upgrade twig for improved security #4108
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "[Workflow] PR" | |
| concurrency: | |
| group: ${{ github.ref }}-${{ github.workflow }} | |
| defaults: | |
| run: | |
| shell: bash | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: | |
| contents: write | |
| security-events: write | |
| pull-requests: read | |
| actions: none | |
| checks: none | |
| deployments: none | |
| issues: none | |
| packages: none | |
| repository-projects: none | |
| statuses: none | |
| jobs: | |
| workspace_name: | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/data-parse-workspace.yml@bd6ac6106a4adda64cecefa3632fb64ab0ddab4b # v1.36.0 | |
| set_variables: | |
| name: Generate image tags | |
| runs-on: ubuntu-latest | |
| outputs: | |
| short_sha: ${{ steps.short_sha.outputs.short_sha }} | |
| environment_terraform_version: ${{ steps.terraform_version_environment.outputs.version }} | |
| account_terraform_version: ${{ steps.terraform_version_account.outputs.version }} | |
| region_terraform_version: ${{ steps.terraform_version_region.outputs.version }} | |
| email_terraform_version: ${{ steps.terraform_version_email.outputs.version }} | |
| steps: | |
| - name: Set output to short SHA | |
| id: short_sha | |
| env: | |
| HEAD_GITHUB_SHA: ${{ github.event.pull_request.head.sha }} | |
| run: echo "short_sha=${HEAD_GITHUB_SHA::7}" >> $GITHUB_OUTPUT | |
| - name: Set terraform version - environment | |
| id: terraform_version_environment | |
| uses: ministryofjustice/opg-github-actions/.github/actions/terraform-version@v2.7.3 | |
| with: | |
| terraform_directory: "./terraform/environment" | |
| - name : Set terraform version - account | |
| id: terraform_version_account | |
| uses: ministryofjustice/opg-github-actions/.github/actions/terraform-version@v2.7.3 | |
| with: | |
| terraform_directory: "./terraform/account" | |
| - name: Set terraform version - region | |
| id: terraform_version_region | |
| uses: ministryofjustice/opg-github-actions/.github/actions/terraform-version@v2.7.3 | |
| with: | |
| terraform_directory: "./terraform/region" | |
| - name: Set terraform version - email | |
| id: terraform_version_email | |
| uses: ministryofjustice/opg-github-actions/.github/actions/terraform-version@v2.7.3 | |
| with: | |
| terraform_directory: "./terraform/email" | |
| terraform_lint: | |
| name: TF - Lint | |
| needs: | |
| - set_variables | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/linting-infrastructure-terraform.yml@v3.1.0 | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.environment_terraform_version }} | |
| phpunit_tests: | |
| name: Run PHPUnit tests | |
| uses: ./.github/workflows/phpunit.yml | |
| secrets: inherit | |
| docker_build_scan_push: | |
| name: Docker Build, Scan and Push | |
| uses: ./.github/workflows/docker_job.yml | |
| needs: | |
| - set_variables | |
| with: | |
| tag: ${{ needs.set_variables.outputs.short_sha }} | |
| secrets: inherit | |
| terraform_account_development: | |
| name: TF Development - Account | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/build-infrastructure-terraform.yml@v3.1.0 | |
| needs: | |
| - workspace_name | |
| - terraform_lint | |
| - set_variables | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.account_terraform_version }} | |
| terraform_workspace: development | |
| is_ephemeral: false | |
| workspace_manager_aws_account_id: "050256574573" | |
| workspace_manager_aws_iam_role: opg-lpa-ci | |
| terraform_apply: true | |
| terraform_directory: ./terraform/account | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| terraform_region_development: | |
| name: TF Development - Region | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/build-infrastructure-terraform.yml@v3.1.0 | |
| needs: | |
| - workspace_name | |
| - terraform_lint | |
| - set_variables | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.region_terraform_version }} | |
| terraform_workspace: development | |
| is_ephemeral: false | |
| workspace_manager_aws_account_id: "050256574573" | |
