Pull Request Deploy #245

Workflow file for this run

.github/workflows/pull-request-deploy.yaml at a9b0ae5

	name: Pull Request Deploy
	on:
	workflow_dispatch:
	inputs:
	pr-number:
	description: "Pull Request Number:"
	type: string
	required: true
	namespace:
	description: "Deploy To:"
	type: choice
	required: true
	options:
	- The Q Dev
	- QMS Dev
	- The Q Test

	jobs:

	##### SETUP ##################################################################

	parse-inputs:
	name: refs/pull/${{ github.event.inputs.pr-number }}/head to ${{ github.event.inputs.namespace }}
	runs-on: ubuntu-latest
	outputs:
	environment: ${{ steps.parse.outputs.environment }}
	image-tag: ${{ steps.parse.outputs.image-tag }}
	push-qms: ${{ steps.parse.outputs.push-qms }}
	push-theq: ${{ steps.parse.outputs.push-theq }}
	ref: ${{ steps.parse.outputs.ref }}

	steps:
	# Use the input values to create more coding-friendly values.
	- name: Parse Inputs
	id: parse
	run: \|
	# Gets "dev" or "test".
	ENVIRONMENT=$(echo ${{ github.event.inputs.namespace }} \| \
	awk -F' ' '{print $NF}' \| tr '[:upper:]' '[:lower:]')
	echo ENVIRONMENT:$ENVIRONMENT
	echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT

	IMAGE_TAG=pr${{ github.event.inputs.pr-number }}
	echo IMAGE_TAG:$IMAGE_TAG
	echo "image-tag=$IMAGE_TAG" >> $GITHUB_OUTPUT

	if [ $GITHUB_REPOSITORY_OWNER != "bcgov" ]; then
	# Never push in forks - useful and safer for development.
	PUSH_QMS=false
	PUSH_THEQ=false
	elif [[ "${{ github.event.inputs.namespace }}" == QMS* ]]; then
	PUSH_QMS=true
	PUSH_THEQ=false
	else
	PUSH_QMS=false
	PUSH_THEQ=true
	fi

	echo PUSH_QMS:$PUSH_QMS
	echo "push-qms=$PUSH_QMS" >> $GITHUB_OUTPUT

	echo PUSH_THEQ:$PUSH_THEQ
	echo "push-theq=$PUSH_THEQ" >> $GITHUB_OUTPUT

	REF=refs/pull/${{ github.event.inputs.pr-number }}/head
	echo REF:$REF
	echo "ref=$REF" >> $GITHUB_OUTPUT

	##### TEST ###################################################################

	appointment-frontend-cypress:
	name: Appointment Frontend Cypress
	needs: parse-inputs
	uses: ./.github/workflows/tyu-reusable-appointment-frontend-cypress.yaml
	secrets:
	bceid-endpoint: ${{ secrets.CYPRESS_BCEID_ENDPOINT }}
	bceid-password: ${{ secrets.CYPRESS_BCEID_PASSWORD }}
	bceid-username: ${{ secrets.CYPRESS_BCEID_USERNAME }}
	cypress-project-id: ${{ secrets.CYPRESS_PROJECT_ID }}
	cypress-record-key: ${{ secrets.CYPRESS_RECORD_KEY }}
	keycloak-auth-url: ${{ secrets.KEYCLOAK_AUTH_URL_DEV }}/auth/
	keycloak-client: ${{ secrets.KEYCLOAK_APPOINTMENTS_FRONTEND_CLIENT }}
	keycloak-realm: ${{ secrets.KEYCLOAK_REALM }}
	with:
	ref: ${{ needs.parse-inputs.outputs.ref }}

	##### BUILD ##################################################################

	appointment-frontend:
	name: appointment-frontend
	needs: [parse-inputs, appointment-frontend-cypress]
	uses: ./.github/workflows/reusable-build-dockerfile.yaml
	secrets:
	artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
	artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
	artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }}
	namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
	namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
	namespace-theq-username: ${{ secrets.SA_USERNAME }}
	namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
	namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
	namespace-qms-username: ${{ secrets.SA_USERNAME }}
	openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
	with:
	ref: ${{ needs.parse-inputs.outputs.ref }}
	directory: appointment-frontend
	image-name: appointment-nginx-frontend
	image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
	push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
	push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}

	feedback-api:
	name: feedback-api
	needs: [parse-inputs, appointment-frontend-cypress]
	uses: ./.github/workflows/reusable-build-s2i.yaml
	secrets:
	namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
	namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
	namespace-theq-username: ${{ secrets.SA_USERNAME }}
	namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
	namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
	namespace-qms-username: ${{ secrets.SA_USERNAME }}
	openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
	with:
	ref: ${{ needs.parse-inputs.outputs.ref }}
	directory: feedback-api
	image-name: feedback-api
	image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
	push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
	push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}

