Merge pull request #2265 from ministryofjustice/renovate-github-actions #643
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "[Workflow] Path to Live" | |
| concurrency: | |
| group: ${{ github.ref }}-${{ github.workflow }} | |
| defaults: | |
| run: | |
| shell: bash | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "service-*/**" | |
| - "cypress/**" | |
| - "terraform/**" | |
| - "scripts/**" | |
| - "shared/**" | |
| - ".github/workflows/**" | |
| permissions: | |
| contents: write | |
| security-events: write | |
| pull-requests: read | |
| actions: none | |
| checks: none | |
| deployments: none | |
| issues: none | |
| packages: none | |
| repository-projects: none | |
| statuses: none | |
| jobs: | |
| set_variables: | |
| name: Set variables | |
| runs-on: ubuntu-latest | |
| outputs: | |
| short_sha: ${{ steps.short_sha.outputs.short_sha }} | |
| semver_tag: ${{ steps.semver_tag.outputs.created_tag }} | |
| environment_terraform_version: ${{ steps.terraform_version_environment.outputs.version }} | |
| account_terraform_version: ${{ steps.terraform_version_account.outputs.version }} | |
| region_terraform_version: ${{ steps.terraform_version_region.outputs.version }} | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 | |
| with: | |
| fetch-depth: 2 | |
| - name: Set output to penultimate short SHA | |
| id: short_sha | |
| run: | | |
| echo "short_sha=$(git rev-list --no-merges -n 1 HEAD | cut -c1-7)" >> $GITHUB_OUTPUT | |
| - name: Set terraform version - environment | |
| id: terraform_version_environment | |
| uses: ministryofjustice/opg-github-actions/.github/actions/[email protected] | |
| with: | |
| terraform_directory: "./terraform/environment" | |
| - name : Set terraform version - account | |
| id: terraform_version_account | |
| uses: ministryofjustice/opg-github-actions/.github/actions/[email protected] | |
| with: | |
| terraform_directory: "./terraform/account" | |
| - name: Set terraform version - region | |
| id: terraform_version_region | |
| uses: ministryofjustice/opg-github-actions/.github/actions/[email protected] | |
| with: | |
| terraform_directory: "./terraform/region" | |
| - name: Bump version and push tag | |
| uses: ministryofjustice/opg-github-actions/.github/actions/[email protected] | |
| id: semver_tag | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| with_v: true | |
| default_bump: minor | |
| docker_build_scan_push: | |
| name: Docker Build, Scan and Push | |
| uses: ./.github/workflows/docker_job.yml | |
| needs: | |
| - set_variables | |
| with: | |
| tag: main-${{ needs.set_variables.outputs.semver_tag }} | |
| secrets: inherit | |
| terraform_account_preproduction: | |
| name: TF Preproduction - Account | |
| needs: | |
| - set_variables | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.account_terraform_version }} | |
| terraform_workspace: preproduction | |
| is_ephemeral: false | |
| terraform_apply: true | |
| terraform_directory: ./terraform/account | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| terraform_region_preproduction: | |
| name: TF Preproduction - Region | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
| needs: | |
| - set_variables | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.environment_terraform_version }} | |
| terraform_workspace: preproduction | |
| is_ephemeral: false | |
| terraform_apply: true | |
| terraform_directory: ./terraform/region | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| terraform_environment_preproduction: | |
| name: TF Preproduction - Environment | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.environment_terraform_version }} | |
| terraform_workspace: preproduction | |
| is_ephemeral: false | |
| terraform_apply: true | |
| use_ssh_private_key: true | |
| terraform_directory: ./terraform/environment | |
| terraform_variables: "-var container_version=main-${{ needs.set_variables.outputs.semver_tag }}" | |
| persist_artifacts: true | |
| needs: | |
| - docker_build_scan_push | |
| - set_variables | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| run_preproduction_seed_db_task: | |
| name: Run preproduction DB seeding | |
| uses: ./.github/workflows/workflow_start_task.yml | |
| with: | |
| account_id: "987830934591" | |
| task_name: "seeding" | |
| needs: | |
| - terraform_environment_preproduction | |
| secrets: inherit | |
| preprod_terraform_outputs: | |
| name: Render terraform outputs | |
| runs-on: ubuntu-latest | |
| outputs: | |
| admin_fqdn: ${{ steps.admin_fqdn.outputs.value }} | |
| front_fqdn: ${{ steps.front_fqdn.outputs.value }} | |
| needs: | |
| - terraform_environment_preproduction | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| - name: Download Terraform Task definition | |
| uses: actions/[email protected] | |
| with: | |
| name: terraform-artifact | |
| path: /tmp/ | |
| - name: Terraform Outputs from JSON | |
| id: set_var | |
| run: | | |
| content=$(cat /tmp/environment_pipeline_tasks_config.json) | |
| content="${content//'%'/'%25'}" | |
| content="${content//$'\n'/'%0A'}" | |
| content="${content//$'\r'/'%0D'}" | |
