Top tips for career progression #14031
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Deploy | |
on: | |
workflow_dispatch: | |
pull_request: | |
types: [assigned, opened, synchronize, reopened] | |
push: | |
branches: [ master ] | |
permissions: | |
contents: write | |
deployments: write | |
issues: write | |
packages: write | |
pull-requests: write | |
env: | |
code-coverage-artifact-name: code_coverage_${{github.run_number}}_${{github.run_attempt}} | |
unit-tests-artifact-name: unit_tests_${{github.run_number}}_${{github.run_attempt}} | |
rubocop-artifact-name: rubocop_results_${{github.run_number}}_${{github.run_attempt}} | |
jobs: | |
build_base: | |
name: Build base image | |
runs-on: ubuntu-latest | |
outputs: | |
DOCKER_IMAGE_TEST: ${{ steps.docker.outputs.DOCKER_IMAGE_TEST }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@master | |
with: | |
version: v0.9.1 # More recent buildx versions generate an OCI manifest which is incompatible with Cloud Foundry | |
- name: Get Short SHA | |
id: sha | |
run: | | |
echo "short=$(echo $GITHUB_SHA | cut -c -7)" >> $GITHUB_OUTPUT | |
- name: Set docker images variables | |
id: docker | |
run: | | |
if [ "${{github.ref}}" == "refs/heads/master" ] | |
then | |
GIT_BRANCH=master | |
else | |
GIT_REF=${{ github.head_ref }} | |
GIT_BRANCH=${GIT_REF##*/} | |
fi | |
echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV | |
echo "DOCKER_IMAGE_TEST=${{ env.DOCKER_REPOSITORY }}:base-sha-${{steps.sha.outputs.short }}" >> $GITHUB_OUTPUT | |
- name: Login to Docker registry | |
uses: docker/login-action@v3.0.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push base image | |
uses: docker/build-push-action@v5 | |
with: | |
target: base | |
context: . | |
cache-from: | | |
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }} | |
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:base-master | |
tags: | | |
${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }} | |
${{ env.DOCKER_REPOSITORY }}:base-sha-${{ steps.sha.outputs.short }} | |
push: true | |
build-args: | | |
BUILDKIT_INLINE_CACHE=1 | |
- uses: Azure/login@v1 | |
if: failure() && github.ref == 'refs/heads/master' | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} | |
- name: Fetch secrets from key vault | |
if: failure() && github.ref == 'refs/heads/master' | |
uses: azure/CLI@v1 | |
id: keyvault-yaml-secret | |
with: | |
inlineScript: | | |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) | |
echo "::add-mask::$SLACK_WEBHOOK" | |
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT | |
- name: Slack Notification | |
if: failure() && github.ref == 'refs/heads/master' | |
uses: rtCamp/action-slack-notify@master | |
env: | |
SLACK_COLOR: ${{env.SLACK_ERROR}} | |
SLACK_MESSAGE: 'There has been a failure building the application' | |
SLACK_TITLE: 'Failure Building Application' | |
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }} | |
build_release: | |
name: Build release image | |
needs: [build_base] | |
runs-on: ubuntu-latest | |
outputs: | |
DOCKER_IMAGE: ${{ steps.docker.outputs.DOCKER_IMAGE }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@master | |
with: | |
version: v0.9.1 # More recent buildx versions generate an OCI manifest which is incompatible with Cloud Foundry | |
- name: Get Short SHA | |
id: sha | |
run: | | |
echo "short=$(echo $GITHUB_SHA | cut -c -7)" >> $GITHUB_OUTPUT | |
- name: Set docker images variables | |
id: docker | |
run: | | |
if [ "${{github.ref}}" == "refs/heads/master" ] | |
then | |
GIT_BRANCH=master | |
else | |
GIT_REF=${{ github.head_ref }} | |
GIT_BRANCH=${GIT_REF##*/} | |
fi | |
echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV | |
