.github/workflows/deploy.yml #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
# Triggers the workflow on push or pull request events but only for the main branch | |
workflow_call: | |
inputs: | |
app_name: | |
required: true | |
type: string | |
api: | |
required: false | |
default: false | |
type: boolean | |
assets_required: | |
required: false | |
default: false | |
type: boolean | |
postgres_unit_testing: | |
required: false | |
default: false | |
type: boolean | |
db_name: | |
required: false | |
default: "postgres_db" | |
type: string | |
apply_network_policy: | |
required: false | |
default: false | |
type: boolean | |
deploy_to_dev: | |
required: false | |
default: true | |
type: boolean | |
run_performance_tests: | |
required: false | |
default: false | |
type: boolean | |
run_e2e_tests: | |
required: false | |
default: true | |
type: boolean | |
include_manifest: | |
required: false | |
default: false | |
type: boolean | |
# not required when not deploying to cf | |
secrets: | |
CF_API: | |
required: false | |
CF_ORG: | |
required: false | |
CF_SPACE: | |
required: false | |
CF_USER: | |
required: false | |
CF_PASSWORD: | |
required: false | |
RSA256_PUBLIC_KEY_BASE64: | |
required: false | |
GOV_NOTIFY_API_KEY: | |
required: false | |
SENTRY_DSN: | |
required: false | |
FORMS_SERVICE_PRIVATE_HOST: | |
required: false | |
RSA256_PRIVATE_KEY_BASE64: | |
required: false | |
AZURE_AD_CLIENT_ID: | |
required: false | |
AZURE_AD_TENANT_ID: | |
required: false | |
AZURE_AD_CLIENT_SECRET: | |
required: false | |
SECRET_KEY: | |
required: false | |
SESSION_COOKIE_NAME: | |
required: false | |
#Needed to clone and execute the e2e tests | |
E2E_PAT: | |
required: true | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
jobs: | |
testing-unit: | |
runs-on: ubuntu-latest | |
environment: Dev | |
if: ${{ inputs.postgres_unit_testing == false }} | |
steps: | |
- name: checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.10.x | |
cache: 'pip' | |
cache-dependency-path: 'requirements-dev.txt' | |
- name: install dependencies | |
run: python -m pip install --upgrade pip && python -m pip install -r requirements-dev.txt | |
- name: build static assets (if frontend) | |
if: ${{inputs.assets_required == true}} | |
env: | |
FLASK_ENV: "development" | |
run: python build.py | |
- name: run unit tests | |
env: | |
GOV_NOTIFY_API_KEY: ${{ secrets.GOV_NOTIFY_API_KEY }} | |
# pytest -m "not accessibility" runs every test which is not marked | |
# accessibility. | |
run: python -m pip install pytest && python -m pytest -m "not accessibility" . | |
testing-unit-postgres: | |
runs-on: ubuntu-latest | |
environment: Dev | |
if: ${{ inputs.postgres_unit_testing == true }} | |
services: | |
# Label used to access the service containers | |
postgres: | |
# Docker Hub image | |
image: postgres | |
# Provide the password for postgres | |
env: | |
POSTGRES_PASSWORD: postgres | |
POSTGRES_DB: ${{inputs.db_name}} | |
# Set health checks to wait until postgres has started | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
# Maps tcp port 5432 on service container to the host | |
- 5432:5432 | |
steps: | |
- name: checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.10.x | |
cache: 'pip' | |
cache-dependency-path: 'requirements-dev.txt' | |
- name: install dependencies | |
