ci: workflow and process updates

.github/workflows/merge-main.yml

@@ -1,9 +1,8 @@
-name: Merge to Main
+name: Merge
 
 on:
   push:
-    branches:
-      - main
+    branches: [main]
     paths-ignore:
       - ".github/ISSUE_TEMPLATE/*"
       - "**.md"
@@ -14,33 +13,19 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  codeql:
-    name: Semantic Code Analysis
-    runs-on: ubuntu-24.04
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
+  init:
+    name: Initialize
+    outputs:
+      pr: ${{ steps.pr.outputs.pr }}
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Initialize
-        uses: github/codeql-action/init@v3
-        with:
-          languages: javascript
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        # Get PR number for squash merges to main
+      - id: pr
+        uses: bcgov-nr/[email protected]
 
   deploys-test:
     name: TEST Deployments
-    needs:
-      - codeql
+    needs: [init]
     environment: test
     runs-on: ubuntu-24.04
     strategy:
@@ -59,7 +44,7 @@ jobs:
           oc_token: ${{ secrets.OC_TOKEN }}
           overwrite: ${{ matrix.overwrite }}
           parameters:
-            -p ZONE=test -p TAG=test
+            -p ZONE=test -p TAG=${{ needs.init.outputs.pr }}
             ${{ matrix.parameters }}
             -p IDIM_WEB_SERVICE_URL=${{ vars.IDIM_WEB_SERVICE_URL }}
             -p IDIM_WEB_SERVICE_ID=${{ secrets.IDIM_WEB_SERVICE_ID }}
@@ -70,8 +55,7 @@ jobs:
 
   deploys-prod:
     name: PROD Deployments
-    needs:
-      - deploys-test
+    needs: [init, deploys-test]
     environment: prod
     runs-on: ubuntu-24.04
     strategy:
@@ -90,7 +74,7 @@ jobs:
           oc_token: ${{ secrets.OC_TOKEN }}
           overwrite: ${{ matrix.overwrite }}
           parameters:
-            -p ZONE=prod -p TAG=prod
+            -p ZONE=prod -p TAG=${{ needs.init.outputs.pr }}
             ${{ matrix.parameters }}
             -p IDIM_WEB_SERVICE_URL=${{ vars.IDIM_WEB_SERVICE_URL }}
             -p IDIM_WEB_SERVICE_ID=${{ secrets.IDIM_WEB_SERVICE_ID }}
@@ -101,8 +85,7 @@ jobs:
 
   image-promotions:
     name: Promote images to PROD
-    needs:
-      - deploys-prod
+    needs: [init, deploys-prod]
     runs-on: ubuntu-24.04
     permissions:
       packages: write
@@ -114,5 +97,5 @@ jobs:
         with:
           registry: ghcr.io
           repository: ${{ github.repository }}/${{ matrix.component }}
-          target: test
+          target: ${{ needs.init.outputs.pr }}
           tags: prod

.github/workflows/pr-close.yml

@@ -2,49 +2,20 @@ name: Pull Request Closed
 
 on:
   pull_request:
-    types:
-      - closed
+    types: [closed]
 
 concurrency:
   # PR open and close use the same group, allowing only one at a time
   group: pr-${{ github.workflow }}-${{ github.event.number }}
   cancel-in-progress: true
 
