diff --git a/.github/workflows/app-ci.yaml b/.github/workflows/app-ci.yaml index 6082aea..cf86c81 100644 --- a/.github/workflows/app-ci.yaml +++ b/.github/workflows/app-ci.yaml @@ -1,9 +1,13 @@ -name: Deploy to Production (Azure) +name: APP CI/CD Pipeline on: push: branches: - main + paths: + - "app/**" + tags: + - v.*.*.* workflow_dispatch: jobs: @@ -26,10 +30,10 @@ jobs: run: | if [[ $GITHUB_REF_NAME == 'refs/heads/main' ]]; then echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT" - elif [[ $GITHUB_REF_NAME == 'refs/heads/develop' ]]; then - echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT" - elif [[ $GITHUB_REF_NAME == 'refs/heads/release' ]]; then - echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT" + elif [[ $GITHUB_REF_NAME == *'refs/heads/release'* ]]; then + echo "DEPLOY_ENVIRONMENT=Test" >> "$GITHUB_OUTPUT" + elif [[ $GITHUB_REF_NAME == *'refs/tags/v'* ]]; then + echo "DEPLOY_ENVIRONMENT=Production" >> "$GITHUB_OUTPUT" else echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT" fi diff --git a/.github/workflows/infra-ci.yaml b/.github/workflows/infra-ci.yaml new file mode 100644 index 0000000..278989b --- /dev/null +++ b/.github/workflows/infra-ci.yaml 
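Review bot: The new tag filter `- v.*.*.*` only matches tags with a literal dot right after the `v` (for example `v.1.2.3`), so if release tags follow the usual `v1.2.3` form the Production path introduced in the next hunk never fires; if that is not intended, change the entry to `- "v*.*.*"`, quoted so the glob is read as a plain string by every YAML loader. GitHub does not evaluate `paths` filters for tag pushes, so any matching tag starts the workflow regardless of what changed, which is fine but means the tag namespace is the only gate in front of the production deployment — a tag protection rule plus required reviewers on the Production environment are the controls that belong next to this trigger.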
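Review bot: The environment selection in this hunk compares `$GITHUB_REF_NAME` against full ref paths, but `GITHUB_REF_NAME` holds the short name (`main`, `release`, `v1.2.3`), so neither the kept `'refs/heads/main'` test nor the two new `*'refs/heads/release'*` and `*'refs/tags/v'*` patterns can ever match and every run falls through to the `else` branch and deploys to `Development`; this was harmless before because every branch mapped to the same environment, but it now silently defeats the Test and Production routing the commit is adding. Compare `$GITHUB_REF` instead: `if [[ $GITHUB_REF == 'refs/heads/main' ]]; then`, `elif [[ $GITHUB_REF == refs/heads/release* ]]; then` and `elif [[ $GITHUB_REF == refs/tags/v* ]]; then`, which also turns the unanchored substring match (once the variable is fixed, a branch such as `feature/refs/heads/release-notes` would have selected Test) into a prefix match. The step's `name` and `id` lines sit above the hunk.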
@@ -0,0 +1,119 @@
+name: Infra CI Pipeline
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - "infra/**"
+
+ workflow_dispatch:
+
+# To configure required secrets for connecting to Azure, simply run `azd pipeline config`
+
+# Set up permissions for deploying with secretless Azure federated credentials
+# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ validate-bicep:
+ name: "Infra Biceps Validation"
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Build Bicep for linting
+ uses: azure/CLI@v1
+ with:
+ inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
+
+ - name: Run Microsoft Security DevOps Analysis
+ uses: microsoft/security-devops-action@v1
+ id: msdo
+ continue-on-error: true
+ with:
+ tools: templateanalyzer
+
+ - name: Upload alerts to Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: github.repository == 'Azure-Samples/azure-search-openai-demo-java'
+ with:
+ sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+
+
+# deploy:
+# name: "Deploy Infra and App using azd"
+# runs-on: ubuntu-latest
+# environment:
+# name: "Development"
+# env:
+# AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+# AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+# AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+# AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+# steps:
+# - name: Checkout
+# uses: actions/checkout@v4
+
+# - name: Install azd
+# uses: Azure/setup-azd@v0.1.0
+
+# - name: Log in with Azure (Federated Credentials)
+# if: ${{ env.AZURE_CLIENT_ID != '' }}
+# run: |
+# azd auth login `
+# --client-id "$Env:AZURE_CLIENT_ID" `
+# --federated-credential-provider "github" `
+# --tenant-id "$Env:AZURE_TENANT_ID"
+# shell: pwsh
+
+# - name: Log in with Azure (Client Credentials)
+# if: ${{ 
env.AZURE_CREDENTIALS != '' }}
+# run: |
+# $info = $Env:AZURE_CREDENTIALS | ConvertFrom-Json -AsHashtable;
+# Write-Host "::add-mask::$($info.clientSecret)"
+
+# azd auth login `
+# --client-id "$($info.clientId)" `
+# --client-secret "$($info.clientSecret)" `
+# --tenant-id "$($info.tenantId)"
+# shell: pwsh
+# env:
+# AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+
+# - name: Provision Infrastructure
+# run: azd provision --no-prompt
+# env:
+# AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+# AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+# AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+# AZURE_FORMRECOGNIZER_RESOURCE_GROUP: ${{ vars.AZURE_FORMRECOGNIZER_RESOURCE_GROUP }}
+# AZURE_FORMRECOGNIZER_SERVICE: ${{ vars.AZURE_FORMRECOGNIZER_RESOURCE_GROUP }}
+# AZURE_OPENAI_RESOURCE_GROUP: ${{ vars.AZURE_FORMRECOGNIZER_SERVICE }}
+# AZURE_OPENAI_SERVICE: ${{ vars.AZURE_OPENAI_SERVICE }}
+# AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
+# AZURE_SEARCH_SERVICE: ${{ vars.AZURE_SEARCH_SERVICE }}
+# AZURE_SEARCH_SERVICE_RESOURCE_GROUP: ${{ vars.AZURE_SEARCH_SERVICE_RESOURCE_GROUP }}
+# AZURE_STORAGE_ACCOUNT: ${{ vars.AZURE_STORAGE_ACCOUNT }}
+# AZURE_STORAGE_RESOURCE_GROUP: ${{ vars.AZURE_STORAGE_RESOURCE_GROUP }}
+
+# - name: Deploy Application
+# run: azd deploy --no-prompt
+# env:
+# AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+# AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+# AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+# AZURE_FORMRECOGNIZER_RESOURCE_GROUP: ${{ vars.AZURE_FORMRECOGNIZER_RESOURCE_GROUP }}
+# AZURE_FORMRECOGNIZER_SERVICE: ${{ vars.AZURE_FORMRECOGNIZER_RESOURCE_GROUP }}
+# AZURE_OPENAI_RESOURCE_GROUP: ${{ vars.AZURE_FORMRECOGNIZER_SERVICE }}
+# AZURE_OPENAI_SERVICE: ${{ vars.AZURE_OPENAI_SERVICE }}
+# AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
+# AZURE_SEARCH_SERVICE: ${{ vars.AZURE_SEARCH_SERVICE }}
+# AZURE_SEARCH_SERVICE_RESOURCE_GROUP: ${{ vars.AZURE_SEARCH_SERVICE_RESOURCE_GROUP }}
+# AZURE_STORAGE_ACCOUNT: 
${{ vars.AZURE_STORAGE_ACCOUNT }} +# AZURE_STORAGE_RESOURCE_GROUP: ${{ vars.AZURE_STORAGE_RESOURCE_GROUP }} + + diff --git a/.github/workflows/template-validation.yaml b/.github/workflows/template-validation.yaml index 73f2435..ded2185 100644 --- a/.github/workflows/template-validation.yaml +++ b/.github/workflows/template-validation.yaml @@ -1,7 +1,5 @@ name: Validate AZD template on: - push: - branches: [ main ] pull_request: branches: [ main ] schedule: @@ -29,7 +27,7 @@ jobs: - name: Upload alerts to Security tab uses: github/codeql-action/upload-sarif@v2 - if: github.repository == 'Azure-Samples/azure-search-openai-demo' + if: github.repository == 'Azure-Samples/azure-search-openai-demo-java' with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} @@ -42,7 +40,7 @@ jobs: - name: Build React Frontend run: | - echo "Building front-end and merge into Spring Boot static folder. Environment [${{ steps.set-deploy-env.outputs.DEPLOY_ENVIRONMENT }}]" + echo "Building front-end and merge into Spring Boot static folder." cd ./app/frontend npm install npm run build @@ -61,21 +59,8 @@ jobs: java-version: '17' cache: 'maven' - - name: Set environment for branch - id: set-deploy-env - run: | - if [[ $GITHUB_REF_NAME == 'refs/heads/main' ]]; then - echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT" - elif [[ $GITHUB_REF_NAME == 'refs/heads/develop' ]]; then - echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT" - elif [[ $GITHUB_REF_NAME == 'refs/heads/release' ]]; then - echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT" - else - echo "DEPLOY_ENVIRONMENT=Development" >> "$GITHUB_OUTPUT" - fi - - name: Build Spring Boot App run: | - echo "Building Spring Boot app. Environment [${{ steps.set-deploy-env.outputs.DEPLOY_ENVIRONMENT }}]" + echo "Building Spring Boot app." cd ./app/backend ./mvnw verify
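Review bot: The workflow-level `permissions` block lists only `id-token: write` and `contents: read`, and an explicit block sets every unlisted scope to none, so the `github/codeql-action/upload-sarif@v2` step ('Upload alerts to Security tab') is missing the `security-events: write` scope it requires and will fail with a permissions error whenever its `if` condition holds. Conversely `id-token: write` is granted although nothing in the active job performs an OIDC login — its only consumer is the commented-out `deploy` job — so the least-privilege form is `permissions:` / `contents: read` / `security-events: write`, with `id-token: write` re-added at job level when the deploy job is enabled. `upload-sarif@v2` is a deprecated major of the CodeQL action and `@v3` is the maintained line; pinning the third-party actions here (`azure/CLI@v1`, `microsoft/security-devops-action@v1`) to a commit SHA instead of a mutable tag would also close the supply-chain gap in a workflow that is meant to end up holding cloud credentials. In the commented deploy job, `AZURE_FORMRECOGNIZER_SERVICE` is wired to `vars.AZURE_FORMRECOGNIZER_RESOURCE_GROUP` and `AZURE_OPENAI_RESOURCE_GROUP` to `vars.AZURE_FORMRECOGNIZER_SERVICE` in both the provision and deploy steps, which reads as a copy-paste slip worth correcting before that block is uncommented.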