Skip to content

Merge pull request #3211 from bcgov/NDT-282-Refactor-how-we-handle-pr… #7359

Merge pull request #3211 from bcgov/NDT-282-Refactor-how-we-handle-pr…

Merge pull request #3211 from bcgov/NDT-282-Refactor-how-we-handle-pr… #7359

Workflow file for this run

# Main workflow, orchestrating and triggering other workflows
name: main
on:
workflow_call: # be sure to use 'secrets: inherit' in the caller
push:
branches: ['main']
pull_request:
branches: [main]
jobs:
build:
uses: ./.github/workflows/build.yaml
install-env:
uses: ./.github/workflows/install-env.yaml
secrets: inherit
test-code:
needs: [install-env]
uses: ./.github/workflows/test-code.yaml
secrets: inherit
test-checks:
uses: ./.github/workflows/test-checks.yaml
secrets: inherit
test-containers:
needs: [build]
uses: ./.github/workflows/test-containers.yaml
secrets:
HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }}
HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }}
RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
test-zap:
needs: [build, install-env]
uses: ./.github/workflows/test-zap.yaml
test-e2e:
needs: [build, install-env]
uses: ./.github/workflows/test-e2e.yaml
secrets:
HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }}
HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }}
RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
setup-s3-backup:
uses: ./.github/workflows/s3-backup.yaml
secrets:
AWS_ARN_DEV: ${{ secrets.AWS_ARN_DEV }}
OPENSHIFT_TOKEN_DEV: ${{ secrets.OPENSHIFT_TOKEN_DEV }}
OPENSHIFT_APP_NAMESPACE_DEV: ${{ secrets.OPENSHIFT_APP_NAMESPACE_DEV }}
AWS_PARAM_DEV: ${{ secrets.AWS_PARAM_DEV }}
AWS_ARN_TEST: ${{ secrets.AWS_ARN_TEST }}
OPENSHIFT_TOKEN_TEST: ${{ secrets.OPENSHIFT_TOKEN_TEST }}
OPENSHIFT_APP_NAMESPACE_TEST: ${{ secrets.OPENSHIFT_APP_NAMESPACE_TEST }}
AWS_ARN_PROD: ${{ secrets.AWS_ARN_PROD }}
AWS_PARAM_TEST: ${{ secrets.AWS_PARAM_TEST }}
OPENSHIFT_TOKEN_PROD: ${{ secrets.OPENSHIFT_TOKEN_PROD }}
OPENSHIFT_APP_NAMESPACE_PROD: ${{ secrets.OPENSHIFT_APP_NAMESPACE_PROD }}
AWS_PARAM_PROD: ${{ secrets.AWS_PARAM_PROD }}
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
rebase-feature-pr:
if: github.event.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Get list of PRs
id: branch-list
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { owner, repo } = context.repo
const listOfBranches = [];
const prs = await github.rest.pulls.list({ owner, repo, state: 'open' });
for (const pr of prs.data) {
// check if PR is rebaseable, not draft, and mergable before adding to list
const baseBranch = pr.base.ref;
const headBranch = pr.head.ref;
const comparison = await github.rest.repos.compareCommits({
owner,
repo,
base: baseBranch,
head: headBranch
});
if(comparison.data.behind_by > 0 && !pr.draft && pr.requested_reviewers.length > 0){
listOfBranches.push(pr.head.ref);
}
}
core.setOutput('branches', JSON.stringify(listOfBranches));
return JSON.stringify(listOfBranches)
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
- name: Set up Git and import GPG key
env:
GPG_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
run: |
echo "${GPG_PRIVATE_KEY}" | gpg --import
git config user.name "CCBC Service Account"
git config user.email "[email protected]"