echo "DOCKER_IMAGE=${{ env.DOCKER_REPOSITORY }}:sha-${{steps.sha.outputs.short }}" >> $GITHUB_OUTPUT | |
- name: Login to Docker registry | |
uses: docker/login-action@v3.0.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push release image | |
uses: docker/build-push-action@v5 | |
with: | |
target: release | |
context: . | |
cache-from: | | |
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }} | |
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:base-master | |
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }} | |
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:release-build-master | |
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:${{ env.BRANCH_TAG }} | |
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:master | |
tags: | | |
${{ env.DOCKER_REPOSITORY }}:${{ env.BRANCH_TAG }} | |
${{ env.DOCKER_REPOSITORY }}:sha-${{ steps.sha.outputs.short }} | |
push: true | |
build-args: | | |
BUILDKIT_INLINE_CACHE=1 | |
SHA=${{ steps.sha.outputs.short }} | |
- name: Push release-build image | |
uses: docker/build-push-action@v5 | |
with: | |
target: release-build | |
context: . | |
cache-from: | | |
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }} | |
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:release-build-master | |
type=registry,ref=${{ env.DOCKER_REPOSITORY }}:base-${{ env.BRANCH_TAG }} | |
type=registry,ref=${{ env.DOCKER_REPOSITORY}}:base-master | |
tags: | | |
${{ env.DOCKER_REPOSITORY }}:release-build-${{ env.BRANCH_TAG }} | |
${{ env.DOCKER_REPOSITORY }}:release-build-sha-${{ steps.sha.outputs.short }} | |
push: true | |
build-args: | | |
BUILDKIT_INLINE_CACHE=1 | |
SHA=${{ steps.sha.outputs.short }} | |
- uses: Azure/login@v1 | |
if: failure() && github.ref == 'refs/heads/master' | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} | |
- name: Fetch secrets from key vault | |
if: failure() && github.ref == 'refs/heads/master' | |
uses: azure/CLI@v1 | |
id: keyvault-yaml-secret | |
with: | |
inlineScript: | | |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) | |
echo "::add-mask::$SLACK_WEBHOOK" | |
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT | |
- name: Slack Notification | |
if: failure() && github.ref == 'refs/heads/master' | |
uses: rtCamp/action-slack-notify@master | |
env: | |
SLACK_COLOR: ${{env.SLACK_ERROR}} | |
SLACK_MESSAGE: 'There has been a failure building the application' | |
SLACK_TITLE: 'Failure Building Application' | |
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }} | |
linting: | |
name: Linting | |
runs-on: ubuntu-latest | |
needs: [ build_base ] | |
if: github.ref != 'refs/heads/master' | |
env: | |
DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
# - name: Lint SCSS | |
# uses: actions-hub/stylelint@master | |
# env: | |
# PATTERN: "**/*.scss" | |
- name: Lint Ruby | |
run: |- | |
docker run -t --rm -v ${PWD}/out:/app/out -e RAILS_ENV=test ${{env.DOCKER_IMAGE_TEST}} \ | |
rubocop --format json --out=/app/out/rubocop-result.json | |
- name: Keep Rubocop output | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.rubocop-artifact-name }} | |
path: ${{ github.workspace }}/out/rubocop-result.json | |
- name: Lint ERB Templates | |
run: |- | |
docker run -t --rm ${{env.DOCKER_IMAGE_TEST}} bundle exec erblint --lint-all | |
- name: Lint Markdown | |
run: |- | |
docker run -t --rm -v ${PWD}/out:/app/out ${{env.DOCKER_IMAGE_TEST}} sh -c "bundle exec mdl app/views/**/*.md | tee /app/out/mdl-result.txt" | |
- name: ESLint - JavaScript linting | |
run: |- | |
docker run -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true \ | |
${{env.DOCKER_IMAGE_TEST}} sh -c "yarn && yarn js-lint" | |
javascript_tests: | |
name: Javascript Tests | |
runs-on: ubuntu-latest | |
needs: [ build_base ] | |
