secrets #62
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 'Build, Deploy (all environments)' | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- '*' | |
jobs: | |
build: | |
name: 'Build' | |
runs-on: ubuntu-latest | |
steps: | |
- name: 'Checkout Code' | |
uses: actions/checkout@v4 | |
- name: 'Install Terraform' | |
uses: hashicorp/setup-terraform@v3 | |
- name: 'Install dotnet 8.0.x' | |
uses: actions/setup-dotnet@v4 | |
with: | |
dotnet-version: '8.0.x' | |
- name: 'Install Node.JS version 20 (v22 caused an error during npm ci)' | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 20 | |
- name: 'Init Terraform (with no backend)' | |
run: | | |
terraform init -backend=false | |
working-directory: ./terraform | |
- name: 'Validate Terraform (with no backend)' | |
run: | | |
terraform validate | |
working-directory: ./terraform | |
- name: 'Install Node.JS (npm) dependencies' | |
run: | | |
npm ci | |
working-directory: GenderPayGap.WebUI | |
- name: 'Build JS and SCSS code' | |
run: | | |
npm run build | |
working-directory: GenderPayGap.WebUI | |
- name: 'Install .Net (nuget) dependencies' | |
run: | | |
dotnet restore GenderPayGap.Core/GenderPayGap.Core.csproj | |
dotnet restore GenderPayGap.Database/GenderPayGap.Database.csproj | |
dotnet restore GenderPayGap.WebUI/GenderPayGap.WebUI.csproj | |
dotnet restore GenderPayGap.UnitTests/GenderPayGap.WebUI.Tests/GenderPayGap.WebUI.Tests.csproj | |
- name: 'Save build run info to JSON file' | |
run: | | |
echo '{ "BuildNumber": "${{ github.run_id }}", "git_commit": "${{ github.sha }}", "git_branch": "${{ github.ref_name }}", "github_action_name": "${{ github.workflow }}", "github_action_run_url": "https://github.com/${{github.repository}}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}" }' > build-number.json | |
working-directory: GenderPayGap.WebUI | |
- name: 'Build .Net code' | |
run: | | |
dotnet build GenderPayGap.WebUI/GenderPayGap.WebUI.csproj | |
- name: 'Test .Net code' | |
run: | | |
dotnet test GenderPayGap.UnitTests/GenderPayGap.WebUI.Tests/GenderPayGap.WebUI.Tests.csproj --logger "trx;LogFileName=test-results.trx" | |
- name: 'Publish .Net test results' | |
uses: dorny/test-reporter@v1 | |
if: ${{ always() }} # Use always() to always run this step to publish test results when there are test failures | |
with: | |
name: 'test-results' | |
path: GenderPayGap.UnitTests/GenderPayGap.WebUI.Tests/TestResults/test-results.trx | |
reporter: dotnet-trx | |
- name: 'Publish .Net code' | |
run: | | |
dotnet publish GenderPayGap.WebUI/GenderPayGap.WebUI.csproj -p:Configuration=Release | |
- name: 'Zip up the code' | |
run: | | |
zip -rq build.zip . | |
working-directory: GenderPayGap.WebUI/bin/Release/net8.0/publish/ | |
- name: 'Save build zip as GitHub Actions artifact' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: build-zip | |
path: GenderPayGap.WebUI/bin/Release/net8.0/publish/build.zip | |
pause_workflow: | |
# For the subsequent jobs, we want to the use 2 GitHub features: | |
# - environments: to ensure deployments are manually kicked off (builds can happen automatically, but not deploys) | |
# - concurrency: to prevent 2 jobs deploying or terraforming at the same time | |
# But the way GitHub has implemented this combination of features means that: | |
# - the first workflow/job to get to the manual approval gate waits for approval | |
# - any parallel workflows/jobs to get to the manyal approval gate cannot be run until the first job has completed | |
# i.e. we can't start a deployment on workflow run 11 until the same deployment on wofklow run 10 has completed (even if we don't want to deploy workflow run 10 at all!) | |
# Cancelling the workflow allows us to run-run any jobs as we like, and takes them all out of the approval queue | |
name: 'Pause the workflow here' | |
runs-on: ubuntu-latest | |
needs: [build] | |
steps: | |
- name: 'Cancel workflow' | |
run: | | |
curl -L \ | |
-X POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ github.token }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/cancel | |
start_dev: | |
# This "Start" task is to work around a bug in GitHub | |
# Without this, when you manually re-run the "Terraform (dev)" job, it also kicks off the "Terraform (prod)" job | |
# It only started doing this once we moved the Terraform shared functionality into a sub-workflow | |
name: 'Start (dev)' | |
runs-on: ubuntu-latest | |
needs: [pause_workflow] | |
steps: | |
- name: 'No-op' | |
run: echo "Hello" | |
terraform_dev: | |
name: 'Terraform (dev)' | |
