govuk-one-login
diff --git a/‎.github/workflows/_secure-pipeline-deploy.yml‎
Lines changed: 107 additions & 0 deletions b/‎.github/workflows/_secure-pipeline-deploy.yml‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎.github/workflows/cleanup.yml‎
Lines changed: 74 additions & 0 deletions b/‎.github/workflows/cleanup.yml‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎.github/workflows/deploy-dev.yml‎
Lines changed: 21 additions & 0 deletions b/‎.github/workflows/deploy-dev.yml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎.github/workflows/deploy-preview.yml‎
Lines changed: 80 additions & 0 deletions b/‎.github/workflows/deploy-preview.yml‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎.github/workflows/post-merge.yml‎
Lines changed: 56 additions & 7 deletions b/‎.github/workflows/post-merge.yml‎
Lines changed: 56 additions & 7 deletions
@@ -0,0 +1,107 @@
+name: Build and deploy
+
+on:
+  workflow_call:
+    secrets:
+      role_arn:
+        required: true
+      artifact_bucket:
+        required: true
+      # ecr_repository_test:
+      #   required: true
+      # ecr_repository_traffic_test:
+      #   required: true
+      # container_sign_kms_key:
+      #   required: true
+      signing_profile:
+        required: true
+      # environment:
+      #   required: true
+      # dynatrace_paas_token:
+      #   required: true
+    inputs:
+      region:
+        required: false
+        type: string
+        default: eu-west-2
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  # test-images-build-and-push:
+  #   name: Build and push test images
+  #   runs-on: ubuntu-latest
+  #   env:
+  #     AWS_REGION: eu-west-2
+  #     ENVIRONMENT: ${{ secrets.environment }}
+  # is this needed?
+  # could these run in paralell?
+  # steps:
+  # why ?
+  # - name: Login to Dynatrace Container Registry
+  #   uses: docker/login-action@v4
+  #   with:
+  #     registry: khw46367.live.dynatrace.com
+  #     username: khw46367
+  #     password: ${{ secrets.dynatrace_paas_token }}
+
+  # # this checkouts, sets up AWS creds and logs into docker registry
+  # - name: Test image build and push
+  #   uses: uses: govuk-one-login/devplatform-upload-action-ecr@v1.5.0
+  #   with:
+  #     role-to-assume-arn: ${{ secrets.role_arn }}
+  #     build-and-push-image-only: true
+  #     working-directory: test
+  #     artifact-bucket-name: "" # ? shouldnt that be optional?
+  #     ecr-repo-name: ${{ secrets.ecr_repository_test }}
+  #     push-latest-tag: true
+  #     container-sign-kms-key-arn: ${{ secrets.container_sign_kms_key }} # ?
+
+  # # this checkouts, sets up AWS creds and logs into docker registry
+  # - name: Traffic test image build and push
+  #   uses: uses: govuk-one-login/devplatform-upload-action-ecr@v1.5.0
+  #   with:
+  #     role-to-assume-arn: ${{ secrets.role_arn }}
+  #     build-and-push-image-only: true
+  #     working-directory: test
+  #     artifact-bucket-name: "" # ? shouldnt that be optional?
+  #     ecr-repo-name: ${{ secrets.ecr_repository_traffic_test }}
+  #     dockerfile: Dockerfile-traffictest # think about name
+  #     push-latest-tag: true # ?
+  #     container-sign-kms-key-arn: ${{ secrets.container_sign_kms_key }} # ?
+  # UNCOMMENT LAST in case cosign blocks ^
+  # hopefully can run pipeline without test images - might have to change terraform for build?
+  # hasn't blocked front though - whats the difference?
