CI-CD Release Dev to Test #298

Workflow file for this run

.github/workflows/retag-dev-to-test.yml at 2b8887a

	name: CI-CD Release Dev to Test
	env:
	OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
	# service account: gitaction
	OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
	OPENSHIFT_TOOLS_NAMESPACE: "3cd915-tools"
	OPENSHIFT_REGISTRY: ${{ secrets.OPENSHIFT_REGISTRY }}
	OC_USERNAME_SA: ${{ secrets.OC_USERNAME_SA }}
	MS_TEAMS_WEBHOOK_BUILD_CHANNEL: ${{ secrets.MS_TEAMS_WEBHOOK_URI_BUILD_CHANNEL }}
	AUTH__KEYCLOAK__SECRET: ${{ secrets.KEYCLOAK_SECRET_TEST }}
	AUTH__KEYCLOAK__SERVICEACCOUNT__SECRET: ${{ secrets.KEYCLOAK_SERVICEACCOUNT_SECRET }}
	sync-directory: ./tools/keycloak/sync
	ASPNETCORE_ENVIRONMENT: "Test"

	## variables for scripts under git\openshift\4.0\scripts\oc-*.sh
	APP_PORT: 8080
	DESTINATION: "test"
	GIT_URL: "${{github.server_url}}/${{github.repository}}"
	GIT_BRANCH: "${{github.ref}}"
	APP_NAME: "pims"
	PROJ_PREFIX: "3cd915"
	PROJ_TOOLS: "3cd915-tools"
	PROJ_DEV: "dev"
	PROJ_TEST: "test"
	PROJ_PROD: "prod"
	TAG_DEV: "dev"
	TAG_TEST: "test"
	TAG_PROD: "prod"
	INSTANCE: "-test"
	NAMESPACE_OVERRIDE: "3cd915-dev"
	RELEASE_TAG: "dev"
	DEPLOYMENT_NAMESPACE: "3cd915-dev"

	on: workflow_dispatch

	jobs:
	ci-cd-start-notification:
	name: CI-CD Start Notification to Teams Channel
	runs-on: ubuntu-22.04
	steps:
	- name: Start notification to Teams Channel
	uses: dragos-cojocari/ms-teams-notification@bdee8c5584729d6a2dcaad8fc21ecfd40d1418ab # v1.0.2
	with:
	github-token: ${{ github.token }}
	ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }}
	notification-summary: PIMS Release DEV to TST Started
	notification-color: 17a2b8
	timezone: America/Los_Angeles

