Skip to content

Federated authentication experiment #4741

Federated authentication experiment

Federated authentication experiment #4741

Workflow file for this run

name: Build and Deploy
on:
workflow_dispatch:
pull_request:
push:
branches: [master]
permissions:
contents: write
deployments: write
issues: write
packages: write
pull-requests: write
env:
code-coverage-artifact-name: code_coverage_${{github.run_number}}_${{github.run_attempt}}
unit-tests-artifact-name: unit_tests_${{github.run_number}}_${{github.run_attempt}}
rubocop-artifact-name: rubocop_results_${{github.run_number}}_${{github.run_attempt}}
cucumber-tests-artifact-name: cucumber_tests_${{github.run_number}}_${{github.run_attempt}}
selenium-cucumber-tests-artifact-name: selenium_cucumber_tests_${{github.run_number}}_${{github.run_attempt}}
DOCKER_BUILD_RECORD_UPLOAD: false
jobs:
build:
name: Build
runs-on: ubuntu-latest
outputs:
DOCKER_IMAGE: ${{ steps.docker.outputs.DOCKER_IMAGE }}
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.GSE_REPO_AZ_CREDENTIALS }}
- name: Fetch slack web hook
if: failure() && github.ref == 'refs/heads/master'
uses: azure/CLI@v2
id: slack-web-hook
with:
inlineScript: |
SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INF_KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SECRET_VALUE"
echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT
- name: Lint Dockerfile
uses: brpaz/hadolint-action@master
with:
dockerfile: "Dockerfile"
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Get Short SHA
id: sha
run: echo "short=$(echo $GITHUB_SHA | cut -c -7)" >> $GITHUB_OUTPUT
- name: Set DOCKER_IMAGE environment variable
id: docker
run: |
if [ "${{github.ref}}" == "refs/heads/master" ]
then
echo "DOCKER_IMAGE=${{ env.DOCKER_REPOSITORY }}:sha-${{ steps.sha.outputs.short }}" >> $GITHUB_OUTPUT
echo "DOCKER_MASTER=${{ env.DOCKER_REPOSITORY }}:master" >> $GITHUB_OUTPUT
else
echo "DOCKER_IMAGE=${{ env.DOCKER_REPOSITORY }}:review-${{steps.sha.outputs.short }}" >> $GITHUB_OUTPUT
echo "DOCKER_MASTER=${{ env.DOCKER_REPOSITORY }}:PR-${{ github.event.number }}" >> $GITHUB_OUTPUT
fi
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push to GitHub Container Registry
uses: docker/build-push-action@v6
with:
cache-from: ${{ env.DOCKER_REPOSITORY }}:master
tags: |
${{ steps.docker.outputs.DOCKER_IMAGE }}
${{ steps.docker.outputs.DOCKER_MASTER }}
push: true
build-args: SHA=${{ steps.sha.outputs.short }}
- name: Slack Notification
if: failure() && github.ref == 'refs/heads/master'
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_ERROR}}
SLACK_MESSAGE: "There has been a failure building the application"
SLACK_TITLE: "Failure Building Application"
SLACK_WEBHOOK: " ${{ steps.slack-web-hook.outputs.SLACK-WEBHOOK }} "
spec_tests:
name: Unit Tests
runs-on: ubuntu-latest
needs: [build]
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Bring up Docker compose Stack
run: docker compose -f docker-compose-ci.yml up -d
env:
IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}}
- name: Lint Ruby
run: docker run -t --rm -v ${PWD}/out:/app/out -e RAILS_ENV=test ${{needs.build.outputs.DOCKER_IMAGE}} rubocop
- name: Keep Rubocop output
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ env.rubocop-artifact-name }}
path: ${{ github.workspace }}/out/rubocop-result.json
- name: Run Specs
run: docker compose -f docker-compose-ci.yml run --rm db-tasks rspec
env:
IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}}
- name: Keep Unit Tests Results
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ env.unit-tests-artifact-name }}
path: ${{ github.workspace }}/out/test-report.xml
