrets.AWS_REGION }}.amazonaws.com/npm/selma-store/"
+          yarn config set 'npmRegistries["https://selma-${{ secrets.AWS_ACCOUNT_ID }}.d.codeartifact.${{ secrets.AWS_REGION }}.amazonaws.com/npm/selma-store/"].npmAuthToken' "${CODEARTIFACT_AUTH_TOKEN}"
+          yarn config set 'npmRegistries["https://selma-${{ secrets.AWS_ACCOUNT_ID }}.d.codeartifact.${{ secrets.AWS_REGION }}.amazonaws.com/npm/selma-store/"].npmAlwaysAuth' "true"
       - name: Prepare Environment
         run: |
           cd packages
@@ -81,7 +115,10 @@ jobs:
     name: Prerelease Lib
     runs-on: ubuntu-latest
     timeout-minutes: 15
-
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     needs:
       - test-packages
 
@@ -96,12 +133,26 @@ jobs:
       - name: Check release is possible
         id: do-publish
         run: |
-          if [ -z "${{ secrets.NPM_TOKEN }}" ]; then
-            echo "No Token"
+          if [ -z "${{ secrets.AWS_ROLE_ARN }}" ]; then
+            echo "No Role ARN set, skipping publish"
           else
             echo "Publish prerelease"
             echo "publish=1" >> $GITHUB_OUTPUT
           fi
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - name: Login to CodeArtifact
+        run: |
+          aws codeartifact login --tool npm --repository selma-store --domain selma --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} --region ${{ secrets.AWS_REGION }}
+      - name: Configure CodeArtifact Token
+        run: |
+          export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain selma --domain-owner ${{ secrets.AWS_ACCOUNT_ID }} --region ${{ secrets.AWS_REGION }} --query authorizationToken --output text`
+          yarn config set npmRegistryServer "https://selma-${{ secrets.AWS_ACCOUNT_ID }}.d.codeartifact.${{ secrets.AWS_REGION }}.amazonaws.com/npm/selma-store/"
+          yarn config set 'npmRegistries["https://selma-${{ secrets.AWS_ACCOUNT_ID }}.d.codeartifact.${{ secrets.AWS_REGION }}.amazonaws.com/npm/selma-store/"].npmAuthToken' "${CODEARTIFACT_AUTH_TOKEN}"
+          yarn config set 'npmRegistries["https://selma-${{ secrets.AWS_ACCOUNT_ID }}.d.codeartifact.${{ secrets.AWS_REGION }}.amazonaws.com/npm/selma-store/"].npmAlwaysAuth' "true"
       - name: Prepare Environment
         if: ${{ steps.do-publish.outputs.publish }}
         run: |
@@ -118,8 +169,8 @@ jobs:
           GIT_HASH=$(git rev-parse --short HEAD)
           PRERELEASE_TAG=nightly-$(echo "${{ github.ref_name }}" | sed -r 's/[^a-z0-9]+/-/gi')
 
-          git config --global user.email "info@superfly.tv"
-          git config --global user.name "superflytvab"
+          git config --global user.email "chandrashekar.nallamilli@tv2.no"
+          git config --global user.name "chandrashekar-nallamilli"
 
           yarn set-version-and-commit prerelease --preid $PRERELEASE_TAG-$COMMIT_DATE-$GIT_HASH
         env:
@@ -131,7 +182,6 @@ jobs:
           yarn build
         env:
           CI: true
-
       - name: Build OpenAPI client library
         if: ${{ steps.do-publish.outputs.publish }}
         run: |
@@ -141,14 +191,14 @@ jobs:
           CI: true
       - name: Modify dependencies to use npm packages
         run: node scripts/prepublish.js
-      - name: Publish to NPM
+      - name: Reset .yarnrc.yml
+        run: |
+          git checkout -- .yarnrc.yml
+      - name: Publish to CodeArtifact
         id: publish-npm
         if: ${{ steps.do-publish.outputs.publish }}
         run: |
-          echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> ~/.npmrc
-
           cd packages
-
           yarn lerna publish from-package --tag-version-prefix='' --dist-tag nightly --yes --no-verify-access
 
           NEW_VERSION=$(node -p "require('./lerna.json').version")

.github/workflows/prune-container-images.yml

@@ -1,22 +1,52 @@
-name: "Prune container images"
+name: cleanup-ecr
 
 on:
-  workflow_dispatch:
   schedule:
-    - cron: '12 14 * * *'
+    - cron: "0 10 * * 3"
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+permissions:
+  id-token: write
+  contents: read
 
 jobs:
-  prune-container-images:
-    if: ${{ github.repository_owner == 'nrkno' }}
-
-    uses: nrkno/sofie-github-workflows/.github/workflows/prune-container-images.yml@main
-    strategy:
-      max-parallel: 1
-      matrix:
-        repo: [ server-core, playout-gateway, mos-gateway ]
-    with:
-      dry-run: false
-      prune-untagged: true
-      package-name: sofie-core-${{ matrix.repo }}
-    secrets:
-      prune-token: ${{ secrets.GHCR_PRUNE_TOKEN }}
+  cleanup:
+    runs-on: ubuntu-latest
+    env:
+      REPOSITORY_NAMES: "sofie-core live-status-gateway playout-gateway" # Accept multiple input repositories
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Grant execute permission for delete-old-image.sh script
+        run: chmod +x ./.github/workflows/delete-old-image.sh
+
+      - name: Clean up Untagged ECR images
+        run: |
+          for REPO in $REPOSITORY_NAMES ; do
+              echo "Cleaning untagged  images from repository: ${REPO}"
+              UNTAGGED_IMAGES=$(aws ecr list-images --region ${{ secrets.AWS_REGION }} --repository-name ${REPO} --query "imageIds[?type(imageTag)!=\`string\`].[imageDigest]" --output text)              
+
+              if [ -n "$UNTAGGED_IMAGES" ]; then  
+              echo "Untagged Images Found in ${REPO}.. Logging"
+                for IMAGE in $UNTAGGED_IMAGES; do 
+                  sh ./.github/workflows/delete-old-image.sh $REPO $IMAGE ${{ secrets.AWS_REGION }}
+                done        
+              else 
+                echo "No Untageed images found in ${REPO}"
+              fi
+           done

