-
Notifications
You must be signed in to change notification settings - Fork 10
296 lines (290 loc) · 14.3 KB
/
bf-review.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
name: (BF) Build & Review & Acceptance tests
on:
pull_request:
paths:
- "backend/benefit/**"
- "frontend/benefit/**"
- "frontend/shared/**"
- "frontend/*"
- ".github/workflows/bf-review.yml"
- '!frontend/**/__tests__'
- '!**/README.md'
workflow_dispatch:
inputs:
build_required:
description: "Build images (true/false)"
required: true
default: "false"
pr_number:
description: "Pull request number (if redeploy without build) or own number for environment"
required: true
env:
CONTAINER_REGISTRY: ghcr.io
CONTAINER_REGISTRY_USER: ${{ secrets.GHCR_CONTAINER_REGISTRY_USER }}
CONTAINER_REGISTRY_PASSWORD: ${{ secrets.GHCR_TOKEN }}
CONTAINER_REGISTRY_REPO: ghcr.io/city-of-helsinki/${{ github.event.repository.name }}
REPO_NAME: ${{ github.event.repository.name }}
KUBECONFIG_RAW: ${{ secrets.KUBECONFIG_RAW }}
BUILD_ARTIFACT_FOLDER: "build_artifacts"
SERVICE_ARTIFACT_FOLDER: "service_artifacts"
BASE_DOMAIN: ${{ secrets.BASE_DOMAIN_STAGING }}
DATABASE_USER: user
DATABASE_PASSWORD: testing-password
K8S_REQUEST_CPU: 5m
K8S_REQUEST_RAM: 256Mi
K8S_LIMIT_CPU: 500m
K8S_LIMIT_RAM: 428Mi
K8S_PROBE_FAILURE_THRESHOLD: 30
K8S_PROBE_PERIOD: 20
HELM_BUFFER_TIME: 300
APPLICANT_URL: https://helsinkibenefit-bf-appl-${{ github.event.pull_request.number }}.${{ secrets.BASE_DOMAIN_STAGING }}
HANDLER_URL: https://helsinkibenefit-bf-hndl-${{ github.event.pull_request.number }}.${{ secrets.BASE_DOMAIN_STAGING }}
NEXT_PUBLIC_BACKEND_URL: https://helsinkibenefit-bf-bknd-${{ github.event.pull_request.number }}.${{ secrets.BASE_DOMAIN_STAGING }}
NEXT_PUBLIC_MOCK_FLAG: 1
CORS_ALLOW_ALL_ORIGINS: 1
jobs:
build:
# No building for dependabot PRs
# See https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#handling-pull_request-events
if: ${{ github.actor != 'dependabot[bot]' }}
strategy:
fail-fast: false
matrix:
service: ["bf-bknd", "bf-appl", "bf-hdlr"]
include:
- service: bf-bknd
context: ./backend
dockerfile: ./backend/docker/benefit.Dockerfile
port: 8000
- service: bf-appl
context: ./frontend
dockerfile: ./frontend/Dockerfile
project: benefit
folder: applicant
port: 3000
- service: bf-hdlr
context: ./frontend
dockerfile: ./frontend/Dockerfile
project: benefit
folder: handler
port: 3100
concurrency:
group: ${{ github.event.pull_request.number }}-${{ matrix.service }}
cancel-in-progress: false
runs-on: ubuntu-latest
name: Build
steps:
- uses: actions/checkout@v3
- name: Build ${{ matrix.service }}
if: github.event_name == 'pull_request' || github.event.inputs.build_required == 'true'
# uses: andersinno/kolga-build-action@v2 temporary disabled due to build problem
# https://helsinkisolutionoffice.atlassian.net/browse/DEVOPS-424
uses: docker://ghcr.io/andersinno/kolga:2c6028bb7f478301d53928b0a72d5e87f58c0ac8-production
with:
entrypoint: /app/devops
args: create_images
env:
# Don't need to lint / typecheck for e2e, they're done in another workflow
DOCKER_BUILD_ARG_NEXTJS_IGNORE_ESLINT: true
