feat: Secretless client creation #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Post-merge/release workflow for CSTAR | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| types: | |
| - closed | |
| branches: | |
| - main | |
| jobs: | |
| ############################################################################## | |
| # # | |
| # RELEASE CANDIDATE # | |
| # # | |
| ############################################################################## | |
| release_candidate: | |
| if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' | |
| runs-on: ubuntu-22.04 | |
| environment: cstar-d-mcshared | |
| permissions: | |
| id-token: write # Get OIDC token to authenticate to Azure. | |
| packages: write # Push container imaged to GHCR. | |
| contents: write # Create a new release. | |
| outputs: | |
| new_release_published: ${{ steps.semantic.outputs.new_release_published }} | |
| new_release_version: ${{ steps.semantic.outputs.new_release_version }} | |
| steps: | |
| # | |
| # Checkout the source code. | |
| # | |
| - name: Checkout the source code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 | |
| with: | |
| token: ${{ secrets.GIT_PAT }} | |
| fetch-depth: 0 | |
| # | |
| # Install Node. | |
| # | |
| - name: Install Node | |
| uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c | |
| with: | |
| node-version: "20.18.0" | |
| # | |
| # Calculate of the new version (dry-run). | |
| # | |
| - name: Calculate of the new version (dry-run) | |
| uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # 4.1.1 | |
| id: semantic | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| semantic_version: 21.1.1 | |
| branch: main | |
| extra_plugins: | | |
| @semantic-release/release-notes-generator@14.0.1 # 44c780c6f9c1bf2643fe48b6718bd9a84b820132 | |
| @semantic-release/git@10.0.1 # 3e934d45f97fd07a63617c0fc098c9ed3e67d97a | |
| dry_run: true | |
| # | |
| # Setup Java Build Environment. | |
| # | |
| - name: Setup Java Build Environment | |
| uses: pagopa/mil-actions/setup-java-build-env@f782a1b3cdb79afda2c10007ae46b831b31fe640 # 1.1.2 | |
| with: | |
| gh_user: ${{ secrets.GIT_USER }} | |
| gh_token: ${{ secrets.GIT_PAT }} | |
| # | |
| # RELEASE CANDIDATE - Update of pom.xml and openapi.yaml with the RC new version. | |
| # | |
| - name: RELEASE CANDIDATE - Update of pom.xml and openapi.yaml with the new version | |
| if: steps.semantic.outputs.new_release_published == 'true' | |
| run: | | |
| yq -i ".info.version = \"${{ steps.semantic.outputs.new_release_version }}-RC\"" "src/main/resources/META-INF/openapi.yaml" | |
| yq -i ".info.version = \"${{ steps.semantic.outputs.new_release_version }}-RC\"" "src/main/resources/META-INF/openapi_not_admin.yaml" | |
| ${{ runner.temp }}/maven/bin/mvn versions:set -DnewVersion=${{ steps.semantic.outputs.new_release_version }}-RC -s ${{ runner.temp }}/settings.xml --no-transfer-progress | |
| # | |
| # RELEASE CANDIDATE - Build and push native container image. | |
| # | |
| - name: RELEASE CANDIDATE - Build and push native container image | |
| id: rc_image | |
| if: steps.semantic.outputs.new_release_published == 'true' | |
| uses: pagopa/mil-actions/build-push-native-image@241c6c17f483229fdd4ac26c6d79d1d65be2659c # 1.1.1 | |
| with: | |
| gh_token: ${{ secrets.GIT_PAT }} | |
| sonar_token: ${{ secrets.SONAR_TOKEN }} | |
| release_version: ${{ steps.semantic.outputs.new_release_version }}-RC | |
| skip_test: false | |
| # | |
| # Setup Terraform | |
| # | |
| - name: Setup Terraform | |
| if: steps.semantic.outputs.new_release_published == 'true' | |
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: 1.9.7 | |
| # | |
| # RELEASE CANDIDATE - Update Container App. | |
| # | |
| - name: RELEASE CANDIDATE - Update Container App | |
| if: steps.semantic.outputs.new_release_published == 'true' | |
| shell: bash | |
| working-directory: src/main/terraform | |
| env: | |
| ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" | |
| ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" | |
| ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" | |
| run: | | |
| terraform init -backend-config="env/cstar-d-mcshared/backend.tfvars" -reconfigure | |
| terraform apply -var-file="env/cstar-d-mcshared/terraform.tfvars" -var="mil_auth_image=${{ steps.rc_image.outputs.image }}" -auto-approve -lock-timeout=300s | |
| ############################################################################## | |
| # # | |
| # CREATE RUNNER # | |
| # # | |
| ############################################################################## | |
| create_runner: | |
| needs: release_candidate | |
| if: needs.release_candidate.outputs.new_release_published == 'true' | |
| runs-on: ubuntu-22.04 | |
| environment: cstar-d-mcshared | |
| permissions: | |
| id-token: write | |
| outputs: | |
| runner_name: ${{ steps.create_github_runner.outputs.runner_name }} | |
| steps: | |
| - name: Create GitHub Runner | |
| id: create_github_runner | |
| uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@ca5ac73f306764b9ec186af3594d905deab50590 | |
| with: | |
| client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| container_app_environment_name: ${{ secrets.ACA_ENV_NAME }} | |
| resource_group_name: ${{ secrets.ACA_ENV_RESOURCE_GROUP_NAME }} | |
| pat_token: ${{ secrets.GIT_PAT }} | |
| self_hosted_runner_image_tag: "v3.5.1" | |
| ############################################################################## | |
| # # | |
| # INTEGRATION TESTS # | |
| # # | |
| ############################################################################## | |
| integration_tests: | |
| needs: create_runner | |
| runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] | |
| environment: cstar-d-mcshared | |
| steps: | |
| # | |
| # Checkout the source code. | |
| # | |
| - name: Checkout the source code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 | |
| # | |
| # Setup Java Build Environment. | |
| # | |
| - name: Setup Java Build Environment | |
| uses: pagopa/mil-actions/setup-java-build-env@f782a1b3cdb79afda2c10007ae46b831b31fe640 # 1.1.2 | |
| with: | |
| gh_user: ${{ secrets.GIT_USER }} | |
| gh_token: ${{ secrets.GIT_PAT }} | |
| # | |
| # Run integration tests. | |
| # | |
| - name: Run integration tests | |
| run: | | |
| ${{ runner.temp }}/maven/bin/mvn verify \ | |
| -s ${{ runner.temp }}/settings.xml \ | |
| --no-transfer-progress \ | |
| -DskipUTs=true \ | |
| -DskipITs=false \ | |
| -Dbase_uri=${{ secrets.IT_BASE_URI }} \ | |
| -Dadmin_client_id=${{ secrets.IT_ADMIN_CLIENT_ID }} \ | |
| -Dadmin_client_secret=${{ secrets.IT_ADMIN_CLIENT_SECRET }} \ | |
| -Dtoken_info_client_id=${{ secrets.IT_TOKEN_INFO_CLIENT_ID }} \ | |
| -Dtoken_info_client_secret=${{ secrets.IT_TOKEN_INFO_CLIENT_SECRET }} \ | |
| -Dtest_username=${{ secrets.IT_TEST_USERNAME }} \ | |
| -Dtest_password=${{ secrets.IT_TEST_PASSWORD }} | |
| ############################################################################## | |
| # # | |
| # CLEANUP RUNNER # | |
| # # | |
| ############################################################################## | |
| cleanup_runner: | |
| needs: [create_runner, integration_tests] | |
| if: always() | |
| runs-on: ubuntu-22.04 | |
| environment: cstar-d-mcshared | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Cleanup GitHub Runner | |
| uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@0ee2f58fd46d10ac7f00bce4304b98db3dbdbe9a | |
| with: | |
| client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| resource_group_name: ${{ secrets.ACA_ENV_RESOURCE_GROUP_NAME }} | |
| runner_name: ${{ needs.create_runner.outputs.runner_name }} | |
| pat_token: ${{ secrets.GIT_PAT }} | |
| ############################################################################## | |
| # # | |
| # STABLE # | |
| # # | |
| ############################################################################## | |
| stable: | |
| needs: [release_candidate, integration_tests] | |
| runs-on: ubuntu-22.04 | |
| environment: cstar-d-mcshared | |
| permissions: | |
| id-token: write # Get OIDC token to authenticate to Azure. | |
