diff --git a/.github/workflows/actions/deploy_v2/action.yml b/.github/workflows/actions/deploy_v2/action.yml index 4873fdfa1c..0f6b4d91bc 100644 --- a/.github/workflows/actions/deploy_v2/action.yml +++ b/.github/workflows/actions/deploy_v2/action.yml @@ -60,6 +60,6 @@ runs: run: | envval="${{ inputs.environment }}_aks" echo "envval is ${envval}" - make ci ${envval} terraform-plan-aks PR_NUMBER=${{ inputs.pr }} + make ci ${envval} terraform-apply-aks PR_NUMBER=${{ inputs.pr }} env: IMAGE_TAG: ${{ inputs.sha }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 202f594f4f..0e5daa2153 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,9 +1,8 @@ name: Build and Deploy on: workflow_dispatch: - pull_request: push: - branches: [ feature/1123457-workflow ] + branches: [ master ] permissions: contents: write 
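Review bot: The step now runs `terraform-apply-aks` where it previously ran `terraform-plan-aks`, so every invocation of this composite action mutates the AKS infrastructure with no plan review or approval between plan and apply; the calling job should declare a protected GitHub `environment:` with required reviewers, or the action should apply a plan artifact that was produced and reviewed in an earlier step. The inputs are also expanded straight into the shell script (`envval="${{ inputs.environment }}_aks"`, `PR_NUMBER=${{ inputs.pr }}`); the usual hardening is to map them through `env:` and read them as shell variables, e.g. `env:` / `  ENVIRONMENT: ${{ inputs.environment }}` and `envval="${ENVIRONMENT}_aks"`, so a value containing shell metacharacters cannot change the command that runs. The `runs:` block this step belongs to starts outside the hunk.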
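Review bot: Removing the `pull_request:` trigger leaves the `prepare` job's review-environment step dead: its condition in the `@@ -348,15 +346,13 @@` hunk is `if: github.event_name == 'pull_request' && ...`, and none of the remaining triggers (`workflow_dispatch`, `push` to `master`) produces that event, so `MATRIX_ENVIRONMENTS` is set only on a master push and is presumably left unset on a manual dispatch — worth confirming what the matrix consumer does with an empty value. If the intent is that pull requests no longer deploy review environments, say so where the trigger was removed, e.g. `# Review deployments are disabled on purpose: no pull_request trigger`, rather than leaving the step to silently never run. Separately, `permissions: contents: write` at workflow level now also applies to the newly enabled test and scan jobs; scoping the top level to `contents: read` and granting `write` only on the job that needs it follows least privilege.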
@@ -91,255 +90,254 @@ jobs: SLACK_TITLE: 'Failure Building Application' SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} - # spec_tests: - # name: Unit Tests - # runs-on: ubuntu-latest - # needs: [ build ] - # steps: - # - name: Check out the repo - # uses: actions/checkout@v3 - - # - name: set-up-environment - # uses: DFE-Digital/github-actions/set-up-environment@master - - # - uses: Azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - - # - uses: DfE-Digital/keyvault-yaml-secret@v1 - # id: keyvault-yaml-secret - # with: - # keyvault: ${{ secrets.KEY_VAULT}} - # secret: SE-INFRA-SECRETS - # key: SLACK-WEBHOOK - # env: - # GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - # - name: Login to GitHub Container Registry - # uses: docker/login-action@v2 - # with: - # registry: ghcr.io - # username: ${{ github.repository_owner }} - # password: ${{ secrets.GITHUB_TOKEN }} - - # - name: Bring up Docker compose Stack - # run: docker-compose -f docker-compose-paas.yml up -d - # env: - # IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}} - - # - name: Lint Ruby - # run: docker run -t --rm -v ${PWD}/out:/app/out -e RAILS_ENV=test ${{needs.build.outputs.DOCKER_IMAGE}} rubocop - - # - name: Keep Rubocop output - # if: always() - # uses: actions/upload-artifact@v3 - # with: - # name: Rubocop_results - # path: ${{ github.workspace }}/out/rubocop-result.json - - # - name: Run Specs - # run: docker-compose -f docker-compose-paas.yml run --rm db-tasks rspec - # env: - # IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}} - - # - name: Keep Unit Tests Results - # if: always() - # uses: actions/upload-artifact@v3 - # with: - # name: unit_tests - # path: ${{ github.workspace }}/out/test-report.xml - - - # - name: Keep Code Coverage Report - # if: always() - # uses: actions/upload-artifact@v3 - # with: - # name: Code_Coverage - # path: ${{ github.workspace }}/coverage/coverage.json - - # security_tests: - # name: Security Tests - # runs-on: ubuntu-latest - # needs: [ 
build ] - # steps: - # - name: Checkout - # uses: actions/checkout@v3 - - # - name: set-up-environment - # uses: DFE-Digital/github-actions/set-up-environment@master - - # - uses: Azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - - # - uses: DfE-Digital/keyvault-yaml-secret@v1 - # id: keyvault-yaml-secret - # with: - # keyvault: ${{ secrets.KEY_VAULT}} - # secret: SE-INFRA-SECRETS - # key: SNYK-TOKEN - # env: - # GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - # - name: Login to GitHub Container Registry - # uses: docker/login-action@v2 - # with: - # registry: ghcr.io - # username: ${{ github.repository_owner }} - # password: ${{ secrets.GITHUB_TOKEN }} - - # - name: Run Snyk to check Docker image for vulnerabilities - # uses: snyk/actions/docker@master - # env: - # SNYK_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SNYK-TOKEN }} - # with: - # image: ${{needs.build.outputs.DOCKER_IMAGE}} - # args: --severity-threshold=high --file=Dockerfile --exclude-app-vulns --policy-path=/.snyk - - # - name: Run Brakeman static security scanner - # run: docker run -t --rm -e RAILS_ENV=test ${{needs.build.outputs.DOCKER_IMAGE}} brakeman - - # cucumber_tests: - # name: Cucumber Tests - # runs-on: ubuntu-latest - # needs: [ build ] - # strategy: - # fail-fast: false - # matrix: - # node: [1, 2] - # steps: - # - name: Check out the repo - # uses: actions/checkout@v3 - - # - name: set-up-environment - # uses: DFE-Digital/github-actions/set-up-environment@master - - # - uses: Azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - - # - name: Login to GitHub Container Registry - # uses: docker/login-action@v2 - # with: - # registry: ghcr.io - # username: ${{ github.repository_owner }} - # password: ${{ secrets.GITHUB_TOKEN }} - - # - name: Run Cucumber Tests - # run: |- - # docker-compose -f docker-compose-paas.yml run --rm \ - # -e RAILS_ENV \ - # -e DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL \ - # -e NODE \ - # -e NODE_COUNT \ - # db-tasks -p 
${PROFILE} cucumber - # env: - # IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}} - # PROFILE: continuous_integration - # DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL: true - # NODE: ${{ matrix.node }} - # NODE_COUNT: 2 - - # - name: Keep Unit Tests Results - # if: always() - # uses: actions/upload-artifact@v3 - # with: - # name: cucumber_tests - # path: ${{ github.workspace }}/out - - # selenium_cucumber_tests: - # name: Chrome Cucumber Tests - # runs-on: ubuntu-latest - # needs: [ build ] - # strategy: - # fail-fast: false - # matrix: - # node: [1, 2] - # steps: - # - name: Check out the repo - # uses: actions/checkout@v3 - - # - name: set-up-environment - # uses: DFE-Digital/github-actions/set-up-environment@master - - # - uses: Azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - - # - name: Login to GitHub Container Registry - # uses: docker/login-action@v2 - # with: - # registry: ghcr.io - # username: ${{ github.repository_owner }} - # password: ${{ secrets.GITHUB_TOKEN }} - - # - name: Run Cucumber Tests - # run: |- - # docker-compose -f docker-compose-paas.yml run --rm \ - # -e RAILS_ENV \ - # -e DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL \ - # -e NODE \ - # -e NODE_COUNT \ - # school-experience -p ${PROFILE} cucumber - # env: - # IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}} - # PROFILE: selenium - # RAILS_ENV: test - # DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL: true - # NODE: ${{ matrix.node }} - # NODE_COUNT: 2 - - # - name: Keep Unit Tests Results - # if: always() - # uses: actions/upload-artifact@v3 - # with: - # name: selenium_cucumber_tests - # path: ${{ github.workspace }}/out - - # sonarcloud: - # name: SonarCloud - # runs-on: ubuntu-latest - # needs: [ selenium_cucumber_tests, cucumber_tests , security_tests, spec_tests ] - # steps: - - # - uses: actions/checkout@v3 - # with: - # fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - # - name: set-up-environment - # uses: 
DFE-Digital/github-actions/set-up-environment@master - - # - uses: Azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - - # - uses: DfE-Digital/keyvault-yaml-secret@v1 - # id: keyvault-yaml-secret - # with: - # keyvault: ${{ secrets.KEY_VAULT}} - # secret: SE-INFRA-SECRETS - # key: SONAR-TOKEN - # env: - # GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - # - name: Download Test Artifacts - # uses: actions/download-artifact@v3 - # with: - # path: ${{ github.workspace }}/out/ - - # - name: Fixup report file paths - # run: sudo sed -i "s?/app/app?/github/workspace/app?" ${{ github.workspace }}/out/Code_Coverage/coverage.json - - # - name: SonarCloud Scan - # uses: SonarSource/sonarcloud-github-action@master - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # SONAR_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SONAR-TOKEN }} + spec_tests: + name: Unit Tests + runs-on: ubuntu-latest + needs: [ build ] + steps: + - name: Check out the repo + uses: actions/checkout@v3 + + - name: set-up-environment + uses: DFE-Digital/github-actions/set-up-environment@master + + - uses: Azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - uses: DfE-Digital/keyvault-yaml-secret@v1 + id: keyvault-yaml-secret + with: + keyvault: ${{ secrets.KEY_VAULT}} + secret: SE-INFRA-SECRETS + key: SLACK-WEBHOOK + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Bring up Docker compose Stack + run: docker-compose -f docker-compose-paas.yml up -d + env: + IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}} + + - name: Lint Ruby + run: docker run -t --rm -v ${PWD}/out:/app/out -e RAILS_ENV=test ${{needs.build.outputs.DOCKER_IMAGE}} rubocop + + - name: Keep Rubocop output + if: always() + uses: actions/upload-artifact@v3 + with: + name: Rubocop_results + path: ${{ github.workspace 
}}/out/rubocop-result.json + + - name: Run Specs + run: docker-compose -f docker-compose-paas.yml run --rm db-tasks rspec + env: + IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}} + + - name: Keep Unit Tests Results + if: always() + uses: actions/upload-artifact@v3 + with: + name: unit_tests + path: ${{ github.workspace }}/out/test-report.xml + + + - name: Keep Code Coverage Report + if: always() + uses: actions/upload-artifact@v3 + with: + name: Code_Coverage + path: ${{ github.workspace }}/coverage/coverage.json + + security_tests: + name: Security Tests + runs-on: ubuntu-latest + needs: [ build ] + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: set-up-environment + uses: DFE-Digital/github-actions/set-up-environment@master + + - uses: Azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - uses: DfE-Digital/keyvault-yaml-secret@v1 + id: keyvault-yaml-secret + with: + keyvault: ${{ secrets.KEY_VAULT}} + secret: SE-INFRA-SECRETS + key: SNYK-TOKEN + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Run Snyk to check Docker image for vulnerabilities + uses: snyk/actions/docker@master + env: + SNYK_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SNYK-TOKEN }} + with: + image: ${{needs.build.outputs.DOCKER_IMAGE}} + args: --severity-threshold=high --file=Dockerfile --exclude-app-vulns --policy-path=/.snyk + + - name: Run Brakeman static security scanner + run: docker run -t --rm -e RAILS_ENV=test ${{needs.build.outputs.DOCKER_IMAGE}} brakeman + + cucumber_tests: + name: Cucumber Tests + runs-on: ubuntu-latest + needs: [ build ] + strategy: + fail-fast: false + matrix: + node: [1, 2] + steps: + - name: Check out the repo + uses: actions/checkout@v3 + + - name: set-up-environment + uses: DFE-Digital/github-actions/set-up-environment@master + + - 
uses: Azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Run Cucumber Tests + run: |- + docker-compose -f docker-compose-paas.yml run --rm \ + -e RAILS_ENV \ + -e DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL \ + -e NODE \ + -e NODE_COUNT \ + db-tasks -p ${PROFILE} cucumber + env: + IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}} + PROFILE: continuous_integration + DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL: true + NODE: ${{ matrix.node }} + NODE_COUNT: 2 + + - name: Keep Unit Tests Results + if: always() + uses: actions/upload-artifact@v3 + with: + name: cucumber_tests + path: ${{ github.workspace }}/out + + selenium_cucumber_tests: + name: Chrome Cucumber Tests + runs-on: ubuntu-latest + needs: [ build ] + strategy: + fail-fast: false + matrix: + node: [1, 2] + steps: + - name: Check out the repo + uses: actions/checkout@v3 + + - name: set-up-environment + uses: DFE-Digital/github-actions/set-up-environment@master + + - uses: Azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Run Cucumber Tests + run: |- + docker-compose -f docker-compose-paas.yml run --rm \ + -e RAILS_ENV \ + -e DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL \ + -e NODE \ + -e NODE_COUNT \ + school-experience -p ${PROFILE} cucumber + env: + IMAGE: ${{needs.build.outputs.DOCKER_IMAGE}} + PROFILE: selenium + RAILS_ENV: test + DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL: true + NODE: ${{ matrix.node }} + NODE_COUNT: 2 + + - name: Keep Unit Tests Results + if: always() + uses: actions/upload-artifact@v3 + with: + name: selenium_cucumber_tests + path: ${{ github.workspace }}/out + + 
sonarcloud: + name: SonarCloud + runs-on: ubuntu-latest + needs: [ selenium_cucumber_tests, cucumber_tests , security_tests, spec_tests ] + steps: + + - uses: actions/checkout@v3 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + + - name: set-up-environment + uses: DFE-Digital/github-actions/set-up-environment@master + + - uses: Azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - uses: DfE-Digital/keyvault-yaml-secret@v1 + id: keyvault-yaml-secret + with: + keyvault: ${{ secrets.KEY_VAULT}} + secret: SE-INFRA-SECRETS + key: SONAR-TOKEN + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + + - name: Download Test Artifacts + uses: actions/download-artifact@v3 + with: + path: ${{ github.workspace }}/out/ + + - name: Fixup report file paths + run: sudo sed -i "s?/app/app?/github/workspace/app?" ${{ github.workspace }}/out/Code_Coverage/coverage.json + + - name: SonarCloud Scan + uses: SonarSource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SONAR-TOKEN }} prepare: name: Configure Matrix Deployments - # needs: [ sonarcloud ] - needs: [ build ] + needs: [ sonarcloud ] runs-on: ubuntu-latest outputs: 
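Review bot: The re-enabled jobs reference third-party actions by mutable refs — `snyk/actions/docker@master`, `SonarSource/sonarcloud-github-action@master`, `DFE-Digital/github-actions/set-up-environment@master`, plus `@v1`/`@v2`/`@v3` tags — and those steps receive `SNYK_TOKEN`, `SONAR_TOKEN`, `AZURE_CREDENTIALS` and a `GITHUB_TOKEN` that carries the workflow-level `contents: write`; a moved tag or a compromised upstream `master` branch would run with all of that. Pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: snyk/actions/docker@<pinned-commit-sha>  # master as of <date>`, and let Dependabot maintain the pins. None of `spec_tests`, `security_tests`, `cucumber_tests`, `selenium_cucumber_tests` or `sonarcloud` needs to write to the repository, so a job-level `permissions:` / `  contents: read` on each would limit what a compromised step could do. Note too that the Snyk step passes `--exclude-app-vulns`, so application dependency vulnerabilities are not covered by `security_tests`; if no other job audits the Ruby dependencies, that gap deserves a comment next to the `args:` line. The `jobs:` mapping continues outside the hunk on both sides.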
@@ -348,15 +346,13 @@ jobs: release_tag: ${{steps.tag_version.outputs.pr_number}} steps: - name: Set matrix environments (Push to master) - # if: github.event_name == 'push' && github.ref == 'refs/heads/master' - if: github.event_name == 'push' + if: github.event_name == 'push' && github.ref == 'refs/heads/master' run: | echo "MATRIX_ENVIRONMENTS={\"environment\":[\"Development\" , \"Staging\",\"Production\"]}" >> $GITHUB_ENV echo "MATRIX_AKS_ENVIRONMENTS={\"environment\":[\"development\"]}" >> $GITHUB_ENV - name: Set matrix environments ( Review) - # if: github.event_name == 'pull_request' && github.ref != 'refs/heads/master' - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request' && github.ref != 'refs/heads/master' run: | echo "MATRIX_ENVIRONMENTS={\"environment\":[\"Review\"]}" >> $GITHUB_ENV echo "MATRIX_AKS_ENVIRONMENTS={\"environment\":[\"review\"]}" >> $GITHUB_ENV @@ -390,7 +386,6 @@ jobs: TOKEN: ${{secrets.GITHUB_TOKEN}} deployments: - if: github.event_name == 'push' && github.ref == 'refs/heads/master' name: Deployments strategy: max-parallel: 1
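Review bot: Dropping `if: github.event_name == 'push' && github.ref == 'refs/heads/master'` from the `deployments` job removes its only explicit guard; it now runs for every event the workflow still accepts, including `workflow_dispatch`, where neither `prepare` step in the `@@ -348,15 +346,13 @@` hunk sets `MATRIX_ENVIRONMENTS`, so what the deployment matrix expands to on a manual run is not visible in this diff and should be checked before merging. If manual dispatch is meant to deploy, gate the job on an explicit condition that expresses that intent; otherwise restore the guard on the job. In the `@@ -348` hunk, `github.ref != 'refs/heads/master'` on a `pull_request` event is always true (the ref is `refs/pull/<n>/merge`), so the added clause on the Review step adds no restriction and can be simplified to `if: github.event_name == 'pull_request'`. The `deployments` job body continues past the end of the hunk.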