- name: Keep Code Coverage Report
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ env.code-coverage-artifact-name }}
path: ${{ github.workspace }}/coverage/coverage.json
security_tests:
name: Security Tests
runs-on: ubuntu-latest
needs: [build]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.GSE_REPO_AZ_CREDENTIALS }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Fetch synk token from key vault
uses: azure/CLI@v2
id: fetch-synk-token
with:
inlineScript: |
SECRET_VALUE=$(az keyvault secret show --name "SNYK-TOKEN" --vault-name "${{ secrets.INF_KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SECRET_VALUE"
echo "SNYK-TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT
- name: Run Snyk to check Docker image for vulnerabilities
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ steps.fetch-synk-token.outputs.SNYK-TOKEN }}
with:
image: ${{needs.build.outputs.DOCKER_IMAGE}}
args: --severity-threshold=high --file=Dockerfile --exclude-app-vulns --policy-path=/.snyk
- name: Run Brakeman static security scanner
run: docker run -t --rm -e RAILS_ENV=test ${{needs.build.outputs.DOCKER_IMAGE}} brakeman
cucumber_tests:
name: Cucumber Tests
runs-on: ubuntu-latest
needs: [build]
strategy:
fail-fast: false
matrix:
node: [1, 2]
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run Cucumber Tests
run: |-
docker compose -f docker-compose-ci.yml run --rm \
-e RAILS_ENV \
-e DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL \
-e NODE \
-e NODE_COUNT \
db-tasks -p ${PROFILE} cucumber
env:
IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}}
PROFILE: continuous_integration
DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL: true
NODE: ${{ matrix.node }}
NODE_COUNT: 2
- name: Keep Unit Tests Results
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ env.cucumber-tests-artifact-name }}_${{ matrix.node }}
path: ${{ github.workspace }}/out
selenium_cucumber_tests:
name: Chrome Cucumber Tests
runs-on: ubuntu-latest
needs: [build]
strategy:
fail-fast: false
matrix:
node: [1, 2]
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run Cucumber Tests
run: |-
docker compose -f docker-compose-ci.yml run --rm \
-e RAILS_ENV \
-e DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL \
-e NODE \
-e NODE_COUNT \
school-experience -p ${PROFILE} cucumber
env:
IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}}
PROFILE: selenium
RAILS_ENV: test
DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL: true
NODE: ${{ matrix.node }}
NODE_COUNT: 2
- name: Keep Unit Tests Results
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ env.selenium-cucumber-tests-artifact-name }}_${{ matrix.node }}
path: ${{ github.workspace }}/out
sonarcloud:
name: SonarCloud
runs-on: ubuntu-latest
needs: [selenium_cucumber_tests, cucumber_tests, security_tests, spec_tests]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.GSE_REPO_AZ_CREDENTIALS }}
- name: Download Test Artifacts
uses: actions/download-artifact@v4
with:
path: ${{ github.workspace }}/out/
- name: Fixup report file paths
run: sudo sed -i "s?/app/app?/github/workspace/app?" ${{ github.workspace }}/out/${{ env.code-coverage-artifact-name }}/coverage.json
- name: Fetch Sonar token from key vault
uses: azure/CLI@v2
id: fetch-sonar-token
with:
inlineScript: |
SECRET_VALUE=$(az keyvault secret show --name "SONAR-TOKEN" --vault-name "${{ secrets.INF_KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SECRET_VALUE"
echo "SONAR-TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ steps.fetch-sonar-token.outputs.SONAR-TOKEN }}
with:
args: >
-Dsonar.ruby.rubocop.reportPath=./out/${{ env.rubocop-artifact-name }}/rubocop-result.json
