Skip to content

ukraine and refugee expanders on domestic pages #17783

ukraine and refugee expanders on domestic pages

ukraine and refugee expanders on domestic pages #17783

Workflow file for this run

name: Build and Deploy
on:
workflow_dispatch:
pull_request:
types: [assigned, opened, synchronize, reopened]
push:
branches: [ master ]
permissions:
contents: write
deployments: write
issues: write
packages: write
pull-requests: write
env:
code-coverage-artifact-name: code_coverage_${{github.run_number}}_${{github.run_attempt}}
unit-tests-artifact-name: unit_tests_${{github.run_number}}_${{github.run_attempt}}
rubocop-artifact-name: rubocop_results_${{github.run_number}}_${{github.run_attempt}}
jobs:
build_base:
name: Build base image
runs-on: ubuntu-latest
outputs:
DOCKER_IMAGE_TEST: ${{ steps.docker.outputs.DOCKER_IMAGE_TEST }}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Get Short SHA
id: sha
run: |
echo "short=$(echo $GITHUB_SHA | cut -c -7)" >> $GITHUB_OUTPUT
- name: Set docker images variables
id: docker
run: |
if [ "${{github.ref}}" == "refs/heads/master" ]
then
GIT_BRANCH=master
else
GIT_REF=${{ github.head_ref }}
GIT_BRANCH=${GIT_REF##*/}
fi
echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV
echo "DOCKER_IMAGE_TEST=${{ env.DOCKER_REPOSITORY }}:base-sha-${{steps.sha.outputs.short }}" >> $GITHUB_OUTPUT
- name: Login to Docker registry
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push base image
uses: docker/build-push-action@v6
with:
target: base
context: .
cache-from: |
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:base-master
tags: |
${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
${{ env.DOCKER_REPOSITORY }}:base-sha-${{ steps.sha.outputs.short }}
push: true
build-args: |
BUILDKIT_INLINE_CACHE=1
env:
DOCKER_BUILD_RECORD_UPLOAD: false
- uses: Azure/login@v2
if: failure() && github.ref == 'refs/heads/master'
with:
creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
- name: Fetch secrets from key vault
if: failure() && github.ref == 'refs/heads/master'
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
- name: Slack Notification
if: failure() && github.ref == 'refs/heads/master'
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_ERROR}}
SLACK_MESSAGE: 'There has been a failure building the application'
SLACK_TITLE: 'Failure Building Application'
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
build_release:
name: Build release image
needs: [build_base]
runs-on: ubuntu-latest
outputs:
DOCKER_IMAGE: ${{ steps.docker.outputs.DOCKER_IMAGE }}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Get Short SHA
id: sha
run: |
echo "short=$(echo $GITHUB_SHA | cut -c -7)" >> $GITHUB_OUTPUT
- name: Set docker images variables
id: docker
run: |
if [ "${{github.ref}}" == "refs/heads/master" ]
then
GIT_BRANCH=master
else
GIT_REF=${{ github.head_ref }}
GIT_BRANCH=${GIT_REF##*/}
fi
echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV
echo "DOCKER_IMAGE=${{ env.DOCKER_REPOSITORY }}:sha-${{steps.sha.outputs.short }}" >> $GITHUB_OUTPUT
- name: Login to Docker registry
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push release image
uses: docker/build-push-action@v6
with:
target: release
context: .
cache-from: |
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:base-master
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }}
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:release-build-master
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:${{ env.BRANCH_TAG }}
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:master
tags: |
${{ env.DOCKER_REPOSITORY }}:${{ env.BRANCH_TAG }}
${{ env.DOCKER_REPOSITORY }}:sha-${{ steps.sha.outputs.short }}
push: true
build-args: |
BUILDKIT_INLINE_CACHE=1
SHA=${{ steps.sha.outputs.short }}
env:
DOCKER_BUILD_RECORD_UPLOAD: false
- name: Push release-build image
uses: docker/build-push-action@v6
with:
target: release-build
context: .