run: python -m pip install --upgrade pip && python -m pip install -r requirements-dev.txt | |
- name: run unit tests | |
run: python -m pip install pytest && python -m pytest -m "not accessibility" | |
deploy_dev: | |
if: ${{ always() && github.actor != 'dependabot[bot]' && (needs.testing-unit.result=='success' || needs.testing.result=='success' || needs.testing-unit-postgres.result=='success') && inputs.deploy_to_dev == true}} | |
concurrency: deploy_dev_${{github.repository}} | |
needs: [testing-unit, testing-unit-postgres] | |
runs-on: ubuntu-latest | |
environment: Dev | |
steps: | |
- name: checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.10.x | |
cache: 'pip' | |
cache-dependency-path: 'requirements.txt' | |
- name: create python env | |
run: python -m venv .venv | |
- name: install dependencies | |
run: source .venv/bin/activate && python -m pip install --upgrade pip && pip install -r requirements.txt | |
- name: build static assets (if frontend) | |
if: ${{inputs.assets_required == true}} | |
env: | |
FLASK_ENV: "development" | |
run: source .venv/bin/activate && python build.py | |
- name: download previous build | |
uses: actions/download-artifact@v2 | |
- name: Deploy to Gov PaaS | |
uses: citizen-of-planet-earth/cf-cli-action@v2 | |
with: | |
cf_api: ${{secrets.CF_API}} | |
cf_org: ${{secrets.CF_ORG}} | |
cf_space: ${{secrets.CF_SPACE}} | |
cf_username: ${{secrets.CF_USER}} | |
cf_password: ${{secrets.CF_PASSWORD}} | |
command: push | |
${{(inputs.include_manifest) && '-f manifest-dev.yml' || ''}} | |
${{inputs.app_name}}-dev | |
--var GITHUB_SHA="${{ github.sha }}" | |
${{(secrets.RSA256_PUBLIC_KEY_BASE64) && format('--var RSA256_PUBLIC_KEY_BASE64="{0}"', secrets.RSA256_PUBLIC_KEY_BASE64) || ''}} | |
${{(secrets.SENTRY_DSN) && format('--var SENTRY_DSN={0}', secrets.SENTRY_DSN) || ''}} | |
${{(secrets.FORMS_SERVICE_PRIVATE_HOST) && format('--var FORMS_SERVICE_PRIVATE_HOST={0}', secrets.FORMS_SERVICE_PRIVATE_HOST) || ''}} | |
${{(secrets.RSA256_PRIVATE_KEY_BASE64) && format('--var RSA256_PRIVATE_KEY_BASE64="{0}"', secrets.RSA256_PRIVATE_KEY_BASE64) || ''}} | |
${{(secrets.AZURE_AD_CLIENT_ID) && format('--var AZURE_AD_CLIENT_ID={0}', secrets.AZURE_AD_CLIENT_ID) || ''}} | |
${{(secrets.AZURE_AD_TENANT_ID) && format('--var AZURE_AD_TENANT_ID={0}', secrets.AZURE_AD_TENANT_ID) || ''}} | |
${{(secrets.AZURE_AD_CLIENT_SECRET) && format('--var AZURE_AD_CLIENT_SECRET={0}', secrets.AZURE_AD_CLIENT_SECRET) || ''}} | |
${{(secrets.SECRET_KEY) && format('--var SECRET_KEY={0}', secrets.SECRET_KEY) || ''}} | |
${{(secrets.SESSION_COOKIE_NAME) && format('--var SESSION_COOKIE_NAME={0}', secrets.SESSION_COOKIE_NAME) || ''}} | |
${{(secrets.GOV_NOTIFY_API_KEY) && format('--var GOV_NOTIFY_API_KEY={0}', secrets.GOV_NOTIFY_API_KEY) || ''}} | |
# Action used by Authenticator | |
- name: Apply network policy for notification service | |
if: ${{inputs.apply_network_policy == true}} | |
uses: citizen-of-planet-earth/cf-cli-action@v2 | |
with: | |
cf_api: ${{secrets.CF_API}} | |
cf_org: ${{secrets.CF_ORG}} | |
cf_space: ${{secrets.CF_SPACE}} | |
cf_username: ${{secrets.CF_USER}} | |
cf_password: ${{secrets.CF_PASSWORD}} | |
command: add-network-policy ${{inputs.app_name}}-dev funding-service-design-notification-dev --protocol tcp --port 8080 | |
run_shared_tests_dev: | |
needs: deploy_dev | |
concurrency: run_shared_tests_dev | |
