[EC-386] Azure DevOps pipelines migrated into GitHub Actions (#238)

pagopa · Aug 8, 2024 · 8f59705 · 8f59705
1 parent 8e38bed
commit 8f59705
Show file tree

Hide file tree

Showing 24 changed files with 757 additions and 1 deletion.
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
@@ -0,0 +1,67 @@
+name: Code Review
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - "*"
+      - "!infra/*"
+      - "!.github/*"
+
+jobs:
+  js_code_review:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Check-out code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      # Corepack is an official tool by Node.js that manages package managers versions
+
+      # This is needed to avoid
+      # Error: Error when performing the request to https://registry.npmjs.org/yarn/latest; 
+      - name: Setup target Node.js to enable Corepack
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        with:
+          node-version-file: ".node-version"
+
+      - name: Setup yarn
+        run: corepack enable
+
+      - name: Setup Node.js
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        with:
+          node-version-file: ".node-version"
+          cache: "yarn"
+
+      - name: Install dependencies
+        run: yarn install --immutable
+        working-directory: .
+
+      - name: Build
+        run: yarn build
+
+      - name: Lint
+        run: yarn lint
+
+      - name: Validate definitions specification
+        run: npx oval validate -p definitions.yaml
+
+      - name: Generate models
+        run: yarn generate
+
+      - name: Unit tests exec
+        run: yarn test:coverage
+
+      # Codecov provides reports and metrics about test coverage data.
+      # To enable set CODECOV_TOKEN secret at repo level and make sure
+      # that your "code-review" script creates a "coverage/" folder in
+      # the root workspace.
+      - name: Upload coverage report to codecov.io
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        if: ${{ env.CODECOV_TOKEN != '' }}
+        uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
+        with:
+          token: ${{ env.CODECOV_TOKEN }}
diff --git a/.github/workflows/deploy-pipelines-prod.yaml b/.github/workflows/deploy-pipelines-prod.yaml
@@ -0,0 +1,16 @@
+name: Deploy Pipelines - PROD
+
+on:
+  workflow_dispatch:
+
+jobs:
+  deploy_on_prod:
+    uses: ./.github/workflows/deploy-pipelines.yaml
+    name: Deploy on PROD
+    secrets: inherit
+    with:
+      environment: 'prod'
+      resource_group_name: 'io-p-selfcare-be-rg'
+      app_name: 'io-p-app-devportal-be'
+      use_staging_slot: false
+      use_private_agent: false
diff --git a/.github/workflows/deploy-pipelines.yaml b/.github/workflows/deploy-pipelines.yaml
@@ -0,0 +1,175 @@
+name: Deploy Pipelines
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: Environment where the artifact will be deployed.
+        type: string
+        required: true
+      resource_group_name:
+        description: Web App resource group name.
+        type: string
+        required: true
+      app_name:
+        description: Web App name.
+        type: string
+        required: true
+      use_staging_slot:
+        description: True if artifact should be deployed to staging slot
+        type: boolean
+        required: false
+        default: true
+      use_private_agent:
+        description: Use a private agent to deploy the built artifact.
+        type: boolean
+        required: false
+        default: true
+
+env:
+  BUNDLE_NAME: bundle
+
+concurrency:
+  group: ${{ github.workflow }}-cd
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    env:
+      WORKSPACE: ${{ github.workspace }}
+
+    steps:
+      - name: Check-out code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup Node.js
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        with:
+          node-version-file: ".node-version"
+          cache: "yarn"
+          cache-dependency-path: "yarn.lock"
+
+      - name: Install dependencies
+        run: yarn install --immutable
+        working-directory: .
+
+      - name: Build
+        run: yarn build
+        working-directory: .
+
+      - name: Copy deploy files
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
+        env:
+          TARGET_FOLDER: "${{ github.workspace }}/${{ env.BUNDLE_NAME }}"
+          SOURCE_FOLDER: "${{ github.workspace }}"
+          CONTENTS: |
+            **/*
+            !.git/**/*
+            !**/*.js.map
+            !**/*.ts
+            !.vscode/**/*
+            !.devops/**/*
+            !.github/**/*
+            !.prettierrc
+            !.gitignore
+            !README.md
+            !jest.config.js
+            !local.settings.json
+            !test
+            !tsconfig.json
+            !tslint.json
+            !yarn.lock
+            !Dangerfile.js
+            !CODEOWNERS
+            !__*/**/*
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          script: |-
+            const fs = require('fs').promises
+            const path = require('path')
+            const target = path.resolve(process.env.TARGET_FOLDER)
+
+            process.chdir(process.env.SOURCE_FOLDER || '.')
+
+            if (process.env.CLEAN_TARGET_FOLDER === 'true') await io.rmRF(target)
+
+            const flattenFolders = process.env.FLATTEN_FOLDERS === 'true'
+            const options = {force: process.env.OVERWRITE === 'true'}
+            const globber = await glob.create(process.env.CONTENTS || '**')
+
+            for await (const file of globber.globGenerator()) {
+              if ((await fs.lstat(file)).isDirectory()) continue
+              const filename = flattenFolders ? path.basename(file) : file.substring(process.cwd().length)
+              const dest = path.join(target, filename)
+              await io.mkdirP(path.dirname(dest))
+              await io.cp(file, dest, options)
+            }
+
+      - name: Make Zip File
+        run: zip -r ${{ github.workspace }}/${{ env.BUNDLE_NAME }}.zip ${{ github.workspace }}/${{ env.BUNDLE_NAME }}
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        with:
+          name: ${{ env.BUNDLE_NAME }}
+          path: "${{ github.workspace }}/${{ env.BUNDLE_NAME }}.zip"
+          if-no-files-found: error
+          retention-days: 7
+
+  deploy:
+    if: ${{ !github.event.act }}
+    needs: [build]
+    runs-on: ${{ inputs.use_private_agent == true && 'self-hosted' || 'ubuntu-22.04' }}
+    environment: ${{ inputs.environment }}-cd
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Download Artifact
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+        with:
+          name: ${{ env.BUNDLE_NAME }}
+
+      - name: Azure Login
+        uses: azure/login@v2 # v2.0.0
+        env:
+          ARM_USE_OIDC: true
+        with:
+          client-id: ${{ secrets.ARM_CLIENT_ID }}
+          tenant-id: ${{ secrets.ARM_TENANT_ID }}
+          subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+
+      - name: Deploy
+        if: ${{ inputs.use_staging_slot == false }}
+        run: |
+          az webapp deploy \
+            --resource-group ${{ inputs.resource_group_name }} \
+            --name ${{ inputs.app_name }} \
+            --src-path  ${{ github.workspace }}/${{ env.BUNDLE_NAME }}.zip \
+            --type zip \
+            --async false
+
+      - name: Deploy to Staging Slot
+        if: ${{ inputs.use_staging_slot == true }}
+        run: |
+          az webapp deploy \
+            --resource-group ${{ inputs.resource_group_name }} \
+            --name ${{ inputs.app_name }} \
+            --slot staging \
+            --src-path  ${{ github.workspace }}/${{ env.BUNDLE_NAME }}.zip \
+            --type zip \
+            --async false
+
+      - name: Swap Staging and Production Slots
+        if: ${{ inputs.use_staging_slot == true }}
+        run: |
+          az webapp deployment slot swap \
+            -g ${{ inputs.resource_group_name }} \
+            -n ${{ inputs.app_name }} \
+            --slot staging \
+            --target-slot production
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,26 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
 gh-pages
 site
 **/node_modules

