ministryofjustice · BenMillar-MOJ · May 23, 2024 · May 14, 2024 · May 14, 2024 · May 14, 2024
@@ -0,0 +1,47 @@
+name: Build and Push image
+on:
+  workflow_call:
+    inputs:
+      ECR_REGION:
+        required: true
+        type: string
+      ECR_REPOSITORY:
+        required: true
+        type: string
+    secrets:
+      ECR_ROLE_TO_ASSUME:
+        required: true
+
+
+jobs:
+  build-and-push-to-ecr:
+    name: Build and Push
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
+    steps:
+      - name: Checkout GitHub repository 
+        uses: actions/checkout@v4
+
+      - name: Assume role in Cloud Platform
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+          aws-region: ${{ inputs.ECR_REGION }}
+
+      - name: Login to container repository
+        uses: aws-actions/amazon-ecr-login@v2
+        id: login-ecr
+        with:
+          mask-password: true
+
+      - name:  Build and push a Docker image to the container repository
+        id: docker-build
+        run: |
+          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
+          docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: ${{ inputs.ECR_REPOSITORY }}
+          IMAGE_TAG: ${{ github.sha }}
@@ -0,0 +1,37 @@
+# Uninstalls the dev helm chart when a PR is merged, or closed
+name: Clean up the dev release
+
+run-name: Clean up ${{ github.head_ref || github.ref_name }}
+
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  clean-up-release:
+    name: Clean up release
+    environment: dev
+    runs-on: ubuntu-latest
+    permissions:
+        id-token: write # This is required for requesting the JWT
+        contents: read  # This is required for actions/checkout
+    steps:
+      - name: Authenticate to the cluster
+        env:
+          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+          KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
+        run: |
+          echo "${{ secrets.KUBE_CERT }}" > ca.crt
+          kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
+          kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }}
+          kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE}
+          kubectl config use-context ${KUBE_CLUSTER}
+
+      - name: Uninstall the helm chart
+        env:
+          # head_ref is set if the workflow was triggered by a PR, ref_name is used if the workflow was trigged by a push.
+          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+        run: |
+            export CLEANED_BRANCH_NAME=$(echo ${BRANCH_NAME} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//')
+            helm uninstall ${CLEANED_BRANCH_NAME}
@@ -0,0 +1,73 @@
+name: Deploy image to the dev environment
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      ECR_REGION:
+        required: true
+        type: string
+      ECR_REPOSITORY:
+        required: true
+        type: string
+    secrets:
+      ECR_ROLE_TO_ASSUME:
+        required: true
+      KUBE_CERT:
+        required: true
+      KUBE_CLUSTER:
+        required: true
+      KUBE_NAMESPACE:
+        required: true
+      KUBE_TOKEN:
+        required: true
+
+
+jobs:
+  deploy:
+    name: Deploy
+    environment: ${{ inputs.environment }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
+    steps:
+      - name: Checkout GitHub repository
+        uses: actions/checkout@v4
+
+      - name: Authenticate to the cluster
+        env:
+          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+          KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
+        run: |
+          echo "${{ secrets.KUBE_CERT }}" > ca.crt
+          kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
+          kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }}
+          kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE}
+          kubectl config use-context ${KUBE_CLUSTER}
+
+      - name: Upgrade the Helm chart
+        env:
+          IMAGE_TAG: ${{ github.sha }}
+          REGISTRY: ${{ secrets.ECR_REGISTRY }}
+          REPOSITORY: ${{ inputs.ECR_REPOSITORY }}
+          HELM_DIR: "helm_deploy/laa-access-civil-legal-aid"
+          DEV_HOST: "access-cla.cloud-platform.service.justice.gov.uk"
+          # head_ref is set if the workflow was triggered by a PR, ref_name is used if the workflow was trigged by a push.
