Update PR Environment - #669 (NRL-817 Do not store permissions in artifact) #342

Workflow file for this run

.github/workflows/pr-env-deploy.yml at 258dbfb

	name: Deploy PR Environment
	run-name: "${{ github.event.action == 'synchronize' && 'Update' \|\| 'Create' }} PR Environment - #${{ github.event.pull_request.number }} (${{ github.event.pull_request.title }})"

	on:
	pull_request:
	types: [opened, reopened, synchronize]

	concurrency:
	group: environment-${{ github.event.pull_request.number }}
	cancel-in-progress: false

	permissions:
	id-token: write
	contents: read
	actions: write
	issues: write
	pull-requests: write

	jobs:
	set-environment-id:
	name: Set Environment ID
	runs-on: [self-hosted, ci]
	steps:
	- name: Set a ID based on the branch name
	id: set_environment_id
	run: \|
	JIRA_TICKET=$(
	echo '${{ github.event.pull_request.head.ref }}' \| \
	grep -Po --color=none '[A-z]{3,4}-[0-9]{3,5}' \| \
	sed 's/-//g' \| \
	tr '[:upper:]' '[:lower:]' \|\| \
	true
	)
	BRANCH_HASH=$(echo '${{ github.event.pull_request.head.ref }}${{ github.event.pull_request.id }}' \| sha256sum \| head -c 6)

	if [ -z "$JIRA_TICKET" ]; then
	echo "environment_id=${BRANCH_HASH}" > $GITHUB_OUTPUT
	else
	echo "environment_id=${JIRA_TICKET}-${BRANCH_HASH}" > $GITHUB_OUTPUT
	fi
	outputs:
	environment_id: ${{ steps.set_environment_id.outputs.environment_id }}

	build:
	name: Build Application
	runs-on: [self-hosted, ci]
	steps:
	- name: Git Clone - ${{ github.event.pull_request.head.ref }}
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.head.ref }}

	- name: Setup asdf cache
	uses: actions/cache@v4
	with:
	path: ~/.asdf
	key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
	restore-keys: \|
	${{ runner.os }}-asdf-

	- name: Install asdf
	uses: asdf-vm/actions/[email protected]

	- name: Install zip
	run: sudo apt-get install zip

	- name: Setup Python environment
	run: \|
	poetry install --no-root
	source $(poetry env info --path)/bin/activate

	- name: Run Linting
	run: make lint

	- name: Run Unit Tests
	run: make test

	- name: Build Project
	run: make build

	- name: Configure Management Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-region: eu-west-2
	role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
	role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}

	- name: Add S3 Permissions to Lambda
	run: \|
	make get-s3-perms ENV=dev

	- name: Save Build Artifacts
	uses: actions/upload-artifact@v4
	with:
	name: build-artifacts
	path: \|
	dist/*.zip
	!dist/nrlf_permissions.zip

	- name: Save NRLF Permissions cache
	uses: actions/cache/save@v4
	with:
	key: ${{ github.run_id }}-nrlf-permissions
	path: dist/nrlf_permissions.zip

	- name: Add Failure Pull Request Comment
	uses: actions/github-script@v7
	if: ${{ failure() }}
	with:
	script: \|
	github.rest.issues.createComment({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: `💥 Something went wrong while building the pull request environment.\n[Check Output Logs](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`
	})

	deploy:
	name: Deploy PR Environment
	runs-on: [self-hosted, ci]
	environment: pull-request
	needs: [set-environment-id, build]

	steps:
	- name: Git Clone - ${{ github.event.pull_request.head.ref }}
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.head.ref }}

	- name: Setup asdf cache
	uses: actions/cache@v4
	with:
	path: ~/.asdf
	key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
	restore-keys: \|
	${{ runner.os }}-asdf-

	- name: Install asdf
	uses: asdf-vm/actions/[email protected]

	- name: Configure Management Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-region: eu-west-2
	role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
	role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}

	- name: Download Artifacts
	uses: actions/download-artifact@v4
	with:
	name: build-artifacts
	path: dist

	- name: Restore NRLF permissions cache
	uses: actions/cache/restore@v4
	with:
	key: ${{ github.run_id }}-nrlf-permissions
	path: dist/nrlf_permissions
	fail-on-cache-miss: true