.github/workflows/prune-tags.yml

@@ -10,22 +10,21 @@ on:
         description: Regex of tags to ignore
       simulation:
         type: boolean
-        description: Simulate a run (don't delete tags)  
+        description: Simulate a run (don't delete tags)
   schedule:
-    - cron: '0 0 * * 0'
+    - cron: "0 0 * * 0"
 
 jobs:
   prune-tags:
     if: ${{ github.repository_owner == 'nrkno' }}
-
     name: Prune tags
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
       - name: Checkout repo with all tags
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0    
+          fetch-depth: 0
 
       - name: Prune tags (scheduled)
         if: github.event_name == 'schedule'
@@ -41,4 +40,4 @@ jobs:
         with:
           older-than: ${{ github.event.inputs.older-than }}
           ignore: ${{ github.event.inputs.ignore }}
-          simulation: ${{ github.event.inputs.simulation }}       
+          simulation: ${{ github.event.inputs.simulation }}

.github/workflows/sonar.yaml

@@ -14,7 +14,6 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'nrkno' && !github.event.pull_request.head.repo.fork }}
     timeout-minutes: 15
-
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/trivy.yml

@@ -2,108 +2,68 @@ name: Scheduled Trivy Scan
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 10 * * 1'
+    - cron: "0 10 * * 1"
 
 jobs:
   trivy:
-    if: ${{ github.repository_owner == 'nrkno' }}
-
     name: Trivy scan
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        image: ["server-core", "playout-gateway", "mos-gateway"]
+        image: ["sofie-core", "playout-gateway", "mos-gateway"]
     timeout-minutes: 15
-
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+      - name: Pull Docker Images for Scanning
+        run: |
+          BRANCH_NAME=$(echo ${{ github.ref }} | sed 's@refs/heads/@@')
+          IMAGE_URI=${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ matrix.image }}:${{ github.ref_name }}
+          docker pull $IMAGE_URI
       - name: Run Trivy vulnerability scanner (json)
         uses: aquasecurity/trivy-action@0.24.0
         env:
           TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
         with:
-          image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
+          image-ref: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ matrix.image }}:${{ github.ref_name }}
           format: json
-          output: '${{ matrix.image }}-trivy-scan-results.json'
+          output: "${{ matrix.image }}-trivy-scan-results.json"
 
       - name: Run Trivy vulnerability scanner (table)
         uses: aquasecurity/trivy-action@0.24.0
         env:
           TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
         with:
-          image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
-          output: '${{ matrix.image }}-trivy-scan-results.txt'
+          image-ref: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ matrix.image }}:${{ github.ref_name }}
+          output: "${{ matrix.image }}-trivy-scan-results.txt"
 
       - name: Post all scan results to Github Summary as a table
         env:
           CODE_BLOCK: "```"
         run: |
-          echo "# Trivy scan results ~ sofie-core-${{ matrix.image}}:latest" >> $GITHUB_STEP_SUMMARY
+          echo "# Trivy scan results ~ ${{ matrix.image}}:latest" >> $GITHUB_STEP_SUMMARY
 
           echo $CODE_BLOCK >> $GITHUB_STEP_SUMMARY
           cat ${{ matrix.image }}-trivy-scan-results.txt >> $GITHUB_STEP_SUMMARY
           echo $CODE_BLOCK >> $GITHUB_STEP_SUMMARY
 
-      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
-        uses: aquasecurity/trivy-action@0.24.0
-        env:
-          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
-        with:
-          format: 'github'
-          output: 'dependency-results-${{ matrix.image }}.sbom.json'
-          image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
-          github-pat: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Create summary of Trivy issues
         run: |
           summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' ${{ matrix.image }}-trivy-scan-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
-          if [ -z "$summary" ]
-          then
+          if [ -z "$summary" ]; then
             summary="0 Issues"
           fi
           echo "SUMMARY=$summary" >> $GITHUB_ENV
-          echo ${{ env.SUMMARY }}
 
-      - name: Send Slack Notification
-        uses: slackapi/slack-github-action@v1.27.0
-        with:
-          payload: |
-            {
-              "text": "Trivy scan results",
-              "blocks": [
-                {
-                  "type": "header",
-                  "text": {
-                    "type": "plain_text",
-                    "text": "Trivy scan results for sofie-core-${{ matrix.image }}:latest"
-                  }
-                },
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": ":thisisfine: ${{ env.SUMMARY }}"
-                  }
-                },
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "Read the full scan results on Github"
-                  },
-                  "accessory": {
-                    "type": "button",
-                    "text": {
-                        "type": "plain_text",
-                        "text": ":github: Scan results",
-                        "emoji": true
-                    },
-                    "value": "workflow_run",
-                    "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
-                    "action_id": "button-action"
-                  }
-                }
-              ]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+      - name: Print summary
+        run: echo "$SUMMARY"