Skip to content

fix: add permissions and secrets for prep rollback #1546

fix: add permissions and secrets for prep rollback

fix: add permissions and secrets for prep rollback #1546

Workflow file for this run

name: CI
on:
pull_request:
permissions:
contents: read
jobs:
security-app:
name: Security
uses: ./.github/workflows/security-app.yaml
permissions:
contents: read
security-events: write
secrets: inherit
security-docker:
name: Security
uses: ./.github/workflows/security-docker.yaml
permissions:
contents: read
security-events: write
security-terraform:
name: Security
uses: ./.github/workflows/security-terraform.yaml
permissions:
contents: read
security-events: write
orchestrator:
name: Orchestrator
runs-on: ubuntu-latest
outputs:
# Docs
should-build-docs: ${{ steps.changed-website-files.outputs.any_modified == 'true' || null }}
# App
should-build-app: ${{ steps.changed-app-files.outputs.any_modified == 'true' || null }}
should-build-api: ${{ contains(steps.changed-app-files.outputs.all_modified_files, 'app/api') || null }}
should-build-selfserve: ${{ contains(steps.changed-app-files.outputs.all_modified_files, 'app/selfserve') || null }}
should-build-internal: ${{ contains(steps.changed-app-files.outputs.all_modified_files, 'app/internal') || null }}
# Assets
should-build-assets: ${{ steps.changed-asset-files.outputs.any_modified == 'true' || null }}
# Docker
should-build-docker: ${{ steps.changed-docker-files.outputs.any_modified == 'true' || null }}
should-build-api-docker: ${{ contains(steps.changed-docker-files.outputs.all_modified_files, 'infra/docker/api') || null }}
should-build-cli-docker: ${{ contains(steps.changed-docker-files.outputs.all_modified_files, 'infra/docker/cli') || null }}
should-build-selfserve-docker: ${{ contains(steps.changed-docker-files.outputs.all_modified_files, 'infra/docker/selfserve') || null }}
should-build-internal-docker: ${{ contains(steps.changed-docker-files.outputs.all_modified_files, 'infra/docker/internal') || null }}
should-build-search-docker: ${{ contains(steps.changed-docker-files.outputs.all_modified_files, 'infra/docker/search') || null }}
# Terraform accounts
should-plan-terraform-accounts: ${{ steps.changed-accounts-terraform-files.outputs.any_modified == 'true' || null }}
should-plan-nonprod-account-terraform: ${{ contains(steps.changed-accounts-terraform-files.outputs.all_modified_files, 'infra/terraform/modules') || contains(steps.changed-accounts-terraform-files.outputs.all_modified_files, 'infra/terraform/accounts/nonprod') || null }}
should-plan-prod-account-terraform: ${{ contains(steps.changed-accounts-terraform-files.outputs.all_modified_files, 'infra/terraform/modules') || contains(steps.changed-accounts-terraform-files.outputs.all_modified_files, 'infra/terraform/accounts/prod') || null }}
# Terraform environments
should-plan-terraform-environments: ${{ steps.changed-environments-terraform-files.outputs.any_modified == 'true' || null }}
should-plan-dev-environment-terraform: ${{ contains(steps.changed-environments-terraform-files.outputs.all_modified_files, 'infra/terraform/modules') || contains(steps.changed-environments-terraform-files.outputs.all_modified_files, 'infra/terraform/environments/dev') || null }}
should-plan-int-environment-terraform: ${{ contains(steps.changed-environments-terraform-files.outputs.all_modified_files, 'infra/terraform/modules') || contains(steps.changed-environments-terraform-files.outputs.all_modified_files, 'infra/terraform/environments/int') || null }}
should-plan-prep-environment-terraform: ${{ contains(steps.changed-environments-terraform-files.outputs.all_modified_files, 'infra/terraform/modules') || contains(steps.changed-environments-terraform-files.outputs.all_modified_files, 'infra/terraform/environments/prep') || null }}
should-plan-prod-environment-terraform: ${{ contains(steps.changed-environments-terraform-files.outputs.all_modified_files, 'infra/terraform/modules') || contains(steps.changed-environments-terraform-files.outputs.all_modified_files, 'infra/terraform/environments/prod') || null }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: tj-actions/changed-files@v45
id: changed-app-files
with:
dir_names: true
files: |
app/api/**
app/selfserve/**
app/internal/**
# since_last_remote_commit: true
- uses: tj-actions/changed-files@v45
id: changed-asset-files
with:
dir_names: true
files: |
app/cdn/**
