Skip to content

chore: initial new build process #10390

chore: initial new build process

chore: initial new build process #10390

Workflow file for this run

# Main workflow, orchestrating and triggering other workflows
name: main
on:
workflow_call: # be sure to use 'secrets: inherit' in the caller
push:
branches: ['main']
pull_request:
branches: [main]
jobs:
has-merge-conflict:
uses: ./.github/workflows/move-on-merge-conflict.yaml
secrets: inherit
build:
uses: ./.github/workflows/build.yaml
secrets:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
install-env:
uses: ./.github/workflows/install-env.yaml
secrets: inherit
test-code:
needs: [install-env]
uses: ./.github/workflows/test-code.yaml
secrets: inherit
test-checks:
uses: ./.github/workflows/test-checks.yaml
secrets: inherit
test-containers:
needs: [build]
uses: ./.github/workflows/test-containers.yaml
secrets:
HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }}
HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }}
RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
test-zap:
needs: [build, install-env]
uses: ./.github/workflows/test-zap.yaml
test-e2e:
needs: [install-env]
uses: ./.github/workflows/test-e2e.yaml
secrets:
HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }}
HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }}
RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
setup-s3-backup:
uses: ./.github/workflows/s3-backup.yaml
secrets:
AWS_ARN_DEV: ${{ secrets.AWS_ARN_DEV }}
OPENSHIFT_TOKEN_DEV: ${{ secrets.OPENSHIFT_TOKEN_DEV }}
OPENSHIFT_APP_NAMESPACE_DEV: ${{ secrets.OPENSHIFT_APP_NAMESPACE_DEV }}
AWS_PARAM_DEV: ${{ secrets.AWS_PARAM_DEV }}
AWS_ARN_TEST: ${{ secrets.AWS_ARN_TEST }}
OPENSHIFT_TOKEN_TEST: ${{ secrets.OPENSHIFT_TOKEN_TEST }}
OPENSHIFT_APP_NAMESPACE_TEST: ${{ secrets.OPENSHIFT_APP_NAMESPACE_TEST }}
AWS_ARN_PROD: ${{ secrets.AWS_ARN_PROD }}
AWS_PARAM_TEST: ${{ secrets.AWS_PARAM_TEST }}
OPENSHIFT_TOKEN_PROD: ${{ secrets.OPENSHIFT_TOKEN_PROD }}
OPENSHIFT_APP_NAMESPACE_PROD: ${{ secrets.OPENSHIFT_APP_NAMESPACE_PROD }}
AWS_PARAM_PROD: ${{ secrets.AWS_PARAM_PROD }}
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
rebase-feature-pr:
if: github.event.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Get list of PRs
id: branch-list
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { owner, repo } = context.repo
const listOfBranches = [];
const prs = await github.rest.pulls.list({ owner, repo, state: 'open' });
const checkboxText = "[x] Check for automatic rebasing";
for (const pr of prs.data) {
// check if PR is rebaseable, not draft, and mergable before adding to list
const baseBranch = pr.base.ref;
const headBranch = pr.head.ref;
const comparison = await github.rest.repos.compareCommits({
owner,
repo,
base: baseBranch,
head: headBranch
});
const checkboxChecked = pr.body.includes(checkboxText);
if(comparison.data.behind_by > 0 && !pr.draft && checkboxChecked){
listOfBranches.push(pr.head.ref);
}
}
core.setOutput('branches', JSON.stringify(listOfBranches));
return JSON.stringify(listOfBranches)
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
- name: Set up Git and import GPG key
env:
GPG_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
run: |
echo "${GPG_PRIVATE_KEY}" | gpg --import
git config user.name "CCBC Service Account"
git config user.email "[email protected]"
git config user.signingkey "$(gpg --list-secret-keys --with-colons | awk -F: '/sec:/ {print $5}')"
git config commit.gpgsign true
- name: Rebase PRs
run: |
git checkout main
git pull
branches=$(echo "${{ steps.branch-list.outputs.result }}" | jq -r '.[]')
for branch in $branches; do
git checkout main
git pull
git checkout $branch
git pull
set +e
git rebase main
# if rebase succeeds, force push else abort rebase
REBASE_STATUS=$?
set -e
echo $REBASE_STATUS
if [ $REBASE_STATUS -eq 0 ]; then
git push --force
else
git rebase --abort
fi
done
is-tagged-release:
runs-on: ubuntu-latest
outputs:
tagVersion: ${{steps.tagVersion.outputs.tagVersion}}
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Is Tagged Commit
id: tagVersion
# Check if one of the commits is associated with a tag
run: |
echo "tagVersion=$( git tag --merged ${{ github.sha }} --no-merged ${{ github.event.before }} | grep v*)" >>$GITHUB_OUTPUT
ensure-sqitch-plan-ends-with-tag:
runs-on: ubuntu-latest
needs: [is-tagged-release]
if: contains(needs.is-tagged-release.outputs.tagVersion, 'v')
steps:
- uses: actions/checkout@v4
