From f909e550eb15b34fdaeb0f93c4b3028329a12e2d Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Wed, 28 Feb 2024 12:15:10 +0000 Subject: [PATCH 1/5] deploy from pull requests --- .github/workflows/pull_request.yml | 71 +++++++++++++ .github/workflows/quality_checks.yml | 65 ++++++++++++ .github/workflows/sam_package_code.yml | 60 +++++++++++ .github/workflows/sam_release_code.yml | 137 +++++++++++++++++++++++++ 4 files changed, 333 insertions(+) create mode 100644 .github/workflows/pull_request.yml create mode 100644 .github/workflows/quality_checks.yml create mode 100644 .github/workflows/sam_package_code.yml create mode 100644 .github/workflows/sam_release_code.yml diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml new file mode 100644 index 00000000..5b0d04c9 --- /dev/null +++ b/.github/workflows/pull_request.yml @@ -0,0 +1,71 @@ +name: deploy_pr + +on: + pull_request: + branches: [main] + +env: + BRANCH_NAME: ${{ github.event.pull_request.head.ref }} + +jobs: + quality_checks: + uses: ./.github/workflows/quality_checks.yml + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + get_issue_number: + runs-on: ubuntu-latest + needs: quality_checks + outputs: + issue_number: ${{steps.get_issue_number.outputs.result}} + + steps: + - uses: actions/github-script@v7 + name: get issue number + id: get_issue_number + with: + script: | + if (context.issue.number) { + // Return issue number if present + return context.issue.number; + } else { + // Otherwise return issue number from commit + return ( + await github.rest.repos.listPullRequestsAssociatedWithCommit({ + commit_sha: context.sha, + owner: context.repo.owner, + repo: context.repo.repo, + }) + ).data[0].number; + } + result-encoding: string + + get_commit_id: + runs-on: ubuntu-latest + outputs: + commit_id: ${{ steps.commit_id.outputs.commit_id }} + steps: + - name: Get Commit ID + id: commit_id + run: | + echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT" + + package_code: + needs: get_issue_number + uses: ./.github/workflows/sam_package_code.yml + + release_code: + needs: [get_issue_number, package_code, get_commit_id] + uses: ./.github/workflows/sam_release_code.yml + with: + STACK_NAME: fhir-validator-pr-${{needs.get_issue_number.outputs.issue_number}} + ARTIFACT_BUCKET_PREFIX: fhir-validator-PR-${{needs.get_issue_number.outputs.issue_number}} + TARGET_ENVIRONMENT: dev-pr + BUILD_ARTIFACT: packaged_code + VERSION_NUMBER: fhir-validator-PR-${{ needs.get_issue_number.outputs.issue_number }} + COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }} + LOG_LEVEL: DEBUG + LOG_RETENTION_DAYS: 30 + secrets: + CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }} + diff --git a/.github/workflows/quality_checks.yml b/.github/workflows/quality_checks.yml new file mode 100644 index 00000000..e346a6de --- /dev/null +++ b/.github/workflows/quality_checks.yml @@ -0,0 +1,65 @@ +name: quality checks + +on: + workflow_call: + secrets: + SONAR_TOKEN: + required: true + +jobs: + quality_checks: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ env.BRANCH_NAME }} + fetch-depth: 0 + + # using git commit sha for version of action to ensure we have stable version + - name: Install asdf + uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 + with: + asdf_branch: v0.11.3 + + - name: Cache asdf + uses: actions/cache@v4 + with: + path: | + ~/.asdf + key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} + restore-keys: | + ${{ runner.os }}-asdf- + + - name: Install asdf dependencies in .tool-versions + uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 + with: + asdf_branch: v0.11.3 + env: + PYTHON_CONFIGURE_OPTS: --enable-shared + + - name: Setting up .npmrc + env: + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc + echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc + + - name: make install + run: | + make install + + - name: run check-licenses + run: make check-licenses + + - name: run lint + run: make lint + + - name: run unit tests + run: make test + +# - name: SonarCloud Scan +# uses: SonarSource/sonarcloud-github-action@master +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/sam_package_code.yml b/.github/workflows/sam_package_code.yml new file mode 100644 index 00000000..204b8489 --- /dev/null +++ b/.github/workflows/sam_package_code.yml @@ -0,0 +1,60 @@ +name: sam package code + +on: + workflow_call: + +jobs: + sam_package_code: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + packages: read + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ env.BRANCH_NAME }} + + # using git commit sha for version of action to ensure we have stable version + - name: Install asdf + uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 + with: + asdf_branch: v0.11.3 + + - name: Cache asdf + uses: actions/cache@v4 + with: + path: | + ~/.asdf + key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} + restore-keys: | + ${{ runner.os }}-asdf- + + - name: Install asdf dependencies in .tool-versions + uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 + with: + asdf_branch: v0.11.3 + env: + PYTHON_CONFIGURE_OPTS: --enable-shared + + - name: make install + run: | + make install + + - shell: bash + name: package code + run: | + cp .tool-versions ~/ + rm -rf .aws-sam + make sam-build + cp Makefile .aws-sam/build/ + cp samconfig_package_and_deploy.toml .aws-sam/build/ + + - uses: actions/upload-artifact@v4 + name: upload build artifact + with: + name: packaged_code + path: | + .aws-sam/build + diff --git a/.github/workflows/sam_release_code.yml b/.github/workflows/sam_release_code.yml new file mode 100644 index 00000000..d5fe95eb --- /dev/null +++ b/.github/workflows/sam_release_code.yml @@ -0,0 +1,137 @@ +name: sam release code + +on: + workflow_call: + inputs: + STACK_NAME: + required: true + type: string + ARTIFACT_BUCKET_PREFIX: + required: true + type: string + TARGET_ENVIRONMENT: + required: true + type: string + BUILD_ARTIFACT: + required: true + type: string + VERSION_NUMBER: + required: true + type: string + COMMIT_ID: + required: true + type: string + LOG_LEVEL: + required: true + type: string + LOG_RETENTION_DAYS: + required: true + type: string + CREATE_INT_RELEASE_NOTES: + type: boolean + default: false + CREATE_INT_RC_RELEASE_NOTES: + type: boolean + default: false + CREATE_PROD_RELEASE_NOTES: + type: boolean + default: false + MARK_JIRA_RELEASED: + type: boolean + default: false + secrets: + CLOUD_FORMATION_DEPLOY_ROLE: + required: true + DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: + required: false + INT_CLOUD_FORMATION_CHECK_VERSION_ROLE: + required: false + PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE: + required: false + DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: + required: false + +jobs: + sam_release_code: + runs-on: ubuntu-latest + environment: ${{ inputs.TARGET_ENVIRONMENT }} + permissions: + id-token: write + contents: read + + steps: + - name: Checkout local github actions + uses: actions/checkout@v4 + with: + ref: ${{ env.BRANCH_NAME }} + fetch-depth: 0 + sparse-checkout: | + .github + + - name: create_int_rc_release_notes + uses: ./.github/actions/update_confluence_jira + if: ${{ inputs.CREATE_INT_RC_RELEASE_NOTES == true }} + with: + TARGET_ENVIRONMENT: int + RELEASE_TAG: ${{ inputs.VERSION_NUMBER }} + CONFLUENCE_PAGE_ID: "778783127" + CREATE_RC_RELEASE_NOTES: true + DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }} + role-session-name: github-actions + + - name: download build artifact + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.BUILD_ARTIFACT }} + path: . + + - name: release code + shell: bash + working-directory: .github/scripts + env: + artifact_bucket_prefix: fhir_validator/${{ inputs.ARTIFACT_BUCKET_PREFIX }} + COMMIT_ID: ${{ inputs.COMMIT_ID }} + LOG_LEVEL: ${{ inputs.LOG_LEVEL }} + LOG_RETENTION_DAYS: ${{ inputs.LOG_RETENTION_DAYS }} + stack_name: ${{ inputs.STACK_NAME }} + TARGET_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }} + template_file: template.yaml + VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }} + run: ./release_code.sh + + - name: create_int_release_notes + uses: ./.github/actions/update_confluence_jira + if: ${{ inputs.CREATE_INT_RELEASE_NOTES == true && always() && !failure() && !cancelled() }} + with: + TARGET_ENVIRONMENT: int + CONFLUENCE_PAGE_ID: "778783122" + CREATE_RC_RELEASE_NOTES: false + DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} + + - name: create_prod_release_notes + uses: ./.github/actions/update_confluence_jira + if: ${{ inputs.CREATE_PROD_RELEASE_NOTES == true && always() && !failure() && !cancelled() }} + with: + TARGET_ENVIRONMENT: prod + CONFLUENCE_PAGE_ID: "778783125" + CREATE_RC_RELEASE_NOTES: false + DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }} + DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} + + - name: mark_released_in_jira + uses: ./.github/actions/mark_jira_released + if: ${{ inputs.MARK_JIRA_RELEASED == true && always() && !failure() && !cancelled() }} + with: + RELEASE_TAG: ${{ inputs.VERSION_NUMBER }} + DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} From fdc8e7be62f58ada66ef42ca107bd4db1ac0769b Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Wed, 28 Feb 2024 12:16:47 +0000 Subject: [PATCH 2/5] no need to setup .npmrc --- .github/workflows/quality_checks.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/quality_checks.yml b/.github/workflows/quality_checks.yml index e346a6de..7cb9396d 100644 --- a/.github/workflows/quality_checks.yml +++ b/.github/workflows/quality_checks.yml @@ -38,13 +38,6 @@ jobs: env: PYTHON_CONFIGURE_OPTS: --enable-shared - - name: Setting up .npmrc - env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc - echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc - - name: make install run: | make install From 7063bcb0875712d5c37d6baaf1c310fe1607481e Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Wed, 28 Feb 2024 12:21:04 +0000 Subject: [PATCH 3/5] correct name of makefile target --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 3b078cc4..bb8c426e 100644 --- a/Makefile +++ b/Makefile @@ -30,7 +30,7 @@ lint-githubaction-scripts: test: download-dependencies mvn test -check-licences: +check-licenses: scripts/check_python_licenses.sh mvn validate From 03d8fc5b192aef839eecad032a132bcee9725e7a Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Wed, 28 Feb 2024 12:33:29 +0000 Subject: [PATCH 4/5] no need to change directory --- .github/scripts/release_code.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/scripts/release_code.sh b/.github/scripts/release_code.sh index bc0b70ac..67e32060 100755 --- a/.github/scripts/release_code.sh +++ b/.github/scripts/release_code.sh @@ -13,5 +13,4 @@ TRUSTSTORE_BUCKET_NAME=$(echo "${TRUSTSTORE_BUCKET_ARN}" | cut -d ":" -f 6) LATEST_TRUSTSTORE_VERSION=$(aws s3api list-object-versions --bucket "${TRUSTSTORE_BUCKET_NAME}" --prefix "${TRUSTSTORE_FILE}" --query 'Versions[?IsLatest].[VersionId]' --output text) export LATEST_TRUSTSTORE_VERSION -cd ../../.aws-sam/build || exit make sam-deploy-package From d6d1704fd1aed842b5232ee953a0d812cd4784b3 Mon Sep 17 00:00:00 2001 From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com> Date: Wed, 28 Feb 2024 12:40:38 +0000 Subject: [PATCH 5/5] cd to correct directory --- .github/scripts/release_code.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/scripts/release_code.sh b/.github/scripts/release_code.sh index 67e32060..31c93572 100755 --- a/.github/scripts/release_code.sh +++ b/.github/scripts/release_code.sh @@ -13,4 +13,5 @@ TRUSTSTORE_BUCKET_NAME=$(echo "${TRUSTSTORE_BUCKET_ARN}" | cut -d ":" -f 6) LATEST_TRUSTSTORE_VERSION=$(aws s3api list-object-versions --bucket "${TRUSTSTORE_BUCKET_NAME}" --prefix "${TRUSTSTORE_FILE}" --query 'Versions[?IsLatest].[VersionId]' --output text) export LATEST_TRUSTSTORE_VERSION +cd ../../ || exit make sam-deploy-package