[Workflow] Cleanup PR Workspaces #20675
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "[Workflow] Cleanup PR Workspaces" | |
on: | |
schedule: | |
# every hour | |
- cron: '0 * * * *' | |
permissions: | |
actions: none | |
checks: none | |
contents: read | |
deployments: none | |
id-token: write | |
issues: none | |
packages: none | |
pull-requests: none | |
repository-projects: none | |
security-events: none | |
statuses: none | |
jobs: | |
fetch_s3_av_version: | |
name: Fetch the S3 AV Zip version tag | |
runs-on: ubuntu-latest | |
steps: | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
with: | |
aws-region: eu-west-1 | |
role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ssm-get-parameter | |
role-duration-seconds: 900 | |
role-session-name: GithubActionsSSMGetParameter | |
- name: Pull S3 AV Zip tag | |
id: pull_s3_av_tag | |
run: | | |
key="/opg-s3-antivirus/zip-version-main" | |
value=$(aws ssm get-parameter --name "$key" --query 'Parameter.Value' --output text 2>/dev/null || true) | |
echo "Using $key: $value" | |
echo "tag=${value}" >> $GITHUB_OUTPUT | |
outputs: | |
s3_av_scanner_zip_tag: ${{ steps.pull_s3_av_tag.outputs.tag }} | |
terraform_environment_cleanup: | |
runs-on: ubuntu-latest | |
needs: [ fetch_s3_av_version ] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: '0' | |
- name: get lambda function zips | |
working-directory: ./terraform/environment/region/modules/s3_antivirus/ | |
run: | | |
echo "Pulling AV lambda version: ${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}" >> $GITHUB_STEP_SUMMARY | |
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/lambda_layer-amd64.zip -O lambda_layer.zip | |
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/lambda_layer-amd64.zip.sha256sum -O lambda_layer.zip.sha256sum | |
sha256sum -c "lambda_layer.zip.sha256sum" | |
echo "Lambda Layer Zip SHA256 Hash: $(cat lambda_layer.zip.sha256sum)" >> $GITHUB_STEP_SUMMARY | |
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/myFunction-amd64.zip -O myFunction.zip | |
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/myFunction-amd64.zip.sha256sum -O myFunction.zip.sha256sum | |
sha256sum -c "myFunction.zip.sha256sum" | |
echo "Lambda Function Zip SHA256 Hash: $(cat myFunction.zip.sha256sum)" >> $GITHUB_STEP_SUMMARY | |
- uses: unfor19/install-aws-cli-action@v1 | |
- name: Parse terraform version | |
id: tf_version_setup | |
working-directory: ./terraform/environment | |
run: | | |
if [ -f ./versions.tf ]; then | |
terraform_version=$(cat ./versions.tf | ../../scripts/terraform-version.sh) | |
echo "- Terraform version: [${terraform_version}]" >> $GITHUB_STEP_SUMMARY | |
echo "TERRAFORM_VERSION=${terraform_version}" >> $GITHUB_OUTPUT | |
fi | |
- name: "Terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]" | |
run: echo "terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]" | |
working-directory: ./terraform/environment | |
- uses: hashicorp/setup-terraform@v3.1.2 | |
with: | |
terraform_version: ${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }} | |
terraform_wrapper: false | |
- name: Configure AWS Credentials For Terraform | |
uses: aws-actions/configure-aws-credentials@v4.0.2 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
aws-region: eu-west-1 | |
role-duration-seconds: 3600 | |
role-session-name: OPGModernisingLPATerraformGithubAction | |
- uses: webfactory/ssh-agent@v0.9.0 | |
with: | |
ssh-private-key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }} | |
- name: Install Terraform Workspace Manager | |
run: | | |
wget https://github.com/ministryofjustice/opg-terraform-workspace-manager/releases/download/v0.3.2/opg-terraform-workspace-manager_Linux_x86_64.tar.gz -O $HOME/terraform-workspace-manager.tar.gz | |
sudo tar -xvf $HOME/terraform-workspace-manager.tar.gz -C /usr/local/bin | |
sudo chmod +x /usr/local/bin/terraform-workspace-manager | |
- name: Terraform Init | |
run: terraform init -input=false | |
working-directory: ./terraform/environment | |
- name: Destroy PR Terraform Workspaces | |
working-directory: ./terraform/environment | |
env: | |
TF_VAR_pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }} | |
run: | | |
../../scripts/workspace_cleanup.sh $(terraform-workspace-manager -protected-workspaces=true -aws-account-id=653761790766 -aws-iam-role=modernising-lpa-ci) |