update macfc security hub github action #11189
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy | |
on: | |
push: | |
branches: | |
- "*" | |
- "!skipci*" | |
concurrency: | |
group: ${{ github.ref_name }} | |
permissions: | |
id-token: write | |
contents: read | |
actions: read | |
jobs: | |
unit-tests: | |
name: Unit Tests | |
uses: ./.github/workflows/unittest-workflow.yml | |
secrets: | |
CODE_CLIMATE_ID: ${{ secrets.CODE_CLIMATE_ID }} | |
deploy: | |
runs-on: ubuntu-latest | |
env: | |
SLS_DEPRECATION_DISABLE: "*" # Turn off deprecation warnings in the pipeline | |
steps: | |
- uses: actions/checkout@v4 | |
- name: set branch_name # Some integrations (Snyk) build very long branch names. This is a switch to make long branch names shorter. | |
run: | | |
BRANCH_NAME=$(./.github/setBranchName.sh ${{ github.ref_name }}) | |
echo "branch_name=${BRANCH_NAME}" >> $GITHUB_ENV | |
- name: Validate branch name | |
run: ./.github/branchNameValidation.sh $STAGE_PREFIX$branch_name | |
- name: set branch specific variable names | |
run: ./.github/build_vars.sh set_names | |
- name: set variable values | |
run: ./.github/build_vars.sh set_values | |
env: | |
AWS_DEFAULT_REGION: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }} | |
AWS_OIDC_ROLE_TO_ASSUME: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
STAGE_PREFIX: ${{ secrets.STAGE_PREFIX }} | |
CODE_CLIMATE_ID: ${{ secrets.CODE_CLIMATE_ID }} | |
- name: Configure AWS credentials for GitHub Actions | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ env.AWS_OIDC_ROLE_TO_ASSUME }} | |
aws-region: ${{ env.AWS_DEFAULT_REGION }} | |
- uses: actions/setup-node@v4 | |
with: | |
node-version-file: ".nvmrc" | |
- uses: actions/cache@v4 | |
with: | |
path: "**/node_modules" | |
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock', 'plugins/**') }} | |
- name: set path | |
run: | | |
echo "PATH=$(pwd)/node_modules/.bin/:$PATH" >> $GITHUB_ENV | |
- name: deploy | |
run: | | |
# When deploying multiple copies of this quickstart to the same AWS Account (not ideal), a prefix helps prevent stepping on each other. | |
# This can optionally be set as an GitHub Actions Secret | |
./run deploy --stage $STAGE_PREFIX$branch_name | |
- name: Endpoint | |
id: endpoint | |
run: | | |
APPLICATION_ENDPOINT=$(./output.sh ui ApplicationEndpointUrl $STAGE_PREFIX$branch_name) | |
echo "application_endpoint=$APPLICATION_ENDPOINT" >> $GITHUB_OUTPUT | |
echo "## Application Endpoint" >> $GITHUB_STEP_SUMMARY | |
echo "<$APPLICATION_ENDPOINT>" >> $GITHUB_STEP_SUMMARY | |
working-directory: services | |
outputs: | |
application_endpoint: ${{ steps.endpoint.outputs.application_endpoint}} | |
BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION: ${{ steps.set_names.outputs.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION }} | |
BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME: ${{ steps.set_names.outputs.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME }} | |
register-runner: | |
name: Register GitHub Runner | |
if: ${{ github.ref_name != 'master' && github.ref_name != 'val' && github.ref_name != 'production' }} | |
runs-on: ubuntu-latest | |
needs: deploy | |
env: | |
SLS_DEPRECATION_DISABLE: "*" # Turn off deprecation warnings in the pipeline | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: set branch_name | |
