Merge pull request #272 from guardian/add-github-action-ci

Add Continuous Integration (CI) as GitHub Action

.github/workflows/ci.yml

@@ -0,0 +1,27 @@
+name: CI
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+jobs:
+  CI:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Needed to interact with GitHub's OIDC Token endpoint
+      contents: read
+    steps:
+      - uses: actions/checkout@v3
+      - uses: aws-actions/configure-aws-credentials@v1 # Needed for S3 read access for the tests!
+        with:
+          # The AWS role is configured as a GitHub Repo secret, the value is the cloudformation-output of the
+          # 'Facia-Scala-Client-CI-Role-Provider' cloudformation stack.
+          role-to-assume: ${{ secrets.AWS_ROLE_FOR_TESTS }}
+          aws-region: eu-west-1
+      - uses: coursier/cache-action@v6
+      - uses: olafurpg/setup-scala@v13
+        with:
+          java-version: [email protected]
+      - name: Build and Test
+        run: sbt test

cdk/.gitignore

@@ -0,0 +1,11 @@
+*.js
+!jest.config.js
+!jest.setup.js
+!.eslintrc.js
+*.d.ts
+node_modules
+dist
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

cdk/README.md

@@ -0,0 +1,5 @@
+# Infrastructure
+
+This directory defines the components to be deployed to AWS.
+
+See [`package.json`](./package.json) for a list of available scripts.

cdk/bin/cdk.ts

@@ -0,0 +1,9 @@
+import 'source-map-support/register';
+import { App } from 'aws-cdk-lib';
+import { FaciaScalaClientTesting } from '../lib/facia-scala-client-testing';
+
+const app = new App();
+new FaciaScalaClientTesting(app, 'FaciaScalaClientTesting-INFRA', {
+	stack: 'facia-scala-client',
+	stage: 'INFRA',
+});

cdk/cdk.json

@@ -0,0 +1,7 @@
+{
+  "app": "npx ts-node bin/cdk.ts",
+  "context": {
+    "aws-cdk:enableDiffNoFail": "true",
+    "@aws-cdk/core:stackRelativeExports": "true"
+  }
+}

cdk/lib/facia-scala-client-testing.ts

@@ -0,0 +1,32 @@
+import type {GuStackProps} from '@guardian/cdk/lib/constructs/core';
+import {GuStack} from '@guardian/cdk/lib/constructs/core';
+import type {App} from 'aws-cdk-lib';
+import {GuGithubActionsRole} from "@guardian/cdk/lib/constructs/iam";
+import {GuAllowPolicy} from "@guardian/cdk/lib/constructs/iam/policies/base-policy";
+
+export class FaciaScalaClientTesting extends GuStack {
+    constructor(scope: App, id: string, props: GuStackProps) {
+        super(scope, id, props);
+        let fapiBucketArn = "arn:aws:s3:::facia-tool-store"
+        new GuGithubActionsRole(this, {
+            policies: [new GuAllowPolicy(
+                this,
+                "fapi-s3-bucket-access",
+                {
+                    actions: [
+                        "s3:GetObject", // required by FAPI to download files
+                        "s3:ListBucket" // avoiding S3 AccessDenied errors when FAPI tries to get nonexistent objects
+                    ],
+                    resources: [
+                        `${fapiBucketArn}/DEV/*`, // object resource specified for s3:GetObject
+                        fapiBucketArn // bucket resource specified for s3:ListBucket
+                    ]
+                }
+            )],
+            condition: {
+                githubOrganisation: "guardian",
+                repositories: "facia-scala-client:*"
+            }
+        })
+    }
+}