dev_on_push_workflow_main.yml

name: "1 [on_push] Initiate workflow"

on:
  push:
    branches:
      - master
      - "maint/**"

permissions: write-all

jobs:
  pcapi-init-job:
    name: "pcapi init job"
    runs-on: ubuntu-22.04
    outputs:
      api-changed: ${{ steps.check-api-changes.outputs.any_modified }}
      api-documentation-changed: ${{ steps.check-api-documentation-changes.outputs.any_modified }}
      pro-changed: ${{ steps.check-pro-changes.outputs.any_modified }}
      dependencies-changed: ${{ steps.check-dependencies-changes.outputs.any_modified }}
      push-tags: ${{ steps.pcapi-tags.outputs.push-tags }}
      checksum-tag: ${{ steps.pcapi-tags.outputs.checksum-tag }}
      checksum-tag-exists: ${{ steps.check-checksum-tag.outputs.tag-exists }}
      checksum-console-tag-exists: ${{ steps.check-console-checksum-tag.outputs.tag-exists }}
    steps:
      - uses: actions/checkout@v4.2.2
        with:
          fetch-depth: 0
          fetch-tags: false
      - name: "Check api folder changes"
        id: check-api-changes
        uses: tj-actions/changed-files@v45
        with:
          files: |
            api/**
            !api/documentation/**
            !api/src/pcapi/scripts/**/main.py
            !api/src/pcapi/scripts/**/main.sql
      - name: "Check api documentation folder changes"
        id: check-api-documentation-changes
        uses: tj-actions/changed-files@v45
        with:
          files: api/documentation/**
      - name: "Check pro folder changes"
        id: check-pro-changes
        uses: tj-actions/changed-files@v45
        with:
          files: pro/**
      - name: "Check changes in dependencies (frontend + backend)"
        id: check-dependencies-changes
        uses: tj-actions/changed-files@v45
        with:
          files: |
            api/poetry.lock
            pro/yarn.lock
      - name: "Define pcapi image tags."
        id: pcapi-tags
        run: |
          DOCKER_IMAGE="${{ env.docker_registry }}/pcapi"
          API_CHECKSUM=`tar --sort=name --owner=0 --group=0 --mtime='UTC 2019-01-01' -cf - api | sha1sum | awk '{ print $1 }'`
          PUSH_TAGS="push-tags=$DOCKER_IMAGE:${{ github.sha }},$DOCKER_IMAGE:$API_CHECKSUM,$DOCKER_IMAGE:latest"
          API_TAG="checksum-tag=$API_CHECKSUM"
          echo "PUSH_TAGS=$PUSH_TAGS"
          echo "API_TAG=$API_TAG"
          echo $PUSH_TAGS >> "$GITHUB_OUTPUT"
          echo $API_TAG >> "$GITHUB_OUTPUT"
      - name: "Authentification to Google"
        uses: "google-github-actions/auth@v2"
        with:
          workload_identity_provider: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      - name: "Get Secret"
        id: "secrets"
        uses: "google-github-actions/get-secretmanager-secrets@v2"
        with:
          secrets: |-
            ARTIFACT_REGISTRY_WORKLOAD_IDENTITY_PROVIDER:passculture-metier-ehp/passculture-main-gcp-workload-identity-provider
            ARTIFACT_REGISTRY_SERVICE_ACCOUNT:passculture-metier-ehp/passculture-main-artifact-registry-service-account
      - name: "OpenID Connect Authentication"
        id: "openid-auth"
        uses: "google-github-actions/auth@v2"
        with:
          create_credentials_file: false
          token_format: "access_token"
          workload_identity_provider: ${{ steps.secrets.outputs.ARTIFACT_REGISTRY_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ steps.secrets.outputs.ARTIFACT_REGISTRY_SERVICE_ACCOUNT }}
      - name: "Docker login"
        id: "docker-login"
        uses: "docker/login-action@v3"
        with:
          registry: "europe-west1-docker.pkg.dev"
          username: "oauth2accesstoken"
          password: "${{ steps.openid-auth.outputs.access_token }}"
      - name: "pcapi"
        id: check-checksum-tag
        run: ./.github/workflows/scripts/check-image-tag-exists.sh
        env:
          image: pcapi
          tag: ${{ steps.pcapi-tags.outputs.checksum-tag }}
          token: ${{ steps.openid-auth.outputs.access_token }}
      - name: "pcapi-console"
        id: check-console-checksum-tag
        run: ./.github/workflows/scripts/check-image-tag-exists.sh
        env:
          image: pcapi-console
          tag: ${{ steps.pcapi-tags.outputs.checksum-tag }}
          token: ${{ steps.openid-auth.outputs.access_token }}
      - name: "Summary"
        run: |
          echo "[api] folder changed : ${{ steps.check-api-changes.outputs.any_modified }}"
          echo "[pcapi] push-tags : ${{ steps.pcapi-tags.outputs.push-tags }}"
          echo "[pcapi] checksum-tag : ${{ steps.pcapi-tags.outputs.checksum-tag }}"
          echo "[pcapi] image tag ${{ steps.pcapi-tags.outputs.checksum-tag }} exists : ${{ steps.check-checksum-tag.outputs.tag-exists }}"
          echo "[pcapi-console] image tag ${{ steps.pcapi-tags.outputs.checksum-tag }} exists : ${{ steps.check-console-checksum-tag.outputs.tag-exists }}"

