Update PR Environment - #564 (NRL-641 Fix SonarCloud warnings) #33
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy PR Environment | |
| run-name: "${{ github.event.action == 'synchronize' && 'Update' || 'Create' }} PR Environment - #${{ github.event.pull_request.number }} (${{ github.event.pull_request.title }})" | |
| on: | |
| pull_request: | |
| types: [opened, reopened, synchronize] | |
| concurrency: | |
| group: environment-${{ github.event.pull_request.number }} | |
| cancel-in-progress: false | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: write | |
| issues: write | |
| pull-requests: write | |
| jobs: | |
| set-environment-id: | |
| name: Set Environment ID | |
| runs-on: [self-hosted, ci] | |
| steps: | |
| - name: Set a ID based on the branch name | |
| id: set_environment_id | |
| run: | | |
| JIRA_TICKET=$( | |
| echo '${{ github.event.pull_request.head.ref }}' | \ | |
| grep -Po --color=none '[A-z]{3,4}-[0-9]{3,5}' | \ | |
| sed 's/-//g' | \ | |
| tr '[:upper:]' '[:lower:]' || \ | |
| true | |
| ) | |
| BRANCH_HASH=$(echo '${{ github.event.pull_request.head.ref }}${{ github.event.pull_request.id }}' | sha256sum | head -c 6) | |
| if [ -z "$JIRA_TICKET" ]; then | |
| echo "environment_id=${BRANCH_HASH}" > $GITHUB_OUTPUT | |
| else | |
| echo "environment_id=${JIRA_TICKET}-${BRANCH_HASH}" > $GITHUB_OUTPUT | |
| fi | |
| outputs: | |
| environment_id: ${{ steps.set_environment_id.outputs.environment_id }} | |
| build: | |
| name: Build Application | |
| runs-on: [self-hosted, ci] | |
| steps: | |
| - name: Git Clone - ${{ github.event.pull_request.head.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Install zip | |
| run: sudo apt-get install zip | |
| - name: Setup Python environment | |
| run: | | |
| poetry install --no-root | |
| source $(poetry env info --path)/bin/activate | |
| - name: Run Linting | |
| run: make lint | |
| - name: Run Unit Tests | |
| run: make test | |
| - name: Build Project | |
| run: make build | |
| - name: Save Build Artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| path: dist/*.zip | |
| - name: Add Failure Pull Request Comment | |
| uses: actions/github-script@v7 | |
| if: ${{ failure() }} | |
| with: | |
| script: | | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: `💥 Something went wrong while building the pull request environment.\n[Check Output Logs](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})` | |
| }) | |
| deploy: | |
| name: Deploy PR Environment | |
| runs-on: [self-hosted, ci] | |
| needs: [set-environment-id, build] | |
| steps: | |
| - name: Git Clone - ${{ github.event.pull_request.head.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Download Artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| path: dist | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.CI_ROLE_NAME }} | |
| role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }} | |
| - name: Retrieve Server Certificates | |
| run: aws s3 cp s3://nhsd-nrlf--truststore/server/dev.pem truststore/server/dev.pem | |
| - name: Get AWS Account ID | |
| id: get_account_id | |
| run: echo "aws_account_id=$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--dev-account-id --query SecretString --output text)" >> "$GITHUB_OUTPUT" | |
| - name: Terraform Init | |
| run: | | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new ${{ needs.set-environment-id.outputs.environment_id }} || \ | |
| terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }} | |
| - name: Terraform Plan | |
| run: | | |
| terraform -chdir=terraform/infrastructure plan \ | |
| --var-file=etc/dev.tfvars \ | |
| --var assume_account=${{ steps.get_account_id.outputs.aws_account_id }} \ | |
| --var assume_role=terraform \ | |
| -out tfplan | |
| - name: Store Terraform Plan Output | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: tfplan-output | |
| path: terraform/infrastructure/tfplan* | |
| - name: Terraform Apply | |
| id: terraform-apply | |
| run: | | |
| terraform -chdir=terraform/infrastructure apply tfplan | |
| - name: Store Terraform Outputs | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: terraform-outputs | |
| path: terraform/infrastructure/output.json | |
| - name: Add Success Pull Request Comment | |
| uses: actions/github-script@v7 | |
| if: ${{ success() }} | |
| with: | |
| script: | | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: "🚀 PR environment successfully deployed.\nCommit Hash: `${{ github.event.pull_request.head.sha }}`\nURL: https://${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk/" | |
| }) | |
| - name: Add Failure Pull Request Comment | |
| uses: actions/github-script@v7 | |
| if: ${{ failure() }} | |
| with: | |
| script: | | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: `💥 Something went wrong while deploying the pull request environment.\n[Check Output Logs](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})` | |
| }) | |
| integration-test: | |
| name: Run Integration Tests | |
| needs: [set-environment-id, deploy] | |
| runs-on: [self-hosted, ci] | |
