-
Notifications
You must be signed in to change notification settings - Fork 4
272 lines (254 loc) · 8.67 KB
/
pull-request-path.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
name: "[Workflow] All branch based pushes"
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
defaults:
run:
shell: bash
on:
push:
branches:
- '*' # matches every branch that doesn't contain a '/'
- '*/*' # matches every branch containing a single '/'
- '**' # matches every branch
- '!main' # reverse match main
- '!dependabot/**' # reverse match dependabot PRs
- 'dependabot/docker/**' # match dependabot PRs that update docker
- 'dependabot/pip/**' # match dependabot PRs that update pip
permissions:
contents: write
security-events: write
pull-requests: read
actions: none
checks: none
deployments: none
issues: none
packages: none
repository-projects: none
statuses: none
jobs:
workflow_variables:
runs-on: ubuntu-latest
name: output workflow variables
outputs:
parsed_branch: ${{ steps.variables.outputs.branch_formatted }}
short_sha: ${{ steps.variables.outputs.short_sha }}
specific_path: ${{ steps.variables.outputs.path }}
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3
with:
fetch-depth: 2
- name: get changed files in the admin folder
id: changed-files-admin
uses: tj-actions/changed-files@6e4b6b77a3fd4d60bd02608dba69c7eae38a117f
with:
files: |
service-admin/**
- name: get changed files in the terraform folder
id: changed-files-terraform
uses: tj-actions/changed-files@6e4b6b77a3fd4d60bd02608dba69c7eae38a117f
with:
files: |
terraform/**
- name: extract variables for workflow
id: variables
run: |
echo "branch_formatted=$(echo ${GITHUB_HEAD_REF:-${GITHUB_REF##*/}} | tr -cd '[:alnum:]' | tr '[:upper:]' '[:lower:]' | cut -c1-8)" >> $GITHUB_OUTPUT
echo "short_sha=$(echo ${GITHUB_SHA:0:7})" >> $GITHUB_OUTPUT
if [[ ${{ steps.changed-files-terraform.outputs.only_changed }} = "true" ]]
then
echo "path=$(echo terraform)" >> $GITHUB_OUTPUT
elif [[ ${{ steps.changed-files-admin.outputs.only_changed }} = "true" ]]
then
echo "path=$(echo admin)" >> $GITHUB_OUTPUT
else
echo "path=$(echo all)" >> $GITHUB_OUTPUT
fi
- name: show specific path
env:
SPECIFIC_PATH: ${{ steps.variables.outputs.path }}
run: |
echo "path chosen - $SPECIFIC_PATH"
terraform_lint:
name: lint terraform code
uses: ./.github/workflows/_lint-terraform.yml
needs:
- workflow_variables
with:
workspace: ${{ needs.workflow_variables.outputs.parsed_branch }}
secrets: inherit
if: |
always() &&
needs.workflow_variables.result == 'success'
node_test:
name: test node dependencies
uses: ./.github/workflows/_node-test.yml
needs:
- workflow_variables
if: |
always() &&
needs.workflow_variables.result == 'success' &&
needs.workflow_variables.outputs.specific_path == 'all'
node_build:
name: build node dependencies
uses: ./.github/workflows/_node-build.yml
needs:
- workflow_variables
if: |
always() &&
needs.workflow_variables.result == 'success' &&
needs.workflow_variables.outputs.specific_path == 'all'
docker_build_scan_push:
name: build, test, scan and push
uses: ./.github/workflows/_build-and-push.yml
needs:
- workflow_variables
- node_test
- node_build
with:
tag: ${{ needs.workflow_variables.outputs.parsed_branch }}-${{ needs.workflow_variables.outputs.short_sha }}
branch_name: ${{ needs.workflow_variables.outputs.parsed_branch }}
push_to_ecr: true
specific_path: ${{ needs.workflow_variables.outputs.specific_path }}
secrets: inherit
if: |
always() &&
(needs.node_test.result == 'success' || needs.node_test.result == 'skipped') &&
(needs.node_build.result == 'success' || needs.node_build.result == 'skipped') &&
needs.workflow_variables.result == 'success'
terraform_apply_shared_development:
name: terraform apply shared development
uses: ./.github/workflows/_run-terraform.yml
needs:
- terraform_lint
- workflow_variables