-Dsonar.ruby.coverage.reportPaths=./out/${{ env.code-coverage-artifact-name }}/coverage.json
prepare:
name: Configure Matrix Deployments
needs: [sonarcloud]
runs-on: ubuntu-latest
outputs:
matrix_environments: ${{ env.MATRIX_ENVIRONMENTS }}
release_tag: ${{steps.tag_version.outputs.pr_number}}
steps:
- name: Set matrix environments (Push to master)
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
run: |
echo "MATRIX_ENVIRONMENTS={\"environment\":[\"development\",\"staging\",\"production\"]}" >> $GITHUB_ENV
- name: Set matrix environments ( Review)
if: github.event_name == 'pull_request' && github.ref != 'refs/heads/master'
run: |
echo "MATRIX_ENVIRONMENTS={\"environment\":[\"review\"]}" >> $GITHUB_ENV
- name: Generate Tag from PR Number
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
id: tag_version
uses: DFE-Digital/github-actions/GenerateReleaseFromSHA@master
with:
sha: ${{github.sha}}
- name: Create a GitHub Release
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && steps.tag_version.outputs.pr_found == 1
id: release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ steps.tag_version.outputs.pr_number }}
body: ${{ steps.tag_version.outputs.pr_number }}
release_name: Release ${{ steps.tag_version.outputs.pr_number }}
commitish: ${{ github.sha}}
prerelease: false
- name: Copy PR Info to Release
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && steps.release.outputs.id
uses: DFE-Digital/github-actions/CopyPRtoRelease@master
with:
PR_NUMBER: ${{ steps.tag_version.outputs.pr_number }}
RELEASE_ID: ${{ steps.release.outputs.id }}
TOKEN: ${{secrets.GITHUB_TOKEN}}
deployments:
name: Deployments
strategy:
max-parallel: 1
matrix: ${{fromJSON(needs.prepare.outputs.matrix_environments)}}
environment:
name: ${{matrix.environment}}
concurrency: ${{matrix.environment}}_${{github.event.number}}
needs: [prepare]
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Fetch SECURE USERNAME
uses: azure/CLI@v2
id: fetch-username
with:
inlineScript: |
SECRET_VALUE=$(az keyvault secret show --name "SECURE-USERNAME" --vault-name "${{ secrets.APP_KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SECRET_VALUE"
echo "SECURE_USERNAME=$SECRET_VALUE" >> $GITHUB_OUTPUT
- name: Fetch SECURE PASSWORD
uses: azure/CLI@v2
id: fetch-password
with:
inlineScript: |
SECRET_VALUE=$(az keyvault secret show --name "SECURE-PASSWORD" --vault-name "${{ secrets.APP_KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SECRET_VALUE"
echo "SECURE_PASSWORD=$SECRET_VALUE" >> $GITHUB_OUTPUT
- name: Fetch slack token
uses: azure/CLI@v2
id: fetch-slack-secret
with:
inlineScript: |
SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INF_KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SECRET_VALUE"
echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT
- name: Trigger Deployment to ${{matrix.environment}}
id: deploy
uses: ./.github/workflows/actions/deploy
with:
environment: ${{matrix.environment}}
sha: ${{ github.sha }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
pr: ${{github.event.number}}
secure-username: ${{ steps.fetch-username.outputs.SECURE_USERNAME}}
secure-password: ${{ steps.fetch-password.outputs.SECURE_PASSWORD}}
- name: Determine DfE Sign In Message
if: matrix.environment == 'Review'
uses: haya14busa/action-cond@v1
id: dsiMessage
with:
cond: ${{ steps.deploy.outputs.dsi-hostname != '' }}
if_true: ":white_check_mark: DfE sign in route obtained: https://${{ steps.deploy.outputs.dsi-hostname }}"
if_false: ":warning: **DfE sign in route pool exhausted (close some open PRs!)**"
- name: Post sticky pull request comment