if: ${{ always() && (inputs.deploy_to_dev == true && needs.deploy_dev.result=='success' ) && github.actor != 'dependabot[bot]' }} | |
uses: ./.github/workflows/run-shared-tests.yml | |
with: | |
perf_test_target_url_application_store: https://funding-service-design-application-store-dev.london.cloudapps.digital | |
perf_test_target_url_fund_store: https://funding-service-design-fund-store-dev.london.cloudapps.digital | |
perf_test_target_url_assessment_store: https://funding-service-design-assessment-store-dev.london.cloudapps.digital | |
e2e_tests_target_url_frontend: https://fsd:fsd@frontend.dev.gids.dev | |
e2e_tests_target_url_authenticator: https://fsd:fsd@authenticator2.dev.gids.dev | |
e2e_tests_target_url_form_runner: https://fsd:fsd@forms.dev.gids.dev | |
e2e_tests_target_url_assessment: https://fsd:fsd@assessment.dev.gids.dev | |
run_performance_tests: ${{inputs.run_performance_tests}} | |
run_e2e_tests: false | |
secrets: | |
E2E_PAT: ${{secrets.E2E_PAT}} | |
static_security: | |
if: ${{ always() && (needs.testing-unit.result=='success' || needs.testing.result=='success' || needs.testing-unit-postgres.result=='success')}} | |
needs: [testing-unit, testing-unit-postgres] | |
runs-on: ubuntu-latest | |
environment: Dev | |
steps: | |
- name: checkout code | |
uses: actions/checkout@v3 | |
- name: Set up Python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.10.x | |
- name: install dependencies | |
run: python -m pip install --upgrade pip && python -m pip install -r requirements-dev.txt bandit==1.7.4 | |
- name: Bandit | |
run: bandit -r ./app | |
- name: ZAP Scan | |
uses: zaproxy/action-full-scan@v0.4.0 | |
with: | |
target: 'https://funding-service-design-assessment-dev.london.cloudapps.digital/' | |
allow_issue_writing: False | |
deploy_test: | |
needs: run_shared_tests_dev | |
concurrency: deploy_test_${{github.repository}} | |
if: ${{ always() && (inputs.deploy_to_dev == false || (inputs.deploy_to_dev == true && needs.run_shared_tests_dev.result=='success')) && github.ref == 'refs/heads/main' }} | |
runs-on: ubuntu-latest | |
environment: test | |
steps: | |
- name: checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.10.x | |
cache: 'pip' | |
cache-dependency-path: 'requirements-dev.txt' | |
- name: create python env | |
run: python -m venv .venv | |
- name: install dependencies | |
run: source .venv/bin/activate && python -m pip install --upgrade pip && pip install -r requirements.txt | |
- name: build static assets (if frontend) | |
if: ${{inputs.assets_required == true}} | |
env: | |
FLASK_ENV: "development" | |
run: source .venv/bin/activate && python build.py | |
- name: download previous build | |
uses: actions/download-artifact@v2 | |
- name: Deploy to Gov PaaS | |
uses: citizen-of-planet-earth/cf-cli-action@v2 | |
with: | |
cf_api: ${{secrets.CF_API}} | |
cf_org: ${{secrets.CF_ORG}} | |
cf_space: ${{secrets.CF_SPACE}} | |
cf_username: ${{secrets.CF_USER}} | |
cf_password: ${{secrets.CF_PASSWORD}} | |
command: push | |
${{(inputs.include_manifest) && '-f manifest-test.yml' || ''}} | |
${{inputs.app_name}}-test | |
--var GITHUB_SHA="${{ github.sha }}" | |
${{(secrets.RSA256_PUBLIC_KEY_BASE64) && format('--var RSA256_PUBLIC_KEY_BASE64="{0}"', secrets.RSA256_PUBLIC_KEY_BASE64) || ''}} | |
${{(secrets.SENTRY_DSN) && format('--var SENTRY_DSN={0}', secrets.SENTRY_DSN) || ''}} | |