	- name: Retrieve Server Certificates
	run: make truststore-pull-server ENV=dev

	- name: Terraform Init
	run: \|
	terraform -chdir=terraform/infrastructure init
	terraform -chdir=terraform/infrastructure workspace new ${{ needs.set-environment-id.outputs.environment_id }} \|\| \
	terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }}

	- name: Terraform Plan
	run: terraform -chdir=terraform/infrastructure plan --var-file=etc/dev.tfvars --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} -out tfplan

	- name: Terraform Apply
	id: terraform-apply
	run: terraform -chdir=terraform/infrastructure apply tfplan

	- name: Add Success Pull Request Comment
	uses: actions/github-script@v7
	if: ${{ success() }}
	with:
	script: \|
	github.rest.issues.createComment({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: "🚀 PR environment successfully deployed.\nCommit Hash: `${{ github.event.pull_request.head.sha }}`\nURL: https://${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk/"
	})

	- name: Add Failure Pull Request Comment
	uses: actions/github-script@v7
	if: ${{ failure() }}
	with:
	script: \|
	github.rest.issues.createComment({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: `💥 Something went wrong while deploying the pull request environment.\n[Check Output Logs](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`
	})

	integration-test:
	name: Run Integration Tests
	needs: [set-environment-id, deploy]
	environment: pull-request
	runs-on: [self-hosted, ci]

	steps:
	- name: Git Clone - ${{ github.event.pull_request.head.ref }}
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.head.ref }}

	- name: Setup asdf cache
	uses: actions/cache@v4
	with:
	path: ~/.asdf
	key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
	restore-keys: \|
	${{ runner.os }}-asdf-

	- name: Install asdf and tools
	uses: asdf-vm/actions/[email protected]

	- name: Python Dependency Install
	run: poetry install --no-root

	- name: Configure Management Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-region: eu-west-2
	role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
	role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}

	- name: Retrieve Client Certificates
	run: make truststore-pull-client ENV=dev

	- name: Configure Dev Account Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-region: eu-west-2
	role-chaining: true
	role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }}
	role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}

	- name: Run Integration Tests
	run: make test-features-integration TF_WORKSPACE_NAME=${{ needs.set-environment-id.outputs.environment_id }}

	performance-test:
	name: Run Performance Tests
	needs: [set-environment-id, integration-test]
	environment: pull-request
	runs-on: [self-hosted, ci]

	steps:
	- name: Git Clone - ${{ github.event.pull_request.head.ref }}
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.head.ref }}

	- name: Setup asdf cache
	uses: actions/cache@v4
	with:
	path: ~/.asdf
	key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
	restore-keys: \|
	${{ runner.os }}-asdf-

	- name: Install asdf and tools
	uses: asdf-vm/actions/[email protected]

	- name: Setup Python environment
	run: \|
	poetry install --no-root
	source $(poetry env info --path)/bin/activate

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-region: eu-west-2
	role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
	role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}

	- name: Pull Client Certificates
	run: make truststore-pull-client ENV=dev

	- name: Configure Dev Account Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-region: eu-west-2
	role-chaining: true
	role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }}
	role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}

	- name: Setup Environment Test Data
	run: make test-performance-prepare TF_WORKSPACE_NAME=${{ needs.set-environment-id.outputs.environment_id }}

	- name: Run Performance Test - Baseline
	run: make test-performance-baseline HOST=${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk ENV_TYPE=dev

	- name: Run Performance Test - Stress
	run: make test-performance-stress HOST=${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk ENV_TYPE=dev

	- name: Process Performance Test Outputs
	run: make test-performance-output

	- name: Store Performance Test Outputs
	uses: actions/upload-artifact@v4
	with:
	name: performance-test-outputs
	path: dist/*.png

	- name: Cleanup Environment Test Data
	run: make test-performance-cleanup TF_WORKSPACE_NAME=${{ needs.set-environment-id.outputs.environment_id }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update PR Environment - #669 (NRL-817 Do not store permissions in artifact) #342

Workflow file

Update PR Environment - #669 (NRL-817 Do not store permissions in artifact) #342

Jobs

Run details

Workflow file for this run