if: matrix.environment == 'Review'
uses: marocchino/sticky-pull-request-comment@v2
with:
recreate: true
header: PR
message: |
Review app deployed to https://${{env.REVIEW_APPLICATION}}-${{github.event.number}}.${{env.REVIEW_DOMAIN}}
${{ steps.dsiMessage.outputs.value }}
- name: Add Review Label
if: matrix.environment == 'Review' && contains(github.event.pull_request.user.login, 'dependabot') == false
uses: actions-ecosystem/action-add-labels@v1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
labels: Review
- name: Get Release Id from Tag
id: tag_id
uses: DFE-Digital/github-actions/DraftReleaseByTag@master
with:
TAG: ${{needs.prepare.outputs.release_tag}}
TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Publish Release
if: matrix.environment == 'Production' && steps.tag_id.outputs.release_id
uses: eregon/publish-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{steps.tag_id.outputs.release_id}}
- name: Slack Release Notification
if: matrix.environment == 'Production' && steps.tag_id.outputs.release_id
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_SUCCESS}}
SLACK_MESSAGE: ${{ fromJson(steps.tag_id.outputs.release_body) }}
SLACK_TITLE: "Release Published: ${{steps.tag_id.outputs.release_name}}"
SLACK_WEBHOOK: "${{steps.fetch-slack-secret.outputs.SLACK-WEBHOOK}}"
MSG_MINIMAL: true
- name: Slack Notification
if: failure() && matrix.environment == 'Production'
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_ERROR}}
SLACK_TITLE: Failure in Post-Development Deploy
SLACK_MESSAGE: Failure with initialising ${{matrix.environment}} deployment for ${{env.APPLICATION}}
SLACK_WEBHOOK: "${{steps.fetch-slack-secret.outputs.SLACK-WEBHOOK}}"
owasp:
name: "OWASP Test"
runs-on: ubuntu-latest
needs: [deployments]
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: set-up-environment
uses: DFE-Digital/github-actions/set-up-environment@master
- uses: Azure/login@v2
with:
creds: ${{ secrets.GSE_REPO_AZ_CREDENTIALS }}
- name: Fetch SECURE USERNAME
uses: azure/CLI@v2
id: fetch-username
with:
inlineScript: |
SECRET_VALUE=$(az keyvault secret show --name "SECURE-USERNAME" --vault-name "${{ secrets.APP_KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SECRET_VALUE"
echo "SECURE_USERNAME=$SECRET_VALUE" >> $GITHUB_OUTPUT
- name: Fetch SECURE PASSWORD
uses: azure/CLI@v2
id: fetch-password
with:
inlineScript: |
SECRET_VALUE=$(az keyvault secret show --name "SECURE-PASSWORD" --vault-name "${{ secrets.APP_KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SECRET_VALUE"
echo "SECURE_PASSWORD=$SECRET_VALUE" >> $GITHUB_OUTPUT
- name: ZAP Scan
uses: zaproxy/action-full-scan@v0.11.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: "ghcr.io/zaproxy/zaproxy:stable"
target: "https://${{ steps.fetch-username.outputs.SECURE_USERNAME}}:${{ steps.fetch-password.outputs.SECURE_PASSWORD }}@${{env.APPLICATION_NAME}}-development.${{env.REVIEW_DOMAIN}}"
rules_file_name: ".zap/rules.tsv"
cmd_options: "-a"
- name: Fetch secrets from key vault
if: failure()
uses: azure/CLI@v2
id: fetch-slack-secret
with:
inlineScript: |
SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INF_KEY_VAULT}}" --query "value" -o tsv)
echo "::add-mask::$SECRET_VALUE"
echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT
- name: Slack Notification
if: failure()
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{env.SLACK_FAILURE}}
SLACK_MESSAGE: "Pipeline Failure carrying out OWASP Testing on https://${{env.APPLICATION_NAME}}-development.${{env.REVIEW_DOMAIN}}/"
SLACK_TITLE: "Failure: OWSAP Testing has failed on Development"
SLACK_WEBHOOK: "${{ steps.fetch-slack-secret.outputs.SLACK-WEBHOOK}}"