	deploy:
	name: Retag/Deploy to OpenShift
	needs: ci-cd-start-notification
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout Source Code
	uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
	- name: Login to OpenShift
	uses: redhat-actions/oc-login@5eb45e848b168b6bf6b8fe7f1561003c12e3c99d # v1.3
	with:
	openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
	openshift_token: ${{ env.OPENSHIFT_TOKEN }}
	insecure_skip_tls_verify: true
	namespace: ${{ env.OPENSHIFT_TOOLS_NAMESPACE }}
	- name: Docker login to OpenShift registry
	run: echo "${{ env.OPENSHIFT_TOKEN }}" \| docker login ${{ env.OPENSHIFT_REGISTRY }} -u unused --password-stdin
	- name: Pre-deploy scan frontend (block on CRITICAL/HIGH)
	env:
	IMAGE: ${{ env.OPENSHIFT_REGISTRY }}/3cd915-tools/pims-app:dev
	run: \|
	docker pull "$IMAGE";
	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy@sha256:b7dc41ff0c3224dea024ee21bb9f6920a8af2fb343bba7139140d8fd0df1bac3 image --exit-code 1 --scanners vuln,secret,misconfig --format table --severity CRITICAL,HIGH "$IMAGE" \| tee frontend_predeploy_scan.txt;
	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$PWD:/workspace" aquasec/trivy@sha256:b7dc41ff0c3224dea024ee21bb9f6920a8af2fb343bba7139140d8fd0df1bac3 image --scanners vuln,secret,misconfig --format sarif --severity CRITICAL,HIGH "$IMAGE" -o /workspace/frontend_predeploy_scan.sarif
	- name: Upload frontend SARIF to Security tab
	if: always()
	uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.9
	with:
	sarif_file: frontend_predeploy_scan.sarif
	category: test-frontend-predeploy
	- name: Deploy PIMS frontend
	shell: bash
	run: \|
	oc tag pims-app:$RELEASE_TAG pims-app:$DESTINATION
	oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-app-$DESTINATION
	oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-app-$DESTINATION
	- name: Pre-deploy scan api (block on CRITICAL/HIGH)
	env:
	IMAGE: ${{ env.OPENSHIFT_REGISTRY }}/3cd915-tools/pims-api:dev
	run: \|
	docker pull "$IMAGE";
	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy@sha256:b7dc41ff0c3224dea024ee21bb9f6920a8af2fb343bba7139140d8fd0df1bac3 image --exit-code 1 --scanners vuln,secret,misconfig --format table --severity CRITICAL,HIGH "$IMAGE" \| tee api_predeploy_scan.txt;
	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$PWD:/workspace" aquasec/trivy@sha256:b7dc41ff0c3224dea024ee21bb9f6920a8af2fb343bba7139140d8fd0df1bac3 image --scanners vuln,secret,misconfig --format sarif --severity CRITICAL,HIGH "$IMAGE" -o /workspace/api_predeploy_scan.sarif
	- name: Upload api SARIF to Security tab
	if: always()
	uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.9
	with:
	sarif_file: api_predeploy_scan.sarif
	category: test-api-predeploy
	- name: Deploy PIMS api
	shell: bash
	run: \|
	oc tag pims-api:$RELEASE_TAG pims-api:$DESTINATION
	oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-api-$DESTINATION
	oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-api-$DESTINATION
	- name: Pre-deploy scan proxy (block on CRITICAL/HIGH)
	env:
	IMAGE: ${{ env.OPENSHIFT_REGISTRY }}/3cd915-tools/pims-proxy:dev
	run: \|
	docker pull "$IMAGE";
	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy@sha256:b7dc41ff0c3224dea024ee21bb9f6920a8af2fb343bba7139140d8fd0df1bac3 image --exit-code 1 --scanners vuln,secret,misconfig --format table --severity CRITICAL,HIGH "$IMAGE" \| tee proxy_predeploy_scan.txt;
	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$PWD:/workspace" aquasec/trivy@sha256:b7dc41ff0c3224dea024ee21bb9f6920a8af2fb343bba7139140d8fd0df1bac3 image --scanners vuln,secret,misconfig --format sarif --severity CRITICAL,HIGH "$IMAGE" -o /workspace/proxy_predeploy_scan.sarif
	- name: Upload proxy SARIF to Security tab
	if: always()
	uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.9
	with:
	sarif_file: proxy_predeploy_scan.sarif
	category: test-proxy-predeploy
	- name: Deploy geoserver proxy microservice
	shell: bash
	run: \|
	oc tag pims-proxy:$RELEASE_TAG pims-proxy:$DESTINATION
	oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-proxy-$DESTINATION
	oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-proxy-$DESTINATION
	- name: Pre-deploy scan scheduler (block on CRITICAL/HIGH)
	env:
	IMAGE: ${{ env.OPENSHIFT_REGISTRY }}/3cd915-tools/pims-scheduler:dev
	run: \|
	docker pull "$IMAGE";
	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy@sha256:b7dc41ff0c3224dea024ee21bb9f6920a8af2fb343bba7139140d8fd0df1bac3 image --exit-code 1 --scanners vuln,secret,misconfig --format table --severity CRITICAL,HIGH "$IMAGE" \| tee scheduler_predeploy_scan.txt;
	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$PWD:/workspace" aquasec/trivy@sha256:b7dc41ff0c3224dea024ee21bb9f6920a8af2fb343bba7139140d8fd0df1bac3 image --scanners vuln,secret,misconfig --format sarif --severity CRITICAL,HIGH "$IMAGE" -o /workspace/scheduler_predeploy_scan.sarif
	- name: Upload scheduler SARIF to Security tab
	if: always()
	uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.9
	with:
	sarif_file: scheduler_predeploy_scan.sarif
	category: test-scheduler-predeploy
	- name: Deploy scheduler microservice
	shell: bash
	run: \|
	oc tag pims-scheduler:$RELEASE_TAG pims-scheduler:$DESTINATION
	oc -n $DEPLOYMENT_NAMESPACE rollout restart deployment/pims-scheduler-$DESTINATION
	oc -n $DEPLOYMENT_NAMESPACE rollout status --timeout=600s deployment/pims-scheduler-$DESTINATION
	- name: Upload scan reports
	if: failure()
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: test-predeploy-scan-reports
	path: \|
	frontend_predeploy_scan.txt
	api_predeploy_scan.txt
	proxy_predeploy_scan.txt
	scheduler_predeploy_scan.txt
	retention-days: 14
	- name: Upload SARIF files as artifacts
	if: always()
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: test-predeploy-sarif-reports
	path: \|
	frontend_predeploy_scan.sarif
	api_predeploy_scan.sarif
	proxy_predeploy_scan.sarif
	scheduler_predeploy_scan.sarif
	retention-days: 14
	- name: Deploy mayan
	shell: bash
	run: \|
	oc tag mayan-bcgov:$RELEASE_TAG mayan-bcgov:$DESTINATION
	# the command:
	# 1) creates an openshift job with generated name to avoid name conflict, substituting the variables in the template.
	# 2) greps the generated name from the previous step.
	# 3) waits for the job to complete using the generated name.
	database-upgrade:
	name: Upgrade database
	needs: [deploy]
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout Source Code
	uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
	- name: Login to OpenShift
	uses: redhat-actions/oc-login@5eb45e848b168b6bf6b8fe7f1561003c12e3c99d # v1.3
	with:
	openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
	openshift_token: ${{ env.OPENSHIFT_TOKEN }}
	insecure_skip_tls_verify: true
	namespace: 3cd915-dev
	- name: call scripts to upgrade database
	shell: bash
	run: \|
	JOB_NAME=$(oc process -f ./openshift/4.0/templates/jobs/db-deploy.yaml -p DB_SECRET_NAME=pims-database-test -p GIT_BRANCH=dev -p SERVER_NAME=sqldevtst.th.gov.bc.ca -p DB_NAME=PIMS_TST -p NAMESPACE=3cd915-dev \| oc create -f - \| grep -oP "(?<=job\.batch/)[^\s]*")
	oc wait --for=condition=complete job/$JOB_NAME --timeout=120s
	oc get pods -o custom-columns=POD:.metadata.name --no-headers \| grep -Eo $JOB_NAME-[^\s].* \| (read POD_NAME; oc logs $POD_NAME)