  check-folders-changes:
    # Perform all changes checks at once to remove the need for multiple checkouts accross jobs
    name: "Check changes in folders"
    runs-on: ubuntu-22.04
    outputs:
      maintenance-site-changed: ${{ steps.check-maintenance-site-changes.outputs.any_modified }}
      db-migrations-changed: ${{ steps.check-db-migrations-changes.outputs.any_modified }}
    steps:
      - uses: actions/checkout@v4.2.2
        with:
          fetch-depth: 0
          fetch-tags: false
      - name: "Check maintenance-site folder changes"
        id: check-maintenance-site-changes
        uses: tj-actions/changed-files@v45
        with:
          files: maintenance-site/**
      - name: "Check db migration folder changes"
        id: check-db-migrations-changes
        uses: tj-actions/changed-files@v45
        with:
          files: |-
            api/src/pcapi/alembic/versions/**
            api/src/pcapi/alembic/run_migrations.py

  build-pcapi:
    name: "[pcapi] build docker image."
    needs: [pcapi-init-job]
    if: needs.pcapi-init-job.outputs.api-changed == 'true'
    uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml
    with:
      ref: ${{ github.sha }}
      image: pcapi
      tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  build-pcapi-tests:
    name: "[pcapi-tests] build docker image."
    needs: [pcapi-init-job]
    if: needs.pcapi-init-job.outputs.api-changed == 'true'
    uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml
    with:
      ref: ${{ github.sha }}
      image: pcapi-tests
      tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  build-pcapi-console:
    name: "[pcapi-console] build docker image."
    needs: [pcapi-init-job]
    if: |
      ( needs.pcapi-init-job.outputs.api-changed == 'true' ||
      needs.pcapi-init-job.outputs.pro-changed == 'true' ) &&
      github.ref == 'refs/heads/master'
    uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml
    with:
      ref: ${{ github.sha }}
      image: pcapi-console
      tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  prepare-cache-master: # on "master" branch only
    name: "Reset cache on master on dependency update"
    needs: [build-pcapi]
    uses: ./.github/workflows/dev_on_workflow_update_api_client_template.yml
    if: github.ref == 'refs/heads/master'
    with:
      PCAPI_DOCKER_TAG: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
      TRIGGER_ONLY_ON_API_CHANGE: false
      TRIGGER_ONLY_ON_DEPENDENCY_CHANGE: true
      CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
      api-changed: ${{ needs.pcapi-init-job.outputs.api-changed }}
      dependencies-changed: ${{ needs.pcapi-init-job.outputs.dependencies-changed }}
    secrets:
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}

