PI-2770 move to gha (#815)

Author: anthony-britton-moj

.circleci/config.yml

@@ -0,0 +1,62 @@
+name: integration test template for kotlin
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  integration_tests:
+    runs-on: ubuntu-latest
+    services:
+      opensearch:
+        image: opensearchproject/opensearch:2.5.0
+        env:
+          node.name: opensearch
+          cluster.name: probation-search-cluster
+          discovery.type: single-node
+          bootstrap.memory_lock: true
+          plugins.security.disabled: true
+          OPENSEARCH_JAVA_OPTS: -Xms1g -Xmx1g
+
+        options: >-
+          --health-cmd "curl http://localhost:9200/_cluster/health"
+          --health-interval 10s
+          --health-timeout 30s
+          --health-retries 20
+        ports:
+          - 9200:9200
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: refresh cache
+        id: initial-cache
+        uses: actions/cache@v4
+        env:
+          cache-name: kotlin-cache
+        with:
+          path: |
+            - gradle-{{ checksum "build.gradle.kts" }}
+            - gradle-
+          key: ${{ runner.os }}-gradle-${{ env.cache-name }}-${{ hashFiles('build.gradle.kts') }}
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+          cache: 'gradle'
+          cache-dependency-path: |
+            *.gradle*
+            **/gradle-wrapper.properties
+      - run: ./gradlew check
+        env:
+          JAVA_TOOL_OPTIONS: "-Xmx4g -Dorg.gradle.daemon=false -Dkotlin.compiler.execution.strategy=in-process"
+          TESTCONTAINERS_ELASTICSEARCH_ENABLED: 'false'
+      - name: upload the artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: upload kotlin valdation results
+          path: |
+            build/test-results
+            build/reports/tests

.github/workflows/kotlin_integration_tests.yml

@@ -0,0 +1,83 @@
+name: Pipeline [test -> build -> deploy]
+on:
+  push:
+    branches:
+      - '**'
+  workflow_dispatch:
+    inputs:
+      additional_docker_tag:
+        description: Additional docker tag that can be used to specify stable or testing tags
+        required: false
+        default: ''
+        type: string
+      push:
+        description: Push docker image to registry flag
+        required: true
+        default: false
+        type: boolean
+permissions:
+  contents: read
+  packages: write
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+jobs:
+  helm_lint:
+    strategy:
+      matrix:
+        environments: ['dev', 'preprod', 'prod']
+    name: helm lint
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/test_helm_lint.yml@v2 # WORKFLOW VERSION
+    secrets: inherit
+    with:
+      environment: ${{ matrix.environments }}
+  kotlin_validate:
+    name: Validate the kotlin
+    uses: ./.github/workflows/kotlin_integration_tests.yml
+    secrets: inherit
+  build:
+    name: Build docker image from hmpps-github-actions
+    if: github.ref == 'refs/heads/main'
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/docker_build.yml@v2 # WORKFLOW_VERSION
+    needs:
+      - kotlin_validate
+    with:
+      docker_registry: 'ghcr.io'
+      registry_org: 'ministryofjustice'
+      additional_docker_tag: ""
+      push: ${{ inputs.push || true }}
+      docker_multiplatform: false
+      additional_docker_build_args: ""
+  deploy_dev:
+    name: Deploy to the dev environment
+    if: github.ref == 'refs/heads/main'
+    needs:
+    - build
+    - helm_lint
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/deploy_env.yml@v2 # WORKFLOW_VERSION
+    secrets: inherit
+    with:
+      environment: 'dev'
+      app_version: '${{ needs.build.outputs.app_version }}'
+  deploy_preprod:
+    name: Deploy to the preprod environment
+    needs:
+    - build
+    - helm_lint
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/deploy_env.yml@v2 # WORKFLOW_VERSION
+    secrets: inherit
+    with:
+      environment: 'preprod'
+      app_version: '${{ needs.build.outputs.app_version }}'
+  deploy_prod:
+    name: Deploy to the prod environment
+    needs:
+    - build
+    - helm_lint
+    - deploy_dev
+    - deploy_preprod
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/deploy_env.yml@v2 # WORKFLOW_VERSION
+    secrets: inherit
+    with:
+      environment: 'prod'
+      app_version: '${{ needs.build.outputs.app_version }}'