run: | | |
BRANCH_NAME=$(./.github/setBranchName.sh ${{ github.ref_name }}) | |
echo "branch_name=${BRANCH_NAME}" >> $GITHUB_ENV | |
- name: set branch specific variable names | |
id: set_names | |
run: ./.github/build_vars.sh set_names | |
- name: set variable values | |
id: set_values | |
run: ./.github/build_vars.sh set_values | |
env: | |
AWS_DEFAULT_REGION: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }} | |
AWS_OIDC_ROLE_TO_ASSUME: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
STAGE_PREFIX: ${{ secrets.STAGE_PREFIX }} | |
- name: Configure AWS credentials for GitHub Actions | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
aws-region: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }} | |
- name: output account id | |
id: output_account_id | |
run: | | |
#!/bin/bash | |
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) | |
echo "Current Account ID: ${AWS_ACCOUNT_ID}" | |
- name: Get Github Actions CIDR Blocks | |
id: get-gha-cidrs | |
shell: bash | |
run: | | |
#!/bin/bash | |
GHA_RESP=$(curl --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' https://api.github.com/meta) | |
echo "Response for GHA runner CIDR blocks: $GHA_RESP" | |
IPV4_CIDR_ARR=($(echo $GHA_RESP | jq -r '.actions | .[]' | grep -v ':')) | |
GHA_CIDRS_IPV4=$(echo $(IFS=" "; echo ${IPV4_CIDR_ARR[*]})) | |
echo "GHA_CIDRS_IPV4=$GHA_CIDRS_IPV4" >> $GITHUB_OUTPUT | |
- name: Generate IP Set Name | |
id: gen-ip-set-name | |
run: | | |
#!/bin/bash | |
STAGE_GH_IPSET_NAME=$STAGE_PREFIX$branch_name-gh-ipset | |
echo "Github IP Set name: $STAGE_GH_IPSET_NAME" | |
echo "STAGE_GH_IPSET_NAME=$STAGE_GH_IPSET_NAME" >> $GITHUB_OUTPUT | |
- name: Fetch AWS IP Set Metadata | |
id: fetch-ip-set-info | |
run: | | |
#!/bin/bash | |
# Fetch AWS IP set ARNs using AWS CLI and store them in a variable | |
AWS_IP_SET_INFO=$(aws wafv2 list-ip-sets --scope=CLOUDFRONT) | |
echo "Outputting AWS IP Set Info: ${AWS_IP_SET_INFO}" | |
# Store the IP set ARNs in an output variable using GITHUB_OUTPUT | |
IPSET_NAME=${{ steps.gen-ip-set-name.outputs.STAGE_GH_IPSET_NAME }} | |
IPSET=$(jq '.IPSets | map(select(.Name == "'${IPSET_NAME}'")) | .[]' <<< ${AWS_IP_SET_INFO}) | |
[ -z "$IPSET" ] && echo "IP Set with name ${IPSET_NAME} was not located. Exiting..." && exit 1 | |
echo "IP Set metadata: ${IPSET}" | |
#Get Values from the IP SET | |
IPSET_ID=$(jq -r '.Id' <<< ${IPSET}) | |
echo "IPSET_ARN=$IPSET_ARN" >> $GITHUB_OUTPUT | |
echo "IPSET_NAME=$IPSET_NAME" >> $GITHUB_OUTPUT | |
echo "IPSET_ID=$IPSET_ID" >> $GITHUB_OUTPUT | |
- name: Update IP Set | |
id: update-ip-set | |
run: ./.github/waf-controller.sh set ${{ steps.fetch-ip-set-info.outputs.IPSET_NAME }} ${{ steps.fetch-ip-set-info.outputs.IPSET_ID }} ${{ steps.get-gha-cidrs.outputs.GHA_CIDRS_IPV4 }} | |
env: | |
AWS_RETRY_MODE: adaptive | |
AWS_MAX_ATTEMPTS: 10 | |
outputs: | |
ipset_name: ${{ steps.fetch-ip-set-info.outputs.IPSET_NAME }} | |
ipset_id: ${{ steps.fetch-ip-set-info.outputs.IPSET_ID }} | |
e2e-tests-init: | |
name: Initialize End To End Tests | |
if: ${{ always() && !cancelled() && needs.deploy.result == 'success' && github.ref_name != 'master' && github.ref_name != 'val' && github.ref_name != 'prod' }} | |
needs: | |
- deploy | |
- register-runner | |
runs-on: ubuntu-latest | |
steps: | |
- name: Verify Endpoint | |
if: ${{ needs.deploy.outputs.application_endpoint == ''}} | |
