Skip to content

Enable gcp wif in review env #1695

Enable gcp wif in review env

Enable gcp wif in review env #1695

name: Build and Deploy
concurrency: build_and_deploy_${{ github.ref_name }}
on:
push:
branches:
- main
pull_request:
branches:
- main
types: [opened, reopened, synchronize, labeled]
workflow_dispatch:
inputs:
environment:
description: "Environment"
required: true
type: choice
options:
- test
- preproduction
- production
permissions:
contents: write
deployments: write
packages: write
pull-requests: write
id-token: write
jobs:
build:
name: Build
env:
DOCKER_IMAGE: ghcr.io/dfe-digital/check-childrens-barred-list
outputs:
docker_image: ${{ env.DOCKER_IMAGE }}
image_tag: ${{ env.IMAGE_TAG }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
name: Checkout
- name: Set environment variables (push, workflow_dispatch)
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
run: |
GIT_BRANCH=${GITHUB_REF##*/}
echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV # GIT_BRANCH will be main for refs/heads/main
echo "IMAGE_TAG=${{ github.sha }}" >> $GITHUB_ENV
- name: Set environment variables (pull_request)
if: github.event_name == 'pull_request'
run: |
GIT_BRANCH=${GITHUB_HEAD_REF##*/}
echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV
echo "IMAGE_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
- name: Set KV environment variables
if: github.actor != 'dependabot[bot]'
run: |
# tag build to the review env for vars and secrets
tf_vars_file=terraform/aks/config/review.tfvars.json
echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV
echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: azure/login@v2
if: github.actor != 'dependabot[bot]'
with:
creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
- uses: DFE-Digital/keyvault-yaml-secret@v1
if: github.actor != 'dependabot[bot]'
id: get-secret
with:
keyvault: ${{ env.KEY_VAULT_NAME }}
secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }}
key: SNYK_TOKEN
- name: Build Docker Image
uses: docker/build-push-action@v6
with:
tags: |
${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}}
${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}}
push: false
load: true
cache-to: type=inline
cache-from: |
type=registry,ref=${{env.DOCKER_IMAGE}}:main
type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}}
type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}}
build-args: COMMIT_SHA=${{ env.IMAGE_TAG }}
- name: Push ${{ env.DOCKER_IMAGE }} images for review
if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }}
run: docker image push --all-tags ${{ env.DOCKER_IMAGE }}
- name: Run Snyk to check Docker image for vulnerabilities
if: github.actor != 'dependabot[bot]'
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }}
with:
image: ${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }}
args: --file=Dockerfile --severity-threshold=high --exclude-app-vulns
- name: Push ${{ env.DOCKER_IMAGE }} images
if: ${{ success() && !contains(github.event.pull_request.labels.*.name, 'deploy') }}
run: docker image push --all-tags ${{ env.DOCKER_IMAGE }}
deploy_review_app:
name: Deployment To Review
concurrency: deploy_review_${{ github.event.pull_request.number }}
if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }}
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Start review-${{ github.event.pull_request.number }} Deployment
uses: bobheadxi/deployments@v1
id: deployment
with:
env: review-${{ github.event.pull_request.number }}
ref: ${{ github.head_ref }}
step: start
token: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout
uses: actions/checkout@v4
- name: Deploy App to Review
id: deploy_review
uses: ./.github/actions/deploy/
with:
azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
environment: review
pr-number: ${{ github.event.pull_request.number }}
sha: ${{ needs.build.outputs.IMAGE_TAG }}
- name: Update review-${{ github.event.pull_request.number }} status
if: always()
uses: bobheadxi/deployments@v1
with:
env: review-${{ github.event.pull_request.number }}
ref: ${{ github.head_ref }}
step: finish
token: ${{ secrets.GITHUB_TOKEN }}
status: ${{ job.status }}
deployment_id: ${{ steps.deployment.outputs.deployment_id }}
env_url: ${{ steps.deploy_review.outputs.deploy-url }}
set_matrix:
name: Set deployment matrix
runs-on: ubuntu-latest
needs: [build]
outputs:
deployment_matrix: ${{ steps.set_matrix.outputs.deployment_matrix }}
steps:
- id: set_matrix
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
DEPLOYMENT_MATRIX="{ 'environment': ['${{ github.event.inputs.environment }}'] }"
else
DEPLOYMENT_MATRIX="{ 'environment': ['test', 'preproduction'] }"
fi
echo "deployment_matrix=$DEPLOYMENT_MATRIX" >> $GITHUB_OUTPUT
deploy_nonprod:
name: Deploy to ${{ matrix.environment }} environment
runs-on: ubuntu-latest
needs: [build, set_matrix]
if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
concurrency: deploy_${{ matrix.environment }}
strategy:
fail-fast: false # this is necessary to prevent early terminiation of terraform deployments that will result in tfstate locks
max-parallel: 3
matrix: ${{ fromJson(needs.set_matrix.outputs.deployment_matrix) }}
environment:
name: ${{ matrix.environment }}
url: ${{ steps.deploy.outputs.url }}
outputs:
environment_name: ${{ matrix.environment }}
environment_url: ${{ steps.deploy.outputs.url }}
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/deploy/
id: deploy
with:
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
environment: ${{ matrix.environment }}
sha: ${{ needs.build.outputs.IMAGE_TAG }}
deploy_production:
name: Deploy to production AKS environment
needs: [build, deploy_nonprod]
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
environment:
name: production
url: ${{ steps.deploy.outputs.url }}
concurrency: deploy_production
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/deploy
id: deploy
with:
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
environment: production
sha: ${{ needs.build.outputs.IMAGE_TAG }}
notify_slack_of_failures:
name: Notify Slack of failures
runs-on: ubuntu-latest
needs:
[build, deploy_review_app, set_matrix, deploy_nonprod, deploy_production]
environment: ${{ needs.deploy_nonprod.outputs.environment_name || 'test' }}
env:
ENVIRONMENT_NAME: ${{ needs.deploy_nonprod.outputs.environment_name || 'test' }}
if: failure()
steps:
- uses: actions/checkout@v4
- name: Set Environment variables
shell: bash
working-directory: terraform
run: |
if ${{ needs.build_image.result == 'failure' }}
then
job=build_image
elif ${{ needs.deploy_review_app.result == 'failure' }}
then
job=deploy_review_app
review=true
elif ${{ needs.set_matrix.result == 'failure' }}
then
job=set_matrix
elif ${{ needs.deploy_nonprod.result == 'failure' }}
then
job=deploy_nonprod
elif ${{ needs.deploy_production.result == 'failure' }}
then
job=deploy_production
fi
tf_vars_file=aks/config/${{ env.ENVIRONMENT_NAME }}.tfvars.json
echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV
echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV
echo "JOB=${job}" >> $GITHUB_ENV
echo "REVIEW=${review}" >> $GITHUB_ENV
- uses: Azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- uses: DfE-Digital/keyvault-yaml-secret@v1
id: get_monitoring_secret
with:
keyvault: ${{ env.KEY_VAULT_NAME }}
secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }}
key: SLACK_WEBHOOK
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Notify Slack channel on job failure
uses: rtCamp/action-slack-notify@v2
env:
SLACK_USERNAME: CI Deployment
SLACK_TITLE: Deployment of check-the-childrens-barred-list ${{ env.REVIEW && 'review' }} failed
SLACK_MESSAGE: Job ${{ env.JOB }} failed
SLACK_WEBHOOK: ${{ steps.get_monitoring_secret.outputs.SLACK_WEBHOOK }}
SLACK_COLOR: failure
SLACK_FOOTER: Sent from Build and Deploy workflow