Enable gcp wif in review env #1693
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Deploy | |
concurrency: build_and_deploy_${{ github.ref_name }} | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
types: [opened, reopened, synchronize, labeled] | |
workflow_dispatch: | |
inputs: | |
environment: | |
description: "Environment" | |
required: true | |
type: choice | |
options: | |
- test | |
- preproduction | |
- production | |
permissions: | |
contents: write | |
deployments: write | |
packages: write | |
pull-requests: write | |
id-token: write | |
jobs: | |
build: | |
name: Build | |
env: | |
DOCKER_IMAGE: ghcr.io/dfe-digital/check-childrens-barred-list | |
outputs: | |
docker_image: ${{ env.DOCKER_IMAGE }} | |
image_tag: ${{ env.IMAGE_TAG }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
name: Checkout | |
- name: Set environment variables (push, workflow_dispatch) | |
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | |
run: | | |
GIT_BRANCH=${GITHUB_REF##*/} | |
echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV # GIT_BRANCH will be main for refs/heads/main | |
echo "IMAGE_TAG=${{ github.sha }}" >> $GITHUB_ENV | |
- name: Set environment variables (pull_request) | |
if: github.event_name == 'pull_request' | |
run: | | |
GIT_BRANCH=${GITHUB_HEAD_REF##*/} | |
echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV | |
echo "IMAGE_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV | |
- name: Set KV environment variables | |
if: github.actor != 'dependabot[bot]' | |
run: | | |
# tag build to the review env for vars and secrets | |
tf_vars_file=terraform/aks/config/review.tfvars.json | |
echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV | |
echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- uses: azure/login@v2 | |
if: github.actor != 'dependabot[bot]' | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }} | |
- uses: DFE-Digital/keyvault-yaml-secret@v1 | |
if: github.actor != 'dependabot[bot]' | |
id: get-secret | |
with: | |
keyvault: ${{ env.KEY_VAULT_NAME }} | |
secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }} | |
key: SNYK_TOKEN | |
- name: Build Docker Image | |
uses: docker/build-push-action@v6 | |
with: | |
tags: | | |
${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}} | |
${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}} | |
push: false | |
load: true | |
cache-to: type=inline | |
cache-from: | | |
type=registry,ref=${{env.DOCKER_IMAGE}}:main | |
type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}} | |
type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}} | |
build-args: COMMIT_SHA=${{ env.IMAGE_TAG }} | |
- name: Push ${{ env.DOCKER_IMAGE }} images for review | |
if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }} | |
run: docker image push --all-tags ${{ env.DOCKER_IMAGE }} | |
- name: Run Snyk to check Docker image for vulnerabilities | |
if: github.actor != 'dependabot[bot]' | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }} | |
with: | |
image: ${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }} | |
args: --file=Dockerfile --severity-threshold=high --exclude-app-vulns | |
- name: Push ${{ env.DOCKER_IMAGE }} images | |
if: ${{ success() && !contains(github.event.pull_request.labels.*.name, 'deploy') }} | |
run: docker image push --all-tags ${{ env.DOCKER_IMAGE }} | |
deploy_review_app: | |
name: Deployment To Review | |
concurrency: deploy_review_${{ github.event.pull_request.number }} | |
if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }} | |
needs: [build] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Start review-${{ github.event.pull_request.number }} Deployment | |
uses: bobheadxi/deployments@v1 | |
id: deployment | |
with: | |
env: review-${{ github.event.pull_request.number }} | |
ref: ${{ github.head_ref }} | |
step: start | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Deploy App to Review | |
id: deploy_review | |
uses: ./.github/actions/deploy/ | |
with: | |
azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW }} | |
environment: review | |
pr-number: ${{ github.event.pull_request.number }} | |
sha: ${{ needs.build.outputs.IMAGE_TAG }} | |
- name: Update review-${{ github.event.pull_request.number }} status | |
if: always() | |
uses: bobheadxi/deployments@v1 | |