+          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+        run: |
+          export CLEANED_BRANCH_NAME=$(echo ${BRANCH_NAME} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//')
+          export HOST_NAME=${CLEANED_BRANCH_NAME}-${DEV_HOST}
+
+          helm upgrade ${CLEANED_BRANCH_NAME} \
+          ${HELM_DIR} \
+          --namespace=${{ secrets.KUBE_NAMESPACE }} \
+          --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \
+          --set image.repository=${REGISTRY}/${REPOSITORY} \
+          --set image.tag=${IMAGE_TAG} \
+          --set fullnameOverride=${CLEANED_BRANCH_NAME} \
+          --set ingress.hosts[0].host=${HOST_NAME} \
+          --set ingress.tls[0].hosts[0]=${HOST_NAME} \
+          --force \
+          --install
@@ -0,0 +1,64 @@
+name: Deploy to a Cloud Platform environment
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      ECR_REGION:
+        required: true
+        type: string
+      ECR_REPOSITORY:
+        required: true
+        type: string
+    secrets:
+      ECR_ROLE_TO_ASSUME:
+        required: true
+      KUBE_CERT:
+        required: true
+      KUBE_CLUSTER:
+        required: true
+      KUBE_NAMESPACE:
+        required: true
+      KUBE_TOKEN:
+        required: true
+
+
+jobs:
+  deploy:
+    name: Deploy
+    environment: ${{ inputs.environment }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
+    steps:
+      - name: Checkout GitHub repository
+        uses: actions/checkout@v4
+
+      - name: Authenticate to the cluster
+        env:
+          KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+          KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
+        run: |
+          echo "${{ secrets.KUBE_CERT }}" > ca.crt
+          kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER}
+          kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }}
+          kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${KUBE_NAMESPACE}
+          kubectl config use-context ${KUBE_CLUSTER}
+
+      - name: Upgrade the Helm chart
+        env:
+          IMAGE_TAG: ${{ github.sha }}
+          REGISTRY: ${{ secrets.ECR_REGISTRY }}
+          REPOSITORY: ${{ inputs.ECR_REPOSITORY }}
+          HELM_DIR: "helm_deploy/laa-access-civil-legal-aid"
+        run: |
+          helm upgrade laa-access-civil-legal-aid \
+          ${HELM_DIR} \
+          --namespace=${{ secrets.KUBE_NAMESPACE }} \
+          --values ${HELM_DIR}/values/values-${{ inputs.environment }}.yaml \
+          --set image.repository=${REGISTRY}/${REPOSITORY} \
+          --set image.tag=${IMAGE_TAG} \
+          --force \
+          --install
@@ -0,0 +1,60 @@
+name: Feature Branch
+
+run-name: Feature - ${{ github.head_ref || github.ref_name }}
+
+on:
+  push:
+    branches-ignore:
+      - main
+  pull_request:
+    types:
+      - reopened
+
+jobs:
+  static-analysis:
+    name: Static Analysis
+    uses: ./.github/workflows/static-analysis.yml
+
+  test:
+    name: Test
+    uses: ./.github/workflows/test.yml
+
+  build-and-push:
+    name: Build
+    uses: ./.github/workflows/build.yml
+    needs: static-analysis
+    with:
+      ECR_REGION: ${{vars.ECR_REGION}}
+      ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}}
+    secrets:
+      ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+
+  deploy-dev:
+    name: Dev
+    uses: ./.github/workflows/deploy-dev.yml
+    needs: build-and-push
+    with:
+      environment: dev
+      ECR_REGION: ${{vars.ECR_REGION}}
+      ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}}
+    secrets:
+      ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+      KUBE_CERT: ${{ secrets.KUBE_CERT }}
+      KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
+      KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+      KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
+
+  deploy-uat:
+    name: UAT
+    uses: ./.github/workflows/deploy.yml
+    needs: [build-and-push, test]
+    with:
+      environment: uat
+      ECR_REGION: ${{vars.ECR_REGION}}
+      ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}}
+    secrets:
+      ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+      KUBE_CERT: ${{ secrets.KUBE_CERT }}
+      KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
+      KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+      KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
@@ -0,0 +1,57 @@
+name: Release
+
+run-name: Release - ${{ github.ref_name }}
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  static-analysis:
+    name: Static Analysis
+    uses: ./.github/workflows/static-analysis.yml
+
+  test:
+    name: Test
+    uses: ./.github/workflows/test.yml
+
+  build-and-push:
+    name: Build
+    uses: ./.github/workflows/build.yml
+    needs: [static-analysis, test]
+    with:
+      ECR_REGION: ${{vars.ECR_REGION}}
+      ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}}
+    secrets:
+      ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+
+  deploy-staging:
+    name: Staging
+    uses: ./.github/workflows/deploy.yml
+    needs: build-and-push
+    with:
+      environment: staging
+      ECR_REGION: ${{vars.ECR_REGION}}
+      ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}}
+    secrets:
+      ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+      KUBE_CERT: ${{ secrets.KUBE_CERT }}
+      KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
+      KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+      KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
+
+  deploy-production:
+    name: Production
+    uses: ./.github/workflows/deploy.yml
+    needs: deploy-staging
+    with:
+      environment: production
+      ECR_REGION: ${{vars.ECR_REGION}}
+      ECR_REPOSITORY: ${{vars.ECR_REPOSITORY}}
+    secrets:
+      ECR_ROLE_TO_ASSUME: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+      KUBE_CERT: ${{ secrets.KUBE_CERT }}
+      KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }}
+      KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }}
+      KUBE_TOKEN: ${{ secrets.KUBE_TOKEN }}
@@ -0,0 +1,13 @@
+name: Static Analysis
+on: workflow_call
+
+jobs:
+  lint:
+    name: Ruff
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: chartboost/ruff-action@v1
+        with:
+          args: check --output-format=github
+          src: './src'
@@ -0,0 +1,33 @@
+name: Test
+
+on: workflow_call
+
+jobs:
+  test:
+    name: Pytest
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout the repository
+      uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+
+    - name: Test with pytest
+      run: |
+        pip install pytest pytest-cov
+        pytest tests.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html
+
+    - name: Upload pytest test results
+      uses: actions/upload-artifact@v4
+      with:
+        name: pytest-results
+        path: junit/test-results.xml
+      # Use always() to always run this step to publish test results when there are test failures
+      if: ${{ always() }}
@@ -8,3 +8,4 @@ env/
 *.code-workspace
 *.sha256
 terraform.tfstate
+.idea