${{(secrets.FORMS_SERVICE_PRIVATE_HOST) && format('--var FORMS_SERVICE_PRIVATE_HOST={0}', secrets.FORMS_SERVICE_PRIVATE_HOST) || ''}} | |
${{(secrets.RSA256_PRIVATE_KEY_BASE64) && format('--var RSA256_PRIVATE_KEY_BASE64="{0}"', secrets.RSA256_PRIVATE_KEY_BASE64) || ''}} | |
${{(secrets.AZURE_AD_CLIENT_ID) && format('--var AZURE_AD_CLIENT_ID={0}', secrets.AZURE_AD_CLIENT_ID) || ''}} | |
${{(secrets.AZURE_AD_TENANT_ID) && format('--var AZURE_AD_TENANT_ID={0}', secrets.AZURE_AD_TENANT_ID) || ''}} | |
${{(secrets.AZURE_AD_CLIENT_SECRET) && format('--var AZURE_AD_CLIENT_SECRET={0}', secrets.AZURE_AD_CLIENT_SECRET) || ''}} | |
${{(secrets.SECRET_KEY) && format('--var SECRET_KEY={0}', secrets.SECRET_KEY) || ''}} | |
${{(secrets.SESSION_COOKIE_NAME) && format('--var SESSION_COOKIE_NAME={0}', secrets.SESSION_COOKIE_NAME) || ''}} | |
${{(secrets.GOV_NOTIFY_API_KEY) && format('--var GOV_NOTIFY_API_KEY={0}', secrets.GOV_NOTIFY_API_KEY) || ''}} | |
- name: Apply network policy for notification service | |
if: ${{inputs.apply_network_policy == true}} | |
uses: citizen-of-planet-earth/cf-cli-action@v2 | |
with: | |
cf_api: ${{secrets.CF_API}} | |
cf_org: ${{secrets.CF_ORG}} | |
cf_space: ${{secrets.CF_SPACE }} | |
cf_username: ${{secrets.CF_USER}} | |
cf_password: ${{secrets.CF_PASSWORD}} | |
command: add-network-policy ${{inputs.app_name}}-test funding-service-design-notification-test --protocol tcp --port 8080 | |
security-with-zap: | |
needs: deploy_test | |
if: ${{ always() && needs.deploy_test.result=='success' && (needs.testing-unit.result=='success' || needs.testing.result=='success' || needs.testing-unit-postgres.result == 'success') && github.ref == 'refs/heads/main' }} | |
runs-on: ubuntu-latest | |
environment: test | |
steps: | |
- name: checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.10.x | |
cache: 'pip' | |
cache-dependency-path: 'requirements.txt' | |
- name: install dependencies | |
run: python -m pip install --upgrade pip && python -m pip install -r requirements.txt bandit==1.7.4 | |
- name: Bandit | |
run: bandit -r ./app | |
- name: ZAP Scan | |
uses: zaproxy/action-full-scan@v0.4.0 | |
with: | |
target: 'https://${{inputs.app_name}}-test.london.cloudapps.digital/' | |
allow_issue_writing: False | |
run_shared_tests_test: | |
if: ${{ always() && needs.deploy_test.result=='success' && github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/main' }} | |
concurrency: run_shared_tests_test | |
uses: ./.github/workflows/run-shared-tests.yml | |
needs: deploy_test | |
with: | |
e2e_tests_target_url_frontend: https://fsd:fsd@frontend.test.gids.dev | |
e2e_tests_target_url_authenticator: https://fsd:fsd@authenticator2.test.gids.dev | |
e2e_tests_target_url_form_runner: https://fsd:fsd@forms.test.gids.dev | |
e2e_tests_target_url_assessment: https://fsd:fsd@assessment.test.gids.dev | |
run_performance_tests: ${{inputs.run_performance_tests}} | |
run_e2e_tests: ${{inputs.run_e2e_tests}} | |
perf_test_target_url_application_store: https://funding-service-design-application-store-test.london.cloudapps.digital | |
perf_test_target_url_fund_store: https://funding-service-design-fund-store-test.london.cloudapps.digital | |
perf_test_target_url_assessment_store: https://funding-service-design-assessment-store-test.london.cloudapps.digital | |
secrets: | |
E2E_PAT: ${{secrets.E2E_PAT}} | |