Merge pull request #2507 from alphagov/whi-tw/allow-github-hosted-runner-deploy-review-apps

whi-tw · web-flow · commit 39fcbe7972e6 · 2026-03-19T15:36:36.000Z
Use AWS credentials to deploy review apps
diff --git a/.github/workflows/review_apps_on_pr_change.yml b/.github/workflows/review_apps_on_pr_change.yml
@@ -1,104 +1,20 @@
 name: "Review apps: on PR change"
 on:
   pull_request:
-    # being explicit about what to trigger on.
-    # matches the docs for the default types
-    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request
     types: [opened, reopened, synchronize]
-jobs:
-  update-review-app:
-    # this references a codebuild project configured in forms-deploy
-    # see: https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html
-    runs-on: codebuild-review-forms-admin-gha-runner-${{github.run_id}}-${{github.run_attempt}}
-
-    permissions:
-      pull-requests: write
-
-    steps:
-      - name: Generate container image URI
-        run: |
-          echo "CONTAINER_IMAGE_URI=842676007477.dkr.ecr.eu-west-2.amazonaws.com/forms-admin:pr-${{github.event.pull_request.number}}-${{github.event.pull_request.head.sha}}-$(date +%s)" >> "$GITHUB_ENV"
-
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Build container
-        run: |
-          # Docker credentials are configured in CodeBuild
-          # CodeBuild retrieves the credentials from ParameterStore
-          echo "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USERNAME}" --password-stdin
-          docker build \
-            --tag "${{env.CONTAINER_IMAGE_URI}}" \
-            .
-
-      - name: Push container
-        id: build-container
-        run: |
-          aws ecr get-login-password --region eu-west-2 \
-          | docker login --username AWS --password-stdin 842676007477.dkr.ecr.eu-west-2.amazonaws.com
-
-          echo "Pushing container image"
-          echo "${{env.CONTAINER_IMAGE_URI}}"
-
-          docker push "${CONTAINER_IMAGE_URI}"
-
-      - name: Determine Terraform version
-        id: terraform-version
-        run: |
-          TF_VERSION=$(< .review_apps/.terraform-version)
-          printf "TF_VERSION=%s\n" "$TF_VERSION" >> "$GITHUB_OUTPUT"
 
-      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
-        with:
-          terraform_version: ${{steps.terraform-version.outputs.TF_VERSION}}
+concurrency:
+  group: "review-apps-pr-${{ github.event.pull_request.number }}"
+  cancel-in-progress: false
 
-      - name: Deploy review app
-        id: deploy
-        run: |
-          cd .review_apps/
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
 
-          terraform init -backend-config="key=review-apps/forms-admin/pr-${{github.event.pull_request.number}}.tfstate"
-
-          terraform apply \
-            -var "pull_request_number=${{github.event.pull_request.number}}" \
-            -var "forms_admin_container_image=${{env.CONTAINER_IMAGE_URI}}" \
-            -no-color \
-            -auto-approve
-          REVIEW_APP_URL=$(terraform output -raw review_app_url)
-          ECS_CLUSTER_ID=$(terraform output -raw review_app_ecs_cluster_id)
-          ECS_SERVICE_NAME=$(terraform output -raw review_app_ecs_service_name)
-          {
-            printf 'REVIEW_APP_URL=%s\n' "$REVIEW_APP_URL"
-            printf 'ECS_CLUSTER_ID=%s\n' "$ECS_CLUSTER_ID"
-            printf 'ECS_SERVICE_NAME=%s\n' "$ECS_SERVICE_NAME"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Wait for AWS ECS deployments to finish
-        run: |
-          aws ecs wait services-stable \
-            --cluster "${{steps.deploy.outputs.ECS_CLUSTER_ID}}" \
-            --services "${{steps.deploy.outputs.ECS_SERVICE_NAME}}"
-
-      - name: Comment on PR
-        env:
-          COMMENT_MARKER: <!-- review apps on pr change -->
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          cat <<EOF > "${{runner.temp}}/pr-comment.md"
-          :tada: A review copy of this PR has been deployed! You can reach it at: ${{steps.deploy.outputs.REVIEW_APP_URL}}
-
-          It may take 5 minutes or so for the application to be fully deployed and working. If it still isn't ready
-          after 5 minutes, there may be something wrong with the ECS task. You will need to go to the integration AWS account
-          to debug, or otherwise ask an infrastructure person.
-
-          For the sign in details and more information, [see the review apps wiki page](https://github.com/alphagov/forms-team/wiki/Review-apps).
-
-          $COMMENT_MARKER
-          EOF
-
-          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${{github.event.pull_request.number}}/comments" --jq "map(select((.user.login == \"github-actions[bot]\") and (.body | endswith(env.COMMENT_MARKER + \"\n\")))) | .[].id")
-          for comment_id in $old_comment_ids; do
-            gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
-          done
-
-          gh pr comment "${{github.event.pull_request.html_url}}" --body-file "${{runner.temp}}/pr-comment.md"
+jobs:
+  update-review-app:
+    name: Update review app
+    uses: alphagov/forms-deploy/.github/workflows/reusable-review_apps_on_pr_change.yml@main
+    with:
+      app-name: forms-admin
diff --git a/.github/workflows/review_apps_on_pr_close.yml b/.github/workflows/review_apps_on_pr_close.yml
@@ -1,37 +1,20 @@
 name: "Review apps: on PR close"
 on:
   pull_request:
-    # only run when a PR is closed or merged
     types: [closed]
-env:
-  IMAGE_TAG: "842676007477.dkr.ecr.eu-west-2.amazonaws.com/forms-admin:pr-${{github.event.pull_request.number}}-${{github.event.pull_request.head.ref}}"
-jobs:
-  delete-review-app:
-    # this references a codebuild project configured in forms-deploy
-    # see: https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html
-    runs-on: codebuild-review-forms-admin-gha-runner-${{github.run_id}}-${{github.run_attempt}}
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Determine Terraform version
-        id: terraform-version
-        run: |
-          TF_VERSION=$(< .review_apps/.terraform-version)
-          printf "TF_VERSION=%s\n" "$TF_VERSION" >> "$GITHUB_OUTPUT"
+concurrency:
+  group: "review-apps-pr-${{ github.event.pull_request.number }}"
+  cancel-in-progress: false
 