run: | | |
echo "No endpoint set, Check if the deploy workflow was successful." | |
exit 1 | |
- uses: actions/checkout@v4 | |
- name: set branch_name | |
run: | | |
BRANCH_NAME=$(./.github/setBranchName.sh ${{ github.ref_name }}) | |
echo "branch_name=${BRANCH_NAME}" >> $GITHUB_ENV | |
- name: set branch specific variable names | |
id: set_names | |
run: ./.github/build_vars.sh set_names | |
- name: set variable values | |
id: set_values | |
run: ./.github/build_vars.sh set_values | |
env: | |
AWS_DEFAULT_REGION: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }} | |
AWS_OIDC_ROLE_TO_ASSUME: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
INFRASTRUCTURE_TYPE: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_INFRASTRUCTURE_TYPE] || secrets.INFRASTRUCTURE_TYPE || 'development' }} | |
STAGE_PREFIX: ${{ secrets.STAGE_PREFIX }} | |
COGNITO_TEST_USERS_PASSWORD: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_COGNITO_TEST_USERS_PASSWORD] || secrets.COGNITO_TEST_USERS_PASSWORD }} | |
- uses: actions/setup-node@v4 | |
with: | |
node-version-file: ".nvmrc" | |
- name: Combine yarn.lock files to single file | |
run: find services -maxdepth 3 -name yarn.lock | xargs cat yarn.lock > combined-yarn.txt | |
- name: cache service dependencies | |
uses: actions/cache@v4 | |
with: | |
path: | | |
services/app-api/node_modules | |
services/uploads/node_modules | |
services/ui/node_modules | |
services/ui-auth/node_modules | |
services/ui-src/node_modules | |
node_modules | |
key: ${{ runner.os }}-${{ hashFiles('combined-yarn.txt') }} | |
- name: Configure AWS credentials for GitHub Actions | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ env.AWS_OIDC_ROLE_TO_ASSUME }} | |
aws-region: ${{ env.AWS_DEFAULT_REGION }} | |
- name: Install dependencies | |
run: yarn install --frozen-lockfile | |
- name: set path | |
run: | | |
echo "PATH=$(pwd)/node_modules/.bin/:$PATH" >> $GITHUB_ENV | |
outputs: | |
application_endpoint: ${{ needs.deploy.outputs.application_endpoint }} | |
e2e-tests: | |
name: "Run End To End Tests" | |
uses: ./.github/workflows/cypress-workflow.yml | |
needs: | |
- e2e-tests-init | |
with: | |
test-path: "e2e" | |
test-endpoint: "${{ needs.e2e-tests-init.outputs.application_endpoint }}" | |
secrets: | |
cypress-user2: ${{ secrets.CYPRESS_STATE_USER_2 }} | |
cypress-user4: ${{ secrets.CYPRESS_STATE_USER_4 }} | |
cypress-admin-user: ${{ secrets.CYPRESS_ADMIN_USER }} | |
cypress-password: ${{ secrets.CYPRESS_QMR_PASSWORD }} | |
cleanup: | |
name: Delist GHA Runner CIDR Blocks | |
if: ${{ github.ref_name != 'master' && github.ref_name != 'val' && github.ref_name != 'prod' }} | |
runs-on: ubuntu-latest | |
needs: | |
- deploy | |
- e2e-tests-init | |
- e2e-tests | |
- register-runner | |
env: | |
SLS_DEPRECATION_DISABLE: "*" # Turn off deprecation warnings in the pipeline | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Configure AWS credentials for GitHub Actions | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
aws-region: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }} | |
- name: clean-up-iplist | |
id: reset-ip-set | |
run: ./.github/waf-controller.sh set ${{ needs.register-runner.outputs.ipset_name }} ${{ needs.register-runner.outputs.ipset_id }} '[]' | |
env: | |
AWS_RETRY_MODE: adaptive | |
AWS_MAX_ATTEMPTS: 10 |