env: | |
DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
- name: Run Javascript Tests | |
run: |- | |
docker run -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true \ | |
${{env.DOCKER_IMAGE_TEST}} sh -c "yarn && yarn spec" | |
feature_tests: | |
name: Unit Tests | |
runs-on: ubuntu-latest | |
needs: [ build_base ] | |
services: | |
postgres: | |
image: postgres:13.10 | |
env: | |
POSTGRES_USER: postgres | |
POSTGRES_PASSWORD: postgres | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
- 5432:5432 | |
env: | |
DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}} | |
strategy: | |
fail-fast: false | |
matrix: | |
ci_node_total: [6] | |
ci_node_index: [0, 1, 2, 3, 4, 5] | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
- uses: Azure/login@v1 | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} | |
- name: Fetch secrets from key vault | |
uses: azure/CLI@v1 | |
id: keyvault-yaml-secret | |
with: | |
inlineScript: | | |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) | |
echo "::add-mask::$SLACK_WEBHOOK" | |
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT | |
- name: Prepare DB | |
run: |- | |
docker run --net=host -t --rm -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \ | |
bundle exec rails db:prepare | |
- name: Run Specs | |
run: |- | |
docker run --net=host -t --rm -v ${PWD}/out:/app/out -v ${PWD}/coverage/coverage-${{ matrix.ci_node_index }}:/app/coverage \ | |
-e CI_NODE_TOTAL -e CI_NODE_INDEX -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \ | |
bundle exec rake 'knapsack:rspec[--format RspecSonarqubeFormatter --out /app/out/test-report-${{ matrix.ci_node_index }}.xml --format progress]' spec | |
env: | |
CI_NODE_TOTAL: ${{ matrix.ci_node_total }} | |
CI_NODE_INDEX: ${{ matrix.ci_node_index }} | |
- name: Keep Code Coverage Report | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.code-coverage-artifact-name }}_${{ matrix.ci_node_index }} | |
path: ${{ github.workspace }}/coverage | |
- name: Keep Unit Tests Results | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.unit-tests-artifact-name }}_${{ matrix.ci_node_index }} | |
path: ${{ github.workspace }}/out/* | |
sonarscanner: | |
name: Sonar Scanner | |
runs-on: ubuntu-latest | |
needs: [ build_base, feature_tests ] | |
if: github.ref != 'refs/heads/master' | |
env: | |
DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
- uses: Azure/login@v1 | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} | |
- name: Fetch secrets from key vault | |
uses: azure/CLI@v1 | |
id: keyvault-yaml-secret | |
with: | |
inlineScript: | | |
SONAR_TOKEN=$(az keyvault secret show --name "SONAR-TOKEN" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) | |
echo "::add-mask::$SONAR_TOKEN" | |
echo "SONAR_TOKEN=$SONAR_TOKEN" >> $GITHUB_OUTPUT | |
- name: Setup sonarqube | |
uses: warchant/setup-sonar-scanner@v7 | |
- name: Download Artifacts | |
uses: actions/download-artifact@v4 | |
- name: Combine Coverage Reports | |
run: |- | |
# Copy files from separate artifacts into one directory | |
mkdir ${{github.workspace}}/code_coverage | |
cp -r ${{github.workspace}}/${{ env.code-coverage-artifact-name }}_*/ ${{github.workspace}}/code_coverage | |
docker run -t --rm -v ${{github.workspace}}/code_coverage:${COVERAGE_DIR} -e RAILS_ENV=test -e COVERAGE_DIR \ | |
${{env.DOCKER_IMAGE_TEST}} bundle exec rake coverage:collate | |
env: | |
COVERAGE_DIR: /app/coverage | |
- name: Fix report file paths | |
run: | | |
sudo sed -i "s?\"/app/?\"${PWD}/?" ${{github.workspace}}/code_coverage/coverage.json | |
- name: Run sonarqube | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: sonar-scanner | |
-Dsonar.login=${{ steps.keyvault-yaml-secret.outputs.SONAR_TOKEN }} | |
