Skip to content

enable astra scan #2737

enable astra scan

enable astra scan #2737

name: Build and Deploy
on:
push:
branches: [feature/*, dev, test]
env:
REGISTRY: ghcr.io
REGISTRY_USERNAME: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v3
with:
images: ${{ env.REGISTRY }}/bcgov/api-services-portal/api-services-portal
- name: Set DEPLOY_ID which will deploy a custom deploy to 'dev' environment
run: |
echo '::set-output name=DEPLOY_ID::${{ steps.docker_meta.outputs.version }}'
echo '::set-output name=APP_VERSION::${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.version'] }}'
echo '::set-output name=APP_REVISION::${{ fromJSON(steps.docker_meta.outputs.json).labels['org.opencontainers.image.revision'] }}'
id: set-deploy-id
- name: Get deploy ID
run: echo "The DEPLOY_ID is ${{ steps.set-deploy-id.outputs.DEPLOY_ID }}"
- uses: actions/checkout@v2
- name: Install oc
uses: redhat-actions/oc-installer@v1
with:
version: '4.6'
- name: Authenticate to silver and set context
uses: redhat-actions/oc-login@v1
with:
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
# Disables SSL cert checking. Use this if you don't have the certificate authority data.
insecure_skip_tls_verify: true
namespace: ${{ env.OPENSHIFT_NAMESPACE }}
- name: Login to DockerHub
uses: docker/login-action@v1
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.REGISTRY_USERNAME }}
password: ${{ env.REGISTRY_PASSWORD }}
- uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
- name: Build
uses: docker/build-push-action@v2
with:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
context: .
file: Dockerfile
tags: ${{ steps.docker_meta.outputs.tags }}
load: true
build-args: |
GITHUB_API_TOKEN=${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
APP_VERSION=${{ steps.set-deploy-id.outputs.APP_VERSION }}
APP_REVISION=${{ steps.set-deploy-id.outputs.APP_REVISION }}
- name: Push
run: docker push ${{ steps.docker_meta.outputs.tags }}
- name: 'Get Helm'
if: github.ref != 'refs/heads/dev'
run: |
curl -L -O https://get.helm.sh/helm-v3.4.2-linux-amd64.tar.gz
tar -xf helm-v3.4.2-linux-amd64.tar.gz
- name: 'Deploy Database'
if: github.ref != 'refs/heads/dev'
run: |
export PATH=$PATH:`pwd`/linux-amd64
echo '
image:
registry: docker.pkg.github.com
repository: bcgov-dss/api-serv-infra/mongodb
tag: 5.0-7a639fba
pullPolicy: IfNotPresent
pullSecrets:
- dev-github-read-packages-creds
auth:
rootPassword: "s3cr3t"
serviceAccount:
create: false
name: asp-service-account
arbiter:
enabled: false
rbac:
create: true
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 100%
readinessProbe:
timeoutSeconds: 30
periodSeconds: 120
livenessProbe:
timeoutSeconds: 30
periodSeconds: 120
persistence:
enabled: true
size: 2Gi
resources:
requests:
cpu: 85m
memory: 480M
limits:
cpu: 300m
memory: 720M
podSecurityContext:
enabled: true
fsGroup: ${{ secrets.RUNNING_UID_GID }}
containerSecurityContext:
enabled: true
runAsUser: ${{ secrets.RUNNING_UID_GID }}
' > values.yaml
helm repo add bitnami https://charts.bitnami.com/bitnami
helm upgrade --install proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db --version 12.1.31 -f values.yaml --history-max 3 bitnami/mongodb
- name: 'Deploy Backend'
if: github.ref != 'refs/heads/dev'
run: |
export PATH=$PATH:`pwd`/linux-amd64
echo "
podAnnotations:
sha: $GITHUB_SHA
replicaCount: 1
rollingUpdate:
maxUnavailable: 100%
maxSurge: 0%
image:
repository: ${{ env.REGISTRY }}/bcgov/api-services-portal/api-services-portal
tag: ${{ steps.set-deploy-id.outputs.DEPLOY_ID }}
pullPolicy: Always
imagePullSecrets:
- name: dev-github-read-packages-creds
podSecurityContext:
fsGroup: ${{ secrets.RUNNING_UID_GID }}
securityContext:
runAsUser: ${{ secrets.RUNNING_UID_GID }}
containerPort: 3000
resources:
requests:
cpu: 20m
memory: 400M
limits:
cpu: 100m
memory: 800M
serviceAccount:
create: false
name: asp-service-account
oauthProxy:
enabled: true
image:
repository: ${{ env.REGISTRY }}/bcgov-dss/api-serv-infra/oauth2-proxy
tag: 7.2.1-8c743f0c
pullPolicy: IfNotPresent
config:
upstream: http://127.0.0.1:3000
client-id: ${{ secrets.OIDC_CLIENT_ID }}
client-secret: ${{ secrets.OIDC_CLIENT_SECRET }}
oidc-issuer-url: ${{ secrets.OIDC_ISSUER }}
redirect-url: https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca/oauth2/callback
skip-auth-regex: '/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/feed/|/signout|/content|^[/]$'
whitelist-domain: authz-apps-gov-bc-ca.dev.api.gov.bc.ca
skip-provider-button: 'true'
profile-url: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/userinfo
insecure-oidc-allow-unverified-email: 'true'
oidc-email-claim: 'sub'
pass-basic-auth: 'false'
pass-access-token: 'true'
set-xauthrequest: 'true'
skip-jwt-bearer-tokens: 'false'
set-authorization-header: 'false'
pass-authorization-header: 'false'
env:
SESSION_SECRET:
value: '234873290483290'
secure: true
AUTH_STRATEGY:
value: Oauth2Proxy
KONG_URL:
value: '${{ secrets.KONG_URL_DEV}}'
MONGO_URL:
value: 'mongodb://proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db-mongodb:27017'
MONGO_USER:
value: root
secure: true
MONGO_PASSWORD:
value: s3cr3t
secure: true
FEEDER_URL:
value: 'http://proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-feeder-generic-api'
GITHUB_API_TOKEN:
value: '${{ secrets.GH_TOKEN_FOR_CONTENT}}'
secure: true
OIDC_ISSUER:
value: '${{ secrets.OIDC_ISSUER }}'
JWKS_URL:
value: '${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/certs'
EXTERNAL_URL:
value: 'https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca'
SSR_API_ROOT:
value: 'http://localhost:7999'
NEXT_PUBLIC_API_ROOT:
value: 'https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca'
NEXT_PUBLIC_GRAFANA_URL:
value: 'https://grafana-apps-gov-bc-ca.dev.api.gov.bc.ca'
NEXT_PUBLIC_KUBE_CLUSTER:
value: 'feature-silver'
NEXT_PUBLIC_HELP_DESK_URL:
value: 'https://dpdd.atlassian.net/servicedesk/customer/portal/1/group/2'
NEXT_PUBLIC_HELP_CHAT_URL:
value: 'https://chat.developer.gov.bc.ca/channel/aps-ops'
NEXT_PUBLIC_HELP_ISSUE_URL:
value: 'https://github.com/bcgov/api-services-portal/issues'
NEXT_PUBLIC_HELP_API_DOCS_URL:
value: '/ds/api/v3/console/'
NEXT_PUBLIC_HELP_SUPPORT_URL:
value: 'https://developer.gov.bc.ca/docs/default/component/aps-infra-platform-docs/'
NEXT_PUBLIC_HELP_RELEASE_URL:
value: 'https://developer.gov.bc.ca/docs/default/component/aps-infra-platform-docs/reference/releases/'
NEXT_PUBLIC_HELP_STATUS_URL:
value: 'https://uptime.com/s/bcgov-dss'
NEXT_PUBLIC_DEVELOPER_IDS:
value: 'idir,bceid,bcsc,github'
NEXT_PUBLIC_PROVIDER_IDS:
value: 'idir'
NEXT_PUBLIC_ACCOUNT_BCEID_URL:
value: 'https://www.test.bceid.ca/logon.aspx?returnUrl=/profile_management'
NEXT_PUBLIC_ACCOUNT_BCSC_URL:
value: 'https://id.gov.bc.ca/account/'
GWA_API_URL:
value: 'https://gwa-api-gov-bc-ca.dev.api.gov.bc.ca'