# since_last_remote_commit: true
- uses: tj-actions/changed-files@v45
id: changed-docker-files
with:
dir_names: true
files: |
infra/docker/**
files_ignore: |
infra/docker/liquibase/**
# since_last_remote_commit: true
- uses: tj-actions/changed-files@v45
id: changed-accounts-terraform-files
with:
dir_names: true
files: |
infra/terraform/accounts/**
infra/terraform/modules/**
files_ignore: |
infra/terraform/modules/service/**
# since_last_remote_commit: true
- uses: tj-actions/changed-files@v45
id: changed-environments-terraform-files
with:
dir_names: true
files: |
infra/terraform/environments/{dev,int,prep,prod}/**
infra/terraform/modules/**
files_ignore: |
infra/terraform/modules/account/**
infra/terraform/modules/github/**
infra/terraform/modules/remote-state/**
# since_last_remote_commit: true
- uses: tj-actions/changed-files@v45
id: changed-website-files
with:
files: |
website/**
docs/**
since_last_remote_commit: true
docs:
name: Documentation
if: ${{ needs.orchestrator.outputs.should-build-docs }}
needs:
- orchestrator
uses: ./.github/workflows/deploy-documentation.yaml
with:
deploy: false
permissions:
contents: read
pages: write
id-token: write
get-version:
name: Get latest app versions
if: ${{ needs.orchestrator.outputs.should-build-assets || needs.orchestrator.outputs.should-build-app || needs.orchestrator.outputs.should-build-docker || needs.orchestrator.outputs.should-plan-terraform-environments }}
needs:
- orchestrator
runs-on: ubuntu-latest
outputs:
api: ${{ steps.api-version.outputs.version }}
cli: ${{ steps.cli-version.outputs.version }}
selfserve: ${{ steps.selfserve-version.outputs.version }}
internal: ${{ steps.internal-version.outputs.version }}
assets: ${{ steps.assets-version.outputs.version }}
search: ${{ steps.search-version.outputs.version }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
- id: api-version
uses: dvsa/.github/.github/actions/get-vol-app-version@v5.0.3
with:
project-path: app/api infra/docker/api
- id: cli-version
uses: dvsa/.github/.github/actions/get-vol-app-version@v5.0.3
with:
project-path: app/api infra/docker/cli
- id: selfserve-version
uses: dvsa/.github/.github/actions/get-vol-app-version@v5.0.3
with:
project-path: app/selfserve infra/docker/selfserve
- id: internal-version
uses: dvsa/.github/.github/actions/get-vol-app-version@v5.0.3
with:
project-path: app/internal infra/docker/internal
- id: assets-version
uses: dvsa/.github/.github/actions/get-vol-app-version@v5.0.3
with:
project-path: app/cdn
- id: search-version
uses: dvsa/.github/.github/actions/get-vol-app-version@v5.0.3
with:
project-path: infra/docker/search
- name: Add to summary
run: |
echo "#### App versions:" >> $GITHUB_STEP_SUMMARY
echo "**API**: \`${{ steps.api-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
echo "**Selfserve**: \`${{ steps.selfserve-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
echo "**Internal**: \`${{ steps.internal-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
echo "**Assets**: \`${{ steps.assets-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
echo "**Search**: \`${{ steps.search-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
cdn:
name: CDN
if: ${{ needs.orchestrator.outputs.should-build-assets }}
concurrency:
group: assets-nonprod
needs:
- orchestrator
- get-version
uses: ./.github/workflows/assets.yaml
with:
version: ${{ needs.get-version.outputs.assets }}
account: nonprod
permissions:
contents: read
id-token: write
app:
name: App
if: >
needs.orchestrator.outputs.should-build-app ||
needs.orchestrator.outputs.should-build-api-docker ||
needs.orchestrator.outputs.should-build-selfserve-docker ||
needs.orchestrator.outputs.should-build-internal-docker
concurrency:
group: app-${{ matrix.project }}-${{ needs.get-version.outputs[matrix.project] }}
needs:
- orchestrator
- get-version
strategy:
fail-fast: false
matrix:
project:
- api
- selfserve
- internal
exclude:
- project: ${{ (needs.orchestrator.outputs.should-build-api || needs.orchestrator.outputs.should-build-api-docker || needs.orchestrator.outputs.should-build-cli-docker) && 'ignored' || 'api' }}
- project: ${{ (needs.orchestrator.outputs.should-build-selfserve || needs.orchestrator.outputs.should-build-selfserve-docker) && 'ignored' || 'selfserve' }}
- project: ${{ (needs.orchestrator.outputs.should-build-internal || needs.orchestrator.outputs.should-build-internal-docker) && 'ignored' || 'internal' }}