  test-api:
    name: "Test api"
    needs: [pcapi-init-job, build-pcapi-tests]
    uses: ./.github/workflows/dev_on_workflow_tests_api.yml
    with:
      tag: ${{ needs.build-pcapi-tests.result == 'skipped' && 'latest' || needs.pcapi-init-job.outputs.checksum-tag }}
    secrets:
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}

  test-api-documentation:
    name: "Tests API documentation"
    needs: [pcapi-init-job]
    if: needs.pcapi-init-job.outputs.api-documentation-changed == 'true'
    uses: ./.github/workflows/dev_on_workflow_tests_api_documentation.yml
    secrets:
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}

  test-pro:
    name: "Tests pro"
    needs: [pcapi-init-job]
    if: needs.pcapi-init-job.outputs.pro-changed == 'true'
    uses: ./.github/workflows/dev_on_workflow_tests_pro.yml
    with:
      CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  test-pro-e2e:
    name: "Tests pro E2E"
    needs: [pcapi-init-job, build-pcapi]
    uses: ./.github/workflows/dev_on_workflow_tests_pro_e2e.yml
    if: |
      always() &&
      !cancelled() &&
      needs.pcapi-init-job.outputs.api-changed == 'true' ||
      needs.pcapi-init-job.outputs.pro-changed == 'true'
    with:
      tag: ${{ needs.build-pcapi.result == 'skipped' && 'latest' || needs.pcapi-init-job.outputs.checksum-tag }}
      CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  merge-allure-reports:
    name: "Merge Allure Reports and Push to Allure Repository"
    needs: [test-pro]
    runs-on: ubuntu-22.04
    if: |
      always() &&
      !cancelled() && needs.test-pro.result != 'skipped'
    steps:
      - name: "Install Allure CLI via Yarn"
        run: yarn global add allure-commandline

      - name: "Download Allure results artifacts for pro"
        uses: actions/download-artifact@v4
        with:
          name: allure-results-pro-unit
          path: allure-results/pro-unit

      # - name: "Download Allure results artifacts for pro E2E"
      #   uses: actions/download-artifact@v4
      #   with:
      #     name: allure-results-pro-e2e
      #     path: allure-results/pro-e2e

      - name: "Merge Allure Results"
        run: |
          mkdir -p allure-results
          cp -r allure-results/pro-unit/* allure-results/

      - name: "Clone Allure Report Repository to Retrieve History"
        env:
          TOKEN: ${{ secrets.PAT_ALLURE_REPORTS_TEMP }}
        run: |
          git clone https://x-access-token:${TOKEN}@github.com/fseguin-pass/allure-reports-temp.git allure-report-temp
          mkdir -p allure-results/history
          if [ -d "allure-report-temp/history" ]; then
            cp -r allure-report-temp/history/* allure-results/history/
          fi

      - name: "Generate Allure Report with Updated History"
        run: allure generate allure-results --clean -o allure-report

      - name: "Push Updated Allure Report with History to Repository"
        run: |
          cd allure-report-temp
          rm -rf *
          cp -r ../allure-report/* .
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add .
          git commit -m "Update Allure Report with history"
          git push origin main

  deploy-storybook:
    name: "Deploy Storybook"
    needs: [pcapi-init-job]
    if: ${{ github.ref == 'refs/heads/master' && needs.pcapi-init-job.outputs.pro-changed == 'true' }}
    uses: ./.github/workflows/dev_on_workflow_deploy_storybook.yml

