diff --git a/.github/scripts/release_code.sh b/.github/scripts/release_code.sh index bc0b70ac..31c93572 100755 --- a/.github/scripts/release_code.sh +++ b/.github/scripts/release_code.sh @@ -13,5 +13,5 @@ TRUSTSTORE_BUCKET_NAME=$(echo "${TRUSTSTORE_BUCKET_ARN}" | cut -d ":" -f 6) LATEST_TRUSTSTORE_VERSION=$(aws s3api list-object-versions --bucket "${TRUSTSTORE_BUCKET_NAME}" --prefix "${TRUSTSTORE_FILE}" --query 'Versions[?IsLatest].[VersionId]' --output text) export LATEST_TRUSTSTORE_VERSION -cd ../../.aws-sam/build || exit +cd ../../ || exit make sam-deploy-package diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml new file mode 100644 index 00000000..5b0d04c9 --- /dev/null +++ b/.github/workflows/pull_request.yml @@ -0,0 +1,71 @@ +name: deploy_pr + +on: + pull_request: + branches: [main] + +env: + BRANCH_NAME: ${{ github.event.pull_request.head.ref }} + +jobs: + quality_checks: + uses: ./.github/workflows/quality_checks.yml + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + get_issue_number: + runs-on: ubuntu-latest + needs: quality_checks + outputs: + issue_number: ${{steps.get_issue_number.outputs.result}} + + steps: + - uses: actions/github-script@v7 + name: get issue number + id: get_issue_number + with: + script: | + if (context.issue.number) { + // Return issue number if present + return context.issue.number; + } else { + // Otherwise return issue number from commit + return ( + await github.rest.repos.listPullRequestsAssociatedWithCommit({ + commit_sha: context.sha, + owner: context.repo.owner, + repo: context.repo.repo, + }) + ).data[0].number; + } + result-encoding: string + + get_commit_id: + runs-on: ubuntu-latest + outputs: + commit_id: ${{ steps.commit_id.outputs.commit_id }} + steps: + - name: Get Commit ID + id: commit_id + run: | + echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" + + package_code: + needs: get_issue_number + uses: ./.github/workflows/sam_package_code.yml + + release_code: + needs: [get_issue_number, package_code, get_commit_id] + uses: ./.github/workflows/sam_release_code.yml + with: + STACK_NAME: fhir-validator-pr-${{needs.get_issue_number.outputs.issue_number}} + ARTIFACT_BUCKET_PREFIX: fhir-validator-PR-${{needs.get_issue_number.outputs.issue_number}} + TARGET_ENVIRONMENT: dev-pr + BUILD_ARTIFACT: packaged_code + VERSION_NUMBER: fhir-validator-PR-${{ needs.get_issue_number.outputs.issue_number }} + COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }} + LOG_LEVEL: DEBUG + LOG_RETENTION_DAYS: 30 + secrets: + CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }} + diff --git a/.github/workflows/quality_checks.yml b/.github/workflows/quality_checks.yml new file mode 100644 index 00000000..7cb9396d --- /dev/null +++ b/.github/workflows/quality_checks.yml @@ -0,0 +1,58 @@ +name: quality checks + +on: + workflow_call: + secrets: + SONAR_TOKEN: + required: true + +jobs: + quality_checks: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ env.BRANCH_NAME }} + fetch-depth: 0 + + # using git commit sha for version of action to ensure we have stable version + - name: Install asdf + uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 + with: + asdf_branch: v0.11.3 + + - name: Cache asdf + uses: actions/cache@v4 + with: + path: | + ~/.asdf + key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} + restore-keys: | + ${{ runner.os }}-asdf- + + - name: Install asdf dependencies in .tool-versions + uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 + with: + asdf_branch: v0.11.3 + env: + PYTHON_CONFIGURE_OPTS: --enable-shared + + - name: make install + run: | + make install + + - name: run check-licenses + run: make check-licenses + + - name: run lint + run: make lint + + - name: run unit tests + run: make test + +# - name: SonarCloud Scan +# uses: SonarSource/sonarcloud-github-action@master +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/sam_package_code.yml b/.github/workflows/sam_package_code.yml new file mode 100644 index 00000000..204b8489 --- /dev/null +++ b/.github/workflows/sam_package_code.yml @@ -0,0 +1,60 @@ +name: sam package code + +on: + workflow_call: + +jobs: + sam_package_code: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + packages: read + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ env.BRANCH_NAME }} + + # using git commit sha for version of action to ensure we have stable version + - name: Install asdf + uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 + with: + asdf_branch: v0.11.3 + + - name: Cache asdf + uses: actions/cache@v4 + with: + path: | + ~/.asdf + key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} + restore-keys: | + ${{ runner.os }}-asdf- + + - name: Install asdf dependencies in .tool-versions + uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 + with: + asdf_branch: v0.11.3 + env: + PYTHON_CONFIGURE_OPTS: --enable-shared + + - name: make install + run: | + make install + + - shell: bash + name: package code + run: | + cp .tool-versions ~/ + rm -rf .aws-sam + make sam-build + cp Makefile .aws-sam/build/ + cp samconfig_package_and_deploy.toml .aws-sam/build/ + + - uses: actions/upload-artifact@v4 + name: upload build artifact + with: + name: packaged_code + path: | + .aws-sam/build + diff --git a/.github/workflows/sam_release_code.yml b/.github/workflows/sam_release_code.yml new file mode 100644 index 00000000..d5fe95eb --- /dev/null +++ b/.github/workflows/sam_release_code.yml @@ -0,0 +1,137 @@ +name: sam release code + +on: + workflow_call: + inputs: + STACK_NAME: + required: true + type: string + ARTIFACT_BUCKET_PREFIX: + required: true + type: string + TARGET_ENVIRONMENT: + required: true + type: string + BUILD_ARTIFACT: + required: true + type: string + VERSION_NUMBER: + required: true + type: string + COMMIT_ID: + required: true + type: string + LOG_LEVEL: + required: true + type: string + LOG_RETENTION_DAYS: + required: true + type: string + CREATE_INT_RELEASE_NOTES: + type: boolean + default: false + CREATE_INT_RC_RELEASE_NOTES: + type: boolean + default: false + CREATE_PROD_RELEASE_NOTES: + type: boolean + default: false + MARK_JIRA_RELEASED: + type: boolean + default: false + secrets: + CLOUD_FORMATION_DEPLOY_ROLE: + required: true + DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: + required: false + INT_CLOUD_FORMATION_CHECK_VERSION_ROLE: + required: false + PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE: + required: false + DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: + required: false + +jobs: + sam_release_code: + runs-on: ubuntu-latest + environment: ${{ inputs.TARGET_ENVIRONMENT }} + permissions: + id-token: write + contents: read + + steps: + - name: Checkout local github actions + uses: actions/checkout@v4 + with: + ref: ${{ env.BRANCH_NAME }} + fetch-depth: 0 + sparse-checkout: | + .github + + - name: create_int_rc_release_notes + uses: ./.github/actions/update_confluence_jira + if: ${{ inputs.CREATE_INT_RC_RELEASE_NOTES == true }} + with: + TARGET_ENVIRONMENT: int + RELEASE_TAG: ${{ inputs.VERSION_NUMBER }} + CONFLUENCE_PAGE_ID: "778783127" + CREATE_RC_RELEASE_NOTES: true + DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }} + role-session-name: github-actions + + - name: download build artifact + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.BUILD_ARTIFACT }} + path: . + + - name: release code + shell: bash + working-directory: .github/scripts + env: + artifact_bucket_prefix: fhir_validator/${{ inputs.ARTIFACT_BUCKET_PREFIX }} + COMMIT_ID: ${{ inputs.COMMIT_ID }} + LOG_LEVEL: ${{ inputs.LOG_LEVEL }} + LOG_RETENTION_DAYS: ${{ inputs.LOG_RETENTION_DAYS }} + stack_name: ${{ inputs.STACK_NAME }} + TARGET_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }} + template_file: template.yaml + VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }} + run: ./release_code.sh + + - name: create_int_release_notes + uses: ./.github/actions/update_confluence_jira + if: ${{ inputs.CREATE_INT_RELEASE_NOTES == true && always() && !failure() && !cancelled() }} + with: + TARGET_ENVIRONMENT: int + CONFLUENCE_PAGE_ID: "778783122" + CREATE_RC_RELEASE_NOTES: false + DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} + + - name: create_prod_release_notes + uses: ./.github/actions/update_confluence_jira + if: ${{ inputs.CREATE_PROD_RELEASE_NOTES == true && always() && !failure() && !cancelled() }} + with: + TARGET_ENVIRONMENT: prod + CONFLUENCE_PAGE_ID: "778783125" + CREATE_RC_RELEASE_NOTES: false + DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} + + - name: mark_released_in_jira + uses: ./.github/actions/mark_jira_released + if: ${{ inputs.MARK_JIRA_RELEASED == true && always() && !failure() && !cancelled() }} + with: + RELEASE_TAG: ${{ inputs.VERSION_NUMBER }} + DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} diff --git a/Makefile b/Makefile index 3b078cc4..bb8c426e 100644 --- a/Makefile +++ b/Makefile @@ -30,7 +30,7 @@ lint-githubaction-scripts: test: download-dependencies mvn test -check-licences: +check-licenses: scripts/check_python_licenses.sh mvn validate