-Dsonar.organization=dfe-digital | |
-Dsonar.host.url=https://sonarcloud.io/ | |
-Dsonar.projectKey=DFE-Digital_get-into-teaching-app | |
-Dsonar.testExecutionReportPaths=${{github.workspace}}/${{env.unit-tests-artifact-name}}_0/test-report-0.xml,\ | |
${{github.workspace}}/${{env.unit-tests-artifact-name}}_1/test-report-1.xml,\ | |
${{github.workspace}}/${{env.unit-tests-artifact-name}}_2/test-report-2.xml,\ | |
${{github.workspace}}/${{env.unit-tests-artifact-name}}_3/test-report-3.xml,\ | |
${{github.workspace}}/${{env.unit-tests-artifact-name}}_4/test-report-4.xml,\ | |
${{github.workspace}}/${{env.unit-tests-artifact-name}}_5/test-report-5.xml | |
-Dsonar.ruby.coverage.reportPaths=${{github.workspace}}/code_coverage/coverage.json | |
-Dsonar.ruby.rubocop.reportPaths=${{github.workspace}}/${{env.rubocop-artifact-name}}/rubocop-result.json | |
review_aks: | |
name: Review AKS Deployment Process | |
needs: [ build_release ] | |
if: github.ref != 'refs/heads/master' | |
runs-on: ubuntu-latest | |
continue-on-error: true | |
concurrency: Review_aks_${{github.event.number}} | |
environment: | |
name: review_aks | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
- name: Setup Environment Variables | |
if: github.actor == 'dependabot[bot]' | |
id: variables | |
shell: bash | |
run: | | |
secret_suffix="_AKS_REVIEW" | |
echo "SECRET_SUFFIX=$secret_suffix" >> $GITHUB_ENV | |
- uses: Azure/login@v1 | |
with: | |
creds: ${{ secrets[format('AZURE_CREDENTIALS{0}', env.SECRET_SUFFIX)] }} | |
- name: Fetch secrets from key vault | |
uses: azure/CLI@v1 | |
id: keyvault-yaml-secret | |
with: | |
inlineScript: | | |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets[format('KEY_VAULT{0}', env.SECRET_SUFFIX)] }}" --query "value" -o tsv) | |
echo "::add-mask::$SLACK_WEBHOOK" | |
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT | |
- name: Deploy to Review AKS | |
uses: ./.github/workflows/actions/deploy_v2 | |
id: deploy_v2 | |
with: | |
environment: review_aks | |
sha: ${{ github.sha }} | |
pr: ${{github.event.number}} | |
AZURE_CREDENTIALS: ${{ secrets[format('AZURE_CREDENTIALS{0}', env.SECRET_SUFFIX)] }} | |
KEY_VAULT: ${{ secrets[format('KEY_VAULT{0}', env.SECRET_SUFFIX)] }} | |
ARM_ACCESS_KEY: ${{ secrets[format('ARM_ACCESS_KEY{0}', env.SECRET_SUFFIX)] }} | |
- name: Post sticky pull request comment | |
uses: marocchino/sticky-pull-request-comment@v2 | |
with: | |
recreate: true | |
header: AKS | |
message: AKS Review app deployed to https://${{env.REVIEW_APPLICATION}}-${{github.event.number}}.test.${{env.DOMAIN}} | |
- name: Add Review_v2 Label | |
if: contains(github.event.pull_request.user.login, 'dependabot') == false | |
uses: actions-ecosystem/action-add-labels@v1 | |
with: | |
labels: Review_v2 | |
development_aks: | |
name: Development AKS Deployment | |
needs: [ feature_tests, javascript_tests, build_release ] | |
if: github.ref == 'refs/heads/master' | |
concurrency: Development_aks | |
runs-on: ubuntu-latest | |
environment: | |
name: development_aks | |
outputs: | |
release_tag: ${{steps.tag_version.outputs.pr_number}} | |
release_sha: ${{github.sha }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
- uses: Azure/login@v1 | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS }} | |
- name: Fetch secrets from key vault | |
uses: azure/CLI@v1 | |
id: keyvault-yaml-secret | |
with: | |
inlineScript: | | |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv) | |
echo "::add-mask::$SLACK_WEBHOOK" | |
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT | |
- name: Deploy to Development AKS | |
uses: ./.github/workflows/actions/deploy_v2 | |
id: deploy_v2 | |
with: | |
environment: development_aks | |
sha: ${{ github.sha }} | |