GWA_PROD_ENV_SLUG:
value: 'FB000000'
GWA_RES_SVR_CLIENT_ID:
value: '${{ secrets.OIDC_CLIENT_ID }}'
secure: true
GWA_RES_SVR_CLIENT_SECRET:
value: '${{ secrets.OIDC_CLIENT_SECRET }}'
secure: true
KEYCLOAK_AUTH_URL:
value: '${{ secrets.KEYCLOAK_AUTH }}'
KEYCLOAK_REALM:
value: '${{ secrets.KEYCLOAK_REALM }}'
COOKIE_SECURE:
value: 'true'
LOG_LEVEL:
value: 'debug'
DISABLE_LOGGING:
value: 'true'
EMAIL_ENABLED:
value: 'true'
EMAIL_FROM:
value: '[email protected]'
EMAIL_HOST:
value: 'apps.smtp.gov.bc.ca'
readinessProbe:
exec:
command:
- sh
- -c
- 'state=\$(curl -XGET -m 2 --silent -f -H \"Accept: application/json\" http://localhost:3000/health | jq -r \".status | ascii_downcase\"); if [ ! \"\$state\" == \"ready\" ]; then exit 1; fi'
timeoutSeconds: 3
periodSeconds: 10
" > values.yaml
helm repo add bcgov http://bcgov.github.io/helm-charts
helm upgrade --install proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }} -f values.yaml --history-max 3 bcgov/generic-api
- name: 'Deploy Routes'
if: github.ref != 'refs/heads/dev'
run: |
export PATH=$PATH:`pwd`/linux-amd64
echo "
routes:
- host: api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca
targetPort: http
service: proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-generic-api
wildcardPolicy: None
tls:
termination: edge
" > values.yaml
helm repo add bcgov http://bcgov.github.io/helm-charts
helm upgrade --install proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-routes -f values.yaml --history-max 3 bcgov/ocp-route
- name: 'Seed Data'
if: github.ref != 'refs/heads/dev'
run: |
export PATH=$PATH:`pwd`/linux-amd64
cd .github/workflows
SERVICE=proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-feeder-generic-api \
PORTAL_URL=https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca \
OIDC_ISSUER=${{ secrets.OIDC_ISSUER }} \
OIDC_CLIENT_ID=${{ secrets.OIDC_CLIENT_ID }} \
OIDC_CLIENT_SECRET=${{ secrets.OIDC_CLIENT_SECRET }} \
./scripts/init.sh
- name: Authenticate to Gold and set context
if: github.ref == 'refs/heads/test'
uses: redhat-actions/oc-login@v1
with:
openshift_server_url: ${{ secrets.OPENSHIFT_GOLD_SERVER }}
openshift_token: ${{ secrets.OPENSHIFT_GOLD_TOKEN }}
insecure_skip_tls_verify: true
namespace: ${{ secrets.OPENSHIFT_GOLD_TEST_NAMESPACE }}
- name: 'Restart Portal in Gold Test Namespace'
if: github.ref == 'refs/heads/test'
run: |
oc rollout restart deployment/bcgov-aps-portal-generic-api -n ${{ secrets.OPENSHIFT_GOLD_TEST_NAMESPACE }}
oc rollout restart deployment/bcgov-aps-portal-batch-generic-api -n ${{ secrets.OPENSHIFT_GOLD_TEST_NAMESPACE }}
- name: 'Create Pull Request for Release'
if: github.ref == 'refs/heads/test'
uses: actions/github-script@v6
with:
script: |
const { repo, owner } = context.repo;
const openPrs = await github.rest.pulls.list({
owner,
repo,
head: '${{ github.ref_name }}',
base: 'main',
state: 'open'
})
if(openPrs.data.length === 0){
await github.rest.pulls.create({
title: 'Create Latest Release',
owner,
repo,
head: '${{ github.ref_name }}',
base: 'main',
body: [
'This Pull Request is auto-created by [actions/github-script](https://github.com/actions/github-script).',
'Please update this PR with appropriate labels to target specific type of release'
].join('\n\n'),
draft: true
});
} else {
console.log("There is already an open Pull Request in place.\n")
openPrs.data.forEach((item) => {
console.log(item.html_url)
})
}