CCM-11067: Add Internal Workflows

jamesthompson26-nhs · jamesthompson26-nhs · commit 44fb2bcd2e0d · 2025-07-23T11:49:58.000+01:00
diff --git a/.github/workflows/pr_closed.disabled b/.github/workflows/pr_closed.disabled
@@ -0,0 +1,58 @@
+## This workflow is DISABLED.
+## To enable, rename from .disabled to .yaml and replace any references as per the comments.
+name: PR Closed
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  check-merge-or-workflow-dispatch:
+    runs-on: ubuntu-latest
+    outputs:
+      deploy: ${{ steps.check.outputs.deploy }}
+    steps:
+      - name: Check if PR was merged or workflow is triggered by workflow_dispatch
+        id: check
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            echo "deploy=true" >> $GITHUB_OUTPUT
+            echo "Job triggered by workflow_dispatch - running 'deploy-main'"
+          elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.merged }}" == "true" ]]; then
+            echo "deploy=true" >> $GITHUB_OUTPUT
+            echo "Job triggered by Merged PR - running 'deploy-main'"
+          else
+            echo "deploy=false" >> $GITHUB_OUTPUT
+            echo "Job not triggered by workflow_dispatch or Merged PR - Skipping 'deploy-main'"
+          fi
+
+  deploy-main:
+    needs: check-merge-or-workflow-dispatch
+    name: Deploy changes to main in dev AWS account
+    if: needs.check-merge-or-workflow-dispatch.outputs.deploy == 'true'
+
+    permissions:
+      id-token: write
+      contents: read
+
+    strategy:
+      max-parallel: 1
+      matrix:
+        component: [acct, app]
+
+    uses: ./.github/workflows/reusable_internal_repo_build.yaml
+    secrets: inherit
+    with:
+      releaseVersion: main
+      targetWorkflow: "dispatch-deploy-static-notify-bounded-context-env.yaml" ## Replace with correct targetWorkflow
+      targetEnvironment: "main"
+      targetAccountGroup: "nhs-notify-bounded-context-dev" ## Replace with correct targetAccountGroup
+      targetComponent: ${{ matrix.component }}
+      terraformAction: "apply"
diff --git a/.github/workflows/pr_create_dynamic_env.disabled b/.github/workflows/pr_create_dynamic_env.disabled
@@ -0,0 +1,51 @@
+## This workflow is DISABLED.
+## To enable, rename from .disabled to .yaml and replace any references as per the comments.
+name: PR Create Environment
+
+on:
+  pull_request:
+    types: [labeled, opened, synchronize, reopened, unlabeled, edited]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  create-dynamic-environment:
+    name: Create Dynamic Environment
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Trigger nhs-notify-internal dynamic environment workflow
+        shell: bash
+        run: |
+          set -x
+          this_repo_name=$(echo ${{ github.repository }} | cut -d'/' -f2)
+
+          DISPATCH_EVENT=$(jq -ncM \
+            --arg infraRepoName "${this_repo_name}" \
+            --arg releaseVersion "${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
+            --arg targetEnvironment "pr${{ github.event.number }}" \
+            --arg targetAccountGroup "nhs-notify-bounded-context-dev" \ ## Replace with correct targetAccountGroup
+            --arg targetComponent "component" \ ## Replace with correct targetComponent
+            --arg terraformAction "apply" \
+            --arg overrides "branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
+            '{ "ref": "main",
+              "inputs": {
+                "infraRepoName": $infraRepoName,
+                "releaseVersion", $releaseVersion,
+                "targetEnvironment", $targetEnvironment,
+                "targetAccountGroup", $targetAccountGroup,
+                "targetComponent", $targetComponent,
+                "terraformAction", $terraformAction,
+                "overrides", $overrides,
+              }
+            }')
+
+          curl --fail -L \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/dispatch-deploy-dynamic-env.yaml/dispatches \
+            -d "${DISPATCH_EVENT}"
diff --git a/.github/workflows/pr_destroy_dynamic_env.disabled b/.github/workflows/pr_destroy_dynamic_env.disabled
@@ -0,0 +1,49 @@
+## This workflow is DISABLED.
+## To enable, rename from .disabled to .yaml and replace any references as per the comments.
+name: PR Destroy Environment
+
+on:
+  pull_request:
+    types: [closed]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  create-dynamic-environment:
+    name: Destroy Dynamic Environment
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Trigger nhs-notify-internal dynamic environment destruction
+        shell: bash
+        run: |
+          set -x
+          this_repo_name=$(echo ${{ github.repository }} | cut -d'/' -f2)
+
+          DISPATCH_EVENT=$(jq -ncM \
+            --arg infraRepoName "${this_repo_name}" \
+            --arg releaseVersion "main" \
+            --arg targetEnvironment "pr${{ github.event.number }}" \
+            --arg targetAccountGroup "nhs-notify-template-management-dev" \ ## Replace with correct targetAccountGroup
+            --arg targetComponent "component" \ ## Replace with correct targetComponent
+            --arg terraformAction "destroy" \
+            '{ "ref": "main",
+              "inputs": {
+                "infraRepoName": $infraRepoName,
+                "releaseVersion", $releaseVersion,
+                "targetEnvironment", $targetEnvironment,
+                "targetAccountGroup", $targetAccountGroup,
+                "targetComponent", $targetComponent,
+                "terraformAction", $terraformAction,
+              }
+            }')
+
+          curl --fail -L \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/dispatch-deploy-dynamic-env.yaml/dispatches \
+            -d "${DISPATCH_EVENT}"
diff --git a/.github/workflows/release_created.disabled b/.github/workflows/release_created.disabled
@@ -0,0 +1,34 @@
+## This workflow is DISABLED.