 jobs:
-  # Clean up OpenShift when PR closed, no conditions
-  cleanup-openshift:
-    name: Cleanup OpenShift
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Install CLI tools from OpenShift Mirror
-        uses: redhat-actions/openshift-tools-installer@v1
-        with:
-          oc: "4.14.37"
-
-      - name: Remove OpenShift artifacts
-        run: |
-          # OC Login
-          OC_TEMP_TOKEN=$(curl -k -X POST https://api.silver.devops.gov.bc.ca:6443/api/v1/namespaces/${{ vars.OC_NAMESPACE }}/serviceaccounts/pipeline/token --header "Authorization: Bearer ${{ secrets.OC_TOKEN }}" -d '{"spec": {"expirationSeconds": 600}}' -H 'Content-Type: application/json; charset=utf-8' | jq -r '.status.token' )
-          oc login --token=${OC_TEMP_TOKEN} --server=https://api.silver.devops.gov.bc.ca:6443
-          oc project ${{ vars.OC_NAMESPACE }} # Safeguard!
-
-          # Remove old build runs, build pods and deployment pods
-          oc delete all,pvc,secret -l app=${{ github.event.repository.name }}-${{ github.event.number }}
-
-  # If merged into main, then handle any image promotions
-  image-promotions:
-    name: Image Promotions
-    if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main'
-    runs-on: ubuntu-24.04
-    permissions:
-      packages: write
-    strategy:
-      matrix:
-        package: [backend]
-    steps:
-      - uses: shrink/actions-docker-registry-tag@v4
-        with:
-          registry: ghcr.io
-          repository: ${{ github.repository }}/${{ matrix.package }}
-          target: ${{ github.event.number }}
-          tags: test
+  cleanup:
+    name: Cleanup and Images
+    uses: bcgov/quickstart-openshift-helpers/.github/workflows/[email protected]
+    secrets:
+      oc_namespace: ${{ vars.OC_NAMESPACE }}
+      oc_token: ${{ secrets.OC_TOKEN }}
+    with:
+      cleanup: label
+      packages: backend

.github/workflows/pr-open.yml

@@ -9,31 +9,6 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  pr-greeting:
-    name: PR Greeting
-    if: github.event.action == 'opened' || github.event.action == 'reopened'
-    env:
-      DOMAIN: apps.silver.devops.gov.bc.ca
-      PREFIX: ${{ github.event.repository.name }}-${{ github.event.number }}
-    runs-on: ubuntu-24.04
-    permissions:
-      pull-requests: write
-    steps:
-      - name: PR Greeting
-        uses: bcgov-nr/[email protected]
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          add_markdown: |
-            ---
-
-            Thanks for the PR!
-
-            Any successful deployments (not always required) will be available below.
-            [Backend](https://${{ env.PREFIX }}-backend.${{ env.DOMAIN }}/api) available
-
-            Once merged, code will be promoted and handed off to following workflow run.
-            [Main Merge Workflow](https://github.com/${{ github.repository }}/actions/workflows/merge-main.yml)
-
   builds:
     name: Builds
     runs-on: ubuntu-24.04
@@ -53,7 +28,7 @@ jobs:
         with:
           package: ${{ matrix.package }}
           tag: ${{ github.event.number }}
-          tag_fallback: test
+          tag_fallback: latest
           token: ${{ secrets.GITHUB_TOKEN }}
           triggers: ${{ matrix.triggers }}
           build_file: ${{ matrix.build_file }}
@@ -62,8 +37,7 @@ jobs:
 
   deploys:
     name: Deploys
-    needs:
-      - builds
+    needs: builds
     runs-on: ubuntu-24.04
     strategy:
       matrix:

.github/workflows/pr-validate.yml

@@ -0,0 +1,25 @@
+name: PR Validate
+
+on:
+  pull_request:
+    types: [edited, opened, synchronize, reopened, ready_for_review]
+
+concurrency:
+  group: ${{ github.workflow }}-edit-${{ github.event.number }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    name: Validate PR
+    uses: bcgov/quickstart-openshift-helpers/.github/workflows/[email protected]
+    with:
+      markdown_links: |
+        - [Backend](https://${{ github.event.repository.name }}-${{ github.event.number }}-backend.apps.silver.devops.gov.bc.ca/api) available
+
+  results:
+    name: Validate Results
+    if: always() && (!failure()) && (!cancelled())
+    needs: [validate]
+    runs-on: ubuntu-24.04
+    steps:
+      - run: echo "Success!"