Skip to content

secrets

secrets #62

name: 'Build, Deploy (all environments)'
on:
workflow_dispatch:
push:
branches:
- '*'
jobs:
build:
name: 'Build'
runs-on: ubuntu-latest
steps:
- name: 'Checkout Code'
uses: actions/checkout@v4
- name: 'Install Terraform'
uses: hashicorp/setup-terraform@v3
- name: 'Install dotnet 8.0.x'
uses: actions/setup-dotnet@v4
with:
dotnet-version: '8.0.x'
- name: 'Install Node.JS version 20 (v22 caused an error during npm ci)'
uses: actions/setup-node@v4
with:
node-version: 20
- name: 'Init Terraform (with no backend)'
run: |
terraform init -backend=false
working-directory: ./terraform
- name: 'Validate Terraform (with no backend)'
run: |
terraform validate
working-directory: ./terraform
- name: 'Install Node.JS (npm) dependencies'
run: |
npm ci
working-directory: GenderPayGap.WebUI
- name: 'Build JS and SCSS code'
run: |
npm run build
working-directory: GenderPayGap.WebUI
- name: 'Install .Net (nuget) dependencies'
run: |
dotnet restore GenderPayGap.Core/GenderPayGap.Core.csproj
dotnet restore GenderPayGap.Database/GenderPayGap.Database.csproj
dotnet restore GenderPayGap.WebUI/GenderPayGap.WebUI.csproj
dotnet restore GenderPayGap.UnitTests/GenderPayGap.WebUI.Tests/GenderPayGap.WebUI.Tests.csproj
- name: 'Save build run info to JSON file'
run: |
echo '{ "BuildNumber": "${{ github.run_id }}", "git_commit": "${{ github.sha }}", "git_branch": "${{ github.ref_name }}", "github_action_name": "${{ github.workflow }}", "github_action_run_url": "https://github.com/${{github.repository}}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}" }' > build-number.json
working-directory: GenderPayGap.WebUI
- name: 'Build .Net code'
run: |
dotnet build GenderPayGap.WebUI/GenderPayGap.WebUI.csproj
- name: 'Test .Net code'
run: |
dotnet test GenderPayGap.UnitTests/GenderPayGap.WebUI.Tests/GenderPayGap.WebUI.Tests.csproj --logger "trx;LogFileName=test-results.trx"
- name: 'Publish .Net test results'
uses: dorny/test-reporter@v1
if: ${{ always() }} # Use always() to always run this step to publish test results when there are test failures
with:
name: 'test-results'
path: GenderPayGap.UnitTests/GenderPayGap.WebUI.Tests/TestResults/test-results.trx
reporter: dotnet-trx
- name: 'Publish .Net code'
run: |
dotnet publish GenderPayGap.WebUI/GenderPayGap.WebUI.csproj -p:Configuration=Release
- name: 'Zip up the code'
run: |
zip -rq build.zip .
working-directory: GenderPayGap.WebUI/bin/Release/net8.0/publish/
- name: 'Save build zip as GitHub Actions artifact'
uses: actions/upload-artifact@v4
with:
name: build-zip
path: GenderPayGap.WebUI/bin/Release/net8.0/publish/build.zip
pause_workflow:
# For the subsequent jobs, we want to the use 2 GitHub features:
# - environments: to ensure deployments are manually kicked off (builds can happen automatically, but not deploys)
# - concurrency: to prevent 2 jobs deploying or terraforming at the same time
# But the way GitHub has implemented this combination of features means that:
# - the first workflow/job to get to the manual approval gate waits for approval
# - any parallel workflows/jobs to get to the manyal approval gate cannot be run until the first job has completed
# i.e. we can't start a deployment on workflow run 11 until the same deployment on wofklow run 10 has completed (even if we don't want to deploy workflow run 10 at all!)
# Cancelling the workflow allows us to run-run any jobs as we like, and takes them all out of the approval queue
name: 'Pause the workflow here'
runs-on: ubuntu-latest
needs: [build]
steps:
- name: 'Cancel workflow'
run: |
curl -L \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ github.token }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/cancel
start_dev:
# This "Start" task is to work around a bug in GitHub
# Without this, when you manually re-run the "Terraform (dev)" job, it also kicks off the "Terraform (prod)" job
# It only started doing this once we moved the Terraform shared functionality into a sub-workflow
name: 'Start (dev)'
runs-on: ubuntu-latest
needs: [pause_workflow]
steps:
- name: 'No-op'
run: echo "Hello"
terraform_dev:
name: 'Terraform (dev)'
concurrency: '${{ github.workflow }}--terraform_dev' # Prevents more than one instance of this workflow/job running at the same time (to prevent 2 instances deploying or terraforming at the same time)