cache-from: |
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }}
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:release-build-master
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:base-master
tags: |
${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }}
${{ env.DOCKER_REPOSITORY }}:release-build-sha-${{ steps.sha.outputs.short }}
push: true
build-args: |
BUILDKIT_INLINE_CACHE=1
SHA=${{ steps.sha.outputs.short }}
env:
DOCKER_BUILD_RECORD_UPLOAD: false
- uses: Azure/login@v2
if: failure() && github.ref == 'refs/heads/master'
with:
creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
- name: Fetch secrets from key vault
if: failure() && github.ref == 'refs/heads/master'
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
- name: Slack Notification
if: failure() && github.ref == 'refs/heads/master'
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_ERROR}}
SLACK_MESSAGE: 'There has been a failure building the application'
SLACK_TITLE: 'Failure Building Application'
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
linting:
name: Linting
runs-on: ubuntu-latest
needs: [ build_base ]
if: github.ref != 'refs/heads/master'
env:
DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
- name: Lint SCSS
run: |-
docker run -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true -e PATTERN="**/*.scss" \
${{env.DOCKER_IMAGE_TEST}} sh -c "yarn && yarn scss-lint"
- name: Lint Ruby
run: |-
docker run -t --rm -v ${PWD}/out:/app/out -e RAILS_ENV=test ${{env.DOCKER_IMAGE_TEST}} \
rubocop --format json --out=/app/out/rubocop-result.json
- name: Keep Rubocop output
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ env.rubocop-artifact-name }}
path: ${{ github.workspace }}/out/rubocop-result.json
- name: Lint ERB Templates
run: |-
docker run -t --rm ${{env.DOCKER_IMAGE_TEST}} bundle exec erblint --lint-all
- name: Lint Markdown
run: |-
docker run -t --rm -v ${PWD}/out:/app/out ${{env.DOCKER_IMAGE_TEST}} sh -c "bundle exec mdl app/views/**/*.md | tee /app/out/mdl-result.txt"
- name: ESLint - JavaScript linting
run: |-
docker run -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true \
${{env.DOCKER_IMAGE_TEST}} sh -c "yarn && yarn js-lint"
- name: Fetch secrets from key vault
if: failure()
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
javascript_tests:
name: Javascript Tests
runs-on: ubuntu-latest
needs: [ build_base ]
env:
DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- name: Run Javascript Tests
run: |-
docker run -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true \
${{env.DOCKER_IMAGE_TEST}} sh -c "yarn && yarn spec"
feature_tests:
name: Unit Tests
runs-on: ubuntu-latest
needs: [ build_base ]
services:
postgres:
image: postgres:13.10
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
env:
DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
strategy:
fail-fast: false
matrix:
ci_node_total: [10]
ci_node_index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
- name: Prepare DB
run: |-
docker run --net=host -t --rm -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \
bundle exec rails db:prepare
- name: Run Specs
run: |-
docker run --net=host -t --rm -v ${PWD}/out:/app/out -v ${PWD}/coverage/coverage-${{ matrix.ci_node_index }}:/app/coverage \
-e CI_NODE_TOTAL -e CI_NODE_INDEX -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \
bundle exec rake 'knapsack:rspec[--format RspecSonarqubeFormatter --out /app/out/test-report-${{ matrix.ci_node_index }}.xml --format progress]' spec
env:
CI_NODE_TOTAL: ${{ matrix.ci_node_total }}
CI_NODE_INDEX: ${{ matrix.ci_node_index }}
- name: Keep Code Coverage Report
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ env.code-coverage-artifact-name }}_${{ matrix.ci_node_index }}
path: ${{ github.workspace }}/coverage
include-hidden-files: true
- name: Keep Unit Tests Results
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ env.unit-tests-artifact-name }}_${{ matrix.ci_node_index }}
path: ${{ github.workspace }}/out/*
include-hidden-files: true
sonarscanner:
name: Sonar Scanner
runs-on: ubuntu-latest
needs: [ build_base, feature_tests ]
if: github.ref != 'refs/heads/master'
env:
DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SONAR_TOKEN=$(az keyvault secret show --name "SONAR-TOKEN" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
echo "::add-mask::$SONAR_TOKEN"
echo "SONAR_TOKEN=$SONAR_TOKEN" >> $GITHUB_OUTPUT
- name: Setup sonarqube
uses: warchant/setup-sonar-scanner@v8
- name: Download Artifacts
uses: actions/download-artifact@v4
- name: Combine Coverage Reports
run: |-
# Copy files from separate artifacts into one directory
mkdir ${{github.workspace}}/code_coverage
