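name: Test, Lint, Build & Push to ECR & Update Manifests
# IMPORTANT: REFACTOR BACK TO SEPARATE JOBS AFTER K8s is merged to master and uncomment the deploy.yml
on:
  pull_request:
    branches:
      - k8s
  push:
    branches:
      - k8s
  workflow_call:
  workflow_dispatch:
  # NOTE(review): `types: [completed]` fires for every conclusion (success, failure,
  # cancelled), and no job below checks `github.event.workflow_run.conclusion`, so a
  # failed "Code Checks" run still starts this workflow — confirm that is intended.
  workflow_run:
    workflows: ["Code Checks"]
    types: [completed]

# Least-privilege token for the run: `checks: write` is what the test-result and
# coverage publishing steps in publish_results need.
permissions:
  contents: read
  checks: write

jobs:
  linting_and_security:
    name: Linting and Security
    env:
      # Private gem-source credential consumed by bundler during setup-ruby's install.
      BUNDLE_ENTERPRISE__CONTRIBSYS__COM: ${{ secrets.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
    runs-on: ubuntu-16-cores-latest
    steps:
      - uses: actions/checkout@v4
      # Lock back to an @v1-version once https://github.com/ruby/setup-ruby/pull/491 is merged
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      # NOTE(review): the `--ignore` suppresses one advisory with no recorded reason or
      # expiry; record why it is accepted and re-check it on the next audit.
      - name: Run bundle-audit (checks gems for CVE issues)
        run: bundle exec bundle-audit check --update --ignore CVE-2024-27456
      - name: Run Rubocop
        run: bundle exec rubocop --parallel --format github
      - name: Run Brakeman
        run: bundle exec brakeman --ensure-latest --confidence-level=2 --format github

  tests:
    name: Test
    env:
      BUNDLE_ENTERPRISE__CONTRIBSYS__COM: ${{ secrets.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
      # Quoted so generic YAML tooling does not retype these; the runner passes
      # them to the shell as strings either way.
      CI: "true"
      RAILS_ENV: test
      TERM: xterm-256color
      DOCKER_BUILDKIT: "1"
      COMPOSE_DOCKER_CLI_BUILD: "1"
    runs-on: ubuntu-16-cores-latest
    steps:
      - uses: actions/checkout@v4
      # Docker Hub login — presumably to avoid anonymous pull limits; confirm the
      # secrets exist for every trigger this job runs under (fork PRs get none).
      - uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Setup Environment
        run: |
          echo "USER_ID=$(id -u)" >> "$GITHUB_ENV"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # NOTE(review): BUNDLE_ENTERPRISE__CONTRIBSYS__COM is handed to the build as a
      # build-arg. ARG values are recorded in the image config history and travel with
      # the layer cache (cache-to type=gha below). Prefer the action's `secrets:` input
      # with a `--mount=type=secret` in the Dockerfile so the credential never lands in
      # image metadata. The same applies to the build_and_push job, whose image is pushed.
      - name: Build Docker Image
        uses: docker/build-push-action@v4
        with:
          build-args: |
            BUNDLE_ENTERPRISE__CONTRIBSYS__COM=${{ env.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
            USER_ID=${{ env.USER_ID }}
          context: .
          push: false
          load: true
          tags: vets-api
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Setup Database
        run: |
          docker-compose run web bash \
            -c "CI=true RAILS_ENV=test DISABLE_BOOTSNAP=true bundle exec parallel_test -n 13 -e 'bin/rails db:reset'"
      - name: Run Specs
        run: |
          docker-compose run web bash \
            -c "CI=true RAILS_ENV=test DISABLE_BOOTSNAP=true bundle exec parallel_rspec spec/ modules/ -n 8 -o '--color --tty'"
      - name: Upload Coverage Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: Coverage Report
          path: coverage
      - name: Upload Test Results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: Test Results
          path: log/*.xml
          if-no-files-found: ignore

  publish_results:
    name: Publish Results
    if: always()
    needs: [tests]
    runs-on: ubuntu-16-cores-latest
    steps:
      # No `name:` is given, so every artifact of the run is downloaded, each into a
      # directory named after the artifact ("Test Results", "Coverage Report"); the
      # paths below rely on that layout.
      - uses: actions/download-artifact@v4
      - name: Publish Test Results
        uses: EnricoMi/publish-unit-test-result-action@v2
        if: always()
        with:
          check_name: Test Results
          comment_mode: "off"  # quoted: a bare `off` is a YAML 1.1 boolean
          files: Test Results/*.xml
          github_token: ${{ secrets.GITHUB_TOKEN }}
          check_run_annotations_branch: master, k8s
      - name: Fix up coverage report to work with coverage-check-action
        run: sed -i 's/"line"/"covered_percent"/g' 'Coverage Report/.last_run.json'
      # NOTE(review): the action ref below was garbled by page rendering
      # ("[email protected]"). Restore the real ref from the repository, and prefer a
      # full commit SHA pin as the aws/ssm actions in notify_on_failure already do.
      - name: Publish Coverage Report
        uses: devmasx/[email protected]
        if: hashFiles('Coverage Report/.last_run.json') != ''
        with:
          type: simplecov
          result_path: Coverage Report/.last_run.json
          min_coverage: 90
          token: ${{ secrets.GITHUB_TOKEN }}

  build_and_push:
    if: github.ref == 'refs/heads/k8s'
    needs: [tests, linting_and_security]
    name: Build and Push
    env:
      BUNDLE_ENTERPRISE__CONTRIBSYS__COM: ${{ secrets.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v4
      - name: Setup Environment
        run: echo "VETS_API_USER_ID=$(id -u)" >> "$GITHUB_ENV"
      # NOTE(review): long-lived IAM access keys are used here, in deploy and in
      # notify_on_failure. Where the account supports it, OIDC (`role-to-assume` plus
      # `id-token: write`) removes the static credential from the secret store.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1
      - name: Login to ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Build Docker Image
        uses: docker/build-push-action@v5
        with:
          build-args: |
            BUNDLE_ENTERPRISE__CONTRIBSYS__COM=${{ env.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
            USER_ID=${{ env.VETS_API_USER_ID }}
            RAILS_ENV=production
          context: .
          push: true
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ secrets.ECR_REPOSITORY }}:${{ github.sha }}
          # `with:` values are not shell-expanded, so the previous
          # `$ECR_REGISTRY/$ECR_REPOSITORY` reached buildx literally and the registry
          # cache could never be found; use the same expressions as `tags`. The ref has
          # no tag, so buildx looks for `:latest` — confirm that tag is published, as
          # this step only pushes `:${{ github.sha }}`.
          cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ secrets.ECR_REPOSITORY }}
          cache-to: type=inline

  deploy: # REMOVE THIS AFTER K8s is merged to master and uncomment the deploy.yml
    if: github.ref == 'refs/heads/k8s'
    needs: [tests, linting_and_security, build_and_push]
    # change to master after testing is successful
    uses: department-of-veterans-affairs/vets-api/.github/workflows/deploy-template.yml@k8s
    with:
      ecr_repository: "vets-api"
      manifests_directory: "vets-api"
      auto_deploy_envs: "dev staging prod sandbox"
    secrets:
      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

  notify_on_failure:
    runs-on: ubuntu-latest
    if: failure() && github.ref == 'refs/heads/k8s'
    needs: [tests, linting_and_security, build_and_push, deploy]
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: "us-gov-west-1"
      # Pulls the bot token out of SSM into the job env; the checkout below reads it
      # from `env`, not from the repository secret store.
      - uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /devops/VA_VSP_BOT_GITHUB_TOKEN
          env_variable_name: VA_VSP_BOT_GITHUB_TOKEN
      # NOTE(review): the action code checked out here is fetched from a moving
      # branch and then executed by the "slack notify" step; pin `ref` to a commit
      # if the repository's policy calls for it.
      - name: Checkout VSP actions
        # v4 matches the other checkouts in this file; v2 targets a retired Node runtime.
        uses: actions/checkout@v4
        with:
          repository: department-of-veterans-affairs/vsp-github-actions
          ref: refs/heads/main
          token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
          persist-credentials: false  # keep the bot token out of the checked-out tree's git config
          path: ./.github/actions/vsp-github-actions
      - uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /devops/github_actions_slack_socket_token
          env_variable_name: SLACK_APP_TOKEN
      - uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
        with:
          ssm_parameter: /devops/github_actions_slack_bot_user_token
          env_variable_name: SLACK_BOT_TOKEN
      - name: slack notify
        uses: ./.github/actions/vsp-github-actions/slack-socket
        with:
          slack_app_token: ${{ env.SLACK_APP_TOKEN }}
          slack_bot_token: ${{ env.SLACK_BOT_TOKEN }}
          # This job defines no `strategy.matrix`, so the former `matrix.build_location`
          # expanded to an empty string and the text described a packer build that does
          # not exist here; report the workflow and branch instead.
          message: "Workflow ${{ github.workflow }} failed on ${{ github.ref_name }}."
          blocks: "[{\"type\": \"divider\"}, {\"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \":blob-disappointed: GitHub Action Runner Workflow ${{ github.workflow }} failed! :blob-disappointed:\n <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Workflow: ${{ github.workflow }} Run #${{ github.run_number }}>\"}}, {\"type\": \"divider\"}]"
          channel_id: "C039HRTHXDH"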