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,16 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.83.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+      - id: terraform_tfsec
+        files: ^infra/
+        args:
+          - --args=--exclude-downloaded-modules
+      - id: terraform_validate
+        exclude: '(\/_?modules\/.*)'
+        args:
+          - --init-args=-lockfile=readonly
+          - --args=-json
+          - --args=-no-color
diff --git a/.terraform-version b/.terraform-version
@@ -0,0 +1 @@
+1.7.5
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,3 +1,7 @@
 # see https://help.github.com/en/articles/about-code-owners#example-of-a-codeowners-file
 
 * @pagopa/io-platform-green-unit
+
+# engineering-team-cloud-eng
+/infra/ @pagopa/engineering-team-cloud-eng
+/.github/ @pagopa/engineering-team-cloud-eng
diff --git a/infra/identity/prod/.terraform.lock.hcl b/infra/identity/prod/.terraform.lock.hcl
diff --git a/infra/identity/prod/README.md b/infra/identity/prod/README.md
@@ -0,0 +1,35 @@
+# IO Developer portal Backend- GitHub federated Managed Identities
+
+<!-- markdownlint-disable -->
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | <= 3.112.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_federated_identities"></a> [federated\_identities](#module\_federated\_identities) | github.com/pagopa/dx//infra/modules/azure_federated_identity_with_github | main |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_federated_cd_identity"></a> [federated\_cd\_identity](#output\_federated\_cd\_identity) | n/a |
+| <a name="output_federated_ci_identity"></a> [federated\_ci\_identity](#output\_federated\_ci\_identity) | n/a |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/infra/identity/prod/locals.tf b/infra/identity/prod/locals.tf
@@ -0,0 +1,19 @@
+locals {
+  prefix    = "io"
+  env_short = "p"
+  env       = "prod"
+  location  = "italynorth"
+  project   = "${local.prefix}-${local.env_short}"
+  domain    = "devportal-backend"
+
+  repo_name = "io-developer-portal-backend"
+
+  tags = {
+    CostCenter     = "TS310 - PAGAMENTI & SERVIZI"
+    CreatedBy      = "Terraform"
+    Environment    = "Prod"
+    Owner          = "IO"
+    ManagementTeam = "IO Enti & Servizi"
+    Source         = "https://github.com/pagopa/io-developer-portal-backend/blob/master/infra/identity/prod"
+  }
+}