- run: ./.bin/sqitch-last-change-is-tag.sh db
deploy:
if: github.event.ref == 'refs/heads/main'
needs: [test-code, test-containers]
uses: ./.github/workflows/deploy.yaml
secrets:
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
OPENSHIFT_APP_NAMESPACE: ${{ secrets.OPENSHIFT_APP_NAMESPACE }}
OPENSHIFT_METABASE_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_NAMESPACE }}
OPENSHIFT_METABASE_PROD_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_PROD_NAMESPACE }}
NEXT_PUBLIC_GROWTHBOOK_API_KEY: ${{ secrets.NEXT_PUBLIC_GROWTHBOOK_API_KEY }}
CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
OPENSHIFT_SECURE_ROUTE: ${{ secrets.OPENSHIFT_SECURE_ROUTE }}
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
AWS_S3_KEY: ${{ secrets.AWS_S3_KEY }}
AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
AWS_S3_SECRET_KEY: ${{ secrets.AWS_S3_SECRET_KEY }}
CERTBOT_EMAIL: ${{ secrets.CERTBOT_EMAIL }}
CERTBOT_SERVER: ${{ secrets.CERTBOT_SERVER }}
AWS_CLAM_S3_BUCKET: ${{ secrets.AWS_CLAM_S3_BUCKET }}
METABASE_EMBED_SECRET: ${{ secrets.METABASE_EMBED_SECRET }}
METABASE_SITE_URL: ${{ secrets.METABASE_SITE_URL }}
CERT: ${{ secrets.CERT }}
CERT_KEY: ${{ secrets.CERT_KEY }}
CERT_CA: ${{ secrets.CERT_CA }}
SP_SA_USER: ${{ secrets.SP_SA_USER }}
SP_SA_PASSWORD: ${{ secrets.SP_SA_PASSWORD }}
SP_DOC_LIBRARY: ${{ secrets.SP_DOC_LIBRARY }}
SP_SITE: ${{ secrets.SP_SITE }}
SP_MS_FILE_NAME: ${{ secrets.SP_MS_FILE_NAME }}
SA_CLIENT_SECRET: ${{ secrets.SA_CLIENT_SECRET }}
SA_CLIENT_ID: ${{ secrets.SA_CLIENT_ID }}
KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_HOST }}
SP_LIST_NAME: ${{ secrets.SP_LIST_NAME }}
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
VAULT_NAMESPACE: ${{ secrets.VAULT_NAMESPACE}}
RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
CHES_API_URL: ${{ secrets.CHES_API_URL }}
CHES_CLIENT: ${{ secrets.CHES_CLIENT }}
CHES_CLIENT_SECRET: ${{ secrets.CHES_CLIENT_SECRET }}
CHES_TO_EMAIL: ${{ secrets.CHES_TO_EMAIL }}
CHES_KEYCLOAK_HOST: ${{ secrets.CHES_KEYCLOAK_HOST }}
AWS_S3_BACKUPS_BUCKET: ${{ secrets.AWS_S3_BACKUPS_BUCKET }}
ER_FILE: ${{ secrets.ER_FILE }}
RD_FILE: ${{ secrets.RD_FILE }}
COVERAGES_FILE: ${{ secrets.COVERAGES_FILE }}
SESSION_SECRET: ${{ secrets.SESSION_SECRET }}
deploy-feature:
if: github.event_name == 'pull_request' && github.event.pull_request.draft == false
needs: [build]
uses: ./.github/workflows/deploy_feature.yaml
secrets:
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
OPENSHIFT_APP_NAMESPACE: ${{ secrets.OPENSHIFT_APP_NAMESPACE }}
OPENSHIFT_METABASE_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_NAMESPACE }}
OPENSHIFT_METABASE_PROD_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_PROD_NAMESPACE }}
NEXT_PUBLIC_GROWTHBOOK_API_KEY: ${{ secrets.NEXT_PUBLIC_GROWTHBOOK_API_KEY }}
CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
OPENSHIFT_SECURE_ROUTE: ${{ secrets.OPENSHIFT_SECURE_ROUTE }}
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
AWS_S3_KEY: ${{ secrets.AWS_S3_KEY }}
AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
AWS_S3_SECRET_KEY: ${{ secrets.AWS_S3_SECRET_KEY }}
AWS_CLAM_S3_BUCKET: ${{ secrets.AWS_CLAM_S3_BUCKET }}
METABASE_EMBED_SECRET: ${{ secrets.METABASE_EMBED_SECRET }}
METABASE_SITE_URL: ${{ secrets.METABASE_SITE_URL }}
SP_SA_USER: ${{ secrets.SP_SA_USER }}
SP_SA_PASSWORD: ${{ secrets.SP_SA_PASSWORD }}
SP_DOC_LIBRARY: ${{ secrets.SP_DOC_LIBRARY }}
SP_SITE: ${{ secrets.SP_SITE }}
SP_MS_FILE_NAME: ${{ secrets.SP_MS_FILE_NAME }}
SA_CLIENT_SECRET: ${{ secrets.SA_CLIENT_SECRET }}
SA_CLIENT_ID: ${{ secrets.SA_CLIENT_ID }}
KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_HOST }}
SP_LIST_NAME: ${{ secrets.SP_LIST_NAME }}
RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
CHES_API_URL: ${{ secrets.CHES_API_URL }}
CHES_CLIENT: ${{ secrets.CHES_CLIENT }}
CHES_CLIENT_SECRET: ${{ secrets.CHES_CLIENT_SECRET }}
CHES_TO_EMAIL: ${{ secrets.CHES_TO_EMAIL }}
CHES_KEYCLOAK_HOST: ${{ secrets.CHES_KEYCLOAK_HOST }}
TEST_PG_PASSWORD: ${{ secrets.TEST_PG_PASSWORD }}
JIRA_AUTH: ${{ secrets.JIRA_AUTH }}
AWS_S3_FEAT_BUCKET: ${{ secrets.AWS_S3_FEAT_BUCKET }}
AWS_S3_FEAT_CLAM_BUCKET: ${{ secrets.AWS_S3_FEAT_CLAM_BUCKET }}
AWS_FEAT_ARN: ${{ secrets.AWS_FEAT_ARN }}
cleanup_feature:
if: github.event_name == 'pull_request' && github.event.pull_request.draft == true
uses: ./.github/workflows/clean-feature-env.yaml
secrets:
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
OPENSHIFT_APP_NAMESPACE: ${{ secrets.OPENSHIFT_APP_NAMESPACE }}