git config user.signingkey "$(gpg --list-secret-keys --with-colons | awk -F: '/sec:/ {print $5}')"
git config commit.gpgsign true
- name: Rebase PRs
run: |
git checkout main
git pull
branches=$(echo "${{ steps.branch-list.outputs.result }}" | jq -r '.[]')
for branch in $branches; do
git checkout main
git pull
git checkout $branch
git pull
set +e
git rebase main
# if rebase succeeds, force push else abort rebase
REBASE_STATUS=$?
set -e
echo $REBASE_STATUS
if [ $REBASE_STATUS -eq 0 ]; then
git push --force
else
git rebase --abort
fi
done
create-release-pr:
if: github.event.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
- name: Set up Git and import GPG key
env:
GPG_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
run: |
echo "${GPG_PRIVATE_KEY}" | gpg --import
git config user.name "CCBC Service Account"
git config user.email "[email protected]"
git config user.signingkey "$(gpg --list-secret-keys --with-colons | awk -F: '/sec:/ {print $5}')"
git config commit.gpgsign true
- name: dev env setup
uses: ./.github/actions/dev-env-setup
- name: Delete Latest Tag If It Already Exists
run: |
git checkout main
yarn
NEW_TAG=$(yarn release-it --release-version | awk 'match($0, /^ *([0-9]+\.[0-9]+\.[0-9]+)/, a) { if (NR == 1) next; print "v" a[1]; exit; }')
TAG_EXISTS=$(git tag -l $NEW_TAG)
echo $NEW_TAG
if [ "$TAG_EXISTS" ]; then
git tag -d $NEW_TAG
git push --delete origin $NEW_TAG
fi
- name: Delete and Recreate Branch
run: |
git branch -D chore/release || true
git push origin --delete chore/release || true
git checkout main
git checkout -b chore/release
- name: Close Previous PRs
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { owner, repo } = context.repo
const prs = await github.rest.pulls.list({ owner, repo, state: 'open', head: 'bcgov:chore/release' })
for (const pr of prs.data) {
await github.rest.pulls.update({ owner, repo, pull_number: pr.number, state: 'closed' })
}
- name: Setup Sqitch User
run: |
sqitch config --user user.name 'CCBC Service Account'
sqitch config --user user.email '[email protected]'
- name: Make Release
run: |
git checkout chore/release
git push --set-upstream origin chore/release
git pull
echo '--ci' | make release
- name: Create PR
uses: actions/github-script@v7
with:
github-token: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
script: |
const { owner, repo } = context.repo
await github.rest.pulls.create({
owner,
repo,
title: 'chore: release',
head: 'chore/release',
base: 'main',
});
deploy:
if: github.event.ref == 'refs/heads/main'
needs: [test-code, test-containers]
uses: ./.github/workflows/deploy.yaml
secrets:
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
OPENSHIFT_APP_NAMESPACE: ${{ secrets.OPENSHIFT_APP_NAMESPACE }}
OPENSHIFT_METABASE_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_NAMESPACE }}
OPENSHIFT_METABASE_PROD_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_PROD_NAMESPACE }}
NEXT_PUBLIC_GROWTHBOOK_API_KEY: ${{ secrets.NEXT_PUBLIC_GROWTHBOOK_API_KEY }}
CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
OPENSHIFT_SECURE_ROUTE: ${{ secrets.OPENSHIFT_SECURE_ROUTE }}
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
AWS_S3_KEY: ${{ secrets.AWS_S3_KEY }}
AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
AWS_S3_SECRET_KEY: ${{ secrets.AWS_S3_SECRET_KEY }}