needs: [start_dev]
uses: ./.github/workflows/_terraform-shared.yml
with:
GITHUB_ACTIONS_ENVIRONMENT: dev
TERRAFORM_ENVIRONMENT_NAME: dev
TERRAFORM_STATE_FILE: gender-pay-gap_dev.tfstate
TERRAFORM_TFVARS_FILE: dev.tfvars
OFFSET_CURRENT_DATE_TIME_FOR_SITE: ${{ vars.OFFSET_CURRENT_DATE_TIME_FOR_SITE }}
MAINTENANCE_MODE: ${{ vars.MAINTENANCE_MODE }}
MAINTENANCE_MODE_UP_AGAIN_TIME: ${{ vars.MAINTENANCE_MODE_UP_AGAIN_TIME }}
secrets:
TERRAFORM_AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
TERRAFORM_AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}
POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
DEFAULT_ENCRYPTION_KEY: ${{ secrets.DEFAULT_ENCRYPTION_KEY }}
DEFAULT_ENCRYPTION_IV: ${{ secrets.DEFAULT_ENCRYPTION_IV }}
DATA_MIGRATION_PASSWORD: ${{ secrets.DATA_MIGRATION_PASSWORD }}
COMPANIES_HOUSE_API_KEY: ${{ secrets.COMPANIES_HOUSE_API_KEY }}
GOV_UK_NOTIFY_API_KEY: ${{ secrets.GOV_UK_NOTIFY_API_KEY }}
BASIC_AUTH_USERNAME: ${{ secrets.BASIC_AUTH_USERNAME }}
BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
EHRC_API_TOKEN: ${{ secrets.EHRC_API_TOKEN }}
deploy_dev:
name: 'Deploy (dev)'
concurrency: '${{ github.workflow }}--deploy_dev' # Prevents more than one instance of this workflow/job running at the same time (to prevent 2 instances deploying or terraforming at the same time)
needs: [terraform_dev]
uses: ./.github/workflows/_deploy-shared.yml
with:
GITHUB_ACTIONS_ENVIRONMENT: dev
EB_APP_NAME: ${{ needs.terraform_dev.outputs.main_app_elastic_beanstalk_application_name }}
EB_ENVIRONMENT_NAME: ${{ needs.terraform_dev.outputs.main_app_elastic_beanstalk_environment_name }}
EB_CODE_BUCKET: ${{ needs.terraform_dev.outputs.main_app_elastic_beanstalk_code_s3_bucket }}
secrets:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}
start_prod:
# This "Start" task is to work around a bug in GitHub
# Without this, when you manually re-run the "Terraform (dev)" job, it also kicks off the "Terraform (prod)" job
# It only started doing this once we moved the Terraform shared functionality into a sub-workflow
name: 'Start (prod)'
runs-on: ubuntu-latest
needs: [pause_workflow]
steps:
- name: 'No-op'
run: echo "Hello"
terraform_prod:
name: 'Terraform (prod)'
concurrency: '${{ github.workflow }}--terraform_prod' # Prevents more than one instance of this workflow/job running at the same time (to prevent 2 instances deploying or terraforming at the same time)
needs: [start_prod]
uses: ./.github/workflows/_terraform-shared.yml
with:
GITHUB_ACTIONS_ENVIRONMENT: prod
TERRAFORM_ENVIRONMENT_NAME: prod
TERRAFORM_STATE_FILE: gender-pay-gap_prod.tfstate
TERRAFORM_TFVARS_FILE: prod.tfvars
OFFSET_CURRENT_DATE_TIME_FOR_SITE: ${{ vars.OFFSET_CURRENT_DATE_TIME_FOR_SITE }}
MAINTENANCE_MODE: ${{ vars.MAINTENANCE_MODE }}
MAINTENANCE_MODE_UP_AGAIN_TIME: ${{ vars.MAINTENANCE_MODE_UP_AGAIN_TIME }}
secrets:
TERRAFORM_AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
TERRAFORM_AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}
POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
DEFAULT_ENCRYPTION_KEY: ${{ secrets.DEFAULT_ENCRYPTION_KEY }}
DEFAULT_ENCRYPTION_IV: ${{ secrets.DEFAULT_ENCRYPTION_IV }}
DATA_MIGRATION_PASSWORD: ${{ secrets.DATA_MIGRATION_PASSWORD }}
COMPANIES_HOUSE_API_KEY: ${{ secrets.COMPANIES_HOUSE_API_KEY }}
GOV_UK_NOTIFY_API_KEY: ${{ secrets.GOV_UK_NOTIFY_API_KEY }}
BASIC_AUTH_USERNAME: ${{ secrets.BASIC_AUTH_USERNAME }}
BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
EHRC_API_TOKEN: ${{ secrets.EHRC_API_TOKEN }}
deploy_prod:
name: 'Deploy (prod)'
concurrency: '${{ github.workflow }}--deploy_prod' # Prevents more than one instance of this workflow/job running at the same time (to prevent 2 instances deploying or terraforming at the same time)
needs: [terraform_prod]
uses: ./.github/workflows/_deploy-shared.yml
with:
GITHUB_ACTIONS_ENVIRONMENT: prod
EB_APP_NAME: ${{ needs.terraform_prod.outputs.main_app_elastic_beanstalk_application_name }}
EB_ENVIRONMENT_NAME: ${{ needs.terraform_prod.outputs.main_app_elastic_beanstalk_environment_name }}
EB_CODE_BUCKET: ${{ needs.terraform_prod.outputs.main_app_elastic_beanstalk_code_s3_bucket }}
secrets:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}