| echo "configJson=${content}" >> $GITHUB_OUTPUT | |
| - name: Extract Admin FQDN from JSON | |
| id: admin_fqdn | |
| env: | |
| configJson: ${{steps.set_var.outputs.configJson}} | |
| run: | | |
| echo "value=${{ fromJson(env.configJson).admin_fqdn }}" >> $GITHUB_OUTPUT | |
| - name: Extract Front FQDN from JSON | |
| id: front_fqdn | |
| run: | | |
| echo "value=${{ fromJson(steps.set_var.outputs.configJson).front_fqdn }}" >> $GITHUB_OUTPUT | |
| cypress_tests_Signup_StichedPF: | |
| name: Run Cypress tests - @Signup,@StitchedPF | |
| uses: ./.github/workflows/cypress_tests.yml | |
| needs: | |
| - preprod_terraform_outputs | |
| - run_preproduction_seed_db_task | |
| with: | |
| admin_url: https://${{ needs.preprod_terraform_outputs.outputs.admin_fqdn }} | |
| front_url: https://${{ needs.preprod_terraform_outputs.outputs.front_fqdn }} | |
| account_id: "987830934591" | |
| cypress_tags: "@Signup,@StitchedPF" | |
| secrets: inherit | |
| cypress_tests_Signup_StichedHW: | |
| name: Run Cypress tests - @Signup,@StitchedHW | |
| uses: ./.github/workflows/cypress_tests.yml | |
| needs: | |
| - preprod_terraform_outputs | |
| - run_preproduction_seed_db_task | |
| with: | |
| admin_url: https://${{ needs.preprod_terraform_outputs.outputs.admin_fqdn }} | |
| front_url: https://${{ needs.preprod_terraform_outputs.outputs.front_fqdn }} | |
| account_id: "987830934591" | |
| cypress_tags: "@Signup,@StitchedHW" | |
| secrets: inherit | |
| cypress_tests_SignupIncluded: | |
| name: Run Cypress tests - @SignupIncluded | |
| uses: ./.github/workflows/cypress_tests.yml | |
| needs: | |
| - preprod_terraform_outputs | |
| - run_preproduction_seed_db_task | |
| with: | |
| admin_url: https://${{ needs.preprod_terraform_outputs.outputs.admin_fqdn }} | |
| front_url: https://${{ needs.preprod_terraform_outputs.outputs.front_fqdn }} | |
| account_id: "987830934591" | |
| cypress_tags: "@SignupIncluded" | |
| secrets: inherit | |
| # Remaining tests should ultimately just exclude SignUp and anything already done as part of stitched run. | |
| # TODO CorrespondentReuse needs refactoring so that it can be included as part of the stitchedClone run. | |
| cypress_tests_Remaining: | |
| name: Run Cypress tests - Remaining | |
| uses: ./.github/workflows/cypress_tests.yml | |
| needs: | |
| - preprod_terraform_outputs | |
| - run_preproduction_seed_db_task | |
| with: | |
| admin_url: https://${{ needs.preprod_terraform_outputs.outputs.admin_fqdn }} | |
| front_url: https://${{ needs.preprod_terraform_outputs.outputs.front_fqdn }} | |
| account_id: "987830934591" | |
| cypress_tags: "@Signup,not @Signup and not @PartOfStitchedRun and not @StitchedHW and not @StitchedPF and not @StitchedClone and not @CorrespondentReuse and not @SignupIncluded and not @AdminSystemMessage and not @CheckoutPaymentGateway" | |
| secrets: inherit | |
| locust_tests: | |
| name: Run locust tests | |
| uses: ./.github/workflows/locust_tests.yml | |
| needs: | |
| - preprod_terraform_outputs | |
| - run_preproduction_seed_db_task | |
| with: | |
| front_url: https://${{ needs.preprod_terraform_outputs.outputs.front_fqdn }} | |
| account_id: "987830934591" | |
| secrets: inherit | |
| slack_msg_production_deploy_begin: | |
| name: Annouce Production Deployment | |
| runs-on: ubuntu-latest | |
| outputs: | |
| ts: ${{ steps.slack.outputs.ts }} | |
| thread_ts: ${{ steps.slack.outputs.thread_ts }} | |
| needs: | |
| - cypress_tests_Signup_StichedPF | |
| - cypress_tests_Signup_StichedHW | |
| - cypress_tests_SignupIncluded | |
| - cypress_tests_Remaining | |
| - set_variables | |
| steps: | |
| - id: slack | |
| uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 | |
| with: | |
| channel-id: "C9PNCT2KS" | |
| payload: | | |
| { | |
| "icon_emoji": ":robot_face:", | |
| "blocks": [ | |
| { | |
| "type": "header", | |
| "text": { | |
| "type": "plain_text", | |
| "text": "Production Deployment", | |
| "emoji": true | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Status:*\nStarted :hourglass_flowing_sand:" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Started by:*\n ${{ github.triggering_actor }}" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Commit:*\n <https://github.com/ministryofjustice/opg-lpa/commit/${{ github.sha }}|${{ needs.set_variables.outputs.short_sha }}>" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "<https://github.com/ministryofjustice/opg-lpa/actions/runs/${{github.run_id}}|View workflow>" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN}} | |
| terraform_account_production: | |
| name: TF Production - Account | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
| needs: | |
| - slack_msg_production_deploy_begin | |
| - set_variables | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.account_terraform_version }} | |
| terraform_workspace: production | |
| is_ephemeral: false | |
| terraform_apply: true | |
| terraform_directory: ./terraform/account | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| terraform_region_production: | |
| name: TF Production - Region | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
| needs: | |
