.github/workflows/merge-main.yml

name: Merge to Main

on:
  push:
    branches:
      - main
    paths-ignore:
      - ".github/ISSUE_TEMPLATE/*"
      - "**.md"
  workflow_dispatch:

env:
  REGISTRY: ghcr.io
  NAME: fom

concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: true

jobs:
  codeql:
    name: Semantic Code Analysis
    runs-on: ubuntu-22.04
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Initialize
        uses: github/codeql-action/init@v2
        with:
          languages: javascript

      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

  deploy-test:
    name: TEST Deploys
    needs: [codeql]
    environment: test
    env:
      ZONE: test
    runs-on: ubuntu-22.04
    timeout-minutes: 10
    strategy:
      matrix:
        name: [api, admin, db, init, public]
        include:
          - name: api
            file: api/openshift.deploy.yml
            overwrite: true
            parameters:
              -p URL=fom-test.nrs.gov.bc.ca
              -p FOM_EMAIL_NOTIFY=FLNR.AdminServicesCariboo@gov.bc.ca
              -p DB_TESTDATA=true
              -p AWS_USER_POOLS_WEB_CLIENT_ID="k3b9ip1vf85o4tkqvu5g4adgj"
              -p LOGOUT_CHAIN_URL="https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi?retnow=1&returl=https://test.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?redirect_uri="
          - name: admin
            file: admin/openshift.deploy.yml
            overwrite: true
            parameters: -p URL=fom-test.nrs.gov.bc.ca
          - name: db
            file: db/openshift.deploy.yml
            overwrite: false
          - name: init
            file: libs/openshift.init.yml
            overwrite: false
          - name: public
            file: public/openshift.deploy.yml
            overwrite: true
            parameters: -p URL=fom-test.nrs.gov.bc.ca
    steps:
      - uses: bcgov-nr/action-deployer-openshift@v1.1.1
        with:
          file: ${{ matrix.file }}
          oc_namespace: ${{ vars.OC_NAMESPACE }}
          oc_server: ${{ vars.OC_SERVER }}
          oc_token: ${{ secrets.OC_TOKEN }}
          overwrite: ${{ matrix.overwrite }}
          penetration_test: false
          parameters:
            -p PROMOTE=ghcr.io/${{ github.repository }}/${{ matrix.name }}:${{ env.ZONE }}
            -p ZONE=${{ env.ZONE }} ${{ matrix.parameters }}

  certbot-test:
    name: Certbot
    needs: [deploy-test]
    environment: test
    runs-on: ubuntu-22.04
    steps:
      - name: Run Certbot
        run: |
          set -eux

          # Login to OpenShift and select project
          oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
          oc project ${{ vars.OC_NAMESPACE }}

          # Run certbot with one-off job
          oc create job "certbot-manual-$(date +%s)" --from=cronjob/certbot

  deploy-prod:
    name: PROD Deploys
    needs: [codeql, deploy-test]
    environment: prod
    env:
      ZONE: prod
    runs-on: ubuntu-22.04
    timeout-minutes: 10
    strategy:
      matrix:
        name: [api, admin, db, init, public]
        include:
          - name: api
            file: api/openshift.deploy.yml
            overwrite: true
            parameters: 
              -p URL=fom.nrs.gov.bc.ca
              -p AWS_USER_POOLS_WEB_CLIENT_ID="4bu2n8at3m32a2fqnvd4t06la1"
              -p LOGOUT_CHAIN_URL="https://logon7.gov.bc.ca/clp-cgi/logoff.cgi?retnow=1&returl=https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?redirect_uri="
          - name: admin
            file: admin/openshift.deploy.yml
            overwrite: true
            parameters: -p URL=fom.nrs.gov.bc.ca
          - name: db
            file: db/openshift.deploy.yml
            overwrite: false
          - name: init
            file: libs/openshift.init.yml
            overwrite: false
          - name: public
            file: public/openshift.deploy.yml
            overwrite: true
            parameters: -p URL=fom.nrs.gov.bc.ca
    steps:
      - uses: bcgov-nr/action-deployer-openshift@v1.1.1
        with:
          file: ${{ matrix.file }}
          oc_namespace: ${{ vars.OC_NAMESPACE }}
          oc_server: ${{ vars.OC_SERVER }}
          oc_token: ${{ secrets.OC_TOKEN }}
          overwrite: ${{ matrix.overwrite }}
          penetration_test: false
          parameters:
            -p PROMOTE=ghcr.io/${{ github.repository }}/${{ matrix.name }}:test
            -p ZONE=${{ env.ZONE }} ${{ matrix.parameters }}

  certbot-prod:
    name: Certbot
    needs: [deploy-prod]
    environment: prod
    runs-on: ubuntu-22.04
    steps:
      - name: Run Certbot
        run: |
          set -eux

          # Login to OpenShift and select project
          oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
          oc project ${{ vars.OC_NAMESPACE }}

          # Run certbot with one-off job
          oc create job "certbot-manual-$(date +%s)" --from=cronjob/certbot

  image-promotions:
    name: Promote images to PROD
    needs: [deploy-prod]
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        component: [api, admin, db, public]
    steps:
      - uses: shrink/actions-docker-registry-tag@v3
        with:
          registry: ghcr.io
          repository: ${{ github.repository }}/${{ matrix.component }}
          target: test
          tags: prod