cp -r ${{github.workspace}}/${{ env.code-coverage-artifact-name }}_*/ ${{github.workspace}}/code_coverage
docker run -t --rm -v ${{github.workspace}}/code_coverage:${COVERAGE_DIR} -e RAILS_ENV=test -e COVERAGE_DIR \
${{env.DOCKER_IMAGE_TEST}} bundle exec rake coverage:collate
env:
COVERAGE_DIR: /app/coverage
- name: Fix report file paths
run: |
sudo sed -i "s?\"/app/?\"${PWD}/?" ${{github.workspace}}/code_coverage/coverage.json
- name: Run sonarqube
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: sonar-scanner
-Dsonar.login=${{ steps.keyvault-yaml-secret.outputs.SONAR_TOKEN }}
-Dsonar.organization=dfe-digital
-Dsonar.host.url=https://sonarcloud.io/
-Dsonar.projectKey=DFE-Digital_get-into-teaching-app
-Dsonar.testExecutionReportPaths=${{github.workspace}}/${{env.unit-tests-artifact-name}}_0/test-report-0.xml,\
${{github.workspace}}/${{env.unit-tests-artifact-name}}_1/test-report-1.xml,\
${{github.workspace}}/${{env.unit-tests-artifact-name}}_2/test-report-2.xml,\
${{github.workspace}}/${{env.unit-tests-artifact-name}}_3/test-report-3.xml,\
${{github.workspace}}/${{env.unit-tests-artifact-name}}_4/test-report-4.xml,\
${{github.workspace}}/${{env.unit-tests-artifact-name}}_5/test-report-5.xml
-Dsonar.ruby.coverage.reportPaths=${{github.workspace}}/code_coverage/coverage.json
-Dsonar.ruby.rubocop.reportPaths=${{github.workspace}}/${{env.rubocop-artifact-name}}/rubocop-result.json
review:
name: Review Deployment Process
needs: [ build_release ]
if: github.ref != 'refs/heads/master'
runs-on: ubuntu-latest
continue-on-error: true
concurrency: Review_${{github.event.number}}
permissions:
id-token: write
pull-requests: write
environment:
name: review
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- name: Setup Environment Variables
if: github.actor == 'dependabot[bot]'
id: variables
shell: bash
run: |
secret_suffix="_REVIEW"
echo "SECRET_SUFFIX=$secret_suffix" >> $GITHUB_ENV
- uses: Azure/login@v2
with:
creds: ${{ secrets[format('AZURE_CREDENTIALS{0}', env.SECRET_SUFFIX)] }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets[format('KEY_VAULT{0}', env.SECRET_SUFFIX)] }}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
- name: Deploy to Review
uses: ./.github/workflows/actions/deploy
id: deploy
with:
environment: review
sha: ${{ github.sha }}
pr: ${{github.event.number}}
AZURE_CREDENTIALS: ${{ secrets[format('AZURE_CREDENTIALS{0}', env.SECRET_SUFFIX)] }}
KEY_VAULT: ${{ secrets[format('KEY_VAULT{0}', env.SECRET_SUFFIX)] }}
- name: Post sticky pull request comment
uses: marocchino/sticky-pull-request-comment@v2
with:
recreate: true
header: AKS
message: Review app deployed to https://${{env.REVIEW_APPLICATION}}-${{github.event.number}}.test.${{env.DOMAIN}}
- name: Add Review Label
if: contains(github.event.pull_request.user.login, 'dependabot') == false
uses: actions-ecosystem/action-add-labels@v1
with:
labels: Review
development:
name: Development Deployment
needs: [ feature_tests, javascript_tests, build_release ]
if: github.ref == 'refs/heads/master'
concurrency: Development
runs-on: ubuntu-latest
permissions:
id-token: write
environment:
name: development
outputs:
release_tag: ${{steps.tag_version.outputs.pr_number}}
release_sha: ${{github.sha }}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
- name: Deploy to Development
uses: ./.github/workflows/actions/deploy
id: deploy
with:
environment: development
sha: ${{ github.sha }}
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
KEY_VAULT: ${{ secrets.KEY_VAULT }}
- name: Generate Tag from PR Number
id: tag_version
uses: DFE-Digital/github-actions/GenerateReleaseFromSHA@master
with:
sha: ${{github.sha}}
- name: Create a GitHub Release
id: release
if: steps.tag_version.outputs.pr_found == 1
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ steps.tag_version.outputs.pr_number }}
body: ${{ steps.tag_version.outputs.pr_number }}
release_name: Release ${{ steps.tag_version.outputs.pr_number }}
commitish: ${{ github.sha}}
prerelease: false
- name: Copy PR Info to Release
if: steps.release.outputs.id
uses: DFE-Digital/github-actions/CopyPRtoRelease@master
with:
PR_NUMBER: ${{ steps.tag_version.outputs.pr_number }}
RELEASE_ID: ${{ steps.release.outputs.id }}
TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Slack Notification
if: failure()
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_ERROR}}
SLACK_TITLE: Failure in Deploy to Development
SLACK_MESSAGE: Error deploying to development for ${{env.APPLICATION}}
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
owasp:
name: OWASP Checks
needs: [ development ]
runs-on: ubuntu-latest
environment:
name: development
continue-on-error: true
steps:
- name: Check out the repo