	# ## Call the mayan sync task three times, once for each mayan sync endpoint. The task will wait for the job to complete before exiting.
	# ## Note: this depends on the mayan-sync configmap for the target namespace being up to date.
	mayan-sync:
	name: sync mayan
	needs: database-upgrade
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout Source Code
	uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
	- name: Login to OpenShift
	uses: redhat-actions/oc-login@5eb45e848b168b6bf6b8fe7f1561003c12e3c99d # v1.3
	with:
	openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
	openshift_token: ${{ env.OPENSHIFT_TOKEN }}
	insecure_skip_tls_verify: true
	namespace: 3cd915-dev
	- name: call scripts to sync mayan
	shell: bash
	run: \|
	oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-dev -p TOKEN_URL=https://dev.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-test-3cd915-dev.apps.silver.devops.gov.bc.ca:443/api/documents/sync/mayan/metadatatype -p KEYCLOAK_SECRET_NAME=pims-api-sso-test \| oc create -f - \| grep -oP "(?<=\/)[^\s]*" \| (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s)
	oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-dev -p TOKEN_URL=https://dev.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-test-3cd915-dev.apps.silver.devops.gov.bc.ca:443/api/documents/sync/documenttype -p KEYCLOAK_SECRET_NAME=pims-api-sso-test \| oc create -f - \| grep -oP "(?<=\/)[^\s]*" \| (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s)
	oc process -f ./openshift/4.0/templates/jobs/mayan-sync.yaml -p NAMESPACE=3cd915-dev -p TOKEN_URL=https://dev.loginproxy.gov.bc.ca:443/auth/realms/standard/protocol/openid-connect/token -p CLIENT_ID=property-services-project-api-4380 -p MAYAN_SYNC_URL=https://pims-app-test-3cd915-dev.apps.silver.devops.gov.bc.ca:443/api/documents/sync/mayan -p KEYCLOAK_SECRET_NAME=pims-api-sso-test \| oc create -f - \| grep -oP "(?<=\/)[^\s]*" \| (read TASK_NAME; oc wait --for=condition=succeeded taskruns/$TASK_NAME --timeout=80s)

	# ## Call the tekton pipeline that executes the keycloak sync. Dependent on the pims-api being accessible. Can run in parallel with the mayan sync.
	keycloak-sync:
	name: sync keycloak
	needs: database-upgrade
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout Source Code
	uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
	- name: Login to OpenShift
	uses: redhat-actions/oc-login@5eb45e848b168b6bf6b8fe7f1561003c12e3c99d # v1.3
	with:
	openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
	openshift_token: ${{ env.OPENSHIFT_TOKEN }}
	insecure_skip_tls_verify: true
	namespace: ${{ env.NAMESPACE_OVERRIDE }}
	- name: call scripts to sync keycloak
	shell: bash
	run: \|
	oc process -f ./openshift/4.0/templates/jobs/keycloak-sync-pipeline-run.yaml -p ASPNETCORE_ENVIRONMENT=$ASPNETCORE_ENVIRONMENT -p NAMESPACE=$NAMESPACE_OVERRIDE -p BRANCH=dev -p KEYCLOAK_SECRET_NAME=pims-api-sso-test -p KEYCLOAK_SERVICE_ACCOUNT_SECRET_NAME=pims-api-sso-test -p API_URL=http://pims-api-test:8080/api \| oc create -f - \| grep -oP "(?<=\/)[^\s]*" \| (read PIPELINE_NAME; oc wait --for=condition=succeeded pipelineruns/$PIPELINE_NAME --timeout=600s)

	ci-cd-end-notification:
	name: CI-CD End Notification to Teams Channel
	runs-on: ubuntu-22.04
	needs: keycloak-sync
	steps:
	- name: check workflow status
	uses: martialonline/workflow-status@326830cacf79872efe767e15031f58d1ea0508c4 # v4.2
	id: check
	- name: End notification to Teams Channel
	uses: dragos-cojocari/ms-teams-notification@bdee8c5584729d6a2dcaad8fc21ecfd40d1418ab # v1.0.2
	with:
	github-token: ${{ github.token }}
	ms-teams-webhook-uri: ${{ env.MS_TEAMS_WEBHOOK_BUILD_CHANNEL }}
	notification-summary: PIMS Release DEV to TEST COMPLETED with status ${{ steps.check.outputs.status }}
	notification-color: 17a2b8
	timezone: America/Los_Angeles

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CI-CD Release Dev to Test #298

Workflow file

CI-CD Release Dev to Test #298

Uh oh!

Workflow file for this run