# TODO we need separate typecheck to bf-*-frontend-test.yml workflow
DOCKER_BUILD_ARG_NEXTJS_IGNORE_TYPECHECK: false
DOCKER_BUILD_ARG_NEXT_DISABLE_SOURCEMAPS: true
DOCKER_BUILD_ARG_NEXT_TELEMETRY_DISABLED: true
DOCKER_BUILD_ARG_NEXTJS_SENTRY_UPLOAD_DRY_RUN: true
DOCKER_BUILD_ARG_NEXT_PUBLIC_BACKEND_URL: ${{ env.NEXT_PUBLIC_BACKEND_URL }}
DOCKER_BUILD_ARG_NEXT_PUBLIC_MOCK_FLAG: ${{ env.NEXT_PUBLIC_MOCK_FLAG }}
DOCKER_BUILD_ARG_NEXTJS_DISABLE_SENTRY: true
DOCKER_BUILD_ARG_NEXT_PUBLIC_SENTRY_DSN: ${{ secrets.NEXT_PUBLIC_SENTRY_DSN }}
DOCKER_BUILD_ARG_NEXT_PUBLIC_SENTRY_ENVIRONMENT: ${{ secrets.NEXT_PUBLIC_SENTRY_ENVIRONMENT }}
DOCKER_BUILD_ARG_NEXT_PUBLIC_SENTRY_TRACE_SAMPLE_RATE: 1.0
DOCKER_BUILD_ARG_PROJECT: ${{ matrix.project }}
DOCKER_BUILD_ARG_FOLDER: ${{ matrix.folder }}
DOCKER_BUILD_ARG_PORT: ${{ matrix.port }}
DOCKER_BUILD_SOURCE: ${{ matrix.dockerfile }}
DOCKER_BUILD_CONTEXT: ${{ matrix.context }}
DOCKER_IMAGE_NAME: ${{ matrix.service }}
SERVICE_PORT: ${{ matrix.port }}
BUILDKIT_CACHE_DISABLE: true
review:
strategy:
fail-fast: false
matrix:
service: ["bf-bknd", "bf-appl", "bf-hdlr"]
include:
- service: bf-bknd
context: ./backend
dockerfile: ./backend/docker/benefit.Dockerfile
database: true
port: 8000
- service: bf-appl
context: ./frontend
dockerfile: ./frontend/Dockerfile
database: false
project: benefit
folder: applicant
port: 3000
- service: bf-hdlr
context: ./frontend
dockerfile: ./frontend/Dockerfile
database: false
project: benefit
folder: handler
port: 3100
concurrency:
group: ${{ github.event.pull_request.number }}-${{ matrix.service }}
cancel-in-progress: false
runs-on: ubuntu-latest
needs: build
name: Review
steps:
- uses: actions/checkout@v3
- uses: andersinno/kolga-setup-action@v2
with:
pr_number: ${{ github.event.inputs.pr_number }}
- name: Backend variables
if: matrix.database
env:
SECRET_KEY: ${{ secrets.K8S_SECRET_SECRET_KEY_REVIEW }}
K8S_SECRET_ENCRYPTION_KEY: ${{ secrets.K8S_SECRET_ENCRYPTION_KEY_REVIEW }}
K8S_SECRET_SOCIAL_SECURITY_NUMBER_HASH_KEY: ${{ secrets.K8S_SECRET_SOCIAL_SECURITY_NUMBER_HASH_KEY_REVIEW }}
K8S_SECRET_PREVIOUS_BENEFITS_SOCIAL_SECURITY_NUMBER_HASH_KEY: ${{ secrets.K8S_SECRET_SOCIAL_SECURITY_NUMBER_HASH_KEY_REVIEW }}
run: |
echo "K8S_SECRET_LOGOUT_REDIRECT_URL=${{ env.APPLICANT_URL }}/login?logout=true" >> $GITHUB_ENV
echo "K8S_SECRET_ALLOWED_HOSTS=*" >> $GITHUB_ENV
echo "K8S_SECRET_CREATE_SUPERUSER=${{ secrets.K8S_SECRET_CREATE_SUPERUSER_REVIEW }}" >> $GITHUB_ENV
echo "K8S_SECRET_ADMIN_USER_PASSWORD=${{ secrets.K8S_SECRET_ADMIN_USER_PASSWORD_REVIEW }}" >> $GITHUB_ENV
echo "K8S_SECRET_SECRET_KEY=$SECRET_KEY" >> $GITHUB_ENV
echo "K8S_SECRET_CSRF_COOKIE_DOMAIN=.test.kuva.hel.ninja" >> $GITHUB_ENV
echo "K8S_SECRET_CORS_ALLOWED_ORIGINS=${{ env.APPLICANT_URL }},${{ env.HANDLER_URL }}" >> $GITHUB_ENV
echo "K8S_SECRET_CSRF_TRUSTED_ORIGINS=.test.kuva.hel.ninja" >> $GITHUB_ENV
echo "K8S_SECRET_LOGIN_REDIRECT_URL=${{ env.APPLICANT_URL }}" >> $GITHUB_ENV
echo "K8S_SECRET_LOGIN_REDIRECT_URL_FAILURE=${{ env.APPLICANT_URL }}/login?error=true" >> $GITHUB_ENV
