Skip to content

Github actions WIF #5651

Github actions WIF

Github actions WIF #5651

name: Build and deploy to AKS cluster
on:
push:
branches: [main]
pull_request:
types: [labeled, opened, reopened, synchronize]
concurrency: deploy-${{ github.ref }}
permissions:
packages: write
pull-requests: write
id-token: write
jobs:
build:
runs-on: ubuntu-latest
outputs:
docker-image-tag: ${{ steps.build-image.outputs.tag }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build and push docker image
id: build-image
uses: DFE-Digital/github-actions/build-docker-image@master
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
context: .
snyk-token: ${{ secrets.SNYK_TOKEN }}
deploy_review:
name: Deploy to review environment
concurrency: deploy_review_${{ github.event.pull_request.number }}
runs-on: ubuntu-latest
if: ${{ contains(github.event.pull_request.labels.*.name, 'deploy') }}
needs: [build]
environment:
name: review
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: ./.github/actions/deploy-environment
id: deploy
with:
environment: review
docker-image: ${{ needs.build.outputs.docker-image-tag }}
pull-request-number: ${{ github.event.number }}
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- name: Post comment to Pull Request ${{ github.event.number }}
if: ${{ github.event_name == 'pull_request' }}
uses: marocchino/sticky-pull-request-comment@v2
with:
header: aks
message: |
### Deployments
| App | URL |
| ----------------- | ---------------------------------------------------------------------------------------- |
| Track & Pay | <https://track-and-pay-${{ github.event.number }}.test.teacherservices.cloud> |
| School Placements | <https://manage-school-placements-${{ github.event.number }}.test.teacherservices.cloud> |
deploy_nonprod:
name: Deploy to ${{ matrix.environment }} environment
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
concurrency: deploy_${{ matrix.environment }}
needs: [build]
strategy:
max-parallel: 1
matrix:
environment: [qa, staging, sandbox] ## add future nonprod environments here
environment:
name: ${{ matrix.environment }}
url: ${{ steps.deploy.outputs.environment_url }}
outputs:
environment_url: ${{ steps.deploy.outputs.environment_url }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INF_KEY_VAULT }}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
- uses: ./.github/actions/deploy-environment
id: deploy
with:
environment: ${{ matrix.environment }}
docker-image: ${{ needs.build.outputs.docker-image-tag }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
- name: Slack Notification
if: failure()
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{ env.SLACK_FAILURE }}
SLACK_TITLE: Failure deploying release to ${{ matrix.environment }}
SLACK_MESSAGE: Failure deploying release to ${{ matrix.environment }} - Docker tag ${{ needs.build.outputs.docker-image-tag }}
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
deploy_prod:
name: Deploy to production environment
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
concurrency: deploy_production
needs: [build, deploy_nonprod]
environment:
name: production
url: ${{ steps.deploy.outputs.environment_url }}
outputs:
environment_url: ${{ steps.deploy.outputs.environment_url }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
id: keyvault-yaml-secret
with:
inlineScript: |
SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INF_KEY_VAULT }}" --query "value" -o tsv)
echo "::add-mask::$SLACK_WEBHOOK"
echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
- uses: ./.github/actions/deploy-environment
id: deploy
with:
environment: production
docker-image: ${{ needs.build.outputs.docker-image-tag }}
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
- name: Slack Notification
if: failure()
uses: rtCamp/action-slack-notify@master
env:
SLACK_COLOR: ${{ env.SLACK_FAILURE }}
SLACK_TITLE: Failure deploying release to production
SLACK_MESSAGE: Failure deploying release to production - Docker tag ${{ needs.build.outputs.docker-image-tag }}
SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}