ukraine and refugee expanders on domestic pages #17783
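---
# Build, test and deploy pipeline.
#
# Rough flow:
#   build_base -> linting | javascript_tests | feature_tests -> sonarscanner
#   build_base -> build_release -> review (pull requests)
#                               -> development + test (master) -> integration -> production
#
# Values read through `env.*` that are not defined in this file
# (DOCKER_REPOSITORY, SLACK_ERROR, SLACK_SUCCESS, SLACK_FAILURE, APPLICATION,
# REVIEW_APPLICATION, DOMAIN) are presumably exported by the
# `set-up-environment` action — verify against DFE-Digital/github-actions
# before relying on them in a new job.
#
# Supply-chain note: several actions are referenced by a mutable branch
# (`@master`). Pinning them to a release tag or commit SHA is recommended,
# especially for rtCamp/action-slack-notify, which receives a webhook secret.
name: Build and Deploy

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  pull_request:
    types: [assigned, opened, synchronize, reopened]
  push:
    branches: [master]

# Default GITHUB_TOKEN scopes for every job that does not declare its own
# `permissions` block. A job-level `permissions` block REPLACES this set
# (every unlisted scope becomes `none`), which is why the deploy jobs below
# re-declare the scopes they need.
permissions:
  contents: write
  deployments: write
  issues: write
  packages: write
  pull-requests: write

env:
  code-coverage-artifact-name: code_coverage_${{ github.run_number }}_${{ github.run_attempt }}
  unit-tests-artifact-name: unit_tests_${{ github.run_number }}_${{ github.run_attempt }}
  rubocop-artifact-name: rubocop_results_${{ github.run_number }}_${{ github.run_attempt }}

jobs:
  build_base:
    name: Build base image
    runs-on: ubuntu-latest
    outputs:
      DOCKER_IMAGE_TEST: ${{ steps.docker.outputs.DOCKER_IMAGE_TEST }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@master
      - name: Get Short SHA
        id: sha
        run: |
          echo "short=$(echo "$GITHUB_SHA" | cut -c -7)" >> "$GITHUB_OUTPUT"
      - name: Set docker images variables
        id: docker
        env:
          # Passed through the environment rather than interpolated into the
          # script: a branch name is caller-controlled text, and `${{ }}`
          # substitution inside `run` would let it be parsed as shell.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          if [ "$GITHUB_REF" = "refs/heads/master" ]; then
            GIT_BRANCH=master
          else
            # head_ref is empty outside pull_request events (e.g. a manual
            # run on a branch); fall back to the ref name so the tag is never
            # just "base-".
            GIT_REF="${HEAD_REF:-$GITHUB_REF_NAME}"
            GIT_BRANCH="${GIT_REF##*/}"
          fi
          echo "BRANCH_TAG=$GIT_BRANCH" >> "$GITHUB_ENV"
          echo "DOCKER_IMAGE_TEST=${{ env.DOCKER_REPOSITORY }}:base-sha-${{ steps.sha.outputs.short }}" >> "$GITHUB_OUTPUT"
      - name: Login to Docker registry
        # NOTE(review): the exact version pin was garbled in the source listing;
        # restore the project's original pin (ideally a commit SHA).
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push base image
        uses: docker/build-push-action@v6
        with:
          target: base
          context: .
          cache-from: |
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-master
          tags: |
            ${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
            ${{ env.DOCKER_REPOSITORY }}:base-sha-${{ steps.sha.outputs.short }}
          push: true
          build-args: |
            BUILDKIT_INLINE_CACHE=1
        env:
          DOCKER_BUILD_RECORD_UPLOAD: "false"
      # Failure notification, master builds only.
      - uses: Azure/login@v2
        if: failure() && github.ref == 'refs/heads/master'
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
      - name: Fetch secrets from key vault
        if: failure() && github.ref == 'refs/heads/master'
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"
      - name: Slack Notification
        if: failure() && github.ref == 'refs/heads/master'
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{ env.SLACK_ERROR }}
          SLACK_MESSAGE: 'There has been a failure building the application'
          SLACK_TITLE: 'Failure Building Application'
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}

  build_release:
    name: Build release image
    needs: [build_base]
    runs-on: ubuntu-latest
    outputs:
      DOCKER_IMAGE: ${{ steps.docker.outputs.DOCKER_IMAGE }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@master
      - name: Get Short SHA
        id: sha
        run: |
          echo "short=$(echo "$GITHUB_SHA" | cut -c -7)" >> "$GITHUB_OUTPUT"
      - name: Set docker images variables
        id: docker
        env:
          # See build_base: branch names go through the environment, not `${{ }}`
          # inside the script.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          if [ "$GITHUB_REF" = "refs/heads/master" ]; then
            GIT_BRANCH=master
          else
            GIT_REF="${HEAD_REF:-$GITHUB_REF_NAME}"
            GIT_BRANCH="${GIT_REF##*/}"
          fi
          echo "BRANCH_TAG=$GIT_BRANCH" >> "$GITHUB_ENV"
          echo "DOCKER_IMAGE=${{ env.DOCKER_REPOSITORY }}:sha-${{ steps.sha.outputs.short }}" >> "$GITHUB_OUTPUT"
      - name: Login to Docker registry
        # NOTE(review): exact version pin garbled in the source listing; restore it.
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push release image
        uses: docker/build-push-action@v6
        with:
          target: release
          context: .
          cache-from: |
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-master
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:release-build-master
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:master
          tags: |
            ${{ env.DOCKER_REPOSITORY }}:${{ env.BRANCH_TAG }}
            ${{ env.DOCKER_REPOSITORY }}:sha-${{ steps.sha.outputs.short }}
          push: true
          build-args: |
            BUILDKIT_INLINE_CACHE=1
            SHA=${{ steps.sha.outputs.short }}
        env:
          DOCKER_BUILD_RECORD_UPLOAD: "false"
      - name: Push release-build image
        uses: docker/build-push-action@v6
        with:
          target: release-build
          context: .
          cache-from: |
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:release-build-master
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-master
          tags: |
            ${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }}
            ${{ env.DOCKER_REPOSITORY }}:release-build-sha-${{ steps.sha.outputs.short }}
          push: true
          build-args: |
            BUILDKIT_INLINE_CACHE=1
            SHA=${{ steps.sha.outputs.short }}
        env:
          DOCKER_BUILD_RECORD_UPLOAD: "false"
      # Failure notification, master builds only.
      - uses: Azure/login@v2
        if: failure() && github.ref == 'refs/heads/master'
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
      - name: Fetch secrets from key vault
        if: failure() && github.ref == 'refs/heads/master'
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"
      - name: Slack Notification
        if: failure() && github.ref == 'refs/heads/master'
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{ env.SLACK_ERROR }}
          SLACK_MESSAGE: 'There has been a failure building the application'
          SLACK_TITLE: 'Failure Building Application'
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}

  linting:
    name: Linting
    runs-on: ubuntu-latest
    needs: [build_base]
    if: github.ref != 'refs/heads/master'
    env:
      DOCKER_IMAGE_TEST: ${{ needs.build_base.outputs.DOCKER_IMAGE_TEST }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - uses: Azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
      - name: Lint SCSS
        run: |-
          docker run -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true -e PATTERN="**/*.scss" \
            ${{ env.DOCKER_IMAGE_TEST }} sh -c "yarn && yarn scss-lint"
      - name: Lint Ruby
        run: |-
          docker run -t --rm -v ${PWD}/out:/app/out -e RAILS_ENV=test ${{ env.DOCKER_IMAGE_TEST }} \
            rubocop --format json --out=/app/out/rubocop-result.json
      - name: Keep Rubocop output
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.rubocop-artifact-name }}
          path: ${{ github.workspace }}/out/rubocop-result.json
      - name: Lint ERB Templates
        run: |-
          docker run -t --rm ${{ env.DOCKER_IMAGE_TEST }} bundle exec erblint --lint-all
      - name: Lint Markdown
        run: |-
          docker run -t --rm -v ${PWD}/out:/app/out ${{ env.DOCKER_IMAGE_TEST }} sh -c "bundle exec mdl app/views/**/*.md | tee /app/out/mdl-result.txt"
      - name: ESLint - JavaScript linting
        run: |-
          docker run -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true \
            ${{ env.DOCKER_IMAGE_TEST }} sh -c "yarn && yarn js-lint"
      # NOTE(review): the webhook fetched here is not consumed by any later step
      # in this job — either a Slack notification step is missing or this
      # fetch is dead weight.
      - name: Fetch secrets from key vault
        if: failure()
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"

  javascript_tests:
    name: Javascript Tests
    runs-on: ubuntu-latest
    needs: [build_base]
    env:
      DOCKER_IMAGE_TEST: ${{ needs.build_base.outputs.DOCKER_IMAGE_TEST }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - name: Run Javascript Tests
        run: |-
          docker run -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true \
            ${{ env.DOCKER_IMAGE_TEST }} sh -c "yarn && yarn spec"

  feature_tests:
    name: Unit Tests
    runs-on: ubuntu-latest
    needs: [build_base]
    services:
      postgres:
        image: postgres:13.10
        env:
          # Throwaway credentials for the job-local service container only.
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - "5432:5432"
    env:
      DOCKER_IMAGE_TEST: ${{ needs.build_base.outputs.DOCKER_IMAGE_TEST }}
    strategy:
      fail-fast: false
      matrix:
        # The sonarscanner job collects one test report per index below;
        # keep its report loop in step with ci_node_total.
        ci_node_total: [10]
        ci_node_index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - uses: Azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
      # NOTE(review): no step in this job uses the fetched webhook.
      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"
      - name: Prepare DB
        run: |-
          docker run --net=host -t --rm -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \
            bundle exec rails db:prepare
      - name: Run Specs
        run: |-
          docker run --net=host -t --rm -v ${PWD}/out:/app/out -v ${PWD}/coverage/coverage-${{ matrix.ci_node_index }}:/app/coverage \
            -e CI_NODE_TOTAL -e CI_NODE_INDEX -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \
            bundle exec rake 'knapsack:rspec[--format RspecSonarqubeFormatter --out /app/out/test-report-${{ matrix.ci_node_index }}.xml --format progress]' spec
        env:
          CI_NODE_TOTAL: ${{ matrix.ci_node_total }}
          CI_NODE_INDEX: ${{ matrix.ci_node_index }}
      - name: Keep Code Coverage Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.code-coverage-artifact-name }}_${{ matrix.ci_node_index }}
          path: ${{ github.workspace }}/coverage
          include-hidden-files: true
      - name: Keep Unit Tests Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.unit-tests-artifact-name }}_${{ matrix.ci_node_index }}
          path: ${{ github.workspace }}/out/*
          include-hidden-files: true

  sonarscanner:
    name: Sonar Scanner
    runs-on: ubuntu-latest
    needs: [build_base, feature_tests]
    if: github.ref != 'refs/heads/master'
    env:
      DOCKER_IMAGE_TEST: ${{ needs.build_base.outputs.DOCKER_IMAGE_TEST }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - uses: Azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SONAR_TOKEN=$(az keyvault secret show --name "SONAR-TOKEN" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
            echo "::add-mask::$SONAR_TOKEN"
            echo "SONAR_TOKEN=$SONAR_TOKEN" >> "$GITHUB_OUTPUT"
      - name: Setup sonarqube
        uses: warchant/setup-sonar-scanner@v8
      - name: Download Artifacts
        uses: actions/download-artifact@v4
      - name: Combine Coverage Reports
        run: |-
          # Copy files from separate artifacts into one directory
          mkdir ${{ github.workspace }}/code_coverage
          cp -r ${{ github.workspace }}/${{ env.code-coverage-artifact-name }}_*/ ${{ github.workspace }}/code_coverage
          docker run -t --rm -v ${{ github.workspace }}/code_coverage:${COVERAGE_DIR} -e RAILS_ENV=test -e COVERAGE_DIR \
            ${{ env.DOCKER_IMAGE_TEST }} bundle exec rake coverage:collate
        env:
          COVERAGE_DIR: /app/coverage
      - name: Fix report file paths
        run: |
          sudo sed -i "s?\"/app/?\"${PWD}/?" ${{ github.workspace }}/code_coverage/coverage.json
      - name: Run sonarqube
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # The token reaches the scanner through the environment instead of
          # being interpolated into the script text.
          SONAR_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SONAR_TOKEN }}
          UNIT_TESTS_ARTIFACT: ${{ env.unit-tests-artifact-name }}
          RUBOCOP_ARTIFACT: ${{ env.rubocop-artifact-name }}
          # Must match ci_node_total in feature_tests: one report per index.
          CI_NODE_TOTAL: "10"
        run: |
          # Previously only the reports for nodes 0-5 were listed, so the
          # results of nodes 6-9 never reached Sonar; build the full list.
          REPORTS=""
          for i in $(seq 0 $((CI_NODE_TOTAL - 1))); do
            REPORTS="${REPORTS:+$REPORTS,}${GITHUB_WORKSPACE}/${UNIT_TESTS_ARTIFACT}_${i}/test-report-${i}.xml"
          done
          sonar-scanner \
            -Dsonar.login="${SONAR_TOKEN}" \
            -Dsonar.organization=dfe-digital \
            -Dsonar.host.url=https://sonarcloud.io/ \
            -Dsonar.projectKey=DFE-Digital_get-into-teaching-app \
            -Dsonar.testExecutionReportPaths="${REPORTS}" \
            -Dsonar.ruby.coverage.reportPaths="${GITHUB_WORKSPACE}/code_coverage/coverage.json" \
            -Dsonar.ruby.rubocop.reportPaths="${GITHUB_WORKSPACE}/${RUBOCOP_ARTIFACT}/rubocop-result.json"

  review:
    name: Review Deployment Process
    needs: [build_release]
    if: github.ref != 'refs/heads/master'
    runs-on: ubuntu-latest
    continue-on-error: true
    # NOTE(review): github.event.number is only populated for pull_request
    # events; a workflow_dispatch run on a branch reaches this job with it empty.
    concurrency: Review_${{ github.event.number }}
    permissions:
      id-token: write
      pull-requests: write
    environment:
      name: review
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      # Dependabot runs select the *_REVIEW secrets; every other actor leaves
      # SECRET_SUFFIX empty and so uses AZURE_CREDENTIALS / KEY_VAULT
      # (presumably scoped by the `review` environment — confirm).
      - name: Setup Environment Variables
        if: github.actor == 'dependabot[bot]'
        id: variables
        shell: bash
        run: |
          secret_suffix="_REVIEW"
          echo "SECRET_SUFFIX=$secret_suffix" >> "$GITHUB_ENV"
      - uses: Azure/login@v2
        with:
          creds: ${{ secrets[format('AZURE_CREDENTIALS{0}', env.SECRET_SUFFIX)] }}
      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets[format('KEY_VAULT{0}', env.SECRET_SUFFIX)] }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"
      - name: Deploy to Review
        uses: ./.github/workflows/actions/deploy
        id: deploy
        with:
          environment: review
          sha: ${{ github.sha }}
          pr: ${{ github.event.number }}
          AZURE_CREDENTIALS: ${{ secrets[format('AZURE_CREDENTIALS{0}', env.SECRET_SUFFIX)] }}
          KEY_VAULT: ${{ secrets[format('KEY_VAULT{0}', env.SECRET_SUFFIX)] }}
      - name: Post sticky pull request comment
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          recreate: true
          header: AKS
          message: Review app deployed to https://${{ env.REVIEW_APPLICATION }}-${{ github.event.number }}.test.${{ env.DOMAIN }}
      - name: Add Review Label
        if: contains(github.event.pull_request.user.login, 'dependabot') == false
        uses: actions-ecosystem/action-add-labels@v1
        with:
          labels: Review

  development:
    name: Development Deployment
    needs: [feature_tests, javascript_tests, build_release]
    if: github.ref == 'refs/heads/master'
    concurrency: Development
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      # Declaring `permissions` here replaces the workflow-level set, so the
      # release creation below needs contents:write re-granted explicitly.
      contents: write
    environment:
      name: development
    outputs:
      release_tag: ${{ steps.tag_version.outputs.pr_number }}
      release_sha: ${{ github.sha }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - uses: Azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"
      - name: Deploy to Development
        uses: ./.github/workflows/actions/deploy
        id: deploy
        with:
          environment: development
          sha: ${{ github.sha }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
      - name: Generate Tag from PR Number
        id: tag_version
        uses: DFE-Digital/github-actions/GenerateReleaseFromSHA@master
        with:
          sha: ${{ github.sha }}
      # NOTE(review): actions/create-release is archived upstream and no longer
      # maintained; consider a maintained replacement.
      - name: Create a GitHub Release
        id: release
        if: steps.tag_version.outputs.pr_found == 1
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.tag_version.outputs.pr_number }}
          body: ${{ steps.tag_version.outputs.pr_number }}
          release_name: Release ${{ steps.tag_version.outputs.pr_number }}
          commitish: ${{ github.sha }}
          prerelease: false
      - name: Copy PR Info to Release
        if: steps.release.outputs.id
        uses: DFE-Digital/github-actions/CopyPRtoRelease@master
        with:
          PR_NUMBER: ${{ steps.tag_version.outputs.pr_number }}
          RELEASE_ID: ${{ steps.release.outputs.id }}
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Slack Notification
        if: failure()
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{ env.SLACK_ERROR }}
          SLACK_TITLE: Failure in Deploy to Development
          SLACK_MESSAGE: Error deploying to development for ${{ env.APPLICATION }}
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}

  owasp:
    name: OWASP Checks
    needs: [development]
    runs-on: ubuntu-latest
    environment:
      name: development
    continue-on-error: true
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      # Added for consistency with every other job: the Slack step below reads
      # env.SLACK_ERROR and env.APPLICATION, which appear to be exported by
      # this action and were otherwise unset here.
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - uses: Azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"
      - name: Vulnerability Test
        uses: ./.github/workflows/actions/owasp
        id: owasp
        with:
          environment: development
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Slack Notification
        if: failure()
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{ env.SLACK_ERROR }}
          SLACK_TITLE: Failure in OWASP Checks
          SLACK_MESSAGE: Error running OWASP test for ${{ env.APPLICATION }}
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}

  test:
    name: Test Deployment
    needs: [feature_tests, javascript_tests, build_release]
    if: github.ref == 'refs/heads/master'
    concurrency: test
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    environment:
      name: test
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - uses: Azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"
      - name: Deploy to Test
        uses: ./.github/workflows/actions/deploy
        id: deploy
        with:
          environment: test
          sha: ${{ github.sha }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
      - name: Slack Notification
        if: failure()
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{ env.SLACK_ERROR }}
          SLACK_TITLE: Failure in Post-Development Deploy
          SLACK_MESSAGE: Failure with initialising Test deployment for ${{ env.APPLICATION }}
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}

  integration:
    name: Run Integration Tests on test
    runs-on: ubuntu-latest
    needs: [build_base, test]
    environment:
      name: test
    permissions:
      id-token: write
    services:
      postgres:
        image: postgres:13.10
        env:
          # Throwaway credentials for the job-local service container only.
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - "5432:5432"
    env:
      DOCKER_IMAGE_TEST: ${{ needs.build_base.outputs.DOCKER_IMAGE_TEST }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - uses: Azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      # NOTE(review): the webhook from this step is not consumed later in the job.
      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: slack-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"
      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            HTTP_USERNAME=$(az keyvault secret show --name "HTTP-USERNAME" --vault-name "${{ secrets.KEY_VAULT }}" --query "value" -o tsv)
            echo "::add-mask::$HTTP_USERNAME"
            echo "HTTP_USERNAME=$HTTP_USERNAME" >> "$GITHUB_OUTPUT"
            HTTP_PASSWORD=$(az keyvault secret show --name "HTTP-PASSWORD" --vault-name "${{ secrets.KEY_VAULT }}" --query "value" -o tsv)
            echo "::add-mask::$HTTP_PASSWORD"
            echo "HTTP_PASSWORD=$HTTP_PASSWORD" >> "$GITHUB_OUTPUT"
            MAILSAC_API_KEY=$(az keyvault secret show --name "MAILSAC-API-KEY" --vault-name "${{ secrets.KEY_VAULT }}" --query "value" -o tsv)
            echo "::add-mask::$MAILSAC_API_KEY"
            echo "MAILSAC_API_KEY=$MAILSAC_API_KEY" >> "$GITHUB_OUTPUT"
      - name: Prepare DB
        run: |-
          docker run --net=host -t --rm -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \
            bundle exec rails db:prepare
      - name: Run Integration Tests
        run: |-
          docker run --net=host -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true -e HTTP_USERNAME -e HTTP_PASSWORD -e MAILSAC_API_KEY -e DATABASE_URL="postgresql://postgres:postgres@localhost" \
            ${{ env.DOCKER_IMAGE_TEST }} bundle exec rspec --tag integration
        env:
          # Secrets enter the container via `-e NAME` (value taken from the
          # runner environment), never via the command line.
          HTTP_USERNAME: ${{ steps.keyvault-yaml-secret.outputs.HTTP_USERNAME }}
          HTTP_PASSWORD: ${{ steps.keyvault-yaml-secret.outputs.HTTP_PASSWORD }}
          MAILSAC_API_KEY: ${{ steps.keyvault-yaml-secret.outputs.MAILSAC_API_KEY }}

  production:
    name: Production Deployment
    runs-on: ubuntu-latest
    needs: [integration, development]
    concurrency: production
    permissions:
      id-token: write
      # Job-level `permissions` replaces the workflow-level set; publishing the
      # release with GITHUB_TOKEN needs contents:write re-granted here.
      contents: write
    environment:
      name: production
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
      - uses: Azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"
            SLACK_RELEASE_NOTE_WEBHOOK=$(az keyvault secret show --name "SLACK-RELEASE-NOTE-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_RELEASE_NOTE_WEBHOOK"
            echo "SLACK_RELEASE_NOTE_WEBHOOK=$SLACK_RELEASE_NOTE_WEBHOOK" >> "$GITHUB_OUTPUT"
      - name: Get Release Id from Tag
        id: tag_id
        uses: DFE-Digital/github-actions/DraftReleaseByTag@master
        with:
          TAG: ${{ needs.development.outputs.release_tag }}
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish Release
        if: steps.tag_id.outputs.release_id
        uses: eregon/publish-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          release_id: ${{ steps.tag_id.outputs.release_id }}
      - name: Deploy to Production
        uses: ./.github/workflows/actions/deploy
        id: deploy
        with:
          environment: production
          sha: ${{ github.sha }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
      - name: Slack Release Notification
        if: steps.tag_id.outputs.release_id
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{ env.SLACK_SUCCESS }}
          SLACK_TITLE: "Release Published: ${{ steps.tag_id.outputs.release_name }}"
          SLACK_MESSAGE: ${{ fromJson(steps.tag_id.outputs.release_body) }}
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_RELEASE_NOTE_WEBHOOK }}
          MSG_MINIMAL: true
      - name: Slack Notification
        if: failure()
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{ env.SLACK_FAILURE }}
          SLACK_TITLE: Production Release ${{ github.event.title }}
          SLACK_MESSAGE: Failure deploying Production release
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}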