+
+  deploy:
+    name: Deploy stack
+    runs-on: ubuntu-latest
+    # needs: test-images-build-and-push
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Assume temporary AWS role
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        with:
+          role-to-assume: ${{ secrets.role_arn }}
+          aws-region: ${{ inputs.region }}
+
+      - name: SAM validate
+        run: sam validate --region ${{ inputs.region }} -t deploy/template.yaml --lint
+
+      - name: SAM build
+        run: |
+          mkdir out
+          sam build -t deploy/template.yaml --region ${{ inputs.region }} -b out/
+
+      - name: SAM Deploy
+        # concurrency and cancel in progress false
+        uses: govuk-one-login/devplatform-upload-action@v3.13.0
+        with:
+          aws-role-arn: ${{ secrets.role_arn}}
+          artifact-bucket-name: ${{ secrets.artifact_bucket }}
+          signing-profile-name: ${{ secrets.signing_profile }}
+          working-directory: ./out
@@ -0,0 +1,74 @@
+name: Clean up stacks and log groups
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Every weekday at 9am
+    - cron: '0 9 * * 1-5'
+
+permissions:
+  id-token: write
+
+# concurrency: cleanup-dev-${{ github.head_ref || github.ref_name }}
+
+jobs:
+  delete-stacks:
+    name: Delete stale stacks
+    runs-on: ubuntu-latest
+    # environment: development
+    steps:
+      - name: Assume AWS Role
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        with:
+          role-to-assume: ${{ secrets.DEV_GHA_ROLE_ARN }}
+          aws-region: eu-west-2
+
+      - name: Get stale preview stacks
+        uses: govuk-one-login/github-actions/sam/get-stale-stacks@b6494ab79812830486ab6cc1838999d2e1dfba7d
+        with:
+          threshold-days: 14
+          stack-name-filter: preview
+          stack-tag-filters: |
+            cri:deployment-source=github-actions
+            cri:stack-type=preview
+          description: preview
+          env-var-name: PREVIEW_STACKS
+
+      - name: Get stale manually deployed stacks
+        uses: govuk-one-login/github-actions/sam/get-stale-stacks@b6494ab79812830486ab6cc1838999d2e1dfba7d
+        with:
+          threshold-days: 90
+          stack-tag-filters: |
+            cri:component=ipv-cri-ob-api
+            cri:stack-type=dev
+            cri:application=Lime
+            cri:deployment-source=manual
+          description: manually deployed
+          env-var-name: MANUALLY_DEPLOYED_STACKS
+
+      - name: Delete stale preview stacks
+        if: ${{ env.PREVIEW_STACKS != null }}
+        uses: govuk-one-login/github-actions/sam/delete-stacks@2518d831abb4ec03fa3125619507f932966f2833
+        with:
+          stack-names: ${{ env.PREVIEW_STACKS }}
+          verbose: true
+
+      - name: Delete stale manually deployed stacks
+        if: ${{ env.MANUALLY_DEPLOYED_STACKS != null }}
+        uses: govuk-one-login/github-actions/sam/delete-stacks@2518d831abb4ec03fa3125619507f932966f2833
+        with:
+          stack-names: ${{ env.MANUALLY_DEPLOYED_STACKS }}
+          verbose: true
+
+  delete-log-groups:
+    name: Delete stale log groups
+    runs-on: ubuntu-latest
+    steps:
+      - uses: govuk-one-login/github-actions/sam/delete-stale-log-groups@8d9b70ea03249a138db2b04c02071d7826cb00d9
+        with:
+          aws-role-arn: ${{ secrets.DEV_GHA_ROLE_ARN }}
+          cutoff-days: '30'
+          limit: '300'
+          safe-patterns: '/preview-|^API-Gateway-Execution-Logs_'
+          destructive: true
+          verbose: true
@@ -0,0 +1,21 @@
+name: Deploy branch to dev
+on:
+  workflow_dispatch:
+  pull_request: # temp
+
+jobs:
+  deploy-dev:
+    name: Deploy to dev
+    permissions:
+      id-token: write
+      contents: read
+    uses: ./.github/workflows/_secure-pipeline-deploy.yml
+    secrets:
+      role_arn: ${{ secrets.DEV_GHA_ROLE_ARN }}
+      artifact_bucket: ${{ secrets.DEV_ARTIFACT_BUCKET }}
+      # ecr_repository_test: ${{ secrets.DEV_TEST_ECR_REPOSITORY }}
+      # ecr_repository_traffic_test: ${{ secrets.DEV_TRAFFIC_TEST_ECR_REPOSITORY }}
+      # container_sign_kms_key: $ {{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}
+      signing_profile: ${{ secrets.DEV_SIGNING_PROFILE_NAME }}
+      # environment: development
+      # dynatrace_paas_token: ${{ secrets.DYNATRACE_PAAS_TOKEN }}
@@ -0,0 +1,80 @@
+name: Deploy preview
+
+on:
+  workflow_dispatch:
+  workflow_call:
+    # if I want to make this triggerable without PR, need to add conditionals for secrets
+    secrets:
+      role_arn:
