Merge pull request #3642 from DFE-Digital/fix-landing-page-title-alig… #13218
# CI/CD pipeline: builds the container images, runs linters and tests, then deploys.
name: Build and Deploy

on:
  workflow_dispatch:
  pull_request:
    types:
      - assigned
      - opened
      - synchronize
      - reopened
  push:
    branches:
      - master

# NOTE(review): these write scopes are granted to GITHUB_TOKEN in every job of
# this workflow, including the lint and test jobs that run pull-request code.
# Consider a read-only default here and a per-job `permissions:` block on the
# jobs that push images, create releases or comment on pull requests.
permissions:
  contents: write
  deployments: write
  issues: write
  packages: write
  pull-requests: write

jobs:
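# Job build_base: builds the `base` image target, pushes it to ghcr.io and exposes its tag.
  build_base:
    name: Build base image
    runs-on: ubuntu-latest
    outputs:
      DOCKER_IMAGE_TEST: ${{ steps.docker.outputs.DOCKER_IMAGE_TEST }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      # NOTE(review): this job holds a write-scoped GITHUB_TOKEN and several of
      # its actions track a mutable ref (@master); pinning them to a reviewed
      # commit SHA keeps unreviewed upstream changes out of the build.
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@master
        with:
          version: v0.9.1 # More recent buildx versions generate an OCI manifest which is incompatible with Cloud Foundry

      - name: Get Short SHA
        id: sha
        run: |
          echo "short=$(echo $GITHUB_SHA | cut -c -7)" >> $GITHUB_OUTPUT

      - name: Set docker images variables
        id: docker
        env:
          # The pull-request head branch name is chosen by the contributor, so it
          # is handed to the script as data through the environment instead of
          # being substituted into the shell source by the expression engine.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # GITHUB_REF is the runner-provided equivalent of github.ref.
          if [ "$GITHUB_REF" == "refs/heads/master" ]
          then
            GIT_BRANCH=master
          else
            # Keep only the last path segment of the head branch name.
            GIT_BRANCH="${HEAD_REF##*/}"
          fi
          echo "BRANCH_TAG=$GIT_BRANCH" >> "$GITHUB_ENV"
          echo "DOCKER_IMAGE_TEST=${{ env.DOCKER_REPOSITORY }}:base-sha-${{steps.sha.outputs.short }}" >> "$GITHUB_OUTPUT"

      - name: Login to Docker registry
        uses: docker/login-action@v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push base image
        uses: docker/build-push-action@v5
        with:
          target: base
          context: .
          cache-from: |
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY}}:base-master
          tags: |
            ${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
            ${{ env.DOCKER_REPOSITORY }}:base-sha-${{ steps.sha.outputs.short }}
          push: true
          build-args: |
            BUILDKIT_INLINE_CACHE=1

      # The remaining steps run only when a build on master has failed.
      - uses: Azure/login@v1
        if: failure() && github.ref == 'refs/heads/master'
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - uses: DfE-Digital/keyvault-yaml-secret@v1
        if: failure() && github.ref == 'refs/heads/master'
        id: keyvault-yaml-secret
        with:
          keyvault: ${{ secrets.KEY_VAULT}}
          secret: INFRA-KEYS
          key: SLACK-WEBHOOK

      - name: Slack Notification
        if: failure() && github.ref == 'refs/heads/master'
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{env.SLACK_ERROR}}
          SLACK_MESSAGE: 'There has been a failure building the application'
          SLACK_TITLE: 'Failure Building Application'
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }}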
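# Job build_release: builds and pushes the `release` and `release-build` image targets.
  build_release:
    name: Build release image
    needs:
      - build_base
    runs-on: ubuntu-latest
    outputs:
      DOCKER_IMAGE: ${{ steps.docker.outputs.DOCKER_IMAGE }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      # NOTE(review): this job holds a write-scoped GITHUB_TOKEN and several of
      # its actions track a mutable ref (@master); pinning them to a reviewed
      # commit SHA keeps unreviewed upstream changes out of the release image.
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@master
        with:
          version: v0.9.1 # More recent buildx versions generate an OCI manifest which is incompatible with Cloud Foundry

      - name: Get Short SHA
        id: sha
        run: |
          echo "short=$(echo $GITHUB_SHA | cut -c -7)" >> $GITHUB_OUTPUT

      - name: Set docker images variables
        id: docker
        env:
          # The pull-request head branch name is chosen by the contributor, so it
          # is handed to the script as data through the environment instead of
          # being substituted into the shell source by the expression engine.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # GITHUB_REF is the runner-provided equivalent of github.ref.
          if [ "$GITHUB_REF" == "refs/heads/master" ]
          then
            GIT_BRANCH=master
          else
            # Keep only the last path segment of the head branch name.
            GIT_BRANCH="${HEAD_REF##*/}"
          fi
          echo "BRANCH_TAG=$GIT_BRANCH" >> "$GITHUB_ENV"
          echo "DOCKER_IMAGE=${{ env.DOCKER_REPOSITORY }}:sha-${{steps.sha.outputs.short }}" >> "$GITHUB_OUTPUT"

      - name: Login to Docker registry
        uses: docker/login-action@v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push release image
        uses: docker/build-push-action@v5
        with:
          target: release
          context: .
          cache-from: |
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY}}:base-master
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY}}:release-build-master
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY}}:master
          tags: |
            ${{ env.DOCKER_REPOSITORY }}:${{ env.BRANCH_TAG }}
            ${{ env.DOCKER_REPOSITORY }}:sha-${{ steps.sha.outputs.short }}
          push: true
          build-args: |
            BUILDKIT_INLINE_CACHE=1
            SHA=${{ steps.sha.outputs.short }}

      - name: Push release-build image
        uses: docker/build-push-action@v5
        with:
          target: release-build
          context: .
          cache-from: |
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY}}:release-build-master
            type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }}
            type=registry,ref=${{ env.DOCKER_REPOSITORY}}:base-master
          tags: |
            ${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }}
            ${{ env.DOCKER_REPOSITORY }}:release-build-sha-${{ steps.sha.outputs.short }}
          push: true
          build-args: |
            BUILDKIT_INLINE_CACHE=1
            SHA=${{ steps.sha.outputs.short }}

      # The remaining steps run only when a build on master has failed.
      - uses: Azure/login@v1
        if: failure() && github.ref == 'refs/heads/master'
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - uses: DfE-Digital/keyvault-yaml-secret@v1
        if: failure() && github.ref == 'refs/heads/master'
        id: keyvault-yaml-secret
        with:
          keyvault: ${{ secrets.KEY_VAULT}}
          secret: INFRA-KEYS
          key: SLACK-WEBHOOK

      - name: Slack Notification
        if: failure() && github.ref == 'refs/heads/master'
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{env.SLACK_ERROR}}
          SLACK_MESSAGE: 'There has been a failure building the application'
          SLACK_TITLE: 'Failure Building Application'
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }}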
# Job linting: runs the SCSS, Ruby, ERB, Markdown and JavaScript linters (not on master).
  linting:
    name: Linting
    runs-on: ubuntu-latest
    needs:
      - build_base
    if: github.ref != 'refs/heads/master'
    env:
      # Image tag published by the build_base job.
      DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      # NOTE(review): third-party action on a mutable ref (@master); a pinned
      # commit SHA would make the code that runs here reviewable.
      - name: Lint SCSS
        uses: actions-hub/stylelint@master
        env:
          PATTERN: "**/*.scss"

      # The report is written to ./out on the runner through the bind mount.
      - name: Lint Ruby
        run: |-
          docker run -t --rm -v ${PWD}/out:/app/out -e RAILS_ENV=test ${{env.DOCKER_IMAGE_TEST}} \
            rubocop --format json --out=/app/out/rubocop-result.json

      # Uploaded even when rubocop fails.
      - name: Keep Rubocop output
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: rubocop_results
          path: ${{ github.workspace }}/out/rubocop-result.json

      - name: Lint ERB Templates
        run: |-
          docker run -t --rm ${{env.DOCKER_IMAGE_TEST}} bundle exec erblint --lint-all

      - name: Lint Markdown
        run: |-
          docker run -t --rm -v ${PWD}/out:/app/out ${{env.DOCKER_IMAGE_TEST}} sh -c "bundle exec mdl app/views/**/*.md | tee /app/out/mdl-result.txt"

      - name: ESLint - JavaScript linting
        run: |-
          docker run -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true \
            ${{env.DOCKER_IMAGE_TEST}} sh -c "yarn && yarn js-lint"
# Job javascript_tests: runs the JavaScript specs inside the base image.
  javascript_tests:
    name: Javascript Tests
    runs-on: ubuntu-latest
    needs:
      - build_base
    env:
      # Image tag published by the build_base job.
      DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - name: Run Javascript Tests
        run: |-
          docker run -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true \
            ${{env.DOCKER_IMAGE_TEST}} sh -c "yarn && yarn spec"
# Job feature_tests: runs the RSpec suite across six parallel nodes against a Postgres service.
  feature_tests:
    name: Unit Tests
    runs-on: ubuntu-latest
    needs:
      - build_base
    services:
      postgres:
        image: postgres:13.10
        env:
          # Throwaway credentials for the CI-only database container.
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - '5432:5432'
    env:
      # Image tag published by the build_base job.
      DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
    strategy:
      fail-fast: false
      matrix:
        ci_node_total: [6]
        ci_node_index: [0, 1, 2, 3, 4, 5]
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      # NOTE(review): no later step in this job reads the fetched SLACK-WEBHOOK
      # output. If that is right, the Azure login and Key Vault fetch can be
      # dropped so that a job running pull-request code holds no cloud
      # credentials - confirm before removing.
      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - uses: DfE-Digital/keyvault-yaml-secret@v1
        id: keyvault-yaml-secret
        with:
          keyvault: ${{ secrets.KEY_VAULT}}
          secret: INFRA-KEYS
          key: SLACK-WEBHOOK

      - name: Prepare DB
        run: |-
          docker run --net=host -t --rm -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \
            bundle exec rails db:prepare

      # CI_NODE_TOTAL / CI_NODE_INDEX are forwarded into the container by name.
      - name: Run Specs
        run: |-
          docker run --net=host -t --rm -v ${PWD}/out:/app/out -v ${PWD}/coverage/coverage-${{ matrix.ci_node_index }}:/app/coverage \
            -e CI_NODE_TOTAL -e CI_NODE_INDEX -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \
            bundle exec rake 'knapsack:rspec[--format RspecSonarqubeFormatter --out /app/out/test-report-${{ matrix.ci_node_index }}.xml --format progress]' spec
        env:
          CI_NODE_TOTAL: ${{ matrix.ci_node_total }}
          CI_NODE_INDEX: ${{ matrix.ci_node_index }}

      - name: Keep Code Coverage Report
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: code_coverage
          path: ${{ github.workspace }}/coverage

      - name: Keep Unit Tests Results
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: unit_tests
          path: ${{ github.workspace }}/out/*
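# Job sonarscanner: collates coverage and test reports and submits them to SonarCloud (not on master).
  sonarscanner:
    name: Sonar Scanner
    runs-on: ubuntu-latest
    needs:
      - build_base
      - feature_tests
    if: github.ref != 'refs/heads/master'
    env:
      # Image tag published by the build_base job.
      DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - uses: DfE-Digital/keyvault-yaml-secret@v1
        id: keyvault-yaml-secret
        with:
          keyvault: ${{ secrets.KEY_VAULT}}
          secret: INFRA-KEYS
          key: SONAR-TOKEN

      - name: Setup sonarqube
        uses: warchant/setup-sonar-scanner@v7

      # No `name:` given, so every artifact of the run is downloaded into its own directory.
      - name: Download Artifacts
        uses: actions/download-artifact@v3

      - name: Combine Coverage Reports
        run: |-
          docker run -t --rm -v ${{github.workspace}}/code_coverage:/app/coverage -e RAILS_ENV=test -e COVERAGE_DIR \
            ${{env.DOCKER_IMAGE_TEST}} bundle exec rake coverage:collate
        env:
          COVERAGE_DIR: /app/coverage

      # Rewrites the in-container /app/ prefix to the runner's working directory.
      - name: Fix report file paths
        run: |
          sudo sed -i "s?\"/app/?\"${PWD}/?" ${{github.workspace}}/code_coverage/coverage.json

      - name: Run sonarqube
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # The token reaches the shell as an environment variable, so its value
          # is never substituted into the generated script text.
          SONAR_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SONAR-TOKEN }}
        run: sonar-scanner
          -Dsonar.login="$SONAR_TOKEN"
          -Dsonar.organization=dfe-digital
          -Dsonar.host.url=https://sonarcloud.io/
          -Dsonar.projectKey=DFE-Digital_get-into-teaching-app
          -Dsonar.testExecutionReportPaths=${{github.workspace}}/unit_tests/test-report-0.xml,\
          ${{github.workspace}}/unit_tests/test-report-1.xml,\
          ${{github.workspace}}/unit_tests/test-report-2.xml,\
          ${{github.workspace}}/unit_tests/test-report-3.xml,\
          ${{github.workspace}}/unit_tests/test-report-4.xml,\
          ${{github.workspace}}/unit_tests/test-report-5.xml
          -Dsonar.ruby.coverage.reportPaths=${{github.workspace}}/code_coverage/coverage.json
          -Dsonar.ruby.rubocop.reportPaths=${{github.workspace}}/rubocop_results/rubocop-result.json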
# Job review: deploys a per-pull-request review app and comments its URL on the PR (not on master).
  review:
    name: Review Deployment Process
    needs:
      - build_release
    if: github.ref != 'refs/heads/master'
    runs-on: ubuntu-latest
    # One deployment at a time per pull request.
    concurrency: Review_${{github.event.number}}
    environment:
      name: Review
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - uses: DfE-Digital/keyvault-yaml-secret@v1
        id: keyvault-yaml-secret
        with:
          keyvault: ${{ secrets.KEY_VAULT}}
          secret: INFRA-KEYS
          key: SLACK-WEBHOOK

      # Local composite action; it receives the deployment credentials as inputs.
      - name: Deploy to Review
        uses: ./.github/workflows/actions/deploy
        id: deploy
        with:
          environment: Review
          sha: ${{ github.sha }}
          pr: ${{github.event.number}}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
          ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}

      - name: Post sticky pull request comment
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          recreate: true
          header: PAAS
          message: Review app deployed to https://${{env.REVIEW_APPLICATION}}-${{github.event.number}}.${{env.DOMAIN}}

      # Skipped for pull requests opened by dependabot.
      - name: Add Review Label
        if: contains(github.event.pull_request.user.login, 'dependabot') == false
        uses: actions-ecosystem/action-add-labels@v1
        with:
          labels: Review
# Job review_aks: deploys a per-pull-request review app to AKS; failures do not fail the run.
  review_aks:
    name: Review AKS Deployment Process
    needs:
      - build_release
    if: github.ref != 'refs/heads/master'
    runs-on: ubuntu-latest
    continue-on-error: true
    # One AKS deployment at a time per pull request.
    concurrency: Review_aks_${{github.event.number}}
    environment:
      name: review_aks
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
        with:
          var_file: .github/common_environment_aks.yml

      # Dependabot-triggered runs select the *_AKS_REVIEW secret names; for any
      # other actor SECRET_SUFFIX is left unset by this step.
      - name: Setup Environment Variables
        if: github.actor == 'dependabot[bot]'
        id: variables
        shell: bash
        run: |
          secret_suffix="_AKS_REVIEW"
          echo "SECRET_SUFFIX=$secret_suffix" >> $GITHUB_ENV

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets[format('AZURE_CREDENTIALS{0}', env.SECRET_SUFFIX)] }}

      # The value is masked before it is written as a step output.
      # NOTE(review): no later step in this job reads the SLACK_WEBHOOK output.
      - name: Fetch secrets from key vault
        uses: azure/CLI@v1
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets[format('KEY_VAULT{0}', env.SECRET_SUFFIX)] }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT

      - name: Deploy to Review AKS
        uses: ./.github/workflows/actions/deploy_v2
        id: deploy_v2
        with:
          environment: review_aks
          sha: ${{ github.sha }}
          pr: ${{github.event.number}}
          AZURE_CREDENTIALS: ${{ secrets[format('AZURE_CREDENTIALS{0}', env.SECRET_SUFFIX)] }}
          KEY_VAULT: ${{ secrets[format('KEY_VAULT{0}', env.SECRET_SUFFIX)] }}
          ARM_ACCESS_KEY: ${{ secrets[format('ARM_ACCESS_KEY{0}', env.SECRET_SUFFIX)] }}

      - name: Post sticky pull request comment
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          recreate: true
          header: AKS
          message: AKS Review app deployed to https://${{env.REVIEW_APPLICATION}}-${{github.event.number}}.test.${{env.DOMAIN}}

      # Skipped for pull requests opened by dependabot.
      - name: Add Review_v2 Label
        if: contains(github.event.pull_request.user.login, 'dependabot') == false
        uses: actions-ecosystem/action-add-labels@v1
        with:
          labels: Review_v2
# Job development: deploys master to Development and creates a GitHub release tagged with the PR number.
  development:
    name: Development Deployment
    needs:
      - feature_tests
      - javascript_tests
      - build_release
    if: github.ref == 'refs/heads/master'
    concurrency: Development
    runs-on: ubuntu-latest
    outputs:
      # Read by the production job to find the release to publish.
      release_tag: ${{steps.tag_version.outputs.pr_number}}
      release_sha: ${{github.sha }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - uses: DfE-Digital/keyvault-yaml-secret@v1
        id: keyvault-yaml-secret
        with:
          keyvault: ${{ secrets.KEY_VAULT}}
          secret: INFRA-KEYS
          key: SLACK-WEBHOOK

      - name: Deploy to Development
        uses: ./.github/workflows/actions/deploy
        id: deploy
        with:
          environment: Development
          sha: ${{ github.sha }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
          ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}

      # NOTE(review): the release helpers below receive GITHUB_TOKEN and track a
      # mutable ref (@master); pinning them to a commit SHA is worth considering.
      - name: Generate Tag from PR Number
        id: tag_version
        uses: DFE-Digital/github-actions/GenerateReleaseFromSHA@master
        with:
          sha: ${{github.sha}}

      # Runs only when the previous step reports that it found a pull request.
      - name: Create a GitHub Release
        id: release
        if: steps.tag_version.outputs.pr_found == 1
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.tag_version.outputs.pr_number }}
          body: ${{ steps.tag_version.outputs.pr_number }}
          release_name: Release ${{ steps.tag_version.outputs.pr_number }}
          commitish: ${{ github.sha}}
          prerelease: false

      - name: Copy PR Info to Release
        if: steps.release.outputs.id
        uses: DFE-Digital/github-actions/CopyPRtoRelease@master
        with:
          PR_NUMBER: ${{ steps.tag_version.outputs.pr_number }}
          RELEASE_ID: ${{ steps.release.outputs.id }}
          TOKEN: ${{secrets.GITHUB_TOKEN}}
# Job development_aks: deploys master to the AKS development environment; failures do not fail the run.
  development_aks:
    name: Development AKS Deployment
    needs:
      - feature_tests
      - javascript_tests
      - build_release
    if: github.ref == 'refs/heads/master'
    concurrency: Development_aks
    continue-on-error: true
    runs-on: ubuntu-latest
    environment:
      name: development_aks
    outputs:
      # NOTE(review): the tag_version step is commented out below, so
      # release_tag has no step to take its value from until it is restored.
      release_tag: ${{steps.tag_version.outputs.pr_number}}
      release_sha: ${{github.sha }}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
        with:
          var_file: .github/common_environment_aks.yml

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # The value is masked before it is written as a step output.
      - name: Fetch secrets from key vault
        uses: azure/CLI@v1
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT

      - name: Deploy to Development AKS
        uses: ./.github/workflows/actions/deploy_v2
        id: deploy_v2
        with:
          environment: development_aks
          sha: ${{ github.sha }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
          ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}

      # Uncomment below when PaaS dev deploy step is removed
      # - name: Generate Tag from PR Number
      #   id: tag_version
      #   uses: DFE-Digital/github-actions/GenerateReleaseFromSHA@master
      #   with:
      #     sha: ${{github.sha}}
      # - name: Create a GitHub Release
      #   id: release
      #   if: steps.tag_version.outputs.pr_found == 1
      #   uses: actions/create-release@v1
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      #   with:
      #     tag_name: ${{ steps.tag_version.outputs.pr_number }}
      #     body: ${{ steps.tag_version.outputs.pr_number }}
      #     release_name: Release ${{ steps.tag_version.outputs.pr_number }}
      #     commitish: ${{ github.sha}}
      #     prerelease: false
      # - name: Copy PR Info to Release
      #   if: steps.release.outputs.id
      #   uses: DFE-Digital/github-actions/CopyPRtoRelease@master
      #   with:
      #     PR_NUMBER: ${{ steps.tag_version.outputs.pr_number }}
      #     RELEASE_ID: ${{ steps.release.outputs.id }}
      #     TOKEN: ${{secrets.GITHUB_TOKEN}}
# Job owasp: runs the repository's local OWASP action against Development after it has been deployed.
  owasp:
    name: OWASP Checks
    needs:
      - development
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      # Local composite action; it receives the cloud credentials and GITHUB_TOKEN as inputs.
      - name: Vunerability Test
        uses: ./.github/workflows/actions/owasp
        id: deploy
        with:
          environment: Development
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
          ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
# Job owasp_aks: runs the local OWASP v2 action against the AKS development environment; failures do not fail the run.
  owasp_aks:
    name: OWASP AKS Checks
    needs:
      - development_aks
    runs-on: ubuntu-latest
    environment:
      name: development_aks
    continue-on-error: true
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      # Local composite action; it receives the cloud credentials and GITHUB_TOKEN as inputs.
      - name: Vunerability Test
        uses: ./.github/workflows/actions/owasp_v2
        id: deploy
        with:
          environment: development_aks
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
          ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
# Job qa: deploys master to the Test environment and reports a failure to Slack.
  qa:
    name: Quality Assurance Deployment
    needs:
      - feature_tests
      - javascript_tests
      - build_release
    if: github.ref == 'refs/heads/master'
    concurrency: QA
    runs-on: ubuntu-latest
    environment:
      name: Test
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - uses: DfE-Digital/keyvault-yaml-secret@v1
        id: keyvault-yaml-secret
        with:
          keyvault: ${{ secrets.KEY_VAULT}}
          secret: INFRA-KEYS
          key: SLACK-WEBHOOK

      - name: Deploy to Test
        uses: ./.github/workflows/actions/deploy
        id: deploy
        with:
          environment: Test
          sha: ${{ github.sha }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
          ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}

      # NOTE(review): this action receives the Slack webhook and tracks a
      # mutable ref (@master); a pinned commit SHA is worth considering.
      - name: Slack Notification
        if: failure()
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{env.SLACK_ERROR}}
          SLACK_TITLE: Failure in Post-Development Deploy
          SLACK_MESSAGE: Failure with initialising QA deployment for ${{env.APPLICATION}}
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }}
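# Job test_aks: deploys master to the AKS test environment and reports a failure to Slack; failures do not fail the run.
  test_aks:
    name: Test AKS Deployment
    needs:
      - feature_tests
      - javascript_tests
      - build_release
    if: github.ref == 'refs/heads/master'
    concurrency: test_aks
    continue-on-error: true
    runs-on: ubuntu-latest
    environment:
      name: test_aks
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
        with:
          var_file: .github/common_environment_aks.yml

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # The value is masked before it is written as the step output SLACK_WEBHOOK.
      - name: Fetch secrets from key vault
        uses: azure/CLI@v1
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT

      - name: Deploy to Test AKS
        uses: ./.github/workflows/actions/deploy_v2
        id: deploy_v2
        with:
          environment: test_aks
          sha: ${{ github.sha }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
          ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}

      # NOTE(review): this action receives the Slack webhook and tracks a
      # mutable ref (@master); a pinned commit SHA is worth considering.
      - name: Slack Notification
        if: failure()
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{env.SLACK_ERROR}}
          SLACK_TITLE: Failure in Post-Development Deploy
          SLACK_MESSAGE: Failure with initialising AKS Test deployment for ${{env.APPLICATION}}
          # The fetch step writes its output as SLACK_WEBHOOK (underscore). The
          # hyphenated name used before matched no output, which would leave the
          # webhook empty and the failure alert unsent.
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}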
# Job integration: runs the specs tagged `integration` after the qa deployment.
  integration:
    name: Run Integration Tests on QA
    runs-on: ubuntu-latest
    needs:
      - build_base
      - qa
    services:
      postgres:
        image: postgres:13.10
        env:
          # Throwaway credentials for the CI-only database container.
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - '5432:5432'
    env:
      # Image tag published by the build_base job.
      DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - uses: DfE-Digital/keyvault-yaml-secret@v1
        id: keyvault-yaml-secret
        with:
          keyvault: ${{ secrets.KEY_VAULT}}
          secret: INFRA-KEYS
          key: HTTP-USERNAME, HTTP-PASSWORD, MAILSAC-API-KEY

      - name: Prepare DB
        run: |-
          docker run --net=host -t --rm -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \
            bundle exec rails db:prepare

      # The three secrets are set in the step environment and forwarded into the
      # container by name (-e NAME), so their values stay out of the command line.
      - name: Run Integration Tests
        run: |-
          docker run --net=host -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true -e HTTP_USERNAME -e HTTP_PASSWORD -e MAILSAC_API_KEY -e DATABASE_URL="postgresql://postgres:postgres@localhost" \
            ${{env.DOCKER_IMAGE_TEST}} bundle exec rspec --tag integration
        env:
          HTTP_USERNAME: ${{ steps.keyvault-yaml-secret.outputs.HTTP-USERNAME }}
          HTTP_PASSWORD: ${{ steps.keyvault-yaml-secret.outputs.HTTP-PASSWORD }}
          MAILSAC_API_KEY: ${{ steps.keyvault-yaml-secret.outputs.MAILSAC-API-KEY }}
# Job integration_aks: prepares the test database for the AKS test environment; the spec run itself is still commented out.
  integration_aks:
    name: Run Integration Tests on AKS test
    runs-on: ubuntu-latest
    needs:
      - build_base
      - test_aks
    environment:
      name: test_aks
    services:
      postgres:
        image: postgres:13.10
        env:
          # Throwaway credentials for the CI-only database container.
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - '5432:5432'
    env:
      # Image tag published by the build_base job.
      DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}}
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
        with:
          var_file: .github/common_environment_aks.yml

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Each value is masked before it is written as a step output.
      - name: Fetch secrets from key vault
        uses: azure/CLI@v1
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            HTTP_USERNAME=$(az keyvault secret show --name "HTTP-USERNAME" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
            echo "::add-mask::$HTTP_USERNAME"
            echo "HTTP_USERNAME=$HTTP_USERNAME" >> $GITHUB_OUTPUT
            HTTP_PASSWORD=$(az keyvault secret show --name "HTTP-PASSWORD" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
            echo "::add-mask::$HTTP_PASSWORD"
            echo "HTTP_PASSWORD=$HTTP_PASSWORD" >> $GITHUB_OUTPUT
            MAILSAC_API_KEY=$(az keyvault secret show --name "MAILSAC-API-KEY" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
            echo "::add-mask::$MAILSAC_API_KEY"
            echo "MAILSAC_API_KEY=$MAILSAC_API_KEY" >> $GITHUB_OUTPUT

      - name: Prepare DB
        run: |-
          docker run --net=host -t --rm -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \
            bundle exec rails db:prepare

      # Uncomment this step when test is migrated to AKS
      # as need to update config.x.integration_host in config/environments/test.rb
      # - name: Run Integration Tests
      #   run: |-
      #     docker run --net=host -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true -e HTTP_USERNAME -e HTTP_PASSWORD -e MAILSAC_API_KEY -e DATABASE_URL="postgresql://postgres:postgres@localhost" \
      #     ${{env.DOCKER_IMAGE_TEST}} bundle exec rspec --tag integration
      #   env:
      #     HTTP_USERNAME: ${{ steps.keyvault-yaml-secret.outputs.HTTP_USERNAME }}
      #     HTTP_PASSWORD: ${{ steps.keyvault-yaml-secret.outputs.HTTP_PASSWORD }}
      #     MAILSAC_API_KEY: ${{ steps.keyvault-yaml-secret.outputs.MAILSAC_API_KEY }}
# Job production: publishes the drafted release, deploys to Production and posts the result to Slack.
  production:
    name: Production Deployment
    runs-on: ubuntu-latest
    needs:
      - integration
      - development
    concurrency: Production
    environment:
      name: Production
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      # NOTE(review): several actions in this job track a mutable ref (@master)
      # while the job holds production credentials; pinning them to a reviewed
      # commit SHA is worth considering.
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - uses: DfE-Digital/keyvault-yaml-secret@v1
        id: keyvault-yaml-secret
        with:
          keyvault: ${{ secrets.KEY_VAULT}}
          secret: INFRA-KEYS
          key: SLACK-WEBHOOK, SLACK-RELEASE-NOTE-WEBHOOK

      # Looks up the release for the tag produced by the development job.
      - name: Get Release Id from Tag
        id: tag_id
        uses: DFE-Digital/github-actions/DraftReleaseByTag@master
        with:
          TAG: ${{needs.development.outputs.release_tag}}
          TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish Release
        if: steps.tag_id.outputs.release_id
        uses: eregon/publish-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          release_id: ${{steps.tag_id.outputs.release_id}}

      - name: Deploy to Production
        uses: ./.github/workflows/actions/deploy
        id: deploy
        with:
          environment: Production
          sha: ${{ github.sha }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
          ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}

      - name: Slack Release Notification
        if: steps.tag_id.outputs.release_id
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{env.SLACK_SUCCESS}}
          SLACK_TITLE: "Release Published: ${{steps.tag_id.outputs.release_name}}"
          SLACK_MESSAGE: ${{ fromJson( steps.tag_id.outputs.release_body) }}
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-RELEASE-NOTE-WEBHOOK }}
          MSG_MINIMAL: true

      # NOTE(review): other jobs in this workflow read env.SLACK_ERROR for the
      # failure colour; confirm that SLACK_FAILURE is defined.
      - name: Slack Notification
        if: failure()
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{env.SLACK_FAILURE}}
          SLACK_TITLE: Production Release ${{github.event.title}}
          SLACK_MESSAGE: Failure deploying Production release
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }}
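# Job production_aks: deploys to the AKS production environment and reports a failure to Slack; failures do not fail the run.
  production_aks:
    name: Production AKS Deployment
    runs-on: ubuntu-latest
    needs:
      - integration
      - development_aks
    concurrency: production_aks
    continue-on-error: true
    environment:
      name: production_aks
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4

      # NOTE(review): several actions in this job track a mutable ref (@master)
      # while the job holds production credentials; pinning them to a reviewed
      # commit SHA is worth considering.
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master
        with:
          var_file: .github/common_environment_aks.yml

      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Each value is masked before it is written as a step output. The output
      # names use underscores: SLACK_WEBHOOK and SLACK_RELEASE_NOTE_WEBHOOK.
      - name: Fetch secrets from key vault
        uses: azure/CLI@v1
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
            SLACK_RELEASE_NOTE_WEBHOOK=$(az keyvault secret show --name "SLACK-RELEASE-NOTE-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_RELEASE_NOTE_WEBHOOK"
            echo "SLACK_RELEASE_NOTE_WEBHOOK=$SLACK_RELEASE_NOTE_WEBHOOK" >> $GITHUB_OUTPUT

      - name: Get Release Id from Tag
        id: tag_id
        uses: DFE-Digital/github-actions/DraftReleaseByTag@master
        with:
          TAG: ${{needs.development_aks.outputs.release_tag}}
          TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Uncomment when migrated from PaaS
      #
      # - name: Publish Release
      #   if: steps.tag_id.outputs.release_id
      #   uses: eregon/publish-release@v1
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      #   with:
      #     release_id: ${{steps.tag_id.outputs.release_id}}

      - name: Deploy to Production AKS
        uses: ./.github/workflows/actions/deploy_v2
        id: deploy_v2
        with:
          environment: production_aks
          sha: ${{ github.sha }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          KEY_VAULT: ${{ secrets.KEY_VAULT }}
          ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}

      # Uncomment when migrated from PaaS
      # NOTE(review): when restoring this step, read the webhook from the
      # underscore-named output written by the fetch step above.
      #
      # - name: Slack Release Notification
      #   if: steps.tag_id.outputs.release_id
      #   uses: rtCamp/action-slack-notify@master
      #   env:
      #     SLACK_COLOR: ${{env.SLACK_SUCCESS}}
      #     SLACK_TITLE: "Release Published: ${{steps.tag_id.outputs.release_name}}"
      #     SLACK_MESSAGE: ${{ fromJson( steps.tag_id.outputs.release_body) }}
      #     SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-RELEASE-NOTE-WEBHOOK }}
      #     MSG_MINIMAL: true

      - name: Slack Notification
        if: failure()
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{env.SLACK_FAILURE}}
          SLACK_TITLE: Production Release ${{github.event.title}}
          SLACK_MESSAGE: Failure deploying Production AKS release
          # The fetch step writes its output as SLACK_WEBHOOK (underscore). The
          # hyphenated name used before matched no output, which would leave the
          # webhook empty and the failure alert unsent.
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}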