uses: ./.github/workflows/php.yaml
with:
project: ${{ matrix.project }}
should-upload-artefact: ${{ !!(needs.orchestrator.outputs[format('should-build-{0}-docker', matrix.project)] || (matrix.project == 'api' && needs.orchestrator.outputs.should-build-cli-docker)) }}
artefact-name: ${{ matrix.project}}
retention-days: 1
permissions:
contents: read
docker:
name: Docker
if: >
always() &&
!cancelled() &&
needs.orchestrator.outputs.should-build-docker &&
needs.security-app.result != 'failure' &&
needs.security-terraform.result != 'failure' &&
needs.orchestrator.result != 'failure' &&
needs.docs.result != 'failure' &&
needs.cdn.result != 'failure' &&
needs.app.result != 'failure' &&
needs.get-version.result != 'failure'
concurrency:
group: docker-${{ matrix.project }}-${{ needs.get-version.outputs[matrix.project] }}
needs:
- security-app
- security-terraform
- orchestrator
- docs
- cdn
- app
- get-version
strategy:
fail-fast: false
matrix:
project:
- api
- cli
- selfserve
- internal
- search
exclude:
- project: ${{ needs.orchestrator.outputs.should-build-api-docker && 'ignored' || 'api' }}
- project: ${{ needs.orchestrator.outputs.should-build-cli-docker && 'ignored' || 'cli' }}
- project: ${{ needs.orchestrator.outputs.should-build-selfserve-docker && 'ignored' || 'selfserve' }}
- project: ${{ needs.orchestrator.outputs.should-build-internal-docker && 'ignored' || 'internal' }}
- project: ${{ needs.orchestrator.outputs.should-build-search-docker && 'ignored' || 'search' }}
uses: ./.github/workflows/docker.yaml
with:
project: ${{ matrix.project }}
version: ${{ needs.get-version.outputs[matrix.project] }}
app-artefact-name: ${{ matrix.project == 'cli' && 'api' || matrix.project }}
push: false
permissions:
contents: read
id-token: write
terraform-lint:
name: Lint Terraform
if: ${{ needs.orchestrator.outputs.should-plan-terraform-accounts || needs.orchestrator.outputs.should-plan-terraform-environments }}
needs:
- orchestrator
runs-on: ubuntu-latest
defaults:
run:
working-directory: infra/terraform
steps:
- uses: actions/checkout@v4
with:
sparse-checkout: infra/terraform
- run: terraform fmt -check -no-color -recursive
- uses: actions/cache@v4
name: Cache plugin dir
with:
path: ~/.tflint.d/plugins
key: tflint-${{ hashFiles('infra/terraform/.tflint.hcl') }}
- uses: terraform-linters/setup-tflint@v4
- run: tflint --init --recursive --config=$(realpath .tflint.hcl)
- run: tflint --recursive --config=$(realpath .tflint.hcl) -f compact
terraform-account:
name: Terraform Account
if: ${{ needs.orchestrator.outputs.should-plan-terraform-accounts }}
concurrency:
group: terraform-account-${{ matrix.account }}
needs:
- orchestrator
strategy:
fail-fast: false
matrix:
account:
- nonprod
- prod
exclude:
- account: ${{ needs.orchestrator.outputs.should-plan-nonprod-account-terraform && 'ignored' || 'nonprod' }}
- account: ${{ needs.orchestrator.outputs.should-plan-prod-account-terraform && 'ignored' || 'prod' }}
uses: ./.github/workflows/deploy-account.yaml
with:
account: ${{ matrix.account }}
permissions:
contents: read
id-token: write
pull-requests: write
secrets: inherit
terraform-env:
name: Terraform Environment
if: ${{ needs.orchestrator.outputs.should-plan-terraform-environments }}
concurrency:
group: terraform-environment-${{ matrix.environment }}
needs:
- get-version
- orchestrator
strategy:
fail-fast: false
matrix:
environment:
- dev
- int
- prep
#- prod
exclude:
- environment: ${{ needs.orchestrator.outputs.should-plan-dev-environment-terraform && 'ignored' || 'dev' }}
- environment: ${{ needs.orchestrator.outputs.should-plan-int-environment-terraform && 'ignored' || 'int' }}
- environment: ${{ needs.orchestrator.outputs.should-plan-prep-environment-terraform && 'ignored' || 'prep' }}
- environment: ${{ needs.orchestrator.outputs.should-plan-prod-environment-terraform && 'ignored' || 'prod' }}
uses: ./.github/workflows/deploy-environment.yaml
with:
environment: ${{ matrix.environment }}
api-image-tag: ${{ needs.get-version.outputs.api }}
cli-image-tag: ${{ needs.get-version.outputs.cli }}
selfserve-image-tag: ${{ needs.get-version.outputs.selfserve }}
internal-image-tag: ${{ needs.get-version.outputs.internal }}
assets-version: ${{ needs.get-version.outputs.assets }}
search-image-tag: ${{ needs.get-version.outputs.search }}
permissions:
contents: read
id-token: write
pull-requests: write
secrets: inherit