	notifications-api:
	name: notifications-api
	needs: [parse-inputs, appointment-frontend-cypress]
	uses: ./.github/workflows/reusable-build-s2i.yaml
	secrets:
	namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
	namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
	namespace-theq-username: ${{ secrets.SA_USERNAME }}
	namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
	namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
	namespace-qms-username: ${{ secrets.SA_USERNAME }}
	openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
	with:
	ref: ${{ needs.parse-inputs.outputs.ref }}
	directory: notifications-api
	image-name: notifications-api
	image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
	push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
	push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}

	queue-management-api:
	name: queue-management-api
	needs: [parse-inputs, appointment-frontend-cypress]
	uses: ./.github/workflows/reusable-build-s2i.yaml
	secrets:
	artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
	artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
	artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }}
	namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
	namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
	namespace-theq-username: ${{ secrets.SA_USERNAME }}
	namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
	namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
	namespace-qms-username: ${{ secrets.SA_USERNAME }}
	openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
	with:
	ref: ${{ needs.parse-inputs.outputs.ref }}
	directory: api
	image-name: queue-management-api
	image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
	push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
	push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}

	queue-management-frontend:
	name: queue-management-frontend
	needs: [parse-inputs, appointment-frontend-cypress]
	uses: ./.github/workflows/reusable-build-dockerfile.yaml
	secrets:
	artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
	artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
	artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }}
	namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
	namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
	namespace-theq-username: ${{ secrets.SA_USERNAME }}
	namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
	namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
	namespace-qms-username: ${{ secrets.SA_USERNAME }}
	openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
	with:
	ref: ${{ needs.parse-inputs.outputs.ref }}
	directory: frontend
	image-name: queue-management-nginx-frontend
	image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
	push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
	push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}

	send-appointment-reminder-crond:
	name: send-appointment-reminder-crond
	needs: [parse-inputs, appointment-frontend-cypress]
	uses: ./.github/workflows/reusable-build-dockerfile.yaml
	secrets:
	artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
	artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
	artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }}
	namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
	namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
	namespace-theq-username: ${{ secrets.SA_USERNAME }}
	namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
	namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
	namespace-qms-username: ${{ secrets.SA_USERNAME }}
	openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
	with:
	ref: ${{ needs.parse-inputs.outputs.ref }}
	directory: jobs/appointment_reminder
	image-name: send-appointment-reminder-crond
	image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
	push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
	push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}

	##### DEPLOY #################################################################

	tag:
	name: Tag
	if: github.repository_owner == 'bcgov'
	needs: [parse-inputs, appointment-frontend, feedback-api, notifications-api, queue-management-api, queue-management-frontend, send-appointment-reminder-crond]
	uses: ./.github/workflows/reusable-tag-image.yaml
	secrets:
	licence-plate: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.LICENCE_PLATE_QMS \|\| secrets.LICENCE_PLATE_THEQ }}
	openshift-api: ${{ secrets.OPENSHIFT_API }}
	token: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.SA_PASSWORD_QMS_TOOLS \|\| secrets.SA_PASSWORD_THEQ_TOOLS }}
	with:
	image-names: appointment-nginx-frontend feedback-api notifications-api queue-management-api queue-management-nginx-frontend send-appointment-reminder-crond
	tag-from: ${{ needs.parse-inputs.outputs.image-tag }}
	tag-to: ${{ needs.parse-inputs.outputs.environment }}

	wait-for-rollouts:
	name: Wait for Rollouts
	if: github.repository_owner == 'bcgov'
	needs: [parse-inputs, tag]
	uses: ./.github/workflows/reusable-wait-for-rollouts.yaml
	secrets:
	licence-plate: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.LICENCE_PLATE_QMS \|\| secrets.LICENCE_PLATE_THEQ }}
	openshift-api: ${{ secrets.OPENSHIFT_API }}
	token: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.SA_PASSWORD_QMS_DEV \|\| ( needs.parse-inputs.outputs.environment == 'dev' && secrets.SA_PASSWORD_THEQ_DEV \|\| secrets.SA_PASSWORD_THEQ_TEST ) }}
	with:
	image-names: appointment-nginx-frontend feedback-api notifications-api queue-management-api queue-management-nginx-frontend send-appointment-reminder-crond-${{ needs.parse-inputs.outputs.environment }}
	tag-to: ${{ needs.parse-inputs.outputs.environment }}

