# Manually dispatched deployment workflow: whoever triggers it selects the
# target environment from a fixed list.
name: deploy

on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        options:
          - dev
          - staging
          - production
        required: true

# A newer run in the same group does not cancel one that is already in
# progress, so a deployment that has started is left to finish.
# NOTE(review): the group is keyed on the ref, not on the chosen environment,
# so runs dispatched from different refs against the same environment are not
# serialised by this setting. Confirm that is intended.
concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: false
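jobs:
  # Builds and tests the solution, pushes four container images to ECR, then
  # rolls out migrations, seeding and the application with Helm.
  deploy:
    runs-on: ubuntu-latest
    # Ties the run to the selected GitHub environment, so that environment's
    # secrets, variables and any protection rules configured for it apply.
    environment: ${{ inputs.environment }}
    # Least privilege: only the OIDC token and read access to the repository.
    permissions:
      id-token: write  # Required for requesting the OIDC JWT
      contents: read  # Required for actions/checkout
    steps:
      # Every third-party action below is pinned to a full commit SHA rather
      # than a mutable tag, so a retagged release cannot change what runs.
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: Setup .NET
        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7
        with:
          global-json-file: global.json

      - name: Restore dependencies
        run: dotnet restore

      - name: Build
        run: dotnet build --configuration Release --no-restore

      - name: Test
        run: dotnet test --configuration Release --no-build --verbosity normal

      # Assumes the role through the workflow's OIDC token; no static AWS
      # access keys are passed to this step.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@56d6a583f00f6bad6d19d91d53a7bc3b8143d0e9
        with:
          role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
          aws-region: ${{ vars.ECR_REGION }}

      - name: Login to ECR
        uses: aws-actions/amazon-ecr-login@33f92af657bba1882ab79d8621debd2f6769a0c9
        id: login-ecr

      # The image reference is composed once in env and used quoted in the
      # script, so the registry and repository values reach the shell as data
      # instead of being spliced into the script text. The same pattern is
      # used for all four images.
      - name: Build and Push Server.UI Container
        run: |
          docker build \
            -f src/Server.UI/Dockerfile \
            -t "${IMAGE}" \
            .
          docker push "${IMAGE}"
        env:
          IMAGE: ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:cats-${{ github.sha }}

      - name: Build and Push Worker Container
        run: |
          docker build \
            -f src/Worker/Dockerfile \
            -t "${IMAGE}" \
            .
          docker push "${IMAGE}"
        env:
          IMAGE: ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:worker-${{ github.sha }}

      - name: Build and Push DatabaseSeeding Container
        run: |
          docker build \
            -f src/DatabaseSeeding/Dockerfile \
            -t "${IMAGE}" \
            .
          docker push "${IMAGE}"
        env:
          IMAGE: ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:seeder-${{ github.sha }}

      - name: Build and Push DatabaseMigrator Container
        run: |
          docker build \
            -f src/Database/Dockerfile \
            -t "${IMAGE}" \
            .
          docker push "${IMAGE}"
        env:
          IMAGE: ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:migrator-${{ github.sha }}

      # Version is the build date plus the workflow run number.
      - name: Generate app version
        id: version
        run: echo "app_version=$(date +'%Y.%m.%d').${{ github.run_number }}" >> "$GITHUB_OUTPUT"

      - name: Setup Helm
        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4  # v4.3.1
        with:
          version: v3.21.2

      # The CA certificate and the service-account token are handed to the
      # script through env rather than interpolated into its text: expression
      # interpolation pastes the secret into the script before the shell
      # parses it, so any quote or metacharacter in the value would be
      # interpreted as shell syntax. All expansions are quoted for the same
      # reason. kubectl stores the token in the runner's kubeconfig and the
      # certificate in ./ca.crt for the remaining steps of this job.
      - name: Configure kubectl
        run: |
          set -euo pipefail
          printf '%s\n' "${KUBE_CERT}" > ca.crt
          kubectl config set-cluster "${KUBE_CLUSTER}" --certificate-authority=./ca.crt --server="https://${KUBE_CLUSTER}"
          kubectl config set-credentials deploy-user --token="${KUBE_TOKEN}"
          kubectl config set-context "${KUBE_CLUSTER}" --cluster="${KUBE_CLUSTER}" --user=deploy-user --namespace="${KUBE_NAMESPACE}"
          kubectl config use-context "${KUBE_CLUSTER}"
        env:
          KUBE_CERT: ${{ secrets.KUBE_CERT }}
          KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
          KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}

      # NOTE(review): `helm dependency update` re-resolves chart versions from
      # the remote repository on every run. If a Chart.lock is committed,
      # `helm dependency build` would install exactly the locked versions.
      # Confirm which behaviour is wanted.
      - name: Build Helm dependencies
        run: |
          set -euo pipefail
          helm repo add hmpps-helm-charts https://ministryofjustice.github.io/hmpps-helm-charts
          helm dependency update ./helm_deploy/cats

      # The three Helm steps below take the chosen environment from env and
      # use it quoted when building the values-file path, so the workflow
      # input never becomes part of the script text.
      - name: Run database migrations
        run: |
          set -euo pipefail
          helm upgrade --install cats-migrate ./helm_deploy/cats \
            --namespace "${KUBE_NAMESPACE}" \
            --values "./helm_deploy/cats/values-${ENVIRONMENT}.yaml" \
            --set migrator.enabled=true \
            --set serviceAccountName="${KUBE_NAMESPACE}" \
            --set migrator.image.repository="${REGISTRY}/${REPOSITORY}" \
            --set migrator.image.tag="migrator-${{ github.sha }}" \
            --timeout 5m
          kubectl -n "${KUBE_NAMESPACE}" wait --for=jsonpath='{.status.phase}'=Succeeded --timeout=300s pod -l app=migrator
        env:
          ENVIRONMENT: ${{ inputs.environment }}
          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: ${{ vars.ECR_REPOSITORY }}

      - name: Seed the database
        run: |
          set -euo pipefail
          helm upgrade --install cats-seed ./helm_deploy/cats \
            --namespace "${KUBE_NAMESPACE}" \
            --values "./helm_deploy/cats/values-${ENVIRONMENT}.yaml" \
            --set seeder.enabled=true \
            --set serviceAccountName="${KUBE_NAMESPACE}" \
            --set seeder.image.repository="${REGISTRY}/${REPOSITORY}" \
            --set seeder.image.tag="seeder-${{ github.sha }}" \
            --timeout 5m
          kubectl -n "${KUBE_NAMESPACE}" wait --for=jsonpath='{.status.phase}'=Succeeded --timeout=300s pod -l app=seeder
        env:
          ENVIRONMENT: ${{ inputs.environment }}
          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: ${{ vars.ECR_REPOSITORY }}

      # --atomic rolls the release back if the upgrade does not become ready
      # within the timeout.
      - name: Deploy CATS and Worker
        run: |
          set -euo pipefail
          IMAGE_REPOSITORY="${REGISTRY}/${REPOSITORY}"
          helm upgrade --install cats ./helm_deploy/cats \
            --namespace "${KUBE_NAMESPACE}" \
            --values "./helm_deploy/cats/values-${ENVIRONMENT}.yaml" \
            --set app.enabled=true \
            --set worker.enabled=true \
            --set rabbitmq.enabled=true \
            --set redis.enabled=true \
            --set serviceAccountName="${KUBE_NAMESPACE}" \
            --set app.serviceAccountName="${KUBE_NAMESPACE}" \
            --set app.image.repository="${IMAGE_REPOSITORY}" \
            --set app.image.tag="cats-${{ github.sha }}" \
            --set app.env.Sentry__Release="${APP_VERSION}" \
            --set app.env.AppConfigurationSettings__Version="${APP_VERSION}" \
            --set worker.serviceAccountName="${KUBE_NAMESPACE}" \
            --set worker.image.repository="${IMAGE_REPOSITORY}" \
            --set worker.image.tag="worker-${{ github.sha }}" \
            --set worker.env.Sentry__Release="${APP_VERSION}" \
            --set worker.env.AppConfigurationSettings__Version="${APP_VERSION}" \
            --atomic --wait --timeout 10m
        env:
          ENVIRONMENT: ${{ inputs.environment }}
          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: ${{ vars.ECR_REPOSITORY }}
          APP_VERSION: ${{ steps.version.outputs.app_version }}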