diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index 9c17a45e..357ac851 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -16,96 +16,32 @@ permissions: packages: write pull-requests: write +env: + TF_VERSION_PATH: terraform/aks/terraform.tf + jobs: build: name: Build env: DOCKER_IMAGE: ghcr.io/dfe-digital/international-teacher-relocation-payment outputs: - docker_image: ${{ env.DOCKER_IMAGE }} - image_tag: ${{ env.IMAGE_TAG }} + docker-image-tag: ${{ steps.build-image.outputs.tag }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 name: Checkout - - name: Set environment variables (push) - if: github.event_name == 'push' - run: | - GIT_BRANCH=${GITHUB_REF##*/} - echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV # GIT_BRANCH will be main for refs/heads/main - echo "IMAGE_TAG=${{ github.sha }}" >> $GITHUB_ENV - - - name: Set environment variables (pull_request) - if: github.event_name == 'pull_request' - run: | - GIT_BRANCH=${GITHUB_HEAD_REF##*/} - echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV - echo "IMAGE_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV - - - name: Set KV environment variables - if: github.actor != 'dependabot[bot]' - run: | - # tag build to the review env for vars and secrets - tf_vars_file=terraform/aks/config/review.tfvars.json - echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV - echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - uses: azure/login@v2 - if: github.actor != 'dependabot[bot]' - with: - creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }} - - - uses: DFE-Digital/keyvault-yaml-secret@v1 - if: github.actor != 'dependabot[bot]' - id: get-secret - with: - keyvault: ${{ env.KEY_VAULT_NAME }} - secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }} - key: SNYK_TOKEN - - - name: Build Docker Image - uses: docker/build-push-action@v6 + - name: Build and push docker image + id: build-image + uses: DFE-Digital/github-actions/build-docker-image@master with: - tags: | - ${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}} - ${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}} - push: false - load: true - cache-to: type=inline - cache-from: | - type=registry,ref=${{env.DOCKER_IMAGE}}:main - type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}} - type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}} - build-args: | - COMMIT_SHA=${{ env.IMAGE_TAG }} - GOVUK_NOTIFY_API_KEY=${{ secrets.GOVUK_NOTIFY_API_KEY }} - GOVUK_NOTIFY_GENERIC_EMAIL_TEMPLATE_ID=${{ secrets.GOVUK_NOTIFY_GENERIC_EMAIL_TEMPLATE_ID }} - - - name: Push ${{ env.DOCKER_IMAGE }} images for review - if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }} - run: docker image push --all-tags ${{ env.DOCKER_IMAGE }} - - - name: Run Snyk to check Docker image for vulnerabilities - if: github.actor != 'dependabot[bot]' - uses: snyk/actions/docker@master - env: - SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }} - with: - image: ${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }} - args: --file=Dockerfile --severity-threshold=high --exclude-app-vulns - - - name: Push ${{ env.DOCKER_IMAGE }} images - if: ${{ success() && !contains(github.event.pull_request.labels.*.name, 'deploy') }} - run: docker image push --all-tags ${{ env.DOCKER_IMAGE }} + github-token: ${{ secrets.GITHUB_TOKEN }} + context: . + docker-repository: ${{ env.DOCKER_IMAGE }} + max-cache: true + reuse-cache: true +# snyk-token: ${{ secrets.SNYK_TOKEN }} deploy-review-app: name: Deployment To Review @@ -128,12 +64,19 @@ jobs: - name: Deploy App to Review id: deploy_review - uses: ./.github/actions/deploy/ + uses: DFE-Digital/github-actions/deploy-to-aks@2088-create-github-workflow-templates with: azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW }} environment: review pr-number: ${{ github.event.pull_request.number }} - sha: ${{ needs.build.outputs.IMAGE_TAG }} + review-prefix: teacher-relocation-payment-pr + review-namespace: tra-development + sha: ${{ needs.build.outputs.docker-image-tag }} + tf-version-path: ${{ env.TF_VERSION_PATH }} + # seed-cmd: + # slack-webhook: + # smoketest-cmd: + # tf-url-output: - name: Update review-${{ github.event.pull_request.number }} status if: always() @@ -147,46 +90,46 @@ jobs: deployment_id: ${{ steps.deployment.outputs.deployment_id }} env_url: ${{ steps.deploy_review.outputs.deploy-url }} - deploy-before-production: - name: Parallel deployment before production - environment: - name: ${{ matrix.environment }} - url: ${{ steps.deploy_app_before_production.outputs.deploy-url }} - if: ${{ success() && github.ref == 'refs/heads/main' }} - needs: [build] - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - environment: [qa,staging] - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Deploy app to ${{ matrix.environment }} - id: deploy_app_before_production - uses: ./.github/actions/deploy/ - with: - azure-credentials: ${{ secrets[format('AZURE_CREDENTIALS_{0}', matrix.environment)] }} - environment: ${{ matrix.environment }} - sha: ${{ github.sha }} - - deploy-production: - name: Production deployment - environment: - name: production - url: ${{ steps.deploy_production.outputs.deploy-url }} - if: ${{ success() && github.ref == 'refs/heads/main' }} - needs: [deploy-before-production] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Deploy app to production - id: deploy_production - uses: ./.github/actions/deploy/ - with: - azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PRODUCTION }} - environment: production - sha: ${{ github.sha }} + # deploy-before-production: + # name: Parallel deployment before production + # environment: + # name: ${{ matrix.environment }} + # url: ${{ steps.deploy_app_before_production.outputs.deploy-url }} + # if: ${{ success() && github.ref == 'refs/heads/main' }} + # needs: [build] + # runs-on: ubuntu-latest + # strategy: + # fail-fast: false + # matrix: + # environment: [qa,staging] + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + + # - name: Deploy app to ${{ matrix.environment }} + # id: deploy_app_before_production + # uses: ./.github/actions/deploy/ + # with: + # azure-credentials: ${{ secrets[format('AZURE_CREDENTIALS_{0}', matrix.environment)] }} + # environment: ${{ matrix.environment }} + # sha: ${{ github.sha }} + + # deploy-production: + # name: Production deployment + # environment: + # name: production + # url: ${{ steps.deploy_production.outputs.deploy-url }} + # if: ${{ success() && github.ref == 'refs/heads/main' }} + # needs: [deploy-before-production] + # runs-on: ubuntu-latest + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + + # - name: Deploy app to production + # id: deploy_production + # uses: ./.github/actions/deploy/ + # with: + # azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PRODUCTION }} + # environment: production + # sha: ${{ github.sha }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ff32b3c3..b6900b48 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -63,8 +63,8 @@ jobs: ruby-version: 3.2.3 bundler-cache: true # Add or replace any other lints here - - name: Security audit dependencies - run: bin/bundler-audit --update + # - name: Security audit dependencies + # run: bin/bundler-audit --update - name: Security audit application code run: bin/brakeman -q -w2 - name: Lint Ruby files diff --git a/Makefile b/Makefile index ed9bb0fa..3652b364 100644 --- a/Makefile +++ b/Makefile @@ -17,9 +17,10 @@ install-fetch-config: || true review: - $(if $(APP_NAME), , $(error Missing environment variable "APP_NAME", Please specify a pr number for your review app)) + $(if $(PR_NUMBER), , $(error Missing environment variable "PR_NUMBER", Please specify a pr number for your review app)) $(eval include global_config/review.sh) $(eval DEPLOY_ENV=review) + $(eval APP_NAME=pr-${PR_NUMBER}) $(eval export TF_VAR_app_name=$(APP_NAME)) echo https://teacher-relocation-payment-$(APP_NAME).test.teacherservices.cloud will be created in aks