concurrency: '${{ github.workflow }}--terraform_dev' # Prevents more than one instance of this workflow/job running at the same time (to prevent 2 instances deploying or terraforming at the same time) | |
needs: [start_dev] | |
uses: ./.github/workflows/_terraform-shared.yml | |
with: | |
GITHUB_ACTIONS_ENVIRONMENT: dev | |
TERRAFORM_ENVIRONMENT_NAME: dev | |
TERRAFORM_STATE_FILE: gender-pay-gap_dev.tfstate | |
TERRAFORM_TFVARS_FILE: dev.tfvars | |
OFFSET_CURRENT_DATE_TIME_FOR_SITE: ${{ vars.OFFSET_CURRENT_DATE_TIME_FOR_SITE }} | |
MAINTENANCE_MODE: ${{ vars.MAINTENANCE_MODE }} | |
MAINTENANCE_MODE_UP_AGAIN_TIME: ${{ vars.MAINTENANCE_MODE_UP_AGAIN_TIME }} | |
secrets: | |
TERRAFORM_AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }} | |
TERRAFORM_AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }} | |
POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }} | |
DEFAULT_ENCRYPTION_KEY: ${{ secrets.DEFAULT_ENCRYPTION_KEY }} | |
DEFAULT_ENCRYPTION_IV: ${{ secrets.DEFAULT_ENCRYPTION_IV }} | |
DATA_MIGRATION_PASSWORD: ${{ secrets.DATA_MIGRATION_PASSWORD }} | |
COMPANIES_HOUSE_API_KEY: ${{ secrets.COMPANIES_HOUSE_API_KEY }} | |
GOV_UK_NOTIFY_API_KEY: ${{ secrets.GOV_UK_NOTIFY_API_KEY }} | |
BASIC_AUTH_USERNAME: ${{ secrets.BASIC_AUTH_USERNAME }} | |
BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }} | |
EHRC_API_TOKEN: ${{ secrets.EHRC_API_TOKEN }} | |
deploy_dev: | |
name: 'Deploy (dev)' | |
concurrency: '${{ github.workflow }}--deploy_dev' # Prevents more than one instance of this workflow/job running at the same time (to prevent 2 instances deploying or terraforming at the same time) | |
needs: [terraform_dev] | |
uses: ./.github/workflows/_deploy-shared.yml | |
with: | |
GITHUB_ACTIONS_ENVIRONMENT: dev | |
EB_APP_NAME: ${{ needs.terraform_dev.outputs.main_app_elastic_beanstalk_application_name }} | |
EB_ENVIRONMENT_NAME: ${{ needs.terraform_dev.outputs.main_app_elastic_beanstalk_environment_name }} | |
EB_CODE_BUCKET: ${{ needs.terraform_dev.outputs.main_app_elastic_beanstalk_code_s3_bucket }} | |
secrets: | |
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }} | |
start_prod: | |
# This "Start" task is to work around a bug in GitHub | |
# Without this, when you manually re-run the "Terraform (dev)" job, it also kicks off the "Terraform (prod)" job | |
# It only started doing this once we moved the Terraform shared functionality into a sub-workflow | |
name: 'Start (prod)' | |
runs-on: ubuntu-latest | |
needs: [pause_workflow] | |
steps: | |
- name: 'No-op' | |
run: echo "Hello" | |
terraform_prod: | |
name: 'Terraform (prod)' | |
concurrency: '${{ github.workflow }}--terraform_prod' # Prevents more than one instance of this workflow/job running at the same time (to prevent 2 instances deploying or terraforming at the same time) | |
needs: [start_prod] | |
uses: ./.github/workflows/_terraform-shared.yml | |
with: | |
GITHUB_ACTIONS_ENVIRONMENT: prod | |
TERRAFORM_ENVIRONMENT_NAME: prod | |
TERRAFORM_STATE_FILE: gender-pay-gap_prod.tfstate | |
TERRAFORM_TFVARS_FILE: prod.tfvars | |
OFFSET_CURRENT_DATE_TIME_FOR_SITE: ${{ vars.OFFSET_CURRENT_DATE_TIME_FOR_SITE }} | |
MAINTENANCE_MODE: ${{ vars.MAINTENANCE_MODE }} | |
MAINTENANCE_MODE_UP_AGAIN_TIME: ${{ vars.MAINTENANCE_MODE_UP_AGAIN_TIME }} | |
secrets: | |
TERRAFORM_AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }} | |
TERRAFORM_AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }} | |
POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }} | |
DEFAULT_ENCRYPTION_KEY: ${{ secrets.DEFAULT_ENCRYPTION_KEY }} | |
DEFAULT_ENCRYPTION_IV: ${{ secrets.DEFAULT_ENCRYPTION_IV }} | |
DATA_MIGRATION_PASSWORD: ${{ secrets.DATA_MIGRATION_PASSWORD }} | |
COMPANIES_HOUSE_API_KEY: ${{ secrets.COMPANIES_HOUSE_API_KEY }} | |
GOV_UK_NOTIFY_API_KEY: ${{ secrets.GOV_UK_NOTIFY_API_KEY }} | |
BASIC_AUTH_USERNAME: ${{ secrets.BASIC_AUTH_USERNAME }} | |
BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }} | |
EHRC_API_TOKEN: ${{ secrets.EHRC_API_TOKEN }} | |
deploy_prod: | |
name: 'Deploy (prod)' | |
concurrency: '${{ github.workflow }}--deploy_prod' # Prevents more than one instance of this workflow/job running at the same time (to prevent 2 instances deploying or terraforming at the same time) | |
needs: [terraform_prod] | |
uses: ./.github/workflows/_deploy-shared.yml | |
with: | |
GITHUB_ACTIONS_ENVIRONMENT: prod | |
EB_APP_NAME: ${{ needs.terraform_prod.outputs.main_app_elastic_beanstalk_application_name }} | |
EB_ENVIRONMENT_NAME: ${{ needs.terraform_prod.outputs.main_app_elastic_beanstalk_environment_name }} | |
EB_CODE_BUCKET: ${{ needs.terraform_prod.outputs.main_app_elastic_beanstalk_code_s3_bucket }} | |
secrets: | |
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }} |