echo "K8S_SECRET_APPLICANT_URL=${{ env.APPLICANT_URL }}" >> $GITHUB_ENV
echo "K8S_SECRET_HANDLER_URL=${{ env.HANDLER_URL }}" >> $GITHUB_ENV
echo "K8S_SECRET_NEXT_PUBLIC_MOCK_FLAG=${{ env.NEXT_PUBLIC_MOCK_FLAG }}" >> $GITHUB_ENV
echo "K8S_SECRET_DATABASE_DB=${{ github.event.repository.name }}-${{ matrix.service }}-${{ github.event.pull_request.number }}" >> $GITHUB_ENV
echo "K8S_SECRET_DATABASE_HOST=${{ secrets.K8S_SECRET_DATABASE_HOST_REVIEW }}" >> $GITHUB_ENV
echo "K8S_SECRET_DATABASE_PORT=${{ secrets.K8S_SECRET_DATABASE_PORT_REVIEW }}" >> $GITHUB_ENV
echo "K8S_SECRET_DATABASE_USERNAME=${{ secrets.K8S_SECRET_DATABASE_USERNAME_REVIEW }}" >> $GITHUB_ENV
echo "K8S_SECRET_DATABASE_PASSWORD=${{ secrets.K8S_SECRET_DATABASE_PASSWORD_REVIEW }}" >> $GITHUB_ENV
echo "K8S_SECRET_DATABASE_URL=postgresql://${{ secrets.K8S_SECRET_DATABASE_USERNAME_REVIEW }}:${{ secrets.K8S_SECRET_DATABASE_PASSWORD_REVIEW }}@${{ secrets.K8S_SECRET_DATABASE_HOST_REVIEW}}:${{ secrets.K8S_SECRET_DATABASE_PORT_REVIEW }}/${{ github.event.repository.name }}-${{ matrix.service }}-${{ github.event.pull_request.number }}" >> $GITHUB_ENV
- name: Review-Services
if: matrix.database
uses: City-of-Helsinki/review-services-action@main
with:
database: ${{ github.event.repository.name }}-${{ matrix.service }}-${{ github.event.pull_request.number }}
namespace: ${{ env.K8S_NAMESPACE }}
action: create
db_user: ${{ secrets.K8S_SECRET_DATABASE_ADMIN_USERNAME_REVIEW }}
db_password: ${{ secrets.K8S_SECRET_DATABASE_ADMIN_PASSWORD_REVIEW}}
db_host: ${{ secrets.K8S_SECRET_DATABASE_HOST_REVIEW }}
db_port: ${{ secrets.K8S_SECRET_DATABASE_PORT_REVIEW }}
kubeconfig: ${{ secrets.KUBECONFIG_RAW }}
- name: Service with ingress
run: |
echo "ENVIRONMENT_URL=https://helsinkibenefit-${{ matrix.service }}-${{ github.event.pull_request.number }}.${{ env.BASE_DOMAIN }}" >> $GITHUB_ENV
- name: Deploy
uses: andersinno/kolga-deploy-action@v2
env:
DOCKER_BUILD_SOURCE: ${{ matrix.dockerfile }}
DOCKER_BUILD_CONTEXT: ./${{ matrix.context }}
DOCKER_IMAGE_NAME: ${{ matrix.service }}
PROJECT_NAME: ${{ github.event.repository.name }}-${{ matrix.service }}
K8S_SECRET_VERSION: ${{ github.sha }}
VAULT_JWT_PRIVATE_KEY: ${{ secrets.VAULT_ACCESS_PRIVATE_KEY_REVIEW }}
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
VAULT_KV_VERSION: "2"
VAULT_JWT_AUTH_PATH: ${{ github.event.repository.name }}-${{ matrix.service }}-review
VAULT_KV_SECRET_MOUNT_POINT: review
SERVICE_PORT: ${{ matrix.port }}
K8S_SECRET_ALLOWED_HOSTS: "*"
APP_MIGRATE_COMMAND: ${{ matrix.database == 'true' && '/app/.prod/on_deploy.sh' || ''}}
CORS_ALLOWED_ORIGINS: ${{ env.ENVIRONMENT_URL }}
CSRF_TRUSTED_ORIGINS: ${{ env.ENVIRONMENT_URL }}
LOGOUT_REDIRECT_URL: ${{ env.APPLICANT_URL }}/login?logout=true
- name: Create PR comment for helsinkibenefit-V${{ matrix.service }}
uses: marocchino/sticky-pull-request-comment@v2
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
header: deployment-helsinkibenefit-${{ matrix.service }}
message: |
**Helsinkibenefit-${{ matrix.service }} is deployed to: ${{ env.ENVIRONMENT_URL }}** :rocket::rocket::rocket:
acceptance-tests:
name: BF Acceptance tests
