Skip to content

UML-3738: eventbridge & lambda permissions #6373

UML-3738: eventbridge & lambda permissions

UML-3738: eventbridge & lambda permissions #6373

name: "[Workflow] PR Environment"
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
defaults:
run:
shell: bash
on:
pull_request:
permissions:
contents: write
security-events: write
pull-requests: read
actions: none
checks: none
deployments: none
issues: none
packages: none
repository-projects: none
statuses: none
jobs:
cleanup_pr_workspaces:
name: cleanup pr workspaces
uses: ./.github/workflows/scheduled-workspace-cleanup.yml
secrets: inherit
if: |
always()
workflow_variables:
runs-on: ubuntu-latest
name: output workflow variables
outputs:
safe_branch_name: ${{ steps.safe_branch_name.outputs.safe }}
short_sha: ${{ steps.variables.outputs.short_sha }}
specific_path: ${{ steps.variables.outputs.path }}
workspace_name: ${{ steps.set_workspace_name.outputs.workspace_name }}
steps:
- uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb # pin@v3
with:
fetch-depth: 2
- name: Set safe branch name
id: safe_branch_name
uses: ministryofjustice/opg-github-actions/.github/actions/[email protected]
- name: get changed files in the admin folder
id: changed-files-admin
uses: tj-actions/changed-files@515a6b35d1d0948f7da6d5cdb347ed1600859795
with:
files: |
service-admin/**
- name: get changed files in the terraform folder
id: changed-files-terraform
uses: tj-actions/changed-files@515a6b35d1d0948f7da6d5cdb347ed1600859795
with:
files: |
terraform/**
- name: get changed docs files in any folder
id: changed-files-docs
uses: tj-actions/changed-files@515a6b35d1d0948f7da6d5cdb347ed1600859795
with:
files: |
**/*.md
- name: extract variables for workflow
id: variables
run: |
echo "short_sha=$(echo ${GITHUB_SHA:0:7})" >> $GITHUB_OUTPUT
if [[ ${{ steps.changed-files-terraform.outputs.only_changed }} = "true" ]]
then
echo "path=$(echo terraform)" >> $GITHUB_OUTPUT
elif [[ ${{ steps.changed-files-admin.outputs.only_changed }} = "true" ]]
then
echo "path=$(echo admin)" >> $GITHUB_OUTPUT
elif [[ ${{ steps.changed-files-docs.outputs.only_changed }} = "true" ]]
then
echo "path=$(echo docs)" >> $GITHUB_OUTPUT
else
echo "path=$(echo all)" >> $GITHUB_OUTPUT
fi
- name: show specific path
env:
SPECIFIC_PATH: ${{ steps.variables.outputs.path }}
run: |
echo "path chosen - $SPECIFIC_PATH"
- name: Set workspace name
id: set_workspace_name
run: |
echo "workspace_name=${{ github.event.number }}${{ steps.safe_branch_name.outputs.safe }}" >> $GITHUB_OUTPUT
update_documentation:
name: update documentation
runs-on: ubuntu-latest
needs:
- workflow_variables
steps:
- name: only update documentation
run: echo 'Only docs have changed - skipping rest of pipeline'
if: |
needs.workflow_variables.outputs.specific_path == 'docs'
terraform_lint:
name: lint terraform code
uses: ./.github/workflows/_lint-terraform.yml
needs:
- workflow_variables
with:
workspace: ${{ needs.workflow_variables.outputs.workspace_name }}
secrets: inherit
if: |
always() &&
needs.workflow_variables.result == 'success' &&
needs.workflow_variables.outputs.specific_path != 'docs'
node_test:
name: test node dependencies
uses: ./.github/workflows/_node-test.yml
needs:
- workflow_variables
if: |
always() &&
needs.workflow_variables.result == 'success' &&
needs.workflow_variables.outputs.specific_path == 'all'
node_build:
name: build node dependencies
uses: ./.github/workflows/_node-build.yml
needs:
- workflow_variables
if: |
always() &&
needs.workflow_variables.result == 'success' &&
needs.workflow_variables.outputs.specific_path == 'all'
docker_build_scan_push:
name: build, test, scan and push
uses: ./.github/workflows/_build-and-push.yml
needs:
- workflow_variables
- node_test
- node_build
with:
tag: ${{ needs.workflow_variables.outputs.safe_branch_name }}-${{ needs.workflow_variables.outputs.short_sha }}
branch_name: ${{ needs.workflow_variables.outputs.safe_branch_name }}
push_to_ecr: true
specific_path: ${{ needs.workflow_variables.outputs.specific_path }}
secrets: inherit
if: |
always() &&
needs.workflow_variables.outputs.specific_path != 'docs' &&
(needs.node_test.result == 'success' || needs.node_test.result == 'skipped') &&
(needs.node_build.result == 'success' || needs.node_build.result == 'skipped') &&
needs.workflow_variables.result == 'success'
code_coverage:
name: upload to code coverage
uses: ./.github/workflows/_codecov.yml
with:
specific_path: ${{ needs.workflow_variables.outputs.specific_path }}
needs:
- docker_build_scan_push
- workflow_variables
secrets: inherit
if: |
always() &&
( needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'failure' )
terraform_apply_shared_development:
name: terraform apply shared development
uses: ./.github/workflows/_run-terraform.yml
needs:
- terraform_lint
- workflow_variables
with:
workspace: development
terraform_path: account
specific_path: ${{ needs.workflow_variables.outputs.specific_path }}
apply: false
secrets: inherit
if: |
always() &&
needs.terraform_lint.result == 'success'