| steps: | |
| - name: Git Clone - ${{ github.event.pull_request.head.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf and tools | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Python Dependency Install | |
| run: poetry install --no-root | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.CI_ROLE_NAME }} | |
| role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }} | |
| - name: Retrieve Client Certificates | |
| run: | | |
| aws s3 cp s3://nhsd-nrlf--truststore/client/dev.key truststore/client/dev.key | |
| aws s3 cp s3://nhsd-nrlf--truststore/client/dev.crt truststore/client/dev.crt | |
| - name: Get AWS Account ID | |
| id: get_account_id | |
| run: echo "aws_account_id=$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--dev-account-id --query SecretString --output text)" >> "$GITHUB_OUTPUT" | |
| - name: Configure Dev Account Credentials | |
| id: configure-dev-account-credentials | |
| run: | | |
| aws_credentials=$(aws sts assume-role --role-arn arn:aws:iam::${{ steps.get_account_id.outputs.aws_account_id }}:role/terraform --role-session-name github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }} --output json) | |
| echo "aws_access_key_id=$(echo $aws_credentials | jq -r '.Credentials.AccessKeyId')" >> "$GITHUB_OUTPUT" | |
| echo "aws_secret_access_key=$(echo $aws_credentials | jq -r '.Credentials.SecretAccessKey')" >> "$GITHUB_OUTPUT" | |
| echo "aws_session_token=$(echo $aws_credentials | jq -r '.Credentials.SessionToken')" >> "$GITHUB_OUTPUT" | |
| - name: Run Integration Tests | |
| run: make test-features-integration TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }} | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ steps.configure-dev-account-credentials.outputs.aws_access_key_id }} | |
| AWS_SECRET_ACCESS_KEY: ${{ steps.configure-dev-account-credentials.outputs.aws_secret_access_key }} | |
| AWS_SESSION_TOKEN: ${{ steps.configure-dev-account-credentials.outputs.aws_session_token }} | |
| performance-test: | |
| name: Run Performance Tests | |
| needs: [set-environment-id, integration-test] | |
| runs-on: [self-hosted, ci] | |
| steps: | |
| - name: Git Clone - ${{ github.event.pull_request.head.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf and tools | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Setup Python environment | |
| run: | | |
| poetry install --no-root | |
| source $(poetry env info --path)/bin/activate | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.CI_ROLE_NAME }} | |
| role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }} | |
| - name: Pull Client Certificates | |
| run: make truststore-pull-client ENV=dev | |
| - name: Get AWS Account ID | |
| id: get_account_id | |
| run: echo "aws_account_id=$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--dev-account-id --query SecretString --output text)" >> "$GITHUB_OUTPUT" | |
| - name: Configure Dev Account Credentials | |
| id: configure-dev-account-credentials | |
| run: | | |
| aws_credentials=$(aws sts assume-role --role-arn arn:aws:iam::${{ steps.get_account_id.outputs.aws_account_id }}:role/terraform --role-session-name github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }} --output json) | |
| echo "aws_access_key_id=$(echo $aws_credentials | jq -r '.Credentials.AccessKeyId')" >> "$GITHUB_OUTPUT" | |
| echo "aws_secret_access_key=$(echo $aws_credentials | jq -r '.Credentials.SecretAccessKey')" >> "$GITHUB_OUTPUT" | |
| echo "aws_session_token=$(echo $aws_credentials | jq -r '.Credentials.SessionToken')" >> "$GITHUB_OUTPUT" | |
| - name: Setup Environment Test Data | |
| run: make test-performance-prepare TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }} | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ steps.configure-dev-account-credentials.outputs.aws_access_key_id }} | |
| AWS_SECRET_ACCESS_KEY: ${{ steps.configure-dev-account-credentials.outputs.aws_secret_access_key }} | |
| AWS_SESSION_TOKEN: ${{ steps.configure-dev-account-credentials.outputs.aws_session_token }} | |
| - name: Run Performance Test - Baseline | |
| run: make test-performance-baseline HOST=${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk ENV_TYPE=dev | |
| - name: Run Performance Test - Stress | |
| run: make test-performance-stress HOST=${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk ENV_TYPE=dev | |
| - name: Process Performance Test Outputs | |
| run: make test-performance-output | |
| - name: Store Performance Test Outputs | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: performance-test-outputs | |
| path: dist/*.png | |
| - name: Cleanup Environment Test Data | |
| run: make test-performance-cleanup TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }} | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ steps.configure-dev-account-credentials.outputs.aws_access_key_id }} | |
| AWS_SECRET_ACCESS_KEY: ${{ steps.configure-dev-account-credentials.outputs.aws_secret_access_key }} | |
| AWS_SESSION_TOKEN: ${{ steps.configure-dev-account-credentials.outputs.aws_session_token }} |