feat: setup Release Please and prod deploy workflows (#61)

Add Release Please workflow to manage our Production deploys.

Add the Production Docker image build/push and ECS deploy workflows
that will trigger when the Release Please PR merges.

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Users that are allowed to approve a release PR
+.release-please-manifest.json   @bryan-robitaille @dsamojlenko @timarney @craigzour

.github/workflows/prod-deploy.yml

@@ -0,0 +1,74 @@
+name: Production - Deploy
+
+on:
+  workflow_run:
+    workflows: ["Production — Docker build and push"]
+    types:
+      - completed
+
+env:
+  AWS_ACCOUNT_ID: ${{ vars.PRODUCTION_AWS_ACCOUNT_ID }}
+  AWS_REGION: ca-central-1
+  CLUSTER_NAME: Forms
+  SERVICE_NAME: forms-api
+  TASK_DEFINITION_NAME: forms-api
+  REGISTRY: ${{ vars.PRODUCTION_AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com/forms/api
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy-forms-api-service:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Configure AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-api-apply
+          role-session-name: ECSDeploy
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Download ECS task definition
+        run: |
+          aws ecs describe-task-definition \
+            --task-definition ${{ env.SERVICE_NAME }} \
+            --query taskDefinition > task-definition.json
+
+      - name: Update ECS task image
+        id: task-def
+        uses: aws-actions/amazon-ecs-render-task-definition@3c975f1cb22919a28755c6541b4ca2656a690f49 # v1.5.1
+        with:
+          task-definition: task-definition.json
+          container-name: ${{ env.SERVICE_NAME }}
+          image: "${{ env.REGISTRY }}:${{ github.event.workflow_run.head_branch }}"
+
+      - name: Create the new ECS task definition
+        uses: aws-actions/amazon-ecs-deploy-task-definition@4482193dd766379c66473482bbc77299b053ec94 # v2.1.0
+        with:
+          task-definition: ${{ steps.task-def.outputs.task-definition }}
+          cluster: ${{ env.CLUSTER_NAME }}
+
+      - name: Deploy the new ECS task definition
+        run: |
+          aws ecs update-service \
+            --cluster ${{ env.CLUSTER_NAME }} \
+            --service ${{ env.SERVICE_NAME }} \
+            --task-definition ${{ env.TASK_DEFINITION_NAME }} \
+            --force-new-deployment > /dev/null 2>&1
+          aws ecs wait services-stable \
+            --cluster ${{ env.CLUSTER_NAME }} \
+            --services ${{ env.SERVICE_NAME }}
+
+      - name: Report deployment to Sentinel
+        if: always()
+        uses: cds-snc/sentinel-forward-data-action@main
+        with:
+          input_data: '{"product": "forms", "sha": "${{ github.event.workflow_run.head_branch }}", "version": "${{ github.event.workflow_run.head_branch }}", "repository": "${{ github.repository }}", "environment": "production", "status": "${{ job.status }}"}'
+          log_type: CDS_Product_Deployment_Data
+          log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
+          log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}

.github/workflows/prod-docker-build-push.yml

@@ -0,0 +1,60 @@
+name: "Production — Docker build and push"
+
+on:
+  release:
+    types: [published]
+
+env:
+  AWS_ACCOUNT_ID: ${{ vars.PRODUCTION_AWS_ACCOUNT_ID }}
+  AWS_REGION: ca-central-1
+  ECR_REPOSITORY: forms/api
+  TAG_VERSION: ${{ github.ref_name }}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  push-production:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Build Docker image
+        run: docker build -t forms/api .
+
+      - name: Configure AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-api-release
+          role-session-name: ECRPush
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@08fda13c2502925256496fadb53b7718f48b28c5
+
+      - name: Tag images
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+        run: |
+          docker tag forms/api $ECR_REGISTRY/$ECR_REPOSITORY:$TAG_VERSION
+          docker tag forms/api $ECR_REGISTRY/$ECR_REPOSITORY:latest
+
+      - name: Push images to Amazon ECR
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+        run: |
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$TAG_VERSION
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
+
+      - name: Docker generate SBOM
+        uses: cds-snc/security-tools/.github/actions/generate-sbom@598deeaed48ab3bb0df85f0ed124ba53f0ade385 # v3.1.0
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+        with:
+          docker_image: "${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.TAG_VERSION }}"
+          dockerfile_path: "Dockerfile"
+          sbom_name: "forms-api"
+          token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/release-generator.yml

@@ -0,0 +1,26 @@
+name: Release Generator
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
+        id: sre_app_token
+        with:
+          app-id: ${{ secrets.SRE_APP_ID }}
+          private-key: ${{ secrets.SRE_APP_PRIVATE_KEY }}
+
+      - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
+        with:
+          token: ${{ steps.sre_app_token.outputs.token }}
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json

.github/workflows/workflow-failure.yml

@@ -5,6 +5,8 @@ on:
     workflows:
       - "Staging - Deploy"
       - "Staging — Docker build and push"
+      - "Production - Deploy"
+      - "Production — Docker build and push"
     types:
       - completed
 

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "1.0.0"
+}

CHANGELOG.md

@@ -0,0 +1,3 @@
+# Changelog
+
+## [1.0.0](https://github.com/cds-snc/forms-api/compare/21dc13edfdf08bed2e745880721a2ccaabc0edce...v1.0.0) (2024-09-16)

release-please-config.json

@@ -0,0 +1,30 @@
+{
+  "packages": {
+    ".": {
+      "release-type": "node",
+      "changelog-path": "CHANGELOG.md",
+      "bump-minor-pre-major": false,
+      "bump-patch-for-minor-pre-major": false,
+      "draft": false,
+      "prerelease": false,
+      "pull-request-title-pattern": "chore: GCForms API release v${version}"
+    }
+  },
+  "changelog-sections": [
+    { "type": "feat", "section": "Features" },
+    { "type": "feature", "section": "Features" },
+    { "type": "fix", "section": "Bug Fixes" },
+    { "type": "perf", "section": "Performance Improvements" },
+    { "type": "revert", "section": "Reverts" },
+    { "type": "docs", "section": "Documentation" },
+    { "type": "style", "section": "Styles" },
+    { "type": "chore", "section": "Miscellaneous Chores" },
+    { "type": "refactor", "section": "Code Refactoring" },
+    { "type": "test", "section": "Tests", "hidden": true },
+    { "type": "build", "section": "Build System", "hidden": true },
+    { "type": "ci", "section": "Continuous Integration", "hidden": true }
+  ],
+  "include-component-in-tag": false,
+  "include-v-in-tag": true,
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json"
+}