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} | |
KEY_VAULT: ${{ secrets.KEY_VAULT }} | |
ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} | |
- name: Generate Tag from PR Number | |
id: tag_version | |
uses: DFE-Digital/github-actions/GenerateReleaseFromSHA@master | |
with: | |
sha: ${{github.sha}} | |
- name: Create a GitHub Release | |
id: release | |
if: steps.tag_version.outputs.pr_found == 1 | |
uses: actions/create-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: ${{ steps.tag_version.outputs.pr_number }} | |
body: ${{ steps.tag_version.outputs.pr_number }} | |
release_name: Release ${{ steps.tag_version.outputs.pr_number }} | |
commitish: ${{ github.sha}} | |
prerelease: false | |
- name: Copy PR Info to Release | |
if: steps.release.outputs.id | |
uses: DFE-Digital/github-actions/CopyPRtoRelease@master | |
with: | |
PR_NUMBER: ${{ steps.tag_version.outputs.pr_number }} | |
RELEASE_ID: ${{ steps.release.outputs.id }} | |
TOKEN: ${{secrets.GITHUB_TOKEN}} | |
owasp_aks: | |
name: OWASP AKS Checks | |
needs: [ development_aks ] | |
runs-on: ubuntu-latest | |
environment: | |
name: development_aks | |
continue-on-error: true | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Vunerability Test | |
uses: ./.github/workflows/actions/owasp_v2 | |
id: deploy | |
with: | |
environment: development_aks | |
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} | |
KEY_VAULT: ${{ secrets.KEY_VAULT }} | |
ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
test_aks: | |
name: Test AKS Deployment | |
needs: [ feature_tests, javascript_tests, build_release ] | |
if: github.ref == 'refs/heads/master' | |
concurrency: test_aks | |
runs-on: ubuntu-latest | |
environment: | |
name: test_aks | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
- uses: Azure/login@v1 | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS }} | |
- name: Fetch secrets from key vault | |
uses: azure/CLI@v1 | |
id: keyvault-yaml-secret | |
with: | |
inlineScript: | | |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv) | |
echo "::add-mask::$SLACK_WEBHOOK" | |
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT | |
- name: Deploy to Test AKS | |
uses: ./.github/workflows/actions/deploy_v2 | |
id: deploy_v2 | |
with: | |
environment: test_aks | |
sha: ${{ github.sha }} | |
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} | |
KEY_VAULT: ${{ secrets.KEY_VAULT }} | |
ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} | |
- name: Slack Notification | |
if: failure() | |
uses: rtCamp/action-slack-notify@master | |
env: | |
SLACK_COLOR: ${{env.SLACK_ERROR}} | |
SLACK_TITLE: Failure in Post-Development Deploy | |
SLACK_MESSAGE: Failure with initialising AKS Test deployment for ${{env.APPLICATION}} | |
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} | |
integration_aks: | |
name: Run Integration Tests on AKS test | |
runs-on: ubuntu-latest | |
needs: [ build_base, test_aks ] | |
environment: | |
name: test_aks | |
services: | |
postgres: | |
image: postgres:13.10 | |
env: | |
POSTGRES_USER: postgres | |
POSTGRES_PASSWORD: postgres | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
- 5432:5432 | |
env: | |
DOCKER_IMAGE_TEST: ${{needs.build_base.outputs.DOCKER_IMAGE_TEST}} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
- uses: Azure/login@v1 | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS }} | |
- name: Fetch secrets from key vault | |
uses: azure/CLI@v1 | |
id: keyvault-yaml-secret | |
with: | |
inlineScript: | | |
HTTP_USERNAME=$(az keyvault secret show --name "HTTP-USERNAME" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv) | |
echo "::add-mask::$HTTP_USERNAME" | |
echo "HTTP_USERNAME=$HTTP_USERNAME" >> $GITHUB_OUTPUT | |