| workspace_manager_aws_iam_role: opg-lpa-ci | |
| terraform_apply: true | |
| terraform_directory: ./terraform/region | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| terraform_email_development: | |
| name: TF Development - Email | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/build-infrastructure-terraform.yml@v3.1.0 | |
| needs: | |
| - workspace_name | |
| - terraform_lint | |
| - set_variables | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.email_terraform_version }} | |
| terraform_workspace: development | |
| is_ephemeral: false | |
| workspace_manager_aws_account_id: "050256574573" | |
| workspace_manager_aws_iam_role: opg-lpa-ci | |
| terraform_apply: true | |
| terraform_directory: ./terraform/email | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| terraform_environment_development: | |
| name: TF Development - Environment | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/build-infrastructure-terraform.yml@v3.1.0 | |
| needs: | |
| - docker_build_scan_push | |
| - phpunit_tests | |
| - workspace_name | |
| - set_variables | |
| - terraform_email_development | |
| - terraform_account_development | |
| - terraform_region_development | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.environment_terraform_version }} | |
| use_ssh_private_key: true | |
| terraform_workspace: ${{ needs.workspace_name.outputs.name }} | |
| is_ephemeral: true | |
| workspace_manager_aws_account_id: "050256574573" | |
| workspace_manager_aws_iam_role: opg-lpa-ci | |
| terraform_apply: true | |
| terraform_directory: ./terraform/environment | |
| terraform_variables: "-var container_version=${{ needs.set_variables.outputs.short_sha }}" | |
| persist_artifacts: true | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| terraform_account_preproduction: | |
| name: TF Preproduction Plan - Account | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/build-infrastructure-terraform.yml@v3.1.0 | |
| needs: | |
| - workspace_name | |
| - set_variables | |
| - terraform_lint | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.account_terraform_version }} | |
| terraform_workspace: preproduction | |
| is_ephemeral: false | |
| workspace_manager_aws_account_id: "987830934591" | |
| workspace_manager_aws_iam_role: opg-lpa-ci | |
| terraform_apply: false | |
| terraform_directory: ./terraform/account | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| terraform_region_preproduction: | |
| name: TF Preproduction Plan - Region | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/build-infrastructure-terraform.yml@v3.1.0 | |
| needs: | |
| - workspace_name | |
| - set_variables | |
| - terraform_lint | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.region_terraform_version }} | |
| terraform_workspace: preproduction | |
| is_ephemeral: false | |
| workspace_manager_aws_account_id: "987830934591" | |
| workspace_manager_aws_iam_role: opg-lpa-ci | |
| terraform_apply: false | |
| terraform_directory: ./terraform/region | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| terraform_environment_preproduction: | |
| name: TF Preproduction Plan - Environment | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/build-infrastructure-terraform.yml@v3.1.0 | |
| needs: | |
| - workspace_name | |
| - set_variables | |
| - terraform_lint | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.environment_terraform_version }} | |
| use_ssh_private_key: true | |
| terraform_workspace: preproduction | |
| is_ephemeral: false | |
| workspace_manager_aws_account_id: "987830934591" | |
| workspace_manager_aws_iam_role: opg-lpa-ci | |
| terraform_apply: false | |
| terraform_directory: ./terraform/environment | |
| terraform_variables: "-var container_version=${{ needs.set_variables.outputs.short_sha }}" | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| run_dev_seed_db_task: | |
| name: Run development DB seeding | |
| uses: ./.github/workflows/workflow_start_task.yml | |
| with: | |
| account_id: "050256574573" | |
| task_name: "seeding" | |
| needs: | |
| - terraform_environment_development | |