terraform_apply_environment:
name: terraform apply environment
uses: ./.github/workflows/_run-terraform.yml
needs:
- docker_build_scan_push
- terraform_lint
- workflow_variables
with:
workspace: ${{ needs.workflow_variables.outputs.workspace_name }}
terraform_path: environment
container_version: ${{ needs.workflow_variables.outputs.safe_branch_name }}-${{ needs.workflow_variables.outputs.short_sha }}
apply: true
specific_path: ${{ needs.workflow_variables.outputs.specific_path }}
add_ttl: true
secrets: inherit
if: |
always() &&
needs.terraform_lint.result == 'success' &&
needs.docker_build_scan_push.result == 'success' &&
needs.workflow_variables.result == 'success'
terraform_preproduction_plan_environment:
name: terraform plan preproduction environment
uses: ./.github/workflows/_run-terraform.yml
needs:
- docker_build_scan_push
- terraform_lint
- workflow_variables
with:
workspace: preproduction
terraform_path: environment
container_version: main-${{ needs.workflow_variables.outputs.short_sha }}
apply: false
specific_path: all
add_ttl: false
secrets: inherit
if: |
always() &&
needs.terraform_lint.result == 'success' &&
needs.docker_build_scan_push.result == 'success' &&
needs.workflow_variables.result == 'success'
seed_dynamodb:
name: seed dynamodb
uses: ./.github/workflows/_seed-database.yml
needs:
- terraform_apply_environment
- terraform_apply_shared_development
- workflow_variables
with:
workspace: ${{ needs.workflow_variables.outputs.workspace_name }}
secrets: inherit
if: |
always() &&
needs.terraform_apply_environment.result == 'success' &&
needs.terraform_apply_shared_development.result == 'success'
run_behat_suite:
name: run behat tests against environment
uses: ./.github/workflows/_run-behat-tests.yml
needs:
- seed_dynamodb
- workflow_variables
with:
workspace: ${{ needs.workflow_variables.outputs.workspace_name }}
secrets: inherit
if: |
always() &&
needs.workflow_variables.result == 'success' &&
needs.seed_dynamodb.result == 'success'
slack_notify:
name: notify of result
uses: ./.github/workflows/_slack-notification.yml
needs:
- run_behat_suite
- workflow_variables
with:
template: successful_dev_build.txt
workflow_status: ${{ needs.run_behat_suite.result }}
workspace: ${{ needs.workflow_variables.outputs.workspace_name }}
secrets:
webhook: ${{ secrets.DEV_SLACK_WEB_HOOK }}
if: |
always() &&
needs.run_behat_suite.result == 'success'
ecr_scan_results:
name: ecr scan results
uses: ./.github/workflows/_ecr-scanning.yml
with:
tag: ${{ needs.workflow_variables.outputs.safe_branch_name }}-${{ needs.workflow_variables.outputs.short_sha }}
needs:
- code_coverage
- terraform_apply_environment
- workflow_variables
secrets: inherit
if: |
always() &&
needs.code_coverage.result == 'success' &&
needs.terraform_apply_environment.result == 'success'
# Required end of workflow job
end_of_workflow:
name: end of workflow
runs-on: ubuntu-latest
needs:
- ecr_scan_results
- workflow_variables
- update_documentation
- docker_build_scan_push
- run_behat_suite
- terraform_preproduction_plan_environment
steps:
- uses: actions/checkout@v4
- name: Calculate Step Duration
id: calculate_durations
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
python ./scripts/pipeline/output_step_timing/step_timing.py -json '{
"test node dependencies / unit-test": ["run tests with jest"],
"build, test, scan and push / docker_build_scan_push": ["docker unit tests", "docker integration and acceptance tests"],
"run behat tests against environment / build-web": ["run behat test suite"]
}'
- name: Create a table with job durations and set as output
id: create_table
run: |
{
echo ${{ needs.docker_build_scan_push.outputs.matrix_job_names }}
echo "| Job | Step | Duration |"
echo "| --- | --- | --- |"
jobs=$(echo '${{ steps.calculate_durations.outputs.jobs }}' | jq -r '.[]')
steps=$(echo '${{ steps.calculate_durations.outputs.steps }}' | jq -r '.[]')
durations=$(echo '${{ steps.calculate_durations.outputs.durations }}' | jq -r '.[]')
for i in $(seq 0 $(($(echo "$jobs" | wc -l) - 1))); do
job=$(echo "$jobs" | sed -n "$((i+1))p")
step=$(echo "$steps" | sed -n "$((i+1))p")
duration=$(echo "$durations" | sed -n "$((i+1))p")
echo "| $job | $step | $duration |"
done
} >> $GITHUB_STEP_SUMMARY
- name: workflow has ended without issue
run: |
if ${{ contains(needs.run_behat_suite.result, 'success') && contains(needs.ecr_scan_results.result, 'success') && contains(needs.terraform_preproduction_plan_environment.result, 'success') }}; then
echo "${{ needs.workflow_variables.outputs.safe_branch_name }} PR environment tested, built and deployed"
echo "Tag Used: ${{ needs.workflow_variables.outputs.safe_branch_name }}-${{ needs.workflow_variables.outputs.short_sha }}"
echo "URL: https://${{ needs.workflow_variables.outputs.workspace_name }}.use-lasting-power-of-attorney.service.gov.uk"
exit 0
elif [[ ${{ needs.workflow_variables.outputs.specific_path }} = 'docs' ]]; then
echo 'Ending docs workflow'
exit 0
else
echo "Previous jobs in pipeline failed."
exit 1
fi
if: always()