	##### TEST ###################################################################

	# Only run Newman for The Q dev - other environments will fail due to data.
	newman-theq-dev:
	name: Newman Tests
	if: github.event.inputs.namespace == 'The Q Dev'
	needs: [parse-inputs, wait-for-rollouts]
	runs-on: ubuntu-latest

	steps:
	- name: Check out
	uses: actions/checkout@v2

	- name: NPM Install
	run: \|
	cd api/postman
	npm install newman

	- name: Run Newman Tests
	run: \|
	cd api/postman
	node_modules/newman/bin/newman.js run API_Test_TheQ_Booking.json \
	-e postman_env.json \
	--delay-request 250 \
	--global-var 'auth_url=${{ vars.POSTMAN_AUTH_URL_DEV }}' \
	--global-var 'client_secret=${{ secrets.POSTMAN_CLIENT_SECRET_DEV }}' \
	--global-var 'clientid=${{ vars.POSTMAN_CLIENTID_DEV }}' \
	--global-var 'password=${{ secrets.POSTMAN_PASSWORD }}' \
	--global-var 'password_nonqtxn=${{ secrets.POSTMAN_PASSWORD_NONQTXN }}' \
	--global-var 'public_url=${{ vars.POSTMAN_PUBLIC_API_URL_THEQ_DEV }}' \
	--global-var 'public_user_id=${{ vars.POSTMAN_PUBLIC_USERID }}' \
	--global-var 'public_user_password=${{ secrets.POSTMAN_PASSWORD_PUBLIC_USER }}' \
	--global-var 'realm=${{ vars.POSTMAN_REALM }}' \
	--global-var 'url=${{ vars.POSTMAN_API_URL_THEQ_DEV }}' \
	--global-var 'userid=${{ vars.POSTMAN_USERID }}' \
	--global-var 'userid_nonqtxn=${{ vars.POSTMAN_USERID_NONQTXN }}'

	owasp-staff:
	name: OWASP ZAP Scan of Staff Frontend
	needs: [parse-inputs, wait-for-rollouts]
	runs-on: ubuntu-latest

	steps:
	- name: Get Parameters
	run: \|
	if [ ${{ needs.parse-inputs.outputs.push-qms }} == true ]; then
	echo "ZAP_URL=${{ secrets.ZAP_STAFFURL_QMS_DEV }}" >> $GITHUB_ENV
	elif [ ${{ needs.parse-inputs.outputs.environment }} == dev ]; then
	echo "ZAP_URL=${{ secrets.ZAP_STAFFURL_THEQ_DEV }}" >> $GITHUB_ENV
	else
	echo "ZAP_URL=${{ secrets.ZAP_STAFFURL_THEQ_TEST }}" >> $GITHUB_ENV
	fi

	- name: OWASP ZAP Scan
	uses: zaproxy/[email protected]
	with:
	allow_issue_writing: false
	cmd_options: '-z "-config scanner.threadPerHost=20"'
	target: ${{ env.ZAP_URL }}

	- name: Upload Report as Artifact
	uses: actions/upload-artifact@v3
	with:
	name: OWASP ZAP - Staff Front End Report
	path: report_html.html

	owasp-appointment:
	name: OWASP ZAP Scan of Appointment Frontend
	needs: [parse-inputs, wait-for-rollouts]
	runs-on: ubuntu-latest

	steps:
	- name: Get Parameters
	run: \|
	if [ ${{ needs.parse-inputs.outputs.push-qms }} == true ]; then
	echo "ZAP_URL=${{ secrets.ZAP_APPTMNTURL_QMS_DEV }}" >> $GITHUB_ENV
	elif [ ${{ needs.parse-inputs.outputs.environment }} == dev ]; then
	echo "ZAP_URL=${{ secrets.ZAP_APPTMNTURL_THEQ_DEV }}" >> $GITHUB_ENV
	else
	echo "ZAP_URL=${{ secrets.ZAP_APPTMNTURL_THEQ_TEST }}" >> $GITHUB_ENV
	fi

	- name: OWASP ZAP Scan
	uses: zaproxy/[email protected]
	with:
	allow_issue_writing: false
	cmd_options: '-z "-config scanner.threadPerHost=20"'
	target: ${{ env.ZAP_URL }}

	- name: Upload Report as Artifact
	uses: actions/upload-artifact@v3
	with:
	name: OWASP ZAP - Appointment Front End Report
	path: report_html.html

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pull Request Deploy #245

Workflow file

Pull Request Deploy #245

Jobs

Run details

Workflow file for this run