  push-pcapi:
    name: "Push pcapi docker image to registry"
    needs: [build-pcapi, pcapi-init-job, test-api]
    uses: ./.github/workflows/dev_on_workflow_push_docker_image.yml
    with:
      image: pcapi
      commit-hash: ${{ github.sha }}
      checksum-tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
      tag-latest: true
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  push-pcapi-console:
    name: "Push pcapi-console docker image to registry"
    needs: [build-pcapi-console, pcapi-init-job, test-api]
    uses: ./.github/workflows/dev_on_workflow_push_docker_image.yml
    with:
      image: pcapi-console
      commit-hash: ${{ github.sha }}
      checksum-tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
      tag-latest: true
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  deploy-to-testing:
    name: "Deploy to testing"
    needs: [test-api, test-pro, push-pcapi-console, push-pcapi]
    if: |
      always() &&
      github.ref == 'refs/heads/master' &&
      contains(fromJSON('["success", "skipped"]'), needs.test-api.result) &&
      contains(fromJSON('["success", "skipped"]'), needs.test-pro.result)
    uses: ./.github/workflows/dev_on_workflow_deploy.yml
    with:
      environment: testing
      app_version: ${{ github.sha }}
      cluster_scope: metier
      cluster_environment: ehp
      workload_identity_provider_secret_name: gcp_metier_ehp_workload_identity_provider
      deploy_api: ${{ needs.test-api.result == 'success' }}
      deploy_pro: ${{ needs.test-pro.result == 'success' }}
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  deploy-to-ops:
    name: "Deploy to ops"
    needs: [test-api, test-pro, push-pcapi-console, push-pcapi]
    if: |
      always() &&
      github.ref == 'refs/heads/master' &&
      contains(fromJSON('["success", "skipped"]'), needs.test-api.result) &&
      contains(fromJSON('["success", "skipped"]'), needs.test-pro.result) &&
      vars.DISABLE_PCAPI_OPS_DEPLOY == 'false'
    uses: ./.github/workflows/dev_on_workflow_deploy.yml
    with:
      environment: ops
      app_version: ${{ github.sha }}
      cluster_scope: metier
      cluster_environment: ops
      workload_identity_provider_secret_name: gcp_metier_ops_workload_identity_provider
      deploy_api: ${{ needs.test-api.result == 'success' }}
      deploy_pro: false
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  deploy-maintenance-site:
    name: "Deploy maintenance site"
    needs: check-folders-changes
    if: |
      always() &&
      github.ref == 'refs/heads/master' &&
      needs.check-folders-changes.outputs.maintenance-site-changed == 'true'
    uses: ./.github/workflows/dev_on_workflow_deploy_maintenance_site.yml
    secrets:
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}

  ping-data-team-on-slack:
    name: "Ping data team on slack"
    needs: check-folders-changes
    if: |
      always() &&
      github.ref == 'refs/heads/master' &&
      needs.check-folders-changes.outputs.db-migrations-changed == 'true'
    uses: ./.github/workflows/dev_on_workflow_ping_data_team.yml
    secrets:
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}

  update-jira-issue:
    name: "Update Jira issue"
    if: ${{ always() && github.ref == 'refs/heads/master' }}
    concurrency: update-jira-issue-${{ github.workflow }}-${{ github.ref }}
    uses: ./.github/workflows/dev_on_workflow_update_jira_issues.yml
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  slack-notify:
    name: "Slack notification"
    runs-on: ubuntu-22.04
    if: ${{ failure() && github.ref == 'refs/heads/master' }}
    needs: deploy-to-testing
    steps:
      - uses: technote-space/workflow-conclusion-action@v3
      - name: "Authentification to Google"
        uses: "google-github-actions/auth@v2"
        with:
          workload_identity_provider: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      - name: "Get Secret"
        id: "secrets"
        uses: "google-github-actions/get-secretmanager-secrets@v2"
        with:
          secrets: |-
            SLACK_BOT_TOKEN:passculture-metier-ehp/passculture-ci-slack-bot-token
      - name: "Post to a Slack channel"
        uses: slackapi/slack-github-action@v1.27.0
        with:
          # channel #alertes-deploiement
          channel-id: "CQAMNFVPS"
          payload: |
            {
              "attachments": [
                {
                  "mrkdwn_in": ["text"],
                  "color": "#A30002",
                  "author_name": "${{github.actor}}",
                  "author_link": "https://github.com/${{github.actor}}",
                  "author_icon": "https://github.com/${{github.actor}}.png",
                  "title": "PCAPI Deployment",
                  "title_link": "https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}",
                  "text": "Le déploiement de la version `master` a échoué sur `testing` :boom:"
                }
              ],
              "unfurl_links": false,
              "unfurl_media": false
            }
        env:
          SLACK_BOT_TOKEN: ${{ steps.secrets.outputs.SLACK_BOT_TOKEN }}