| secrets: inherit | |
| terraform_outputs: | |
| name: Render terraform outputs | |
| runs-on: ubuntu-latest | |
| needs: | |
| - run_dev_seed_db_task | |
| - terraform_environment_development | |
| outputs: | |
| admin_fqdn: ${{ steps.admin_fqdn.outputs.value }} | |
| front_fqdn: ${{ steps.front_fqdn.outputs.value }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| - name: Download Terraform Task definition | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # tag=v3.0.2 | |
| with: | |
| name: terraform-artifact | |
| path: /tmp/ | |
| - name: Set environment variable | |
| id: set_var | |
| run: | | |
| content=$(cat /tmp/environment_pipeline_tasks_config.json) | |
| content="${content//'%'/'%25'}" | |
| content="${content//$'\n'/'%0A'}" | |
| content="${content//$'\r'/'%0D'}" | |
| echo "configJson=${content}" >> $GITHUB_OUTPUT | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3.0.2 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| aws-region: eu-west-1 | |
| role-to-assume: arn:aws:iam::050256574573:role/opg-lpa-ci | |
| role-duration-seconds: 900 | |
| role-session-name: OPGLPABuildPipeline | |
| - name: Extract Admin FQDN from JSON | |
| id: admin_fqdn | |
| env: | |
| configJson: ${{steps.set_var.outputs.configJson}} | |
| run: | | |
| echo "value=${{ fromJson(env.configJson).admin_fqdn }}" >> $GITHUB_OUTPUT | |
| - name: Extract Front FQDN from JSON | |
| id: front_fqdn | |
| run: | | |
| echo "value=${{ fromJson(steps.set_var.outputs.configJson).front_fqdn }}" >> $GITHUB_OUTPUT | |
| post_deployment_slack_msg: | |
| name: Post-Deployment Slack message | |
| runs-on: ubuntu-latest | |
| outputs: | |
| ts: ${{ steps.slack.outputs.ts }} | |
| needs: | |
| - terraform_outputs | |
| - set_variables | |
| env: | |
| FRONT_URL: ${{ needs.terraform_outputs.outputs.front_fqdn }} | |
| ADMIN_URL: ${{ needs.terraform_outputs.outputs.admin_fqdn }} | |
| steps: | |
| - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 | |
| id: slack | |
| with: | |
| channel-id: "CAMB46M6Y" | |
| payload: | | |
| { | |
| "icon_emoji": ":robot_face:", | |
| "blocks": [ | |
| { | |
| "type": "header", | |
| "text": { | |
| "type": "plain_text", | |
| "text": "Development Environment Deployment", | |
| "emoji": true | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Status:*\nDeployed (Tests running)" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Started by:*\n ${{ github.triggering_actor }}" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Commit:*\n <https://github.com/ministryofjustice/opg-lpa/commit/${{ github.sha }}|${{ needs.set_variables.outputs.short_sha }}>" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "<https://github.com/ministryofjustice/opg-lpa/actions/runs/${{github.run_id}}|View workflow>" | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "*Front URL:* https://${{ env.FRONT_URL }}/home\n*Admin URL:* https://${{ env.ADMIN_URL }}" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| cypress_tests_Signup_StichedPF: | |
| name: Run Cypress tests - @Signup,@StitchedPF | |
| uses: ./.github/workflows/cypress_tests.yml | |
| needs: | |
| - terraform_outputs | |
| with: | |
| admin_url: https://${{ needs.terraform_outputs.outputs.admin_fqdn }} | |
| front_url: https://${{ needs.terraform_outputs.outputs.front_fqdn }} | |
| account_id: "050256574573" | |
| cypress_tags: "@Signup,@StitchedPF" | |
| secrets: inherit | |
| cypress_tests_Signup_StichedHW: | |
| name: Run Cypress tests - @Signup,@StitchedHW | |
| uses: ./.github/workflows/cypress_tests.yml | |
| needs: | |
| - terraform_outputs | |
| with: | |
| admin_url: https://${{ needs.terraform_outputs.outputs.admin_fqdn }} | |
| front_url: https://${{ needs.terraform_outputs.outputs.front_fqdn }} | |
| account_id: "050256574573" | |
| cypress_tags: "@Signup,@StitchedHW" | |
| secrets: inherit | |
| cypress_tests_Signup_StichedClone: | |
| name: Run Cypress tests - @Signup,@StitchedClone | |
| uses: ./.github/workflows/cypress_tests.yml | |
| needs: | |
| - terraform_outputs | |
| with: | |
