From 9c5c3aac1b9d4e2c626281c057fc782898e3259a Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Mon, 2 Jun 2025 16:37:38 +0100 Subject: [PATCH 1/3] eja - experimenting with slack webhook --- .github/workflows/cicd-2-publish.yaml | 151 ++++++++------------------ 1 file changed, 44 insertions(+), 107 deletions(-) diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml index 218571d01..65e4e885c 100644 --- a/.github/workflows/cicd-2-publish.yaml +++ b/.github/workflows/cicd-2-publish.yaml @@ -1,11 +1,8 @@ -# Description: Deploys merged code to the dev environment. -# Triggered on push to main. Tags the commit with a dev- label. -# Does not create GitHub Releases or production tags (v1.x.x). - name: "CI/CD publish" on: - push: + pull_request: + types: [closed] branches: - main @@ -13,6 +10,7 @@ jobs: metadata: name: "Set CI/CD metadata" runs-on: ubuntu-latest + if: github.event.pull_request.merged == true timeout-minutes: 1 outputs: build_datetime: ${{ steps.variables.outputs.build_datetime }} @@ -25,7 +23,6 @@ jobs: steps: - name: "Checkout code" uses: actions/checkout@v4 - - name: "Set CI/CD variables" id: variables run: | 
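Review bot: The three-line `# Description:` header is deleted rather than rewritten, so the file no longer states when it runs now that the trigger is `pull_request` with `types: [closed]`; keep a header such as `# Description: Creates a GitHub release when a pull request into main is merged.` The `branches:` filter under `pull_request` matches the base branch, which is what detecting a merge into `main` needs. A run started by the `closed` event checks out the pull request merge ref by default, which for an already merged PR may not be the commit that landed on `main`; if this trigger is kept, have the checkout step use `ref: ${{ github.event.pull_request.merge_commit_sha }}` explicitly. The `if: github.event.pull_request.merged == true` gate added in the next hunk on `metadata` already skips `publish` through `needs:`, so the second copy of that condition on `publish` is redundant.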
@@ -36,120 +33,60 @@ jobs: echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT echo "python_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT - echo "version=dev-$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT - + # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow + echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT - name: "List variables" run: | - echo "Deploying to: DEV" - echo "VERSION=${{ steps.variables.outputs.version }}" - + export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}" + export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}" + export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}" + export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}" + export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}" + export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}" + export VERSION="${{ steps.variables.outputs.version }}" + make list-variables publish: - name: "Publish to dev" + name: "Publish packages" runs-on: ubuntu-latest needs: [metadata] - timeout-minutes: 10 - environment: "dev" - permissions: - id-token: write - contents: read + if: github.event.pull_request.merged == true + timeout-minutes: 3 steps: - - name: "Setup Terraform" - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{ needs.metadata.outputs.terraform_version }} - - - name: "Set up Python" - uses: actions/setup-python@v5 - with: - python-version: '3.13' - - - name: "Checkout Repository" + - name: "Checkout code" uses: actions/checkout@v4 - - - name: "Build lambda artefact" + - name: "Get the artefacts" run: | - make dependencies install-python - make build - - - name: "Upload lambda artefact" - uses: actions/upload-artifact@v4 - with: - 
name: lambda - path: dist/lambda.zip - - - name: "Download Built Lambdas" - uses: actions/download-artifact@v4 - with: - name: lambda - path: ./build - - - name: "Configure AWS Credentials" - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role - aws-region: eu-west-2 - - - name: "Terraform Plan Stacks" + echo "Getting the artefacts created by the build stage ..." + # TODO: Use either action/cache or action/upload-artifact + - name: "Create release" + id: create_release + uses: actions/create-release@v1 env: - ENVIRONMENT: dev - WORKSPACE: "default" - TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }} - TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }} - TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} - - # just planning for now for safety and until review - run: | - mkdir -p ./build - echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan" - make terraform env=$ENVIRONMENT stack=networking tf-command=plan workspace=$WORKSPACE - echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=plan" - make terraform env=$ENVIRONMENT stack=api-layer tf-command=plan workspace=$WORKSPACE - working-directory: ./infrastructure - - - name: "Tag the dev deployment" - run: | - git config user.name "github-actions" - git config user.email "github-actions@github.com" - git tag ${{ needs.metadata.outputs.version }} - git push origin ${{ needs.metadata.outputs.version }} - - # --- Keeping these just in case: Uncomment to release to GitHub --- - # - name: "Create release" - # id: create_release - # uses: actions/create-release@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # tag_name: ${{ needs.metadata.outputs.version }} - # release_name: Release ${{ needs.metadata.outputs.version }} - # body: | - # Release of ${{ needs.metadata.outputs.version }} 
- # draft: false - # prerelease: true - + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ needs.metadata.outputs.version }} + release_name: Release ${{ needs.metadata.outputs.version }} + body: | + Release of ${{ needs.metadata.outputs.version }} + draft: false + prerelease: false # - name: "Upload release asset" # uses: actions/upload-release-asset@v1 # env: # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # with: # upload_url: "${{ steps.create_release.outputs.upload_url }}" - # asset_path: ./build/lambda.zip - # asset_name: lambda-${{ needs.metadata.outputs.version }}.zip - # asset_content_type: application/zip - success: - name: "Success notification" - runs-on: ubuntu-latest - needs: [publish] - steps: - - name: "Check prerequisites for notification" - id: check - run: echo "secret_exist=${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL != '' }}" >> $GITHUB_OUTPUT - - name: "Notify on publishing packages" - if: steps.check.outputs.secret_exist == 'true' - uses: nhs-england-tools/notify-msteams-action@v1.0.0 + # asset_path: ./* + # asset_name: repository-template-${{ needs.metadata.outputs.version }}.tar.gz + # asset_content_type: "application/gzip" + - name: "Notify Slack on PR merge" + uses: slackapi/slack-github-action@v2.1.0 with: - github-token: ${{ secrets.GITHUB_TOKEN }} - teams-webhook-url: ${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL }} - message-title: "Notification title" - message-text: "This is a notification body" - link: ${{ github.event.pull_request.html_url }} + webhook: ${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: webhook-trigger + payload: | + status: "${{ job.status }}" + link: "${{ github.event.pull_request.html_url }}" + Author: "${{ github.event.pull_request.user.login }}" + title: "${{ github.event.pull_request.title }}" + version: "${{ needs.metadata.outputs.version }}" From f645e5240fb5a4e7dafa3fcaac264c06b39e0485 Mon Sep 17 00:00:00 2001 
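Review bot: The `publish` job now calls `actions/create-release@v1` while the same hunk removes its `permissions:` block (`id-token: write`, `contents: read`), so the job falls back to the repository's default token scope; where that default is read-only the release call fails, so restore `permissions:` with `contents: write` on the job, and note that this action is archived upstream (the preinstalled `gh release create` covers the same step). The Slack step expands `${{ github.event.pull_request.title }}` inline inside the `payload` block scalar; a PR title is free text written by the PR author, so quote characters or newlines in it break the payload YAML or add keys to it — emit it as a JSON-escaped scalar instead, `title: ${{ toJSON(github.event.pull_request.title) }}`. The deleted Teams job first checked that its webhook secret was non-empty before notifying; the new step has no such guard and no `if: always()`, so on a repository without `SLACK_WEBHOOK_URL` it errors after the release already exists, and `status: "${{ job.status }}"` can only ever report success. The unchanged `python_version` line still greps `^nodejs` rather than `^python`, which is also visible in the `@@ -33,20 +36,15 @@` hunk of the second patch, and the `echo unknown` fallback for `version` would hand `create-release` a `tag_name` of `unknown`; failing the metadata step when `.version` is missing is safer than publishing with it.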
From: Edd Almond Date: Tue, 3 Jun 2025 15:08:20 +0100 Subject: [PATCH 2/3] pulling in main, getting rid of merge artifacts --- .github/workflows/cicd-2-publish.yaml | 118 +++++++++++++++++++------- 1 file changed, 86 insertions(+), 32 deletions(-) diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml index 9b9f6daf4..f771c4f45 100644 --- a/.github/workflows/cicd-2-publish.yaml +++ b/.github/workflows/cicd-2-publish.yaml @@ -1,8 +1,11 @@ +# Description: Deploys merged code to the dev environment. +# Triggered on push to main. Tags the commit with a dev- label. +# Does not create GitHub Releases or production tags (v1.x.x). + name: "CI/CD publish" on: - pull_request: - types: [closed] + push: branches: - main @@ -10,7 +13,6 @@ jobs: metadata: name: "Set CI/CD metadata" runs-on: ubuntu-latest - if: github.event.pull_request.merged == true timeout-minutes: 1 outputs: build_datetime: ${{ steps.variables.outputs.build_datetime }} @@ -23,6 +25,7 @@ jobs: steps: - name: "Checkout code" uses: actions/checkout@v4 + - name: "Set CI/CD variables" id: variables run: | 
@@ -33,20 +36,15 @@ jobs: echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT echo "python_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT - # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow - echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT + echo "version=dev-$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT + - name: "List variables" run: | - export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}" - export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}" - export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}" - export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}" - export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}" - export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}" - export VERSION="${{ steps.variables.outputs.version }}" - make list-variables + echo "Deploying to: DEV" + echo "VERSION=${{ steps.variables.outputs.version }}" + publish: - name: "Publish packages" + name: "Publish to dev" runs-on: ubuntu-latest needs: [metadata] timeout-minutes: 10 
@@ -55,33 +53,89 @@ jobs: id-token: write contents: write steps: - - name: "Checkout code" + - name: "Setup Terraform" + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ needs.metadata.outputs.terraform_version }} + + - name: "Set up Python" + uses: actions/setup-python@v5 + with: + python-version: '3.13' + + - name: "Checkout Repository" uses: actions/checkout@v4 - - name: "Get the artefacts" + + - name: "Build lambda artefact" run: | - echo "Getting the artefacts created by the build stage ..." - # TODO: Use either action/cache or action/upload-artifact - - name: "Create release" - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + make dependencies install-python + make build + + - name: "Upload lambda artefact" + uses: actions/upload-artifact@v4 + with: + name: lambda + path: dist/lambda.zip + + - name: "Download Built Lambdas" + uses: actions/download-artifact@v4 with: - tag_name: ${{ needs.metadata.outputs.version }} - release_name: Release ${{ needs.metadata.outputs.version }} - body: | - Release of ${{ needs.metadata.outputs.version }} - draft: false - prerelease: false + name: lambda + path: ./build + + - name: "Configure AWS Credentials" + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role + aws-region: eu-west-2 + + - name: "Terraform Plan Stacks" + env: + ENVIRONMENT: dev + WORKSPACE: "default" + TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }} + TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }} + TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} + + # just planning for now for safety and until review + run: | + mkdir -p ./build + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan" + make terraform env=$ENVIRONMENT stack=networking tf-command=plan workspace=$WORKSPACE + echo "Running: make 
terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=plan" + make terraform env=$ENVIRONMENT stack=api-layer tf-command=plan workspace=$WORKSPACE + working-directory: ./infrastructure + + - name: "Tag the dev deployment" + run: | + git config user.name "github-actions" + git config user.email "github-actions@github.com" + git tag ${{ needs.metadata.outputs.version }} + git push origin ${{ needs.metadata.outputs.version }} + + # --- Keeping these just in case: Uncomment to release to GitHub --- + # - name: "Create release" + # id: create_release + # uses: actions/create-release@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # tag_name: ${{ needs.metadata.outputs.version }} + # release_name: Release ${{ needs.metadata.outputs.version }} + # body: | + # Release of ${{ needs.metadata.outputs.version }} + # draft: false + # prerelease: true + # - name: "Upload release asset" # uses: actions/upload-release-asset@v1 # env: # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # with: # upload_url: "${{ steps.create_release.outputs.upload_url }}" - # asset_path: ./* - # asset_name: repository-template-${{ needs.metadata.outputs.version }}.tar.gz - # asset_content_type: "application/gzip" + # asset_path: ./build/lambda.zip + # asset_name: lambda-${{ needs.metadata.outputs.version }}.zip + # asset_content_type: application/zip - name: "Notify Slack on PR merge" uses: slackapi/slack-github-action@v2.1.0 with: From 360fc02b21477afa78a8151ab19290f4f3b22b2d Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Tue, 3 Jun 2025 16:09:20 +0100 Subject: [PATCH 3/3] using slightly different variables as the PR branch isn't know in this workflow --- .github/workflows/cicd-2-publish.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml index f771c4f45..f8b66911d 100644 --- a/.github/workflows/cicd-2-publish.yaml +++ b/.github/workflows/cicd-2-publish.yaml 
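Review bot: The build step writes `dist/lambda.zip`, which the next two steps upload as an artifact and immediately download into `./build` within the same job; a `cp dist/lambda.zip build/` (or pointing the Terraform plan at `dist/`) gives the same result without the round trip, and the upload only earns its place if another job consumes it. `actions/setup-python@v5` pins `python-version: '3.13'` while the metadata job exports `python_version` from `.tool-versions` and `terraform_version` is already consumed from there, so the two can drift; use `${{ needs.metadata.outputs.python_version }}` once that output greps the right tool. The `# just planning for now for safety and until review` comment sits inside the step's `env:` mapping; move it directly above `run:`, the line it qualifies. The tag push runs before the Slack notification, so a notification failure marks the job failed after the `dev-` tag already exists; the notify step is also still named `Notify Slack on PR merge` although the trigger is now `push`, and that step's body continues outside the hunk.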
@@ -143,7 +143,7 @@ jobs: webhook-type: webhook-trigger payload: | status: "${{ job.status }}" - link: "${{ github.event.pull_request.html_url }}" - Author: "${{ github.event.pull_request.user.login }}" - title: "${{ github.event.pull_request.title }}" + link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}" + Author: "${{ github.actor }}" + title: "Pushed to main" version: "${{ needs.metadata.outputs.version }}"
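Review bot: The new `link` hard-codes `https://github.com`, so the notification points at the wrong host on a GitHub Enterprise Server instance; build it from the run context, `link: "${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}"`. `github.actor` on a push event is the account that pushed or merged, which can differ from the author of the commit, so either rename the key to reflect that (`triggered_by`) or say so in the message; `Author` is also the only capitalised key in the payload, so `author` would match the rest. `title: "Pushed to main"` is a constant, which is reasonable here — commit messages are free text and should not be expanded inline into the payload either. The enclosing step starts outside the hunk, and its name `Notify Slack on PR merge` no longer matches the push trigger.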