uses: actions/checkout@v4
- uses: Azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
- name: Vunerability Test
uses: ./.github/workflows/actions/owasp
id: deploy
with:
environment: development
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
KEY_VAULT: ${{ secrets.KEY_VAULT }}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Slack Notification
if: failure()
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_ERROR}}
SLACK_TITLE: Failure in OWASP Checks
SLACK_MESSAGE: Error running OWASP test for ${{env.APPLICATION}}
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
test:
name: Test Deployment
needs: [ feature_tests, javascript_tests, build_release ]
if: github.ref == 'refs/heads/master'
concurrency: test
runs-on: ubuntu-latest
permissions:
id-token: write
environment:
name: test
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
- name: Deploy to Test
uses: ./.github/workflows/actions/deploy
id: deploy
with:
environment: test
sha: ${{ github.sha }}
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
KEY_VAULT: ${{ secrets.KEY_VAULT }}
- name: Slack Notification
if: failure()
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_ERROR}}
SLACK_TITLE: Failure in Post-Development Deploy
SLACK_MESSAGE: Failure with initialising Test deployment for ${{env.APPLICATION}}
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
integration:
name: Run Integration Tests on test
runs-on: ubuntu-latest
needs: [ build_base, test ]
environment:
name: test
permissions:
id-token: write
services:
postgres:
image: postgres:13.10
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
env:
DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: slack-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
HTTP_USERNAME=$(az keyvault secret show --name "HTTP-USERNAME" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$HTTP_USERNAME"
echo "HTTP_USERNAME=$HTTP_USERNAME" >> $GITHUB_OUTPUT
HTTP_PASSWORD=$(az keyvault secret show --name "HTTP-PASSWORD" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$HTTP_PASSWORD"
echo "HTTP_PASSWORD=$HTTP_PASSWORD" >> $GITHUB_OUTPUT
MAILSAC_API_KEY=$(az keyvault secret show --name "MAILSAC-API-KEY" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$MAILSAC_API_KEY"
echo "MAILSAC_API_KEY=$MAILSAC_API_KEY" >> $GITHUB_OUTPUT
- name: Prepare DB
run: |-
docker run --net=host -t --rm -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \
bundle exec rails db:prepare
- name: Run Integration Tests
run: |-
docker run --net=host -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true -e HTTP_USERNAME -e HTTP_PASSWORD -e MAILSAC_API_KEY -e DATABASE_URL="postgresql://postgres:postgres@localhost" \
${{env.DOCKER_IMAGE_TEST}} bundle exec rspec --tag integration
env:
HTTP_USERNAME: ${{ steps.keyvault-yaml-secret.outputs.HTTP_USERNAME }}
HTTP_PASSWORD: ${{ steps.keyvault-yaml-secret.outputs.HTTP_PASSWORD }}
MAILSAC_API_KEY: ${{ steps.keyvault-yaml-secret.outputs.MAILSAC_API_KEY }}
production:
name: Production Deployment
runs-on: ubuntu-latest
needs: [ integration, development ]
concurrency: production
permissions:
id-token: write
environment:
name: production
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
SLACK_RELEASE_NOTE_WEBHOOK=$(az keyvault secret show --name "SLACK-RELEASE-NOTE-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SLACK_RELEASE_NOTE_WEBHOOK"
echo "SLACK_RELEASE_NOTE_WEBHOOK=$SLACK_RELEASE_NOTE_WEBHOOK" >> $GITHUB_OUTPUT
- name: Get Release Id from Tag
id: tag_id
uses: DFE-Digital/github-actions/DraftReleaseByTag@master
with:
TAG: ${{needs.development.outputs.release_tag}}
TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Publish Release
if: steps.tag_id.outputs.release_id
uses: eregon/publish-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{steps.tag_id.outputs.release_id}}
- name: Deploy to Production
uses: ./.github/workflows/actions/deploy
id: deploy
with:
environment: production
sha: ${{ github.sha }}
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
KEY_VAULT: ${{ secrets.KEY_VAULT }}
- name: Slack Release Notification
if: steps.tag_id.outputs.release_id
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_SUCCESS}}
SLACK_TITLE: "Release Published: ${{steps.tag_id.outputs.release_name}}"
SLACK_MESSAGE: ${{ fromJson( steps.tag_id.outputs.release_body) }}
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_RELEASE_NOTE_WEBHOOK }}
MSG_MINIMAL: true
- name: Slack Notification
if: failure()
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_FAILURE}}
SLACK_TITLE: Production Release ${{github.event.title}}
SLACK_MESSAGE: Failure deploying Production release
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}