with:
workspace: development
terraform_path: account
specific_path: ${{ needs.workflow_variables.outputs.specific_path }}
apply: true
secrets: inherit
if: |
always() &&
needs.terraform_lint.result == 'success'
terraform_apply_environment:
name: terraform apply environment
uses: ./.github/workflows/_run-terraform.yml
needs:
- docker_build_scan_push
- terraform_lint
- workflow_variables
with:
workspace: ${{ needs.workflow_variables.outputs.parsed_branch }}
terraform_path: environment
container_version: ${{ needs.workflow_variables.outputs.parsed_branch }}-${{ needs.workflow_variables.outputs.short_sha }}
apply: true
specific_path: ${{ needs.workflow_variables.outputs.specific_path }}
add_ttl: true
secrets: inherit
if: |
always() &&
needs.terraform_lint.result == 'success' &&
needs.docker_build_scan_push.result == 'success' &&
needs.workflow_variables.result == 'success'
terraform_preproduction_plan_environment:
name: terraform apply environment
uses: ./.github/workflows/_run-terraform.yml
needs:
- docker_build_scan_push
- terraform_lint
- workflow_variables
with:
workspace: preproduction
terraform_path: environment
container_version: main-${{ needs.workflow_variables.outputs.short_sha }}
apply: false
specific_path: all
add_ttl: false
secrets: inherit
if: |
always() &&
needs.terraform_lint.result == 'success' &&
needs.docker_build_scan_push.result == 'success' &&
needs.workflow_variables.result == 'success'
seed_dynamodb:
name: seed dynamodb
uses: ./.github/workflows/_seed-database.yml
needs:
- terraform_apply_environment
- terraform_apply_shared_development
secrets: inherit
if: |
always() &&
needs.terraform_apply_environment.result == 'success' &&
needs.terraform_apply_shared_development.result == 'success'
run_behat_suite:
name: run behat tests against environment
uses: ./.github/workflows/_run-behat-tests.yml
needs:
- seed_dynamodb
- workflow_variables
with:
workspace: ${{ needs.workflow_variables.outputs.parsed_branch }}
secrets: inherit
if: |
always() &&
needs.workflow_variables.result == 'success' &&
needs.seed_dynamodb.result == 'success'
slack_notify:
name: notify of result
uses: ./.github/workflows/_slack-notification.yml
needs:
- run_behat_suite
with:
template: successful_dev_build.txt
workflow_status: ${{ needs.run_behat_suite.result }}
secrets:
webhook: ${{ secrets.DEV_SLACK_WEB_HOOK }}
if: |
always() &&
needs.run_behat_suite.result == 'success'
code_coverage:
name: upload to code coverage
uses: ./.github/workflows/_codecov.yml
with:
specific_path: ${{ needs.workflow_variables.outputs.specific_path }}
needs:
- docker_build_scan_push
- workflow_variables
secrets: inherit
if: |
always() &&
needs.docker_build_scan_push.result == 'success'
ecr_scan_results:
name: ecr scan results
uses: ./.github/workflows/_ecr-scanning.yml
with:
tag: ${{ needs.workflow_variables.outputs.parsed_branch }}-${{ needs.workflow_variables.outputs.short_sha }}
needs:
- code_coverage
- terraform_apply_environment
- workflow_variables
secrets: inherit
if: |
always() &&
needs.code_coverage.result == 'success' &&
needs.terraform_apply_environment.result == 'success'
# Required end of workflow job
end_of_workflow:
name: end of workflow
runs-on: ubuntu-latest
needs:
- ecr_scan_results
- slack_notify
- workflow_variables
steps:
- name: workflow has ended without issue
run: |
echo "${{ needs.workflow_variables.outputs.parsed_branch }} PR environment tested, built and deployed"
echo "Tag Used: ${{ needs.workflow_variables.outputs.parsed_branch }}-${{ needs.workflow_variables.outputs.short_sha }}"
echo "URL: https://${{ needs.workflow_variables.outputs.parsed_branch }}.use-lasting-power-of-attorney.service.gov.uk"
if: |
always() &&
needs.ecr_scan_results.result == 'success' &&
needs.slack_notify.result == 'success' &&
needs.workflow_variables.result == 'success'