CERTBOT_EMAIL: ${{ secrets.CERTBOT_EMAIL }}
CERTBOT_SERVER: ${{ secrets.CERTBOT_SERVER }}
AWS_CLAM_S3_BUCKET: ${{ secrets.AWS_CLAM_S3_BUCKET }}
METABASE_EMBED_SECRET: ${{ secrets.METABASE_EMBED_SECRET }}
METABASE_SITE_URL: ${{ secrets.METABASE_SITE_URL }}
CERT: ${{ secrets.CERT }}
CERT_KEY: ${{ secrets.CERT_KEY }}
CERT_CA: ${{ secrets.CERT_CA }}
SP_SA_USER: ${{ secrets.SP_SA_USER }}
SP_SA_PASSWORD: ${{ secrets.SP_SA_PASSWORD }}
SP_DOC_LIBRARY: ${{ secrets.SP_DOC_LIBRARY }}
SP_SITE: ${{ secrets.SP_SITE }}
SP_MS_FILE_NAME: ${{ secrets.SP_MS_FILE_NAME }}
SA_CLIENT_SECRET: ${{ secrets.SA_CLIENT_SECRET }}
SA_CLIENT_ID: ${{ secrets.SA_CLIENT_ID }}
KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_HOST }}
SP_LIST_NAME: ${{ secrets.SP_LIST_NAME }}
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
VAULT_NAMESPACE: ${{ secrets.VAULT_NAMESPACE}}
RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
CHES_API_URL: ${{ secrets.CHES_API_URL }}
CHES_CLIENT: ${{ secrets.CHES_CLIENT }}
CHES_CLIENT_SECRET: ${{ secrets.CHES_CLIENT_SECRET }}
CHES_TO_EMAIL: ${{ secrets.CHES_TO_EMAIL }}
CHES_KEYCLOAK_HOST: ${{ secrets.CHES_KEYCLOAK_HOST }}
AWS_S3_BACKUPS_BUCKET: ${{ secrets.AWS_S3_BACKUPS_BUCKET }}
deploy-feature:
if: github.event_name == 'pull_request' && github.event.pull_request.draft == false
needs: [test-code, test-containers]
uses: ./.github/workflows/deploy_feature.yaml
secrets:
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
OPENSHIFT_APP_NAMESPACE: ${{ secrets.OPENSHIFT_APP_NAMESPACE }}
OPENSHIFT_METABASE_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_NAMESPACE }}
OPENSHIFT_METABASE_PROD_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_PROD_NAMESPACE }}
NEXT_PUBLIC_GROWTHBOOK_API_KEY: ${{ secrets.NEXT_PUBLIC_GROWTHBOOK_API_KEY }}
CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
OPENSHIFT_SECURE_ROUTE: ${{ secrets.OPENSHIFT_SECURE_ROUTE }}
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
AWS_S3_KEY: ${{ secrets.AWS_S3_KEY }}
AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
AWS_S3_SECRET_KEY: ${{ secrets.AWS_S3_SECRET_KEY }}
AWS_CLAM_S3_BUCKET: ${{ secrets.AWS_CLAM_S3_BUCKET }}
METABASE_EMBED_SECRET: ${{ secrets.METABASE_EMBED_SECRET }}
METABASE_SITE_URL: ${{ secrets.METABASE_SITE_URL }}
SP_SA_USER: ${{ secrets.SP_SA_USER }}
SP_SA_PASSWORD: ${{ secrets.SP_SA_PASSWORD }}
SP_DOC_LIBRARY: ${{ secrets.SP_DOC_LIBRARY }}
SP_SITE: ${{ secrets.SP_SITE }}
SP_MS_FILE_NAME: ${{ secrets.SP_MS_FILE_NAME }}
SA_CLIENT_SECRET: ${{ secrets.SA_CLIENT_SECRET }}
SA_CLIENT_ID: ${{ secrets.SA_CLIENT_ID }}
KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_HOST }}
SP_LIST_NAME: ${{ secrets.SP_LIST_NAME }}
RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }}
CHES_API_URL: ${{ secrets.CHES_API_URL }}
CHES_CLIENT: ${{ secrets.CHES_CLIENT }}
CHES_CLIENT_SECRET: ${{ secrets.CHES_CLIENT_SECRET }}
CHES_TO_EMAIL: ${{ secrets.CHES_TO_EMAIL }}
CHES_KEYCLOAK_HOST: ${{ secrets.CHES_KEYCLOAK_HOST }}
TEST_PG_PASSWORD: ${{ secrets.TEST_PG_PASSWORD }}
cleanup_feature:
if: github.event_name == 'pull_request' && github.event.pull_request.draft == true
uses: ./.github/workflows/clean-feature-env.yaml
secrets:
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
OPENSHIFT_APP_NAMESPACE: ${{ secrets.OPENSHIFT_APP_NAMESPACE }}