| admin_url: https://${{ needs.terraform_outputs.outputs.admin_fqdn }} | |
| front_url: https://${{ needs.terraform_outputs.outputs.front_fqdn }} | |
| account_id: "050256574573" | |
| cypress_tags: "@Signup,@StitchedClone" | |
| secrets: inherit | |
| cypress_tests_SignupIncluded: | |
| name: Run Cypress tests - @SignupIncluded | |
| uses: ./.github/workflows/cypress_tests.yml | |
| needs: | |
| - terraform_outputs | |
| with: | |
| admin_url: https://${{ needs.terraform_outputs.outputs.admin_fqdn }} | |
| front_url: https://${{ needs.terraform_outputs.outputs.front_fqdn }} | |
| account_id: "050256574573" | |
| cypress_tags: "@SignupIncluded" | |
| secrets: inherit | |
| # Remaining tests should ultimately just exclude SignUp and anything already done as part of stitched run. | |
| # TODO CorrespondentReuse needs refactoring so that it can be included as part of the stitchedClone run. | |
| cypress_tests_Remaining: | |
| name: Run Cypress tests - Remaining | |
| uses: ./.github/workflows/cypress_tests.yml | |
| needs: | |
| - terraform_outputs | |
| with: | |
| admin_url: https://${{ needs.terraform_outputs.outputs.admin_fqdn }} | |
| front_url: https://${{ needs.terraform_outputs.outputs.front_fqdn }} | |
| account_id: "050256574573" | |
| cypress_tags: "@Signup,not @Signup and not @PartOfStitchedRun and not @StitchedHW and not @StitchedPF and not @StitchedClone and not @CorrespondentReuse and not @SignupIncluded and not @AdminSystemMessage and not @CheckoutPaymentGateway" | |
| secrets: inherit | |
| post_tests_slack_msg: | |
| name: Post-Tests Slack message | |
| runs-on: ubuntu-latest | |
| needs: | |
| - terraform_outputs | |
| - set_variables | |
| - post_deployment_slack_msg | |
| - cypress_tests_Remaining | |
| - cypress_tests_SignupIncluded | |
| - cypress_tests_Signup_StichedClone | |
| - cypress_tests_Signup_StichedHW | |
| - cypress_tests_Signup_StichedPF | |
| env: | |
| FRONT_URL: ${{ needs.terraform_outputs.outputs.front_fqdn }} | |
| ADMIN_URL: ${{ needs.terraform_outputs.outputs.admin_fqdn }} | |
| steps: | |
| - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 | |
| with: | |
| channel-id: "CAMB46M6Y" | |
| update-ts: ${{ needs.post_deployment_slack_msg.outputs.ts }} | |
| payload: | | |
| { | |
| "icon_emoji": ":robot_face:", | |
| "blocks": [ | |
| { | |
| "type": "header", | |
| "text": { | |
| "type": "plain_text", | |
| "text": "Development Environment Deployment", | |
| "emoji": true | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Status:*\nDeployed (Tests have passed!)" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Started by:*\n ${{ github.triggering_actor }}" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Commit:*\n <https://github.com/ministryofjustice/opg-lpa/commit/${{ github.sha }}|${{ needs.set_variables.outputs.short_sha }}>" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "<https://github.com/ministryofjustice/opg-lpa/actions/runs/${{github.run_id}}|View workflow>" | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "*Front URL:* https://${{ env.FRONT_URL }}/home\n*Admin URL:* https://${{ env.ADMIN_URL }}" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| end_of_pr_workflow: | |
| name: End of PR Workflow | |
| if: github.ref != 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| needs: | |
| - cypress_tests_Remaining | |
| - cypress_tests_SignupIncluded | |
| - cypress_tests_Signup_StichedClone | |
| - cypress_tests_Signup_StichedHW | |
| - cypress_tests_Signup_StichedPF | |
| - workspace_name | |
| - terraform_outputs | |
| - set_variables | |
| environment: | |
| name: "dev_${{ needs.workspace_name.outputs.name }}" | |
| url: "https://${{ env.FRONT_URL }}/home" | |
| env: | |
| FRONT_URL: ${{ needs.terraform_outputs.outputs.front_fqdn }} | |
| steps: | |
| - name: End of PR Workflow | |
| run: | | |
| echo "${{ needs.workspace_name.outputs.name }} PR environment tested, built and deployed" | |
| echo "Tag Deployed: ${{ needs.set_variables.outputs.short_sha }}" | |
| echo "URL: https://${{ env.FRONT_URL }}/home" |