PIMS-2106: Address WAVA Scan Findings #242
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# GitHub Actions workflow for deploying API image on PR merge to main branch | |
name: EXPRESS API-DEV Deploy | |
on: | |
pull_request: | |
types: | |
- closed | |
branches: [main] | |
paths: | |
- 'express-api/**' # Triggers on changes to files in the express-api/ directory. | |
workflow_dispatch: | |
inputs: | |
image_tag: | |
description: 'Image Tag to deploy' | |
required: true | |
env: | |
IMAGE_TAG: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.image_tag || github.event.pull_request.number }} | |
jobs: | |
# Job to deploy API image to OpenShift | |
Deploy-To-OpenShift: | |
if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged }} | |
name: Deploy to OpenShift | |
runs-on: ubuntu-latest | |
steps: | |
# Install yaml Parser | |
- name: Install yaml Parser (yq) | |
run: | | |
curl -Lo yq "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64" | |
chmod +x yq | |
mv yq /home/runner/bin | |
# Add deploy key to runner | |
- name: Setup SSH | |
run: | | |
mkdir -p ~/.ssh | |
echo "${{ secrets.MANIFEST_REPO_DEPLOY_KEY }}" > ~/.ssh/id_rsa | |
chmod 600 ~/.ssh/id_rsa | |
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts | |
# Make changes to image tag in values.yaml within GitOps repo | |
- name: Clone, Update, and Commit Changes | |
run: | | |
git clone [email protected]:bcgov-c/tenant-gitops-354028.git | |
cd tenant-gitops-354028 | |
FILE_PATH="pims-v2/values-dev.yaml" | |
NEW_TAG="${{ env.IMAGE_TAG }}" | |
yq e ".backend.image.tag = \"$NEW_TAG\"" -i "$FILE_PATH" | |
git config user.email "[email protected]" | |
git config user.name "ManishSihag" | |
git pull origin main | |
git add "$FILE_PATH" | |
git commit -m "Update backend image tag to $NEW_TAG" | |
# Retry push with rebase to handle conflicts from simultaneous frontend/backend updates | |
RETRY_COUNT=2 | |
RETRY_DELAY=15 | |
for ((i=0; i<=$RETRY_COUNT; i++)); do | |
git push && break || { | |
echo "Push failed. Retrying in $RETRY_DELAY seconds..." | |
sleep $RETRY_DELAY | |
git pull --rebase origin main | |
git add "$FILE_PATH" | |
git commit --amend --no-edit | |
} | |
done | |
# Job to update the wiki with deployed image tag information | |
Update_Wiki_Tags: | |
needs: [ Deploy-To-OpenShift ] | |
name: Update table in wiki | |
runs-on: ubuntu-latest | |
env: | |
GH_TOKEN: ${{ github.token }} | |
steps: | |
# Checkout the repository | |
- name: Checkout | |
uses: actions/checkout@v3 | |
# Clone wiki repository | |
- name: Clone wiki repository | |
run: | | |
echo "Cloning wiki repo https://github.com/$GITHUB_REPOSITORY.wiki.git" | |
git clone "https://$GITHUB_ACTOR:[email protected]/$GITHUB_REPOSITORY.wiki.git" ./wiki | |
# Setup Python | |
- name: Setup Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.10' | |
# Run update wiki python script | |
- name: Run update wiki python script | |
run: python ./.github/helpers/update-wiki-table.py ./wiki/Image-tags.md "API V2" "Deployed Image Tag in DEV" "${{ env.IMAGE_TAG }}" | |
# Commit and push changes to wiki | |
- name: Commit and push changes to wiki | |
run: | | |
cd ./wiki | |
git config user.name "$GITHUB_ACTOR" | |
git config user.email "[email protected]" | |
git add . | |
if git diff-index --quiet HEAD; then | |
echo "Nothing changed" | |
exit 0 | |
fi | |
echo "Pushing changes to wiki" | |
git commit -m "Value populated at Deploy API" && git push "https://$GITHUB_ACTOR:[email protected]/$GITHUB_REPOSITORY.wiki.git" |