Merge pull request #434 from espoon-voltti/dependabot/npm_and_yarn/fr… #843
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-FileCopyrightText: 2023-2024 City of Espoo | |
| # | |
| # SPDX-License-Identifier: LGPL-2.1-or-later | |
| name: Build | |
| on: | |
| - push | |
| env: | |
| AWS_REGION: eu-north-1 | |
| ECR_REGISTRY: 095341522062.dkr.ecr.eu-north-1.amazonaws.com | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| lint-shell: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: espoon-voltti/voltti-actions/shellcheck@master | |
| check-licenses: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Reuse Compliance Check | |
| uses: fsfe/reuse-action@v5 | |
| dockerize: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - name: oppivelvollisuus/frontend | |
| path: frontend | |
| - name: oppivelvollisuus/api-gateway | |
| path: api-gateway | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build image | |
| uses: espoon-voltti/voltti-actions/docker-build-push@master | |
| id: build | |
| with: | |
| path: ${{ matrix.path }} | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
| AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| registry: ${{ env.ECR_REGISTRY }} | |
| name: ${{ matrix.name }} | |
| build-args: | | |
| build=${{ github.run_number }} | |
| commit=${{ github.sha }} | |
| - name: Build and run unit tests | |
| uses: espoon-voltti/voltti-actions/docker-build-push@master | |
| id: test | |
| with: | |
| push: false | |
| path: ${{ matrix.path }} | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
| AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| registry: ${{ env.ECR_REGISTRY }} | |
| name: ${{ matrix.name }}-test | |
| build-args: | | |
| build=${{ github.run_number }} | |
| commit=${{ github.sha }} | |
| target: test | |
| service: | |
| runs-on: ubuntu-latest | |
| env: | |
| name: oppivelvollisuus/service | |
| path: service | |
| builder: builder | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build image | |
| uses: espoon-voltti/voltti-actions/docker-build-push@master | |
| id: build | |
| with: | |
| path: ${{ env.path }} | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
| AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| registry: ${{ env.ECR_REGISTRY }} | |
| name: ${{ env.name }} | |
| build-args: | | |
| build=${{ github.run_number }} | |
| commit=${{ github.sha }} | |
| - name: Build builder | |
| uses: espoon-voltti/voltti-actions/docker-build-push@master | |
| id: builder | |
| with: | |
| path: ${{ env.path }} | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
| AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| registry: ${{ env.ECR_REGISTRY }} | |
| name: ${{ env.name }}-${{ env.builder }} | |
| build-args: | | |
| build=${{ github.run_number }} | |
| commit=${{ github.sha }} | |
| target: ${{ env.builder }} | |
| outputs: | |
| image: ${{ steps.build.outputs.image }} | |
| image_name: ${{ steps.build.outputs.image_name }} | |
| builder_image: ${{ steps.builder.outputs.image }} | |
| builder_image_name: ${{ steps.builder.outputs.image_name }} | |
| owasp: | |
| if: ${{ github.actor != 'dependabot[bot]' }} | |
| needs: | |
| - service | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-to-assume: ${{ secrets.AWS_ROLE }} | |
| role-duration-seconds: 1200 | |
| - name: Login to Amazon ECR | |
| id: ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| with: | |
| mask-password: 'true' | |
| - name: Cache dependency check database | |
| uses: actions/cache@v4 | |
| with: | |
| path: dependency-check-data | |
| key: dependency-check-data-${{ github.run_id }}-${{ github.run_attempt }} | |
| restore-keys: | | |
| dependency-check-data- | |
| - name: Run service OWASP tests | |
| shell: bash | |
| run: | | |
| docker run --rm \ | |
| -e NVD_API_KEY=${{ secrets.NVD_API_KEY }} \ | |
| -v $(pwd)/dependency-check-data:/root/.gradle/dependency-check-data \ | |
| ${{ needs.service.outputs.builder_image }} \ | |
| sh -c "./gradlew --no-daemon dependencyCheckUpdate && ./gradlew --no-daemon dependencyCheckAnalyze" | |
| test: | |
| runs-on: ubuntu-latest | |
| needs: service | |
| env: | |
| BUILD: "false" | |
| TAG: "${{ github.event.pull_request.head.sha || github.sha }}" | |
