Task/cdd 3175 permission sets cms #13736
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pipeline | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| push: | |
| branches: | |
| - main | |
| env: | |
| APIENV: "LOCAL" | |
| # With `LOCAL` set, a local sqlite db will be used | |
| AWS_REGION: "eu-west-2" | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| jobs: | |
| ############################################################################### | |
| # Secret Scan | |
| ############################################################################### | |
| secret-scan: | |
| name: Gitleaks Secret Scan | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run Gitleaks | |
| if: github.actor != 'dependabot[bot]' | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | |
| ############################################################################### | |
| # Install dependencies & build packages | |
| ############################################################################### | |
| build: | |
| name: Build | |
| needs: [secret-scan] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/install-cache | |
| ############################################################################### | |
| # Security checks | |
| ############################################################################### | |
| dependency-checks: | |
| name: Dependency checks | |
| needs: [build] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/install-cache | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v7 | |
| - name: Scan dependencies | |
| run: | | |
| source uhd.sh | |
| uhd security dependencies | |
| vulnerability-checks: | |
| name: Vulnerability checks | |
| needs: [build] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/install-cache | |
| - name: Scan for vulnerabilities | |
| run: | | |
| source uhd.sh | |
| uhd security vulnerabilities | |
| ############################################################################### | |
| # Code quality checks | |
| ############################################################################### | |
| quality-checks: | |
| name: Linting | |
| needs: [build] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/install-cache | |
| - name: Run linters | |
| run: | | |
| source uhd.sh | |
| uhd quality format-check | |
| ############################################################################### | |
| # Architectural constraints checks | |
| ############################################################################### | |
| architecture-checks: | |
| name: Architecture checks | |
| needs: [build] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/install-cache | |
| - name: Check architectural constraints | |
| run: | | |
| source uhd.sh | |
| uhd quality architecture | |
| ############################################################################### | |
| # Unit tests | |
| ############################################################################### | |
| unit-tests: | |
| name: Unit tests | |
| needs: [build] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/install-cache | |
| - name: Run unit tests | |
| run: | | |
| source uhd.sh | |
| uhd tests unit | |
| ############################################################################### | |
| # Integration tests | |
| ############################################################################### | |
| integration-tests: | |
| name: Integration tests | |
| needs: [build] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/install-cache | |
| - name: Run integration tests | |
| run: | | |
| source uhd.sh | |
| uhd tests integration | |
| ############################################################################### | |
| # System tests | |
| ############################################################################### | |
| system-tests: | |
| name: System tests | |
| needs: [build] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/install-cache | |
| - name: Run system tests | |
| run: | | |
| source uhd.sh | |
| uhd tests system | |
| ############################################################################### | |
| # Migration tests | |
| ############################################################################### | |
| migration-tests: | |
| name: Migration tests | |
| needs: [build] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/install-cache | |
| - name: Run migration tests | |
| run: | | |
| source uhd.sh | |
| uhd tests migrations | |
| ############################################################################### | |
| # Test coverage | |
| ############################################################################### | |
| test-coverage: | |
| name: Test coverage | |
| needs: [build] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/install-cache | |
| - name: Evaluate test coverage | |
| run: | | |
| source uhd.sh | |
| uhd tests coverage | |
| ############################################################################### | |
| # Docker build check (PR validation) | |
| ############################################################################### | |
| docker-build-check: | |
| name: Docker Build Check | |
| needs: [build] | |
| runs-on: ubuntu-22.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build main API Docker image | |
| run: docker build -t be-main-test -f Dockerfile . | |
| - name: Build ingestion Docker image | |
| run: docker build -t be-ingestion-test -f Dockerfile-ingestion . | |
| - name: Run main API container | |
| run: docker run -d --name be-main-test-container be-main-test | |
| - name: Health check main API container | |
| run: | | |
| echo "Waiting for main API container to start..." | |
| sleep 10 | |
| if [ "$(docker inspect -f '{{.State.Running}}' be-main-test-container)" != "true" ]; then | |
| echo "Main API container failed to start" | |
| docker logs be-main-test-container | |
| exit 1 | |
| fi | |
| echo "Main API container is running successfully" | |
| - name: Run ingestion container | |
| run: docker run -d --name be-ingestion-test-container be-ingestion-test | |
| - name: Health check ingestion container | |
| run: | | |
| echo "Waiting for ingestion container to start..." | |
| sleep 10 | |
| if [ "$(docker inspect -f '{{.State.Running}}' be-ingestion-test-container)" != "true" ]; then | |
| echo "Ingestion container failed to start" | |
| docker logs be-ingestion-test-container | |
| exit 1 | |
| fi | |
| echo "Ingestion container is running successfully" | |
| - name: Cleanup | |
| if: always() | |
| run: | | |
| docker rm -f be-main-test-container || true | |
| docker rm -f be-ingestion-test-container || true | |
| ############################################################################### | |
| # Build image | |
| ############################################################################### | |
| publish-main-image: | |
| name: Publish main image to central ECR | |
| needs: | |
| [ | |
| quality-checks, | |
| unit-tests, | |
| integration-tests, | |
| system-tests, | |
| migration-tests, | |
| test-coverage, | |
| dependency-checks, | |
| vulnerability-checks, | |
| architecture-checks, | |
| docker-build-check, | |
| ] | |
| runs-on: ubuntu-22.04-arm | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Build and publish docker image | |
| uses: ./.github/actions/publish-image | |
| with: | |
| ecr-repository: ukhsa-data-dashboard/back-end | |
| role-to-assume: ${{ secrets.AWS_TOOLS_ACCOUNT_ROLE }} | |
| image-tag: ${{ github.sha }} | |
| publish-ingestion-image: | |
| name: Publish ingestion image to central ECR | |
| needs: | |
| [ | |
| quality-checks, | |
| unit-tests, | |
| integration-tests, | |
| system-tests, | |
| migration-tests, | |
| test-coverage, | |
| dependency-checks, | |
| vulnerability-checks, | |
| architecture-checks, | |
| docker-build-check, | |
| ] | |
| runs-on: ubuntu-22.04-arm | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Build and publish docker image | |
| uses: ./.github/actions/publish-image | |
| with: | |
| ecr-repository: ukhsa-data-dashboard/ingestion | |
| role-to-assume: ${{ secrets.AWS_TOOLS_ACCOUNT_ROLE }} | |
| dockerfile: Dockerfile-ingestion | |
| image-tag: ${{ github.sha }} | |
| ############################################################################### | |
| # Deploy | |
| ############################################################################### | |
| trigger-deployments: | |
| name: Trigger deployments | |
| needs: [publish-main-image, publish-ingestion-image] | |
| runs-on: ubuntu-22.04-arm | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| # Only deploy if the changes are being pushed to the `main` branch | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Generate ephemeral deployment token | |
| id: generate-deployment-token | |
| uses: actions/create-github-app-token@v2 | |
| with: | |
| app-id: ${{ secrets.DEPLOYMENT_TOKEN_FACTORY_APP_ID }} | |
| private-key: ${{ secrets.DEPLOYMENT_TOKEN_FACTORY_PRIVATE_KEY }} | |
| skip-token-revoke: false | |
| # Although this is the default, this is explicitly set so that | |
| # we know the token gets revoked after the job has finished | |
| repositories: "data-dashboard-infra" | |
| - uses: ./.github/actions/trigger-deployments | |
| with: | |
| token: ${{ steps.generate-deployment-token.outputs.token }} |