[98] Integrate DfE sign in #241

Workflow file for this run

.github/workflows/build-and-deploy.yml at 042affa

	name: Build and Deploy
	concurrency: build_and_deploy_${{ github.ref_name }}

	on:
	push:
	branches:
	- main
	pull_request:
	branches:
	- main
	types: [opened, reopened, synchronize, labeled]

	permissions:
	contents: write
	deployments: write
	packages: write
	pull-requests: write

	jobs:
	build:
	name: Build
	env:
	DOCKER_IMAGE: ghcr.io/dfe-digital/check-childrens-barred-list
	outputs:
	docker_image: ${{ env.DOCKER_IMAGE }}
	image_tag: ${{ env.IMAGE_TAG }}
	runs-on: ubuntu-latest

	steps:
	- uses: actions/checkout@v3
	name: Checkout

	- name: Set environment variables (push)
	if: github.event_name == 'push'
	run: \|
	GIT_BRANCH=${GITHUB_REF##*/}
	echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV # GIT_BRANCH will be main for refs/heads/main
	echo "IMAGE_TAG=${{ github.sha }}" >> $GITHUB_ENV

	- name: Set environment variables (pull_request)
	if: github.event_name == 'pull_request'
	run: \|
	GIT_BRANCH=${GITHUB_HEAD_REF##*/}
	echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV
	echo "IMAGE_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV

	- name: Set KV environment variables
	if: github.actor != 'dependabot[bot]'
	run: \|
	# tag build to the review env for vars and secrets
	tf_vars_file=terraform/aks/config/review.tfvars.json
	echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV
	echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV

	- name: Login to GitHub Container Registry
	uses: docker/login-action@v2
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- uses: azure/login@v1
	if: github.actor != 'dependabot[bot]'
	with:
	creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}

	- uses: DFE-Digital/keyvault-yaml-secret@v1
	if: github.actor != 'dependabot[bot]'
	id: get-secret
	with:
	keyvault: ${{ env.KEY_VAULT_NAME }}
	secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }}
	key: SNYK_TOKEN

	- name: Build Docker Image
	uses: docker/build-push-action@v4
	with:
	tags: \|
	${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}}
	${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}}
	push: false
	load: true
	cache-to: type=inline
	cache-from: \|
	type=registry,ref=${{env.DOCKER_IMAGE}}:main
	type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}}
	type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}}
	build-args: COMMIT_SHA=${{ env.IMAGE_TAG }}

	- name: Push ${{ env.DOCKER_IMAGE }} images for review
	if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }}
	run: docker image push --all-tags ${{ env.DOCKER_IMAGE }}

	- name: Run Snyk to check Docker image for vulnerabilities
	if: github.actor != 'dependabot[bot]'
	uses: snyk/actions/docker@master
	env:
	SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }}
	with:
	image: ${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }}
	args: --file=Dockerfile --severity-threshold=high --exclude-app-vulns

	- name: Push ${{ env.DOCKER_IMAGE }} images
	if: ${{ success() && !contains(github.event.pull_request.labels.*.name, 'deploy') }}
	run: docker image push --all-tags ${{ env.DOCKER_IMAGE }}

	deploy-review-app:
	name: Deployment To Review
	concurrency: deploy_review_${{ github.event.pull_request.number }}
	if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }}
	needs: [build]
	runs-on: ubuntu-latest
	steps:
	- name: Start review-${{ github.event.pull_request.number }} Deployment
	uses: bobheadxi/deployments@v1
	id: deployment
	with:
	env: review-${{ github.event.pull_request.number }}
	ref: ${{ github.head_ref }}
	step: start
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Checkout
	uses: actions/checkout@v3

	- name: Deploy App to Review
	id: deploy_review
	uses: ./.github/actions/deploy/
	with:
	azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
	environment: review
	pr-number: ${{ github.event.pull_request.number }}
	sha: ${{ needs.build.outputs.IMAGE_TAG }}

	- name: Update review-${{ github.event.pull_request.number }} status
	if: always()
	uses: bobheadxi/deployments@v1
	with:
	env: review-${{ github.event.pull_request.number }}
	ref: ${{ github.head_ref }}
	step: finish
	token: ${{ secrets.GITHUB_TOKEN }}
	status: ${{ job.status }}
	deployment_id: ${{ steps.deployment.outputs.deployment_id }}
	env_url: ${{ steps.deploy_review.outputs.deploy-url }}

	deploy_nonprod:
	name: Deploy to ${{ matrix.environment }} environment
	runs-on: ubuntu-latest
	needs: [build]
	if: github.ref == 'refs/heads/main' && github.event_name == 'push'
	concurrency: deploy_${{ matrix.environment }}
	strategy:
	fail-fast: false
	matrix:
	environment: [test, preproduction]
	environment:
	name: ${{ matrix.environment }}
	url: ${{ steps.deploy.outputs.url }}
	outputs:
	environment_name: ${{ matrix.environment }}
	environment_url: ${{ steps.deploy.outputs.url }}
	steps:
	- uses: actions/checkout@v3
	- uses: ./.github/actions/deploy/
	id: deploy
	with:
	azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
	environment: ${{ matrix.environment }}
	sha: ${{ needs.build.outputs.IMAGE_TAG }}

	deploy_production:
	name: Deploy to production AKS environment
	needs: [build, deploy_nonprod]
	runs-on: ubuntu-latest
	if: github.ref == 'refs/heads/main' && github.event_name == 'push'
	environment:
	name: production
	url: ${{ steps.deploy.outputs.url }}
	concurrency: deploy_production

	steps:
	- uses: actions/checkout@v3

	- uses: ./.github/actions/deploy
	id: deploy
	with:
	azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
	environment: production
	sha: ${{ needs.build.outputs.IMAGE_TAG }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[98] Integrate DfE sign in #241

Workflow file

[98] Integrate DfE sign in #241

Jobs

Run details

Workflow file for this run