| defaults: | |
| run: | |
| working-directory: compose | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Configure AWS credentials | |
| if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }} | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-to-assume: ${{ secrets.AWS_ROLE }} | |
| role-duration-seconds: 1200 | |
| - name: Login to Amazon ECR | |
| if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }} | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| - name: Pull images | |
| if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }} | |
| run: | | |
| ./test-compose pull | |
| - name: Build images | |
| if: ${{ github.actor == 'dependabot[bot]' || github.event.pull_request.head.repo.fork }} | |
| run: | | |
| ./test-compose build --parallel | |
| - name: Run tests | |
| run: | | |
| set -o pipefail | |
| ./test-compose run service-tests | tee tests.log | |
| - name: Get logs | |
| if: always() | |
| run: | | |
| ./test-compose logs > tests-all.log | |
| - name: Store logs | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: integration-test-results | |
| path: | | |
| compose/tests.log | |
| compose/tests-all.log | |
| retention-days: 2 | |
| e2e-test: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - service | |
| - dockerize | |
| env: | |
| BUILD: "false" | |
| TAG: "${{ github.event.pull_request.head.sha || github.sha }}" | |
| defaults: | |
| run: | |
| working-directory: compose | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Configure AWS credentials | |
| if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }} | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-to-assume: ${{ secrets.AWS_ROLE }} | |
| role-duration-seconds: 1200 | |
| - name: Login to Amazon ECR | |
| if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }} | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| - name: Pull images | |
| if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }} | |
| run: | | |
| ./e2e-test-compose pull | |
| - name: Build images | |
| if: ${{ github.actor == 'dependabot[bot]' || github.event.pull_request.head.repo.fork }} | |
| run: | | |
| ./e2e-test-compose build --parallel | |
| - name: Start dependencies | |
| run: | | |
| ./e2e-test-compose up -d oppivelvollisuus-db redis frontend api-gateway | |
| - name: Run e2e tests | |
| run: | | |
| set -o pipefail | |
| ./e2e-test-compose up --exit-code-from service-e2e-tests service-e2e-tests | tee tests.log | |
| - name: Get logs | |
| if: always() | |
| run: | | |
| ./e2e-test-compose logs > tests-all.log | |
| - name: Store logs | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: e2e-test-results | |
| path: | | |
| compose/tests.log | |
| compose/tests-all.log | |
| retention-days: 2 | |
| deploy: | |
| if: ${{ github.ref == 'refs/heads/master' }} | |
| runs-on: ubuntu-latest | |
| needs: | |
| - test | |
| - e2e-test | |
| - dockerize | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| environment: | |
| - staging | |
| - prod | |
| environment: | |
| name: ${{ matrix.environment }} | |
| steps: | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-to-assume: ${{ secrets.AWS_ROLE }} | |
| role-duration-seconds: 1200 | |
| - name: Retag | |
| run: | | |
| for repository in service api-gateway frontend; do | |
| MANIFEST=$(aws ecr batch-get-image --repository-name "oppivelvollisuus/$repository" --image-ids imageTag="${{ github.event.pull_request.head.sha || github.sha }}" --output json | jq --raw-output --join-output '.images[0].imageManifest') | |
| aws ecr put-image --repository-name "oppivelvollisuus/$repository" --image-tag "env-${{ matrix.environment }}" --image-manifest "$MANIFEST" | |
| done | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-to-assume: ${{ secrets.AWS_ROLE_ENVIRONMENT }} | |
| role-duration-seconds: 1200 | |
| unset-current-credentials: true | |
| - name: Deploy | |
| run: | | |
| aws ecs update-service \ | |
| --cluster "oppivelvollisuus-${{ matrix.environment }}" \ | |
| --service "oppivelvollisuus-${{ matrix.environment }}" \ | |
| --force-new-deployment | |
| aws ecs wait services-stable \ | |
| --cluster "oppivelvollisuus-${{ matrix.environment }}" \ | |
| --services "oppivelvollisuus-${{ matrix.environment }}" |