eps-assist-me/.github/workflows/pull_request.yml at main · NHSDigital/eps-assist-me · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
name: deploy_pr

on:
  pull_request:
    branches: [main]

permissions: {}

jobs:
  get_config_values:
    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
    permissions:
      attestations: read
      contents: read
      packages: read
    with:
      verify_published_from_main_image: false

  get_commit_message:
    runs-on: ubuntu-22.04
    outputs:
      commit_message: ${{ steps.commit_message.outputs.commit_message }}
    steps:
      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: false
          fetch-depth: 0
      - name: Get Commit message
        id: commit_message
        run: |
          echo "commit_message=$(git show -s --format=%s)" >> "$GITHUB_OUTPUT"

  quality_checks:
    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@8399c1f015c1304e40771cbd8ccc24c7ed48fdbc
    needs: [get_config_values, get_commit_message]
    permissions:
      contents: read
      id-token: write
      packages: read
    if: ${{ ! contains(needs.get_commit_message.outputs.commit_message, '#skip-qc') }}
    with:
      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  quality_gate:
    needs: get_commit_message
    runs-on: ubuntu-22.04
    if: always()
    steps:
      - name: Wait for quality checks to succeed
        if: ${{ ! contains(needs.get_commit_message.outputs.commit_message, '#skip-qc') }}
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          result-encoding: json
          script: |
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const runId = context.runId;

            // How many times to poll
            const pollTime = 10000; // 10 seconds
            const maxRetries = 120; // 20 minutes at 10 seconds each
            let attempts = 0;

            async function fetchQCJob() {
              const { data } = await github.rest.actions.listJobsForWorkflowRun({
                owner, repo, run_id: runId
              });
              return data.jobs.find(job => job.name === 'quality_checks / quality_checks');
            }

            let qc = await fetchQCJob();
            while ((!qc || qc.status !== 'completed') && attempts < maxRetries) {
              attempts++;
              console.log(`Attempt #${attempts}: ` +
                (qc
                  ? `found job "${qc.name}" with status=${qc.status}`
                  : 'no matching quality_checks job yet'));
              await new Promise(r => setTimeout(r, pollTime));
              qc = await fetchQCJob();
            }

            if (!qc) {
              core.setFailed(
                `Timed out waiting for a "quality_checks" job (after ${attempts} polls).`
              );
              return;
            }

            if (qc.status !== 'completed') {
              core.setFailed(
                `Quality checks job never completed (last status=${qc.status}).`
              );
              return;
            }

            if (qc.conclusion !== 'success') {
              core.setFailed(
                `Quality checks failed (conclusion=${qc.conclusion}).`
              );
            }

      - name: Bypass QC gate
        if: ${{ contains(needs.get_commit_message.outputs.commit_message, '#skip-qc') }}
        run: echo "Skipping QC gate per commit message."

  dependabot-auto-approve-and-merge:
    needs: quality_gate
    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
    permissions:
      contents: write
      pull-requests: write
    secrets:
      AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
      AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}

  pr_title_format_check:
    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
    permissions:
      pull-requests: write

  get_issue_number:
    runs-on: ubuntu-22.04
    outputs:
      issue_number: ${{steps.get_issue_number.outputs.result}}

    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
        name: get issue number
        id: get_issue_number
        with:
          script: |
            if (context.issue.number) {
              // Return issue number if present
              return context.issue.number;
            } else {
              // Otherwise return issue number from commit
              return (
                await github.rest.repos.listPullRequestsAssociatedWithCommit({
                  commit_sha: context.sha,
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                })
              ).data[0].number;
            }
          result-encoding: string

  package_code:
    needs: [get_issue_number, quality_gate, get_config_values]
    if: |
      always() &&
      ! contains(needs.*.result, 'failure') &&
      ! contains(needs.*.result, 'cancelled')
    uses: ./.github/workflows/cdk_package_code.yml
    permissions:
      contents: read
      id-token: write
      packages: read
    with:
      STACK_NAME: epsam-pr-${{needs.get_issue_number.outputs.issue_number}}
      VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
      COMMIT_ID: ${{ github.sha }}
      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}

  release_code:
    needs: [get_issue_number, package_code, get_config_values]
    if: |
      always() &&
      ! contains(needs.*.result, 'failure') &&
      ! contains(needs.*.result, 'cancelled')
    uses: ./.github/workflows/release_all_stacks.yml
    permissions:
      contents: write
      id-token: write
    with:
      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
      STACK_NAME: epsam-pr-${{needs.get_issue_number.outputs.issue_number}}
      TARGET_ENVIRONMENT: dev-pr
      VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
      COMMIT_ID: ${{ github.sha }}
      CDK_APP_NAME: EpsAssistMeApp
      DEPLOY_CODE: true
      LOG_RETENTION_IN_DAYS: 30
      LOG_LEVEL: "DEBUG"
      IS_PULL_REQUEST: true
      FORWARD_CSOC_LOGS: false
      RUN_REGRESSION_TESTS: true
    secrets:
      CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
      INT_ASSIST_ME_DOCUMENT_SYNC_ROLE: ${{ secrets.INT_ASSIST_ME_DOCUMENT_SYNC_ROLE }}
      DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
      INT_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
      PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
      DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
      REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
      SLACK_BOT_TOKEN: ${{ secrets.DEV_SLACK_BOT_TOKEN }}
      SLACK_SIGNING_SECRET: ${{ secrets.DEV_SLACK_SIGNING_SECRET }}