Skip to content

add workflow-level token permissions #38

add workflow-level token permissions

add workflow-level token permissions #38

name: PR Deployment
on:
pull_request:
types:
- opened
- synchronize
- reopened
branches:
- main
concurrency:
group: pr-${{ github.event.pull_request.number }}
# By default, this workflow will cancel a previous run when a new one is queued.
# Depending on when the workflow was cancelled, it may leave orphaned environments
# that will be cleaned up after the PR is closed.
#
# To change this behavior and wait for the previous run to finish executing, set
# cancel-in-progress to false
cancel-in-progress: true
env:
KEY_VAULT_NAME: "kv-symphony-environments" #GitLeaksIgnore
LOCATION_NAME: "westus"
PR_ENVIRONMENT_DIRECTORY: "pr"
jobs:
Setup:
if: ${{ !github.event.pull_request.draft }}
runs-on: ubuntu-latest
outputs:
keyVaultName: ${{ steps.setValues.outputs.keyVaultName }}
locationName: ${{ steps.setValues.outputs.locationName }}
prEnvironmentDirectory: ${{ steps.setValues.outputs.prEnvironmentDirectory }}
environmentName: ${{ steps.setValues.outputs.environmentName }}
steps:
- name: Set Values
id: setValues
run: |
echo "keyVaultName=$KEY_VAULT_NAME" >> $GITHUB_OUTPUT
echo "locationName=$LOCATION_NAME" >> $GITHUB_OUTPUT
echo "prEnvironmentDirectory=$PR_ENVIRONMENT_DIRECTORY" >> $GITHUB_OUTPUT
suffix=$(uuidgen)
# create a 6 character hash of the suffix
suffixHash=$(echo -n "$suffix" | md5sum | cut -c1-6)
echo "environmentName=$suffixHash" >> $GITHUB_OUTPUT
Validate:

Check failure on line 52 in .github/workflows/workflow.pr.bicep.yml

View workflow run for this annotation

GitHub Actions / PR Deployment

Invalid workflow file

The workflow is not valid. .github/workflows/workflow.pr.bicep.yml (Line: 52, Col: 3): Error calling workflow 'microsoft/symphony/.github/workflows/template.bicep.validate.yml@3e4127a43d65824870213b822a4692776946d32e'. The nested job 'Validate' is requesting 'actions: read, security-events: write', but is only allowed 'actions: none, security-events: none'.
needs: Setup
uses: ./.github/workflows/template.bicep.validate.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
environmentDirectory: ${{ needs.Setup.outputs.prEnvironmentDirectory }}
locationName: ${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
# Right now, every new non-draft PR will trigger a new environment to be created.
# To change this behavior, you can add a label to the PR called "ready-to-deploy"
# and uncomment the following step. This will cause the workflow to only run when
# the label is present.
#
#
# CheckReadyToDeploy:
# needs: [Validate, Setup]
# runs-on: ubuntu-latest
# env:
# READY_TO_DEPLOY: ${{ contains(github.event.pull_request.labels.*.name, 'ready-to-deploy') }}
# steps:
# - name: Check if the ready-to-deploy label is present
# run: |
# if [ "$READY_TO_DEPLOY" = "true" ]; then
# echo "ready-to-deploy label present. Continuing..."
# else
# echo "ready-to-deploy label not present. Breaking..."
# exit 1
# fi
NewEnvironment:
needs: [Setup, Validate]
uses: ./.github/workflows/template.storeevent.yml
permissions:
pull-requests: write
with:
pipelineName: PR
eventName: NewEnvironment
eventGroupId: PR-${{ github.event.pull_request.number }}-${{ github.repository_id }}
data: Name=${{ needs.Setup.outputs.environmentName }} SHA=${{ github.event.pull_request.head.sha }} Location=${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
comment: |
Creating environment with name: "${{ needs.Setup.outputs.environmentName }}" using commit: "${{ github.event.pull_request.head.sha }}".
${{
contains(github.event.pull_request.labels.*.name, 'preserve-pr-environment') &&
format('The environment will not be destroyed after the workflow completes.\nTo delete it, use the [Destroy workflow](../actions/workflows/workflow.destroy.bicep.yml) on the current branch with "{0}" as the environment name.', needs.Setup.outputs.environmentName)
||
'The environment will be destroyed after the workflow completes.\nTo preserve it, add the "preserve-pr-environment" label to the PR.'
}}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
PreviewDeployBaseBranch:
needs: [Setup, NewEnvironment]
uses: ./.github/workflows/template.bicep.previewdeploy.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
environmentDirectory: ${{ needs.Setup.outputs.prEnvironmentDirectory }}
locationName: ${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.base_ref }} # First, deploy the base branch
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
PreviewDeployPRBranch:
needs: [Setup, PreviewDeployBaseBranch]
uses: ./.github/workflows/template.bicep.previewdeploy.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
environmentDirectory: ${{ needs.Setup.outputs.prEnvironmentDirectory }}
locationName: ${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }} # Now, deploy the diff on top of it
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
Test:
needs: [Setup, PreviewDeployPRBranch]
permissions:
pull-requests: write
checks: write
uses: ./.github/workflows/template.bicep.test.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
locationName: ${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
Destroy:
if: ${{ always() && !contains(github.event.pull_request.labels.*.name, 'preserve-pr-environment') }}
needs: [Setup, Test]
uses: ./.github/workflows/template.bicep.destroy.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
locationName: ${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}