| packages: write # Push container imaged to GHCR. | |
| contents: write # Create a new release. | |
| outputs: | |
| image: ${{ steps.stable_image.outputs.image }} | |
| steps: | |
| # | |
| # STABLE - Update of pom.xml and openapi.yaml with the new version. | |
| # | |
| - name: STABLE - Update of pom.xml and openapi.yaml with the new version | |
| run: | | |
| ${{ runner.temp }}/maven/bin/mvn versions:set -DnewVersion=${{ needs.release_candidate.outputs.new_release_version }} -s ${{ runner.temp }}/settings.xml --no-transfer-progress | |
| yq -i ".info.version = \"${{ needs.release_candidate.outputs.new_release_version }}\"" "src/main/resources/META-INF/openapi.yaml" | |
| yq -i ".info.version = \"${{ needs.release_candidate.outputs.new_release_version }}\"" "src/main/resources/META-INF/openapi_not_admin.yaml" | |
| git config user.name "GitHub Workflow" | |
| git config user.email "<>" | |
| git add pom.xml | |
| git add src/main/resources/META-INF/openapi.yaml | |
| git commit -m "Updated with new version ${{ needs.release_candidate.outputs.new_release_version }}" | |
| git push origin main | |
| # | |
| # Calculation of the new version (again) with tagging + releasing + etc. | |
| # | |
| - name: Calculation of the new version (w/o dry_run) and put tag | |
| uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # 4.1.1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| semantic_version: 21.1.1 | |
| branch: main | |
| extra_plugins: | | |
| @semantic-release/release-notes-generator@14.0.1 # 44c780c6f9c1bf2643fe48b6718bd9a84b820132 | |
| @semantic-release/git@10.0.1 # 3e934d45f97fd07a63617c0fc098c9ed3e67d97a | |
| dry_run: false | |
| # | |
| # STABLE - Build and push native container image. | |
| # | |
| - name: STABLE - Build and push native container image | |
| id: stable_image | |
| uses: pagopa/mil-actions/build-push-native-image@241c6c17f483229fdd4ac26c6d79d1d65be2659c # 1.1.1 | |
| with: | |
| gh_token: ${{ secrets.GIT_PAT }} | |
| sonar_token: ${{ secrets.SONAR_TOKEN }} | |
| release_version: ${{ needs.release_candidate.outputs.new_release_version }} | |
| skip_test: true | |
| # | |
| # STABLE - Update Container App. | |
| # | |
| - name: STABLE - Update Container App | |
| if: steps.semantic.outputs.new_release_published == 'true' | |
| shell: bash | |
| working-directory: src/main/terraform | |
| env: | |
| ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" | |
| ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" | |
| ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" | |
| run: | | |
| terraform init -backend-config="env/cstar-d-mcshared/backend.tfvars" -reconfigure | |
| terraform apply -var-file="env/cstar-d-mcshared/terraform.tfvars" -var="mil_auth_image=${{ steps.stable_image.outputs.image }}" -auto-approve -lock-timeout=300s | |
| ############################################################################## | |
| # # | |
| # UAT DEPLOYMENT # | |
| # # | |
| ############################################################################## | |
| uat_deployment: | |
| needs: stable | |
| runs-on: ubuntu-22.04 | |
| environment: cstar-u-mcshared | |
| permissions: | |
| id-token: write | |
| steps: | |
| # | |
| # Checkout the source code. | |
| # | |
| - name: Checkout the source code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 | |
| # | |
| # Setup Terraform | |
| # | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: 1.9.7 | |
| # | |
| # Update Container App. | |
| # | |
| - name: STABLE - Update Container App | |
| shell: bash | |
| working-directory: src/main/terraform | |
| env: | |
| ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}" | |
| ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" | |
| ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}" | |
| run: | | |
| terraform init -backend-config="env/cstar-u-mcshared/backend.tfvars" -reconfigure | |
| terraform apply -var-file="env/cstar-u-mcshared/terraform.tfvars" -var="mil_auth_image=${{ needs.stable.outputs.image }}" -auto-approve -lock-timeout=300s |