runs-on: ubuntu-latest
needs: Review
defaults:
run:
working-directory: ./frontend
strategy:
fail-fast: false
matrix:
service: ["bf-appl"]
include:
- service: bf-appl
dir: benefit/applicant
steps:
- uses: actions/checkout@v3
- name: Setup kubectl
run: |
echo "${{ env.KUBECONFIG_RAW }}" > $(pwd)/kubeconfig
echo "KUBECONFIG=$(pwd)/kubeconfig" >> $GITHUB_ENV
shell: bash
- name: Setup Node.js environment
uses: actions/setup-node@v3
with:
node-version: "18"
- name: Get yarn cache directory path
id: yarn-cache-dir-path
run: echo "::set-output name=dir::$(yarn config get cacheFolder)"
- uses: actions/cache@v3
id: yarn-cache
with:
path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-yarn-
- name: Install dependencies
run: yarn --prefer-offline --frozen-lockfile --check-files --production=false
- name: Service with ingress
run: |
echo "ENVIRONMENT_URL=https://helsinkibenefit-${{ matrix.service }}-${{ github.event.pull_request.number }}.${{ env.BASE_DOMAIN }}" >> $GITHUB_ENV
- name: Run Acceptance Tests for ${{ matrix.service }}
id: testcafe
run: yarn --cwd ${{matrix.dir}} browser-test:ci -q attemptLimit=3,successThreshold=1
env:
GITHUB_WORKFLOW_NAME: ${{ github.workflow }}
GITHUB_WORKFLOW_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
FRONTEND_URL: ${{ env.ENVIRONMENT_URL }}
APPLICANT_URL: ${{ env.ENVIRONMENT_URL }}
NEXT_PUBLIC_BACKEND_URL: ${{ env.NEXT_PUBLIC_BACKEND_URL }}
NEXT_PUBLIC_MOCK_FLAG: ${{ env.NEXT_PUBLIC_MOCK_FLAG }}
- name: Upload Acceptance Test results for ${{ matrix.service }}
run: |
zip -r report.zip ${{matrix.dir}}/report > no_output 2>&1
curl -s -H "Content-Type: application/zip" -H "Authorization: Bearer ${{ secrets.NETLIFY_AUTH_TOKEN }}" --data-binary "@report.zip" https://api.netlify.com/api/v1/sites > response.json
echo "REPORT_URL=$(cat response.json|python -c "import sys, json; print('https://' + json.load(sys.stdin)['subdomain'] + '.netlify.com')")" >> $GITHUB_ENV
if: always() && steps.testcafe.outcome == 'failure'
- name: Create/update PR comment for Acceptance Test results
uses: marocchino/sticky-pull-request-comment@v2
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
header: testcafe-results-${{ matrix.service }}
message: |
## TestCafe result is __${{ steps.testcafe.outcome }}__ for ${{ env.ENVIRONMENT_URL }}! ${{steps.testcafe.outcome == 'success' && ':laughing::tada::tada::tada:' || ':crying_cat_face::anger::boom::boom:' }}
if: always() && (steps.testcafe.outcome == 'success' || steps.testcafe.outcome == 'failure')
- name: Create/update PR comment for Acceptance Test results
uses: marocchino/sticky-pull-request-comment@v2
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
header: testcafe-results-${{ matrix.service }}
append: true
message: |
**Check the report on: [${{ env.REPORT_URL }}](${{ env.REPORT_URL }})**
if: always() && steps.testcafe.outcome == 'failure'
- name: Upload screenshots and videos of failed tests to artifact
uses: actions/upload-artifact@v3
with:
name: report
path: ./frontend/${{matrix.dir}}/report
if: always() && steps.testcafe.outcome == 'failure'