+## To enable, rename from .disabled to .yaml and replace any references as per the comments.
+name: Github Release Created
+
+on:
+  release:
+    types: ["published"] # Inherits all input defaults
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  deploy-main:
+    name: Deploy changes to main in nonprod AWS Account
+
+    permissions:
+      id-token: write
+      contents: read
+
+    strategy:
+      max-parallel: 1
+      matrix:
+        component: [component1, component2] ## Replace with correct components
+
+    uses: ./.github/workflows/reusable_internal_repo_build.yaml
+    secrets: inherit
+    with:
+      releaseVersion: ${{ github.event.release.tag_name }}
+      targetWorkflow: "dispatch-deploy-static-notify-bounded-context-env.yaml" ## Replace with correct targetWorkflow
+      targetEnvironment: "main"
+      targetAccountGroup: "nhs-notify-bounded-context-nonprod" ## Replace with correct targetAccountGroup
+      targetComponent: ${{ matrix.component }}
+      terraformAction: "apply"
diff --git a/.github/workflows/reusable_internal_repo_build.disabled b/.github/workflows/reusable_internal_repo_build.disabled
@@ -0,0 +1,144 @@
+## This workflow is DISABLED.
+## To enable, rename from .disabled to .yaml and replace any references as per the comments.
+name: Call Notify Internal Infrastructure Deployment
+## Sub workflow which plans and deploys Notify components as part of the workflow.
+## Review Gates may be required to proceed on triggered builds.
+
+on:
+  workflow_call:
+    inputs:
+      releaseVersion:
+        type: string
+        description: The Github release version, commit, or tag.
+        default: main
+      targetWorkflow:
+        type: string
+        description: The name of the github workflow to call.
+        default: main
+      targetEnvironment:
+        type: string
+        description: The Terraform environment to deploy
+        default: main
+      targetComponent:
+        type: string
+        description: The Terraform component to deploy
+        required: true
+      targetAccountGroup:
+        type: string
+        description: The Terraform group to deploy
+        required: true
+      terraformAction:
+        type: string
+        description: The Terraform component to deploy
+        default: plan
+
+concurrency:
+  group: ${{ inputs.targetEnvironment }}-${{ inputs.targetAccountGroup }}-${{ inputs.targetComponent }}-${{ inputs.terraformAction }}
+
+jobs:
+  trigger:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Trigger nhs-notify-internal static environment workflow deployment
+        shell: bash
+        run: |
+          set -x
+
+          DISPATCH_EVENT=$(jq -ncM \
+            --arg releaseVersion ${{ inputs.releaseVersion }} \
+            --arg targetEnvironment ${{ inputs.targetEnvironment }} \
+            --arg targetAccountGroup ${{ inputs.targetAccountGroup }} \
+            --arg targetComponent ${{ inputs.targetComponent }} \
+            --arg terraformAction ${{ inputs.terraformAction }} \
+            '{ "ref": "main",
+              "inputs": {
+                "releaseVersion", $releaseVersion,
+                "targetEnvironment", $targetEnvironment,
+                "targetAccountGroup", $targetAccountGroup,
+                "targetComponent", $targetComponent,
+                "terraformAction", $terraformAction
+              }
+            }')
+
+          # Trigger The workflow
+          curl -L \
+            --fail \
+            --silent \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/${{ inputs.targetWorkflow }}/dispatches" \
+            -d "${DISPATCH_EVENT}"
+
+          echo "Workflow triggered successfully. HTTP response. Waiting for the workflow to complete.."
+
+          # Poll GitHub API to check the workflow status
+          run_id=""
+          for i in {1..12}; do
+            in_progress=$(curl -s \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs?event=workflow_dispatch&status=in_progress")
+
+            run_id=$(echo "$in_progress" | jq -r \
+              --arg env "${{ inputs.targetEnvironment }}" \
+              --arg component "${{ inputs.targetComponent }}" \
+              --arg group "${{ inputs.targetAccountGroup }}" \
+              --arg releaseVersion "${{ inputs.releaseVersion }}" \
+              '.workflow_runs[]
+                | select(.name | contains($env) and contains($component) and contains($group) and contains($releaseVersion))
+                | .id' | head -n 1)
+
+            if [[ -n "$run_id" && "$run_id" != null ]]; then
+              echo "Found workflow run with ID: $run_id"
+              break
+            fi
+
+            echo "Waiting for workflow to start..."
+            sleep 10
+          done
+
+          if [[ -z "$run_id" || "$run_id" == null ]]; then
+            echo "Failed to get the workflow run ID. Exiting."
+            exit 1
+          fi
+
+          # Wait for workflow completion
+          while true; do
+            sleep 10
+            status=$(curl -s \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs/$run_id" \
+              | jq -r '.status')
+
+            conclusion=$(curl -s \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs/$run_id" \
+              | jq -r '.conclusion')
+
+            if [ "$status" == "completed" ]; then
+              if [ "$conclusion" == "success" ]; then
+                echo "Workflow completed successfully."
+                exit 0
+              else
+                echo "Workflow failed with conclusion: $conclusion"
+                exit 1
+              fi
+            fi
+
+            echo "Workflow still running..."
+            sleep 20
+          done
