From 714f79434314a65c9deaea1efc042a3c2e081ef0 Mon Sep 17 00:00:00 2001
From: Mitch Dawson
Date: Mon, 22 Jan 2024 14:23:59 +0000
Subject: [PATCH] :fire: Remove workflow files
---
 .github/workflows/build-push-deploy-dev.yml | 175 -------------------
 .github/workflows/build-push-deploy-prod.yml | 173 ------------------
 .github/workflows/dependency-review.yml | 21 +++
 3 files changed, 21 insertions(+), 348 deletions(-)
 delete mode 100644 .github/workflows/build-push-deploy-dev.yml
 delete mode 100644 .github/workflows/build-push-deploy-prod.yml
 create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/build-push-deploy-dev.yml b/.github/workflows/build-push-deploy-dev.yml
deleted file mode 100644
index b96ece9c..00000000
--- a/.github/workflows/build-push-deploy-dev.yml
+++ /dev/null
@@ -1,175 +0,0 @@ -name: CI/CD dev - -on: - pull_request: - branches-ignore: - - dependabot/** - workflow_dispatch: - -permissions: {} -concurrency: dev - -jobs: - build-push-dev: - name: Build & Push New Image - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: write # This is required for actions/checkout - environment: dev - outputs: - new_tag: ${{ steps.set-version-tag-output.outputs.new_tag }} - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Bump version and push tag - uses: anothrNick/github-tag-action@1.62.0 - id: bump-id - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - WITH_V: true - DEFAULT_BUMP: patch - PRERELEASE: true - PRERELEASE_SUFFIX: dev - - - name: Set Version tag output - id: set-version-tag-output - run: echo "new_tag=${{ steps.bump-id.outputs.new_tag }}" >> $GITHUB_OUTPUT - - - name: Checkout - uses: actions/checkout@v3 - - - name: Configure AWS Data Account Credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: "arn:aws:iam::${{ secrets.DATA_ACCOUNT_ID }}:role/github-actions-ecr-oidc" - role-session-name: githubactionsiamsession - aws-region: eu-west-1 - - - name: Login to Amazon ECR - id: login-data-acct-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Build - env: - NEW_TAG_V: ${{ steps.set-version-tag-output.outputs.new_tag }} - shell: bash - run: | - docker build . 
-t working_image:$NEW_TAG_V - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: ${{ secrets.DEV_ECR_ROLE_TO_ASSUME }} - aws-region: ${{ vars.DEV_ECR_REGION }} - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Tag, and push image to Amazon ECR - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: ${{ vars.DEV_ECR_REPOSITORY }} - NEW_TAG_V: ${{ steps.set-version-tag-output.outputs.new_tag }} - shell: bash - run: | - docker tag working_image:$NEW_TAG_V $ECR_REGISTRY/$ECR_REPOSITORY:$NEW_TAG_V - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$NEW_TAG_V - - deploy-dev: - needs: build-push-dev - if: github.event_name == 'pull_request' - name: Deploy Helm Chart into Cloud Platform - runs-on: ubuntu-latest - permissions: - contents: write # This is required for actions/checkout - id-token: write # This is required for requesting the JWT - environment: dev - steps: - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${{ secrets.KUBE_NAMESPACE }} - kubectl config use-context ${KUBE_CLUSTER} - - - name: add helm repo - continue-on-error: true - run: | - helm repo add mojanalytics http://moj-analytics-helm-repo.s3-website-eu-west-1.amazonaws.com/ - - - name: update helm repo - continue-on-error: true - run: | - helm repo update mojanalytics - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: ${{ secrets.DEV_ECR_ROLE_TO_ASSUME }} - aws-region: ${{ vars.DEV_ECR_REGION 
}} - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Upgrade the Helm chart - env: - APP_ROLE_ARN: ${{ secrets.APP_ROLE_ARN }} - AUTH0_CALLBACK_URL: ${{ vars.AUTH0_CALLBACK_URL }} - AUTH0_CLIENT_ID: ${{ secrets.AUTH0_CLIENT_ID }} - AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }} - AUTH0_DOMAIN: ${{ vars.AUTH0_DOMAIN }} - AUTH0_PASSWORDLESS: ${{ vars.AUTH0_PASSWORDLESS }} - AUTH0_TOKEN_ALG: ${{ vars.AUTH0_TOKEN_ALG }} - AUTHENTICATION_REQUIRED: ${{ vars.AUTHENTICATION_REQUIRED }} - COOKIE_SECRET: ${{ secrets.COOKIE_SECRET }} - ECR_REPO_AUTH0: ${{ steps.login-ecr.outputs.registry }}/analytical-platform/ap-auth-proxy-prod-ecr - ECR_REPO_WEBAPP: ${{ steps.login-ecr.outputs.registry }}/${{ vars.DEV_ECR_REPOSITORY }} - IP_RANGES: ${{ secrets.IP_RANGES }} - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - NEW_TAG_V: ${{ needs.build-push-dev.outputs.new_tag }} - RELEASE_NAME: ${{ github.event.repository.name }}-dev - SECRETS_CONTEXT: ${{ toJson(secrets) }} - VARS_CONTEXT: ${{ toJson(vars) }} - run: | - process_ip_range=$(echo $IP_RANGES | sed "s/,/\\\,/g") - - combined_json=$(jq -n \ - --argjson secrets_json "$SECRETS_CONTEXT" \ - --argjson vars_json "$VARS_CONTEXT" \ - '$secrets_json + $vars_json') - - custom_variables="" - for row in $(echo "${combined_json}" | jq -r 'to_entries[] | @base64'); do - key=$(echo ${row} | base64 --decode | jq -r '.key') - value=$(echo ${row} | base64 --decode | jq -r '.value') - if [[ $key == XXX* ]]; then - custom_key=$(echo $key | sed 's/^XXX_/Secrets.WebApp.Parameters./') - custom_variables="$custom_variables --set $custom_key=$value" - fi - done - - helm upgrade --install --wait --timeout 10m0s --namespace $KUBE_NAMESPACE $RELEASE_NAME mojanalytics/webapp-cp \ - --set AuthProxy.Env.Auth0Domain=$AUTH0_DOMAIN \ - --set AuthProxy.Env.Auth0Passwordless=$AUTH0_PASSWORDLESS \ - --set AuthProxy.Env.Auth0TokenAlg=$AUTH0_TOKEN_ALG \ - --set 
AuthProxy.Env.AuthenticationRequired=$AUTHENTICATION_REQUIRED \ - --set AuthProxy.Env.IPRanges=$process_ip_range \ - --set AuthProxy.Image.Repository=$ECR_REPO_AUTH0 \ - --set AuthProxy.Image.Tag="latest" \ - --set Namespace=$KUBE_NAMESPACE \ - --set Secrets.Auth0.ClientId=$AUTH0_CLIENT_ID \ - --set Secrets.Auth0.ClientSecret=$AUTH0_CLIENT_SECRET \ - --set Secrets.Auth0.CookieSecret=$COOKIE_SECRET \ - --set ServiceAccount.RoleARN=$APP_ROLE_ARN \ - --set WebApp.Image.Repository=$ECR_REPO_WEBAPP \ - --set WebApp.Image.Tag=$NEW_TAG_V \ - --set WebApp.Name=$KUBE_NAMESPACE \ - $custom_variables diff --git a/.github/workflows/build-push-deploy-prod.yml b/.github/workflows/build-push-deploy-prod.yml deleted file mode 100644 index 91eae8fe..00000000 --- a/.github/workflows/build-push-deploy-prod.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -name: CI/CD prod - -on: - push: - branches: - - main - release: - types: - - published - -permissions: {} -concurrency: prod - -jobs: - build-push-prod: - name: Build & Push New Image - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: write # This is required for actions/checkout - environment: prod - outputs: - new_tag: ${{ steps.set-version-tag-output.outputs.new_tag }} - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Bump version and push tag - uses: anothrNick/github-tag-action@1.62.0 - id: bump-id - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - WITH_V: true - - - name: Set Version tag output - id: set-version-tag-output - run: echo "new_tag=${{ steps.bump-id.outputs.new_tag }}" >> $GITHUB_OUTPUT - - - name: Checkout - uses: actions/checkout@v3 - - - name: Configure AWS Data Account Credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: "arn:aws:iam::${{ secrets.DATA_ACCOUNT_ID }}:role/github-actions-ecr-oidc" - role-session-name: githubactionsiamsession - aws-region: eu-west-1 - - - name: Login to Amazon ECR - id: login-data-acct-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Build - env: - NEW_TAG_V: ${{ steps.set-version-tag-output.outputs.new_tag }} - shell: bash - run: | - docker build . 
-t working_image:$NEW_TAG_V - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: ${{ secrets.PROD_ECR_ROLE_TO_ASSUME }} - aws-region: ${{ vars.PROD_ECR_REGION }} - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Tag, and push image to Amazon ECR - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: ${{ vars.PROD_ECR_REPOSITORY }} - NEW_TAG_V: ${{ steps.set-version-tag-output.outputs.new_tag }} - shell: bash - run: | - docker tag working_image:$NEW_TAG_V $ECR_REGISTRY/$ECR_REPOSITORY:$NEW_TAG_V - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$NEW_TAG_V - - deploy-prod: - needs: build-push-prod - name: Deploy Helm Chart into Cloud Platform - runs-on: ubuntu-latest - permissions: - contents: write # This is required for actions/checkout - id-token: write # This is required for requesting the JWT - environment: prod - steps: - - name: Authenticate to the cluster - env: - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - KUBE_CLUSTER: ${{ secrets.KUBE_CLUSTER }} - run: | - echo "${{ secrets.KUBE_CERT }}" > ca.crt - kubectl config set-cluster ${KUBE_CLUSTER} --certificate-authority=./ca.crt --server=https://${KUBE_CLUSTER} - kubectl config set-credentials deploy-user --token=${{ secrets.KUBE_TOKEN }} - kubectl config set-context ${KUBE_CLUSTER} --cluster=${KUBE_CLUSTER} --user=deploy-user --namespace=${{ secrets.KUBE_NAMESPACE }} - kubectl config use-context ${KUBE_CLUSTER} - - - name: add helm repo - continue-on-error: true - run: | - helm repo add mojanalytics http://moj-analytics-helm-repo.s3-website-eu-west-1.amazonaws.com/ - - - name: update helm repo - continue-on-error: true - run: | - helm repo update mojanalytics - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: ${{ secrets.PROD_ECR_ROLE_TO_ASSUME }} - aws-region: ${{ vars.PROD_ECR_REGION }} - - - name: Login to Amazon 
ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Upgrade the Helm chart - env: - APP_ROLE_ARN: ${{ secrets.APP_ROLE_ARN }} - AUTH0_CALLBACK_URL: ${{ vars.AUTH0_CALLBACK_URL }} - AUTH0_CLIENT_ID: ${{ secrets.AUTH0_CLIENT_ID }} - AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }} - AUTH0_DOMAIN: ${{ vars.AUTH0_DOMAIN }} - AUTH0_PASSWORDLESS: ${{ vars.AUTH0_PASSWORDLESS }} - AUTH0_TOKEN_ALG: ${{ vars.AUTH0_TOKEN_ALG }} - AUTHENTICATION_REQUIRED: ${{ vars.AUTHENTICATION_REQUIRED }} - COOKIE_SECRET: ${{ secrets.COOKIE_SECRET }} - ECR_REPO_AUTH0: ${{ steps.login-ecr.outputs.registry }}/analytical-platform/ap-auth-proxy-prod-ecr - ECR_REPO_WEBAPP: ${{ steps.login-ecr.outputs.registry }}/${{ vars.PROD_ECR_REPOSITORY }} - IP_RANGES: ${{ secrets.IP_RANGES }} - KUBE_NAMESPACE: ${{ secrets.KUBE_NAMESPACE }} - NEW_TAG_V: ${{ needs.build-push-prod.outputs.new_tag }} - RELEASE_NAME: ${{ github.event.repository.name }}-prod - SECRETS_CONTEXT: ${{ toJson(secrets) }} - VARS_CONTEXT: ${{ toJson(vars) }} - run: | - process_ip_range=$(echo $IP_RANGES | sed "s/,/\\\,/g") - - combined_json=$(jq -n \ - --argjson secrets_json "$SECRETS_CONTEXT" \ - --argjson vars_json "$VARS_CONTEXT" \ - '$secrets_json + $vars_json') - - custom_variables="" - for row in $(echo "${combined_json}" | jq -r 'to_entries[] | @base64'); do - key=$(echo ${row} | base64 --decode | jq -r '.key') - value=$(echo ${row} | base64 --decode | jq -r '.value') - if [[ $key == XXX* ]]; then - custom_key=$(echo $key | sed 's/^XXX_/Secrets.WebApp.Parameters./') - custom_variables="$custom_variables --set $custom_key=$value" - fi - done - - helm upgrade --install --wait --timeout 10m0s --namespace $KUBE_NAMESPACE $RELEASE_NAME mojanalytics/webapp-cp \ - --set AuthProxy.Env.Auth0Domain=$AUTH0_DOMAIN \ - --set AuthProxy.Env.Auth0Passwordless=$AUTH0_PASSWORDLESS \ - --set AuthProxy.Env.Auth0TokenAlg=$AUTH0_TOKEN_ALG \ - --set AuthProxy.Env.AuthenticationRequired=$AUTHENTICATION_REQUIRED \ - --set 
AuthProxy.Env.IPRanges=$process_ip_range \
- --set AuthProxy.Image.Repository=$ECR_REPO_AUTH0 \
- --set AuthProxy.Image.Tag="latest" \
- --set Namespace=$KUBE_NAMESPACE \
- --set Secrets.Auth0.ClientId=$AUTH0_CLIENT_ID \
- --set Secrets.Auth0.ClientSecret=$AUTH0_CLIENT_SECRET \
- --set Secrets.Auth0.CookieSecret=$COOKIE_SECRET \
- --set ServiceAccount.RoleARN=$APP_ROLE_ARN \
- --set WebApp.Image.Repository=$ECR_REPO_WEBAPP \
- --set WebApp.Image.Tag=$NEW_TAG_V \
- --set WebApp.Name=$KUBE_NAMESPACE \
- $custom_variables
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..242ff45d
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,21 @@
+# Need a GitHub Advanced Security license to run this action on private repos.
+
+name: Dependency Review
+on:
+ pull_request:
+ types: [opened, edited, reopened, synchronize]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+ - name: Dependency Review
+ uses: actions/dependency-review-action@v3
+ with:
+ # Possible values: critical, high, moderate, low
+ fail-on-severity: critical
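Review bot: Both `uses:` lines in the new dependency-review.yml reference mutable major-version tags (`actions/checkout@v4`, `actions/dependency-review-action@v3`), so the job silently runs whatever those tags are moved to; for a workflow whose whole purpose is supply-chain gating, pin each action to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: actions/dependency-review-action@<40-char commit sha> # v3`. `fail-on-severity: critical` means a PR that introduces a high-severity advisory still passes this check; unless that is a deliberate policy choice, `fail-on-severity: high` is the more usual gate. The `edited` entry in `types:` re-runs the review when only the PR title or body changes, which cannot alter the dependency diff, so it can be dropped unless it was intended. The job-level `permissions: contents: read` is appropriately minimal for this configuration, which does not enable PR commenting.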