| - slack_msg_production_deploy_begin | |
| - set_variables | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.region_terraform_version }} | |
| terraform_workspace: production | |
| is_ephemeral: false | |
| terraform_apply: true | |
| terraform_directory: ./terraform/region | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| terraform_environment_production: | |
| name: TF Production - Environment | |
| uses: ministryofjustice/opg-github-workflows/.github/workflows/[email protected] | |
| with: | |
| terraform_version: ${{ needs.set_variables.outputs.environment_terraform_version }} | |
| terraform_workspace: production | |
| is_ephemeral: false | |
| terraform_apply: true | |
| terraform_directory: ./terraform/environment | |
| use_ssh_private_key: true | |
| persist_artifacts: true | |
| terraform_variables: "-var container_version=main-${{ needs.set_variables.outputs.semver_tag }}" | |
| needs: | |
| - docker_build_scan_push | |
| - slack_msg_production_deploy_begin | |
| - set_variables | |
| secrets: | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PAGERDUTY_TOKEN: ${{ secrets.PAGERDUTY_TOKEN }} | |
| AWS_ACCESS_KEY_ID_ACTIONS: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
| AWS_SECRET_ACCESS_KEY_ACTIONS: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| run_smoke_tests: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| smoke_test_status: ${{ steps.smoke_tests.outputs.smoke_test_status }} | |
| needs: | |
| - terraform_environment_production | |
| - terraform_region_production | |
| - terraform_account_production | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| - name: Download Terraform Task definition | |
| uses: actions/[email protected] | |
| with: | |
| name: terraform-artifact | |
| path: /tmp/ | |
| - name: Setup Python | |
| uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 | |
| with: | |
| python-version: '3.9' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r scripts/pipeline/requirements.txt | |
| - name: Run smoke tests | |
| id: smoke_tests | |
| run: | | |
| if python scripts/pipeline/healthcheck_test/healthcheck_test.py; then | |
| echo "smoke_test_status=passed" >> $GITHUB_OUTPUT | |
| else | |
| echo "smoke_test_status=failed" >> $GITHUB_OUTPUT | |
| fi | |
| slack_msg_production_deployed: | |
| name: Post-Deployment Slack message | |
| runs-on: ubuntu-latest | |
| if: always() | |
| needs: | |
| - slack_msg_production_deploy_begin | |
| - run_smoke_tests | |
| - set_variables | |
| steps: | |
| - uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 | |
| if: needs.run_smoke_tests.outputs.smoke_test_status == 'passed' | |
| with: | |
| channel-id: "C9PNCT2KS" | |
| update-ts: ${{ needs.slack_msg_production_deploy_begin.outputs.ts }} | |
| payload: | | |
| { | |
| "icon_emoji": ":robot_face:", | |
| "blocks": [ | |
| { | |
| "type": "header", | |
| "text": { | |
| "type": "plain_text", | |
| "text": "Production Deployment", | |
| "emoji": true | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Status:*\nComplete :white_check_mark:" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Started by:*\n ${{ github.triggering_actor }}" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Commit:*\n <https://github.com/ministryofjustice/opg-lpa/commit/${{ github.sha }}|${{ needs.set_variables.outputs.short_sha }}>" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "<https://github.com/ministryofjustice/opg-lpa/actions/runs/${{github.run_id}}|View workflow>" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| - uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 | |
| if: needs.run_smoke_tests.outputs.smoke_test_status != 'passed' | |
| with: | |
| channel-id: "C9PNCT2KS" | |
| update-ts: ${{ needs.slack_msg_production_deploy_begin.outputs.ts }} | |
| payload: | | |
| { | |
| "icon_emoji": ":robot_face:", | |
| "blocks": [ | |
| { | |
| "type": "header", | |
| "text": { | |
| "type": "plain_text", | |
| "text": "Production Deployment", | |
| "emoji": true | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Status:*\nFailed! :x:" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Started by:*\n ${{ github.triggering_actor }}" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "section", | |
| "fields": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Commit:*\n <https://github.com/ministryofjustice/opg-lpa/commit/${{ github.sha }}|${{ needs.set_variables.outputs.short_sha }}>" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "<https://github.com/ministryofjustice/opg-lpa/actions/runs/${{github.run_id}}|View workflow>" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| - uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1 | |
| if: needs.run_smoke_tests.outputs.smoke_test_status != 'passed' | |
| with: | |
| channel-id: "C9PNCT2KS" | |
| payload: | | |
| { | |
| "icon_emoji": ":warning:", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "Production Make deployment failed. Please check the <https://github.com/ministryofjustice/opg-lpa/actions/runs/${{github.run_id}}|workflow> for more details. <!here>" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} |