.github/workflows/pipeline.yml

@@ -0,0 +1,12 @@
+name: Security OWASP dependency check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "29 3 * * MON-FRI" # Every weekday at 03:29 UTC
+jobs:
+  security-kotlin-owasp-check:
+    name: Kotlin security OWASP dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_owasp.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit

.github/workflows/security_owasp.yml

@@ -0,0 +1,12 @@
+name: Security trivy dependency check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "29 3 * * MON-FRI" # Every weekday at 03:29 UTC
+jobs:
+  security-kotlin-trivy-check:
+    name: Project security trivy dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_trivy.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit

.github/workflows/security_trivy.yml

@@ -0,0 +1,12 @@
+name: Security veracode pipeline scan
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "29 3 * * MON-FRI" # Every weekday at 03:29 UTC
+jobs:
+  security-veracode-pipeline-scan:
+    name: Project security veracode pipeline scan
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_pipeline_scan.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit

.github/workflows/security_veracode_pipeline_scan.yml

@@ -0,0 +1,12 @@
+name: Security veracode policy scan
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "50 3 * * 1" # Every Monday at 03:50 UTC
+jobs:
+  security-veracode-policy-check:
+    name: Project security veracode policy scan
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_policy_scan.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit

.github/workflows/security_veracode_policy_scan.yml

@@ -10,3 +10,6 @@
 # Suppression for h2 2.1.214 password on command line vulnerability
 #   can be suppressed as we only run h2 locally and not on build environments
 CVE-2022-45868
+# Suppression for tomcat vulnerability affecting jsp compilation in the default servlet
+#   can be suppressed as we do not use the default servlet and haven't configured it for write either
+CVE-2024-50379

.trivyignore

@@ -1,7 +1,7 @@
 # probation-offender-search
 
 [![CircleCI](https://circleci.com/gh/ministryofjustice/probation-offender-search/tree/main.svg?style=svg)](https://circleci.com/gh/ministryofjustice/probation-offender-search)
-[![Docker](https://quay.io/repository/hmpps/probation-offender-search/status)](https://quay.io/repository/hmpps/probation-offender-search/status)
+[![Docker](https://github.com/orgs/ministryofjustice/packages?repo_name=probation-offender-search)](https://github.com/orgs/ministryofjustice/packages?repo_name=probation-offender-search)
 [![API docs](https://img.shields.io/badge/API_docs_(needs_VPN)-view-85EA2D.svg?logo=swagger)](https://probation-offender-search-dev.hmpps.service.justice.gov.uk/swagger-ui/index.html)
 
 API to provides searching of offender records in Delius via Elastic search

README.md

@@ -1,7 +1,7 @@
 version: "3"
 services:
   offender-search:
-    image: quay.io/hmpps/probation-offender-search:latest
+    image: ghcr.io/ministryofjustice/probation-offender-search:latest
     networks:
       - hmpps
     container_name: probation-offender-search

docker-compose.yml

@@ -0,0 +1,8 @@
+# WARNING - THIS FILE WAS GENERATED BY THE dps-gradle-spring-boot GRADLE PLUGIN
+#           AND ANY MANUAL CHANGES WILL BE OVERRIDDEN ON YOUR NEXT BUILD.
+#
+# To make general changes to the configuration below, change the gradle plugin dps-gradle-spring-boot,
+# publish a new version and update to the new version in your gradle build script
+#
+# To stop the dps-gradle-spring-boot project from overwriting any project specific customisations here, remove the
+# warning at the top of this file.