with: | |
env: review-${{ github.event.pull_request.number }} | |
ref: ${{ github.head_ref }} | |
step: finish | |
token: ${{ secrets.GITHUB_TOKEN }} | |
status: ${{ job.status }} | |
deployment_id: ${{ steps.deployment.outputs.deployment_id }} | |
env_url: ${{ steps.deploy_review.outputs.deploy-url }} | |
set_matrix: | |
name: Set deployment matrix | |
runs-on: ubuntu-latest | |
needs: [build] | |
outputs: | |
deployment_matrix: ${{ steps.set_matrix.outputs.deployment_matrix }} | |
steps: | |
- id: set_matrix | |
run: | | |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then | |
DEPLOYMENT_MATRIX="{ 'environment': ['${{ github.event.inputs.environment }}'] }" | |
else | |
DEPLOYMENT_MATRIX="{ 'environment': ['test', 'preproduction'] }" | |
fi | |
echo "deployment_matrix=$DEPLOYMENT_MATRIX" >> $GITHUB_OUTPUT | |
deploy_nonprod: | |
name: Deploy to ${{ matrix.environment }} environment | |
runs-on: ubuntu-latest | |
needs: [build, set_matrix] | |
if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch' | |
concurrency: deploy_${{ matrix.environment }} | |
strategy: | |
fail-fast: false # this is necessary to prevent early terminiation of terraform deployments that will result in tfstate locks | |
max-parallel: 3 | |
matrix: ${{ fromJson(needs.set_matrix.outputs.deployment_matrix) }} | |
environment: | |
name: ${{ matrix.environment }} | |
url: ${{ steps.deploy.outputs.url }} | |
outputs: | |
environment_name: ${{ matrix.environment }} | |
environment_url: ${{ steps.deploy.outputs.url }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/deploy/ | |
id: deploy | |
with: | |
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} | |
environment: ${{ matrix.environment }} | |
sha: ${{ needs.build.outputs.IMAGE_TAG }} | |
deploy_production: | |
name: Deploy to production AKS environment | |
needs: [build, deploy_nonprod] | |
runs-on: ubuntu-latest | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
environment: | |
name: production | |
url: ${{ steps.deploy.outputs.url }} | |
concurrency: deploy_production | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/deploy | |
id: deploy | |
with: | |
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} | |
environment: production | |
sha: ${{ needs.build.outputs.IMAGE_TAG }} | |
notify_slack_of_failures: | |
name: Notify Slack of failures | |
runs-on: ubuntu-latest | |
needs: | |
[build, deploy_review_app, set_matrix, deploy_nonprod, deploy_production] | |
environment: ${{ needs.deploy_nonprod.outputs.environment_name || 'test' }} | |
env: | |
ENVIRONMENT_NAME: ${{ needs.deploy_nonprod.outputs.environment_name || 'test' }} | |
if: failure() | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set Environment variables | |
shell: bash | |
working-directory: terraform | |
run: | | |
if ${{ needs.build_image.result == 'failure' }} | |
then | |
job=build_image | |
elif ${{ needs.deploy_review_app.result == 'failure' }} | |
then | |
job=deploy_review_app | |
review=true | |
elif ${{ needs.set_matrix.result == 'failure' }} | |
then | |
job=set_matrix | |
elif ${{ needs.deploy_nonprod.result == 'failure' }} | |
then | |
job=deploy_nonprod | |
elif ${{ needs.deploy_production.result == 'failure' }} | |
then | |
job=deploy_production | |
fi | |
tf_vars_file=aks/config/${{ env.ENVIRONMENT_NAME }}.tfvars.json | |
echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV | |
echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV | |
echo "JOB=${job}" >> $GITHUB_ENV | |
echo "REVIEW=${review}" >> $GITHUB_ENV | |
- uses: Azure/login@v2 | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS }} | |
- uses: DfE-Digital/keyvault-yaml-secret@v1 | |
id: get_monitoring_secret | |
with: | |
keyvault: ${{ env.KEY_VAULT_NAME }} | |
secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }} | |
key: SLACK_WEBHOOK | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Notify Slack channel on job failure | |
uses: rtCamp/action-slack-notify@v2 | |
env: | |
SLACK_USERNAME: CI Deployment | |
SLACK_TITLE: Deployment of check-the-childrens-barred-list ${{ env.REVIEW && 'review' }} failed | |
SLACK_MESSAGE: Job ${{ env.JOB }} failed | |
SLACK_WEBHOOK: ${{ steps.get_monitoring_secret.outputs.SLACK_WEBHOOK }} | |
SLACK_COLOR: failure | |
SLACK_FOOTER: Sent from Build and Deploy workflow |