-      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
-        with:
-          terraform_version: ${{steps.terraform-version.outputs.TF_VERSION}}
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
 
-      - name: Delete review app
-        run: |
-          cd .review_apps/
-
-          terraform init -backend-config="key=review-apps/forms-admin/pr-${{github.event.pull_request.number}}.tfstate"
-          terraform destroy \
-            -var "pull_request_number=${{github.event.pull_request.number}}" \
-            -var "forms_admin_container_image=${{env.IMAGE_TAG}}" \
-            -no-color \
-            -auto-approve
+jobs:
+  delete-review-app:
+    name: Delete review app
+    uses: alphagov/forms-deploy/.github/workflows/reusable-review_apps_on_pr_close.yml@main
+    with:
+      app-name: forms-admin
diff --git a/.review_apps/ecs_task_definition.tf b/.review_apps/ecs_task_definition.tf
@@ -70,11 +70,16 @@ resource "aws_ecs_task_definition" "task" {
       portMappings = [
         {
           containerPort = 3000
+          hostPort      = 3000
           protocol      = "tcp"
           appProtocol   = "http"
         }
       ]
 
+      mountPoints    = []
+      systemControls = []
+      volumesFrom    = []
+
       logConfiguration = {
         logDriver = "awslogs"
         options = {
@@ -89,6 +94,7 @@ resource "aws_ecs_task_definition" "task" {
         interval    = 30
         retries     = 5
         startPeriod = 180
+        timeout     = 5
       }
 
       dependsOn = [
@@ -106,7 +112,17 @@ resource "aws_ecs_task_definition" "task" {
       command   = []
       essential = true
 
-      portMappings = [{ containerPort = 5432 }]
+      portMappings = [
+        {
+          containerPort = 5432
+          hostPort      = 5432
+          protocol      = "tcp"
+        }
+      ]
+
+      mountPoints    = []
+      systemControls = []
+      volumesFrom    = []
 
       environment = [
         { name = "POSTGRES_PASSWORD", value = "postgres" }
@@ -122,7 +138,10 @@ resource "aws_ecs_task_definition" "task" {
       }
 
       healthCheck = {
-        command = ["CMD-SHELL", "psql -h localhost -p 5432 -U postgres -c \"SELECT current_timestamp - pg_postmaster_start_time();\""]
+        command  = ["CMD-SHELL", "psql -h localhost -p 5432 -U postgres -c \"SELECT current_timestamp - pg_postmaster_start_time();\""]
+        interval = 30
+        retries  = 3
+        timeout  = 5
       }
     },
 
@@ -135,6 +154,10 @@ resource "aws_ecs_task_definition" "task" {
       environment            = local.forms_admin_env_vars
       readonlyRootFilesystem = true
 
+      mountPoints    = []
+      systemControls = []
+      volumesFrom    = []
+
       logConfiguration = {
         logDriver = "awslogs"
         options = {
