add role verification over post activations
petretiandrea committed Nov 20, 2024
2 parents fa51894 + 0619313 commit c7a2ee9
Showing 21 changed files with 1,106 additions and 69 deletions.
11 changes: 6 additions & 5 deletions .github/workflows/build-n-push-main.yml
@@ -1,4 +1,4 @@
name: Build, push and update
name: Deploy from branch to DEV

on:
workflow_dispatch:
Expand Down Expand Up @@ -33,7 +33,7 @@ jobs:
with:
registry: https://ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
password: ${{ secrets.GIT_PAT }}

- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
Expand All @@ -42,13 +42,14 @@ jobs:
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

- name: Build the app image
id: image
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
push: true
context: .
file: src/main/docker/Dockerfile
platforms: linux/amd64
tags: ghcr.io/${{ github.repository }}:latest, ghcr.io/${{ github.repository }}:${{ steps.semantic.outputs.new_release_version }}-RC
tags: ghcr.io/${{ github.repository }}:latest, ghcr.io/${{ github.repository }}:${{ github.ref_name }}
secrets: |
"gh_token=${{ secrets.GIT_PAT }}"
Expand All @@ -63,5 +64,5 @@ jobs:
ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
run: |
terraform init -backend-config="env/dev/backend.tfvars" -reconfigure
terraform apply -var-file="env/dev/terraform.tfvars" -var="rtp_activator_image=${{ steps.build_image.outputs.image }}" -auto-approve -lock-timeout=300s
terraform init -backend-config="env/cstar-d-weu-rtp/backend.tfvars" -reconfigure
terraform apply -var-file="env/cstar-d-weu-rtp/terraform.tfvars" -var="rtp_activator_image=ghcr.io/${{ github.repository }}:${{ github.ref_name }}@${{ steps.image.outputs.digest }}" -auto-approve -lock-timeout=300s
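Review bot: `ghcr.io/${{ github.repository }}:${{ github.ref_name }}` on the new `tags:` line is not a valid image reference for every branch this `workflow_dispatch` can be started from — a branch name containing `/` or longer than 128 characters fails the push, and the same expression is re-derived on the terraform apply line instead of being taken from the build step's outputs, so the two can drift apart. Computing it once in a preceding step, e.g. `echo "tag=$(echo "${{ github.ref_name }}" | tr '/' '-')" >> "$GITHUB_OUTPUT"`, and referencing that step's output in both places keeps them in sync. The registry login now uses `secrets.GIT_PAT` where the job-scoped `GITHUB_TOKEN` was used before; if the job still grants `packages: write` (the permissions block is outside this section), the ephemeral token is the least-privilege option for pushing to GHCR, and a long-lived PAT widens what a compromised runner can do and needs rotation, so a comment stating why the PAT is required here would help the next maintainer. The digest-pinned `rtp_activator_image` on the last line is the right way to hand the image to terraform.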
68 changes: 68 additions & 0 deletions .github/workflows/deploy.yml
@@ -0,0 +1,68 @@
name: Deploy
run-name: Deploy to ${{ inputs.environment }}

on:
workflow_dispatch:
inputs:
environment:
type: environment
description: Environment where to deploy
image-hash:
type: string
required: false
default: ''
description: SHA256 of the image to deploy
image-tag:
type: string
required: false
default: 'latest'
description: Tag of the image to deploy

jobs:
deploy:
runs-on: ubuntu-22.04

environment: ${{ inputs.environment }}

permissions:
id-token: write

steps:
#
# Setup Terraform
#
- name: Setup Terraform
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: 1.9.7

#
# Checkout the source code
#
- name: Checkout the source code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2

#
# Terraform
#
- name: Terraform
shell: bash
working-directory: src/main/terraform
env:
IMAGE_HASH: "${{ inputs.image-hash }}"
IMAGE_TAG: "${{ inputs.image-tag }}"
ENVIRONMENT: "${{ inputs.environment }}"
ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
run: |
if [ -n "$IMAGE_HASH" ]; then
IMAGE="ghcr.io/${{ github.repository }}:$IMAGE_TAG@sha256:$IMAGE_HASH"
else
IMAGE="ghcr.io/${{ github.repository }}:$IMAGE_TAG"
fi
echo "[$IMAGE] will be deployed."
terraform init -backend-config="env/$ENVIRONMENT/backend.tfvars" -reconfigure
terraform apply -var-file="env/$ENVIRONMENT/terraform.tfvars" -var="rtp_activator_image=$IMAGE" -auto-approve -lock-timeout=300s
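Review bot: `IMAGE_HASH` is spliced into the image reference as `@sha256:$IMAGE_HASH` without any validation, so a value that already carries the `sha256:` prefix, is upper-case, or is truncated produces an unpullable reference that only fails inside `terraform apply` after state has been locked. Before the `if [ -n "$IMAGE_HASH" ]` branch I would add `if [ -n "$IMAGE_HASH" ] && ! [[ "$IMAGE_HASH" =~ ^[0-9a-f]{64}$ ]]; then` / `echo "image-hash must be the bare 64-hex sha256 digest" >&2; exit 1` / `fi`, and make the input's description match: `description: Bare hex SHA256 digest of the image (64 chars, without the sha256: prefix)`. Passing the inputs through `env:` rather than interpolating `${{ inputs.* }}` into the script is the right choice and should stay that way. One thing to confirm: with an explicit `permissions:` block every unlisted scope is set to none, so if the repository is private the checkout step also needs `contents: read`.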
90 changes: 42 additions & 48 deletions .github/workflows/post-merge.yml
Expand Up @@ -2,28 +2,20 @@ name: Post-merge/release workflow

on:
workflow_dispatch:
pull_request:
types:
- closed
push:
branches:
- main

jobs:
post_merge:
if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'

runs-on: ubuntu-22.04

environment: cstar-d-weu-rtp

permissions:
id-token: write # Get OIDC token to authenticate to Azure.
packages: write # Push container imaged to GHCR.
contents: write # Create a new release.

outputs:
new_release_published: ${{ steps.semantic.outputs.new_release_published }}
image: ${{ steps.stable_image.outputs.image }}
new_version: ${{ steps.semantic.outputs.new_release_version }}

steps:
#
Expand All @@ -32,14 +24,13 @@ jobs:
- name: Checkout the source code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
with:
token: ${{ secrets.GIT_PAT }}
fetch-depth: 0

#
# Install Node.
#
- name: Install Node
uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
with:
node-version: "20.18.0"

Expand All @@ -59,24 +50,33 @@ jobs:
@semantic-release/git@10.0.1 # 3e934d45f97fd07a63617c0fc098c9ed3e67d97a
dry_run: true

dev_deployment:
needs: post_merge
if: needs.post_merge.outputs.new_release_published == 'true'
runs-on: ubuntu-22.04
environment: cstar-d-weu-rtp

permissions:
id-token: write # Get OIDC token to authenticate to Azure.
packages: write # Push container imaged to GHCR.
contents: write # Create a new release.

outputs:
digest: ${{ steps.stable-image.outputs.digest }}

steps:
#
# Setup Java
# Checkout the source code.
#
- name: Setup Java
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
with:
distribution: ‘corretto’
java-version: ‘21’
cache: ‘gradle’
- name: Checkout the source code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2

#
# RELEASE CANDIDATE - Update of pom.xml and openapi.yaml with the RC new version.
# RELEASE CANDIDATE - Update of gradle.properties with the RC new version.
#
- name: RELEASE CANDIDATE - Update of pom.xml and openapi.yaml with the new version
if: steps.semantic.outputs.new_release_published == 'true'
- name: RELEASE CANDIDATE - Update of gradle.properties with the new version
run: |
yq -i ".info.version = \"${{ steps.semantic.outputs.new_release_version }}-RC\"" "src/main/resources/META-INF/openapi.yaml"
sed -i -e "s/version=.*/version=${{ steps.semantic.outputs.new_release_version }}-RC/g" gradle.properties
sed -i -e "s/version=.*/version=${{ needs.post_merge.outputs.new_version }}-RC/g" gradle.properties
# todo sonar
#
Expand All @@ -87,7 +87,7 @@ jobs:
with:
registry: https://ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
password: ${{ secrets.GIT_PAT }}

- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
Expand All @@ -96,21 +96,21 @@ jobs:
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

- name: Build the app image
id: rc-image
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
push: true
context: .
file: src/main/docker/Dockerfile
platforms: linux/amd64
tags: ghcr.io/${{ github.repository }}:latest, ghcr.io/${{ github.repository }}:${{ steps.semantic.outputs.new_release_version }}-RC
tags: ghcr.io/${{ github.repository }}:latest, ghcr.io/${{ github.repository }}:${{ needs.post_merge.outputs.new_version }}-RC
secrets: |
"gh_token=${{ secrets.GIT_PAT }}"
#
# Setup Terraform
#
- name: Setup Terraform
if: steps.semantic.outputs.new_release_published == 'true'
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: 1.9.7
Expand All @@ -119,16 +119,15 @@ jobs:
# RELEASE CANDIDATE - Update Container App.
#
- name: RELEASE CANDIDATE - Update Container App
if: steps.semantic.outputs.new_release_published == 'true'
shell: bash
working-directory: src/main/terraform
env:
ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
run: |
terraform init -backend-config="env/dev/backend.tfvars" -reconfigure
terraform apply -var-file="env/dev/terraform.tfvars" -var="rtp_activator_image=${{ steps.rc_image.outputs.image }}" -auto-approve -lock-timeout=300s
terraform init -backend-config="env/cstar-d-weu-rtp/backend.tfvars" -reconfigure
terraform apply -var-file="env/cstar-d-weu-rtp/terraform.tfvars" -var="rtp_activator_image=ghcr.io/${{ github.repository }}:${{ needs.post_merge.outputs.new_version }}-RC@${{ steps.rc-image.outputs.digest }}" -auto-approve -lock-timeout=300s
# #
# # Install Newman.
Expand All @@ -151,25 +150,21 @@ jobs:
# --env-var "clientSecretForMilDebtPosition=${{ secrets.NEWMAN_IT__CLIENTSECRETFORMILDEBTPOSITION }}"

#
# STABLE - Update of pom.xml and openapi.yaml with the new version.
# STABLE - Update of gradle.properties with the new version.
#
- name: STABLE - Update of pom.xml and openapi.yaml with the new version
if: steps.semantic.outputs.new_release_published == 'true'
- name: STABLE - Update of gradle.properties with the new version
run: |
${{ runner.temp }}/maven/bin/mvn versions:set -DnewVersion=${{ steps.semantic.outputs.new_release_version }} -s ${{ runner.temp }}/settings.xml --no-transfer-progress
yq -i ".info.version = \"${{ steps.semantic.outputs.new_release_version }}\"" "src/main/resources/META-INF/openapi.yaml"
sed -i -e "s/version=.*/version=${{ needs.post_merge.outputs.new_version }}/g" gradle.properties
git config user.name "GitHub Workflow"
git config user.email "<>"
git add pom.xml
git add src/main/resources/META-INF/openapi.yaml
git commit -m "Updated with new version ${{ steps.semantic.outputs.new_release_version }}"
git add gradle.properties
git commit -m "Updated with new version ${{ needs.post_merge.outputs.new_version }}"
git push origin main
#
# Calculation of the new version (again) with tagging + releasing + etc.
#
- name: Calculation of the new version (w/o dry_run) and put tag
if: steps.semantic.outputs.new_release_published == 'true'
uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # 4.1.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -189,7 +184,7 @@ jobs:
with:
registry: https://ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
password: ${{ secrets.GIT_PAT }}

- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
Expand All @@ -198,34 +193,33 @@ jobs:
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

- name: Build the app image
id: stable-image
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
push: true
context: .
file: src/main/docker/Dockerfile
platforms: linux/amd64
tags: ghcr.io/${{ github.repository }}:latest, ghcr.io/${{ github.repository }}:${{ steps.semantic.outputs.new_release_version }}-RC
tags: ghcr.io/${{ github.repository }}:latest, ghcr.io/${{ github.repository }}:${{ needs.post_merge.outputs.new_version }}
secrets: |
"gh_token=${{ secrets.GIT_PAT }}"
#
# STABLE - Update Container App.
#
- name: STABLE - Update Container App
if: steps.semantic.outputs.new_release_published == 'true'
shell: bash
working-directory: src/main/terraform
env:
ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
run: |
terraform init -backend-config="env/dev/backend.tfvars" -reconfigure
terraform apply -var-file="env/dev/terraform.tfvars" -var="rtp_activator_image=${{ steps.stable_image.outputs.image }}" -auto-approve -lock-timeout=300s
terraform init -backend-config="env/cstar-d-weu-rtp/backend.tfvars" -reconfigure
terraform apply -var-file="env/cstar-d-weu-rtp/terraform.tfvars" -var="rtp_activator_image=ghcr.io/${{ github.repository }}:${{ needs.post_merge.outputs.new_version }}@${{ steps.stable-image.outputs.digest }}" -auto-approve -lock-timeout=300s
uat_deployment:
needs: post_merge
needs: [ post_merge, dev_deployment]

if: needs.post_merge.outputs.new_release_published == 'true'

Expand Down Expand Up @@ -262,5 +256,5 @@ jobs:
ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
run: |
terraform init -backend-config="env/uat/backend.tfvars" -reconfigure
terraform apply -var-file="env/uat/terraform.tfvars" -var="rtp_activator_image=${{ needs.post_merge.outputs.image }}" -auto-approve -lock-timeout=300s
terraform init -backend-config="env/cstar-u-weu-rtp/backend.tfvars" -reconfigure
terraform apply -var-file="env/cstar-u-weu-rtp/terraform.tfvars" -var="rtp_activator_image=ghcr.io/${{ github.repository }}:${{ needs.post_merge.outputs.new_version }}@${{ needs.dev_deployment.outputs.digest }}" -auto-approve -lock-timeout=300s
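Review bot: The release-candidate build (the `Build the app image` step with `id: rc-image`) still pushes `ghcr.io/${{ github.repository }}:latest` alongside the `-RC` tag, so from that point until the stable build with `id: stable-image` completes — or permanently, if the RC terraform apply or anything between them fails — `latest` points at a release-candidate image. Dropping it from the RC step, `tags: ghcr.io/${{ github.repository }}:${{ needs.post_merge.outputs.new_version }}-RC`, leaves `latest` to the stable build only. The `git push origin main` in the STABLE step goes through the default `GITHUB_TOKEN` of the job's checkout, which does not re-trigger the `push: branches: main` workflow; worth a one-line comment there (`# pushed with GITHUB_TOKEN on purpose: a PAT here would re-trigger this workflow`) so nobody later adds a PAT to that checkout and creates a loop. Minor style: `needs: [ post_merge, dev_deployment]` has uneven spacing inside the flow sequence; `needs: [post_merge, dev_deployment]` matches the rest of the file.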
23 changes: 23 additions & 0 deletions .releaserc.json
@@ -0,0 +1,23 @@
{
"branches": [
"main",
"master"
],
"ci": false,
"plugins": [
[
"@semantic-release/commit-analyzer",
{
"preset": "angular",
"releaseRules": [
{
"type": "breaking",
"release": "major"
}
]
}
],
"@semantic-release/release-notes-generator",
"@semantic-release/github"
]
}
2 changes: 2 additions & 0 deletions README.md
@@ -1,2 +1,4 @@
# rtp-activator
[![Post-merge/release workflow](https://github.com/pagopa/rtp-activator/actions/workflows/post-merge.yml/badge.svg)](https://github.com/pagopa/rtp-activator/actions/workflows/post-merge.yml)

Web server responsible to activate a debtor to receive a Request To Pay