HTTP_PASSWORD=$(az keyvault secret show --name "HTTP-PASSWORD" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv) | |
echo "::add-mask::$HTTP_PASSWORD" | |
echo "HTTP_PASSWORD=$HTTP_PASSWORD" >> $GITHUB_OUTPUT | |
MAILSAC_API_KEY=$(az keyvault secret show --name "MAILSAC-API-KEY" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv) | |
echo "::add-mask::$MAILSAC_API_KEY" | |
echo "MAILSAC_API_KEY=$MAILSAC_API_KEY" >> $GITHUB_OUTPUT | |
- name: Prepare DB | |
run: |- | |
docker run --net=host -t --rm -e RAILS_ENV=test -e DATABASE_URL="postgresql://postgres:postgres@localhost" ${{ env.DOCKER_IMAGE_TEST }} \ | |
bundle exec rails db:prepare | |
- name: Run Integration Tests | |
run: |- | |
docker run --net=host -t --rm -e RAILS_ENV=test -e NODE_ENV=test -e CI=true -e HTTP_USERNAME -e HTTP_PASSWORD -e MAILSAC_API_KEY -e DATABASE_URL="postgresql://postgres:postgres@localhost" \ | |
${{env.DOCKER_IMAGE_TEST}} bundle exec rspec --tag integration | |
env: | |
HTTP_USERNAME: ${{ steps.keyvault-yaml-secret.outputs.HTTP_USERNAME }} | |
HTTP_PASSWORD: ${{ steps.keyvault-yaml-secret.outputs.HTTP_PASSWORD }} | |
MAILSAC_API_KEY: ${{ steps.keyvault-yaml-secret.outputs.MAILSAC_API_KEY }} | |
production_aks: | |
name: Production AKS Deployment | |
runs-on: ubuntu-latest | |
needs: [ integration_aks, development_aks ] | |
concurrency: production_aks | |
environment: | |
name: production_aks | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: set-up-environment | |
uses: DFE-Digital/github-actions/set-up-environment@master | |
with: | |
var_file: .github/common_environment_aks.yml | |
- uses: Azure/login@v1 | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS }} | |
- name: Fetch secrets from key vault | |
uses: azure/CLI@v1 | |
id: keyvault-yaml-secret | |
with: | |
inlineScript: | | |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv) | |
echo "::add-mask::$SLACK_WEBHOOK" | |
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT | |
SLACK_RELEASE_NOTE_WEBHOOK=$(az keyvault secret show --name "SLACK-RELEASE-NOTE-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv) | |
echo "::add-mask::$SLACK_RELEASE_NOTE_WEBHOOK" | |
echo "SLACK_RELEASE_NOTE_WEBHOOK=$SLACK_RELEASE_NOTE_WEBHOOK" >> $GITHUB_OUTPUT | |
- name: Get Release Id from Tag | |
id: tag_id | |
uses: DFE-Digital/github-actions/DraftReleaseByTag@master | |
with: | |
TAG: ${{needs.development_aks.outputs.release_tag}} | |
TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish Release | |
if: steps.tag_id.outputs.release_id | |
uses: eregon/publish-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{steps.tag_id.outputs.release_id}} | |
- name: Deploy to Production AKS | |
uses: ./.github/workflows/actions/deploy_v2 | |
id: deploy_v2 | |
with: | |
environment: production_aks | |
sha: ${{ github.sha }} | |
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} | |
KEY_VAULT: ${{ secrets.KEY_VAULT }} | |
ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} | |
- name: Slack Release Notification | |
if: steps.tag_id.outputs.release_id | |
uses: rtCamp/action-slack-notify@master | |
env: | |
SLACK_COLOR: ${{env.SLACK_SUCCESS}} | |
SLACK_TITLE: "Release Published: ${{steps.tag_id.outputs.release_name}}" | |
SLACK_MESSAGE: ${{ fromJson( steps.tag_id.outputs.release_body) }} | |
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_RELEASE_NOTE_WEBHOOK }} | |
MSG_MINIMAL: true | |
- name: Slack Notification | |
if: failure() | |
uses: rtCamp/action-slack-notify@master | |
env: | |
SLACK_COLOR: ${{env.SLACK_FAILURE}} | |
SLACK_TITLE: Production Release ${{github.event.title}} | |
SLACK_MESSAGE: Failure deploying Production AKS release | |
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }} |