+        required: true
+      bucket_name:
+        required: true
+    outputs:
+      stack-name:
+        value: ${{ jobs.deploy-preview.outputs.stack-name }}
+      aws-region:
+        value: ${{ jobs.deploy-preview.outputs.aws-region}}
+      # sha-short:
+      #   value: ${{ jobs.build-preview.outputs.sha-short }}
+
+permissions: {}
+
+jobs:
+  build-preview:
+    name: Build app
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    # concurrency:
+    #   group: build-development-${{ github.head_ref || github.ref_name }}
+    outputs:
+      sha-short: ${{ steps.get-sha.outputs.sha-short }}
+    steps:
+      - name: Get short SHA
+        id: get-sha
+        run: echo "sha-short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+
+      - name: Build app
+        uses: govuk-one-login/github-actions/sam/build-application@c35aa8daed14bd1b102f6c55afdf77eaeb958954
+        with:
+          template: deploy/template.yaml
+          cache-name: ipv-cri-ob-api-${{ steps.get-sha.outputs.sha-short }}
+          role-to-assume-arn: ${{ secrets.role_arn }}
+          pull-repository: true
+
+  deploy-preview:
+    name: Deploy stack
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    timeout-minutes: 15
+    needs: build-preview
+    # concurrency:
+    #   group: deploy-development-${{ github.head_ref || github.ref_name }}
+    # environment: development
+    outputs:
+      aws-region: ${{ steps.deploy.outputs.aws-region }}
+      stack-name: ${{ steps.deploy.outputs.stack-name }}
+    steps:
+      - name: Deploy stack
+        uses: govuk-one-login/github-actions/sam/deploy-stack@c35aa8daed14bd1b102f6c55afdf77eaeb958954
+        id: deploy
+        with:
+          aws-role-arn: ${{ secrets.role_arn }}
+          s3-prefix: preview
+          sam-deployment-bucket: ${{ secrets.bucket_name }}
+          stack-name: preview-${{ needs.build-preview.outputs.sha-short}}
+          cache-name: ipv-cri-ob-api-${{ needs.build-preview.outputs.sha-short}}
+          delete-failed-stack: true
+          # do we want disable rollback? I reckon so...
+
+          tags: |
+            cri:component=ipv-cri-ob-api
+            cri:stack-type=preview
+            cri:application=Lime
+            cri:deployment-source=github-actions
+          parameters: |
+            DeploymentType=not-pipeline
+            Environment=dev
+            ParameterPrefix="ipv-cri-ob-api"
@@ -4,22 +4,71 @@ on:
   push:
     branches:
       - main
+  # pull_request: # temp
+
+permissions: {}
 
 jobs:
-  sonar-scan:
+  unit-tests:
     runs-on: ubuntu-latest
     permissions:
       contents: read
     steps:
+      # this can be condensed with a shared action
       - name: Checkout
         uses: actions/checkout@v6
-        with:
-          fetch-depth: 0 # required for sonar
+
       - name: Setup Node
         uses: ./.github/actions/node-setup
+
       - name: Unit tests
         run: npm run test:coverage
-      - name: Sonar scan
-        uses: SonarSource/sonarqube-scan-action@v7.0.0
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage/
+          retention-days: 1
+
+  sonar-scan:
+    name: Sonar scan
+    runs-on: ubuntu-latest
+    needs: unit-tests
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run Sonar scan
+        uses: govuk-one-login/github-actions/code-quality/sonarcloud@9d6ee027d0b9167dfc25e67124951956278bb585
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          sonar-token: ${{ secrets.SONAR_TOKEN }}
+          coverage-artifact: coverage
+          coverage-run-id: ${{ github.run_id }}
+
+  # deploy-dev:
+  #   uses: ./.github/workflows/_secure-pipeline-deploy.yml
+  #   permissions:
+  #     id-token: write
+  #     contents: read
+  #   secrets:
+  #     role_arn: ${{ secrets.DEV_GH_ACTIONS_ROLE_ARN }}
+  #     artifact_bucket: ${{ secrets.DEV_ARTIFACT_BUCKET }}
+  #     container_sign_kms_key: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}
+  #     ecr_repository: ${{ secrets.DEV_ECR_REPOSITORY }}
+  #     dynatrace_paas_token: ${{ secrets.DYNATRACE_PAAS_TOKEN }}
+
+  #   deploy-build:
+  #   uses: ./.github/workflows/_deploy.yml
+  #   permissions:
+  #     id-token: write
+  #     contents: read
+  #   secrets:
+  #     role_arn: ${{ secrets.BUILD_GH_ACTIONS_ROLE_ARN }}
+  #     artifact_bucket: ${{ secrets.BUILD_ARTIFACT_BUCKET }}
+  #     container_sign_kms_key: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }}
+  #     ecr_repository: ${{ secrets.BUILD_ECR_REPOSITORY }}
+  #     dynatrace_paas_token: ${{ secrets.DYNATRACE_PAAS_TOKEN }}