Bump govuk-frontend from 5.6.0 to 5.7.1 #1645
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Deploy | |
| concurrency: build_and_deploy_${{ github.ref_name }} | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| types: [opened, reopened, synchronize, labeled] | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: "Environment" | |
| required: true | |
| type: choice | |
| options: | |
| - test | |
| - preproduction | |
| - production | |
| permissions: | |
| contents: write | |
| deployments: write | |
| packages: write | |
| pull-requests: write | |
| jobs: | |
| build: | |
| name: Build | |
| env: | |
| DOCKER_IMAGE: ghcr.io/dfe-digital/check-childrens-barred-list | |
| outputs: | |
| docker_image: ${{ env.DOCKER_IMAGE }} | |
| image_tag: ${{ env.IMAGE_TAG }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| name: Checkout | |
| - name: Set environment variables (push, workflow_dispatch) | |
| if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| GIT_BRANCH=${GITHUB_REF##*/} | |
| echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV # GIT_BRANCH will be main for refs/heads/main | |
| echo "IMAGE_TAG=${{ github.sha }}" >> $GITHUB_ENV | |
| - name: Set environment variables (pull_request) | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| GIT_BRANCH=${GITHUB_HEAD_REF##*/} | |
| echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV | |
| echo "IMAGE_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV | |
| - name: Set KV environment variables | |
| if: github.actor != 'dependabot[bot]' | |
| run: | | |
| # tag build to the review env for vars and secrets | |
| tf_vars_file=terraform/aks/config/review.tfvars.json | |
| echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV | |
| echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: azure/login@v2 | |
| if: github.actor != 'dependabot[bot]' | |
| with: | |
| creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }} | |
| - uses: DFE-Digital/keyvault-yaml-secret@v1 | |
| if: github.actor != 'dependabot[bot]' | |
| id: get-secret | |
| with: | |
| keyvault: ${{ env.KEY_VAULT_NAME }} | |
| secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }} | |
| key: SNYK_TOKEN | |
| - name: Build Docker Image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| tags: | | |
| ${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}} | |
| ${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}} | |
| push: false | |
| load: true | |
| cache-to: type=inline | |
| cache-from: | | |
| type=registry,ref=${{env.DOCKER_IMAGE}}:main | |
| type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}} | |
| type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}} | |
| build-args: COMMIT_SHA=${{ env.IMAGE_TAG }} | |
| - name: Push ${{ env.DOCKER_IMAGE }} images for review | |
| if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }} | |
| run: docker image push --all-tags ${{ env.DOCKER_IMAGE }} | |
| - name: Run Snyk to check Docker image for vulnerabilities | |
| if: github.actor != 'dependabot[bot]' | |
| uses: snyk/actions/docker@master | |
| env: | |
| SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }} | |
| with: | |
| image: ${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }} | |
| args: --file=Dockerfile --severity-threshold=high --exclude-app-vulns | |
| - name: Push ${{ env.DOCKER_IMAGE }} images | |
| if: ${{ success() && !contains(github.event.pull_request.labels.*.name, 'deploy') }} | |
| run: docker image push --all-tags ${{ env.DOCKER_IMAGE }} | |
| deploy_review_app: | |
| name: Deployment To Review | |
| concurrency: deploy_review_${{ github.event.pull_request.number }} | |
| if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }} | |
| needs: [build] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Start review-${{ github.event.pull_request.number }} Deployment | |
| uses: bobheadxi/deployments@v1 | |
| id: deployment | |
| with: | |
| env: review-${{ github.event.pull_request.number }} | |
| ref: ${{ github.head_ref }} | |
| step: start | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Deploy App to Review | |
| id: deploy_review | |
| uses: ./.github/actions/deploy/ | |
| with: | |
| azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW }} | |
| environment: review | |
| pr-number: ${{ github.event.pull_request.number }} | |
| sha: ${{ needs.build.outputs.IMAGE_TAG }} | |
| - name: Update review-${{ github.event.pull_request.number }} status | |
| if: always() | |
| uses: bobheadxi/deployments@v1 | |
| with: | |
| env: review-${{ github.event.pull_request.number }} | |
| ref: ${{ github.head_ref }} | |
| step: finish | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| status: ${{