Merge pull request #224 from navapbc/seant/8

[Sean] Issue 8 - Add app-flask and app-nextjs

Author: sean-navapbc

.github/workflows/cd-app-flask.yml

@@ -0,0 +1,38 @@
+name: Deploy app-flask
+# Need to set a default value for when the workflow is triggered from a git push
+# which bypasses the default configuration for inputs
+run-name: Deploy ${{inputs.version || 'main' }} to app-flask ${{ inputs.environment || 'dev' }}
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "app-flask/**"
+      - "bin/**"
+      - "infra/**"
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Environment to deploy to
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - dev
+          - staging
+          - prod
+      version:
+        required: true
+        default: "main"
+        description: Tag or branch or SHA to deploy
+
+jobs:
+  deploy:
+    name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
+    uses: ./.github/workflows/deploy.yml
+    with:
+      app_name: "app-flask"
+      environment: ${{ inputs.environment || 'dev' }}
+      version: ${{ inputs.version || 'main' }}
+    secrets: inherit

.github/workflows/cd-app-nextjs-storybook.yml

@@ -0,0 +1,58 @@
+name: Deploy Storybook
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - app-nextjs/**
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow access to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Cancel any older in-progress runs of this workflow
+concurrency:
+  group: "pages"
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ./app-nextjs/package.json
+          cache-dependency-path: ./app-nextjs/package-lock.json # or yarn.lock
+          cache: npm # or yarn
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+        id: pages_config
+      - name: Install dependencies
+        run: npm ci
+        working-directory: ./app-nextjs
+      - name: Build
+        run: NEXT_PUBLIC_BASE_PATH=${{ steps.pages_config.outputs.base_path }} npm run storybook-build
+        working-directory: ./app-nextjs
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: ./app-nextjs/storybook-static
+
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.hosting.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: hosting
+        uses: actions/deploy-pages@v4

.github/workflows/cd-app-nextjs.yml

@@ -0,0 +1,38 @@
+name: Deploy app-nextjs
+# Need to set a default value for when the workflow is triggered from a git push
+# which bypasses the default configuration for inputs
+run-name: Deploy ${{inputs.version || 'main' }} to app-nextjs ${{ inputs.environment || 'dev' }}
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "app-nextjs/**"
+      - "bin/**"
+      - "infra/**"
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Environment to deploy to
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - dev
+          - staging
+          - prod
+      version:
+        required: true
+        default: "main"
+        description: Tag or branch or SHA to deploy
+
+jobs:
+  deploy:
+    name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
+    uses: ./.github/workflows/deploy.yml
+    with:
+      app_name: "app-nextjs"
+      environment: ${{ inputs.environment || 'dev' }}
+      version: ${{ inputs.version || 'main' }}
+    secrets: inherit

.github/workflows/ci-app-flask-infra-service.yml

@@ -0,0 +1,62 @@
+name: CI Infra Service Checks - app-flask
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - infra/app-flask/service/**
+      - infra/modules/**
+      - infra/test/**
+      - .github/workflows/ci-app-flask-infra-service.yml
+  pull_request:
+    paths:
+      - infra/app-flask/service/**
+      - infra/modules/**
+      - infra/test/**
+      - .github/workflows/ci-app-flask-infra-service.yml
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        default: "main"
+        description: Tag or branch or SHA to test
+
+jobs:
+  build-and-publish:
+    name: Build
+    uses: ./.github/workflows/build-and-publish.yml
+    with:
+      app_name: app-flask
+      ref: ${{ inputs.version || github.ref }}
+
+  infra-test-e2e:
+    name: Test service
+    runs-on: ubuntu-latest
+    needs: [build-and-publish]
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.version || github.ref }}
+
+      - name: Set up Terraform
+        uses: ./.github/actions/setup-terraform
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "infra/test/go.mod"
+
+      - name: Configure AWS credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          app_name: app-flask
+          # Run infra CI on dev environment
+          environment: dev
+
+      - name: Run Terratest
+        run: make infra-test-service APP_NAME=app-flask

.github/workflows/ci-app-flask-openapi.yml

@@ -0,0 +1,42 @@
+# Update OpenAPI docs so that they remain up to date with the application
+name: Update OpenAPI Docs
+
+on:
+  pull_request:
+    paths:
+      - app-flask/**
+      - Makefile
+      - .github/workflows/ci-app-flask-openapi.yml
+
+defaults:
+  run:
+    working-directory: ./app-flask
+
+# Only trigger run one update of the OpenAPI spec at a time on the branch.
+# If new commits are pushed to the branch, cancel in progress runs and start
+# a new one.
+concurrency:
+  group: ${{ github.head_ref }}
+  cancel-in-progress: true
+
+
+jobs:
+  update-openapi-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Checkout the feature branch associated with the pull request
+          ref: ${{ github.head_ref }}
+
+      - name: Update OpenAPI spec
+        run: make openapi-spec
+
+      - name: Push changes
+        run: |
+          git config user.name nava-platform-bot
+          git config user.email platform-admins@navapbc.com
+          git add --all
+          # Commit changes (if no changes then no-op)
+          git diff-index --quiet HEAD || git commit -m "Update OpenAPI spec"
+          git push

.github/workflows/ci-app-flask-pr-environment-checks.yml

@@ -0,0 +1,22 @@
+name: CI app-flask PR Environment Checks
+on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        required: true
+        type: string
+      commit_hash:
+        required: true
+        type: string
+  pull_request:
+
+jobs:
+  update:
+    name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
+    uses: ./.github/workflows/pr-environment-checks.yml
+    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.state == 'open'
+    with:
+      app_name: "app-flask"
+      environment: "dev"
+      pr_number: ${{ inputs.pr_number || github.event.number }}
+      commit_hash: ${{ inputs.commit_hash || github.event.pull_request.head.sha }}

.github/workflows/ci-app-flask-pr-environment-destroy.yml

@@ -0,0 +1,18 @@
+name: CI app-flask PR Environment Destroy
+on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        required: true
+        type: string
+  pull_request_target:
+    types: [closed]
+
+jobs:
+  destroy:
+    name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
+    uses: ./.github/workflows/pr-environment-destroy.yml
+    with:
+      app_name: "app-flask"
+      environment: "dev"
+      pr_number: ${{ inputs.pr_number || github.event.number }}

.github/workflows/ci-app-flask-vulnerability-scans.yml

@@ -0,0 +1,28 @@
+name: CI Vulnerability Scans - app-flask
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - app-flask/**
+      - .grype.yml
+      - .hadolint.yaml
+      - .trivyignore
+      - .github/workflows/vulnerability-scans.yml
+      - .github/workflows/ci-app-flask-vulnerability-scans.yml
+  pull_request:
+    paths:
+      - app-flask/**
+      - .grype.yml
+      - .hadolint.yaml
+      - .trivyignore
+      - .github/workflows/vulnerability-scans.yml
+      - .github/workflows/ci-app-flask-vulnerability-scans.yml
+
+jobs:
+  vulnerability-scans:
+    name: Vulnerability Scans
+    uses: ./.github/workflows/vulnerability-scans.yml
+    with:
+      app_name: "app-flask"

.github/workflows/ci-app-flask.yml

@@ -0,0 +1,51 @@
+name: CI - app-flask
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - app-flask/**
+      - .github/workflows/ci-app-flask.yml
+  pull_request:
+    paths:
+      - app-flask/**
+      - .github/workflows/ci-app-flask.yml
+
+defaults:
+  run:
+    working-directory: ./app-flask
+
+jobs:
+  # As an enhancement, it is possible to share the built docker image and share
+  # it across jobs as described in:
+  # https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts#passing-data-between-jobs-in-a-workflow
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run format check
+        run: make format-check
+
+      - name: Run linting
+        run: make lint
+  security-scan:
+    name: Security scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run security linting
+        run: make lint-security
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Start tests
+        run: |
+          make test-audit
+          make test-coverage