Merge pull request #334 from NHSDigital/dependabot/github_actions/act… #309
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Description: Deploys merged code to the dev environment. | |
| # Triggered on push to main. Tags the commit with a dev-<timestamp> label. | |
| # Does not create GitHub Releases or production tags (v1.x.x). | |
| name: "2. CD | Deploy to Dev" | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - hotfix/* | |
| concurrency: | |
| group: terraform-dev | |
| cancel-in-progress: false | |
| jobs: | |
| metadata: | |
| name: "Set CI/CD metadata" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 1 | |
| outputs: | |
| build_datetime: ${{ steps.variables.outputs.build_datetime }} | |
| build_timestamp: ${{ steps.variables.outputs.build_timestamp }} | |
| build_epoch: ${{ steps.variables.outputs.build_epoch }} | |
| nodejs_version: ${{ steps.variables.outputs.nodejs_version }} | |
| python_version: ${{ steps.variables.outputs.python_version }} | |
| terraform_version: ${{ steps.variables.outputs.terraform_version }} | |
| version: ${{ steps.variables.outputs.version }} | |
| steps: | |
| - name: "Checkout code" | |
| uses: actions/checkout@v5 | |
| with: | |
| ref: ${{ github.ref_name }} | |
| - name: "Set CI/CD variables" | |
| id: variables | |
| run: | | |
| datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') | |
| echo "build_datetime=$datetime" >> $GITHUB_OUTPUT | |
| echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT | |
| echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT | |
| echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| echo "python_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| echo "version=dev-$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT | |
| - name: "List variables" | |
| run: | | |
| echo "Deploying to: DEV" | |
| echo "VERSION=${{ steps.variables.outputs.version }}" | |
| publish: | |
| name: "Publish to dev" | |
| runs-on: ubuntu-latest | |
| needs: [metadata] | |
| timeout-minutes: 30 | |
| environment: "dev" | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - name: "Setup Terraform" | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: ${{ needs.metadata.outputs.terraform_version }} | |
| - name: "Set up Python" | |
| uses: actions/setup-python@v6 | |
| with: | |
| python-version: '3.13' | |
| - name: "Checkout Repository" | |
| uses: actions/checkout@v5 | |
| with: | |
| ref: ${{ github.ref_name }} | |
| - name: "Build lambda artefact" | |
| run: | | |
| make dependencies install-python | |
| make build | |
| - name: "Upload lambda artefact" | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: lambda | |
| path: dist/lambda.zip | |
| - name: "Download Built Lambdas" | |
| uses: actions/download-artifact@v5 | |
| with: | |
| name: lambda | |
| path: ./build | |
| - name: "Configure AWS Credentials" | |
| uses: aws-actions/configure-aws-credentials@v5 | |
| with: | |
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role | |
| aws-region: eu-west-2 | |
| - name: "Terraform Apply" | |
| env: | |
| ENVIRONMENT: dev | |
| WORKSPACE: "default" | |
| TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }} | |
| TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }} | |
| TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} | |
| TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }} | |
| TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }} | |
| run: | | |
| mkdir -p ./build | |
| echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" | |
| make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE | |
| echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" | |
| make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE | |
| working-directory: ./infrastructure | |
| - name: "Tag the dev deployment" | |
| run: | | |
| git config user.name "github-actions" | |
| git config user.email "github-actions@github.com" | |
| git tag ${{ needs.metadata.outputs.version }} | |
| git push origin ${{ needs.metadata.outputs.version }} | |
| - name: "Notify Slack on PR merge" | |
| uses: slackapi/slack-github-action@v2.1.1 | |
| with: | |
| webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| webhook-type: webhook-trigger | |
| payload: | | |
| status: "${{ job.status }}" | |
| link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}" | |
| Author: "${{ github.actor }}" | |
| title: "Pushed to main" | |
| version: "${{ needs.metadata.outputs.version }}" | |
| regression-tests: | |
| name: "Regression Tests" | |
| needs: publish | |
| uses: ./.github/workflows/regression-tests.yml | |
| with: | |
| ENVIRONMENT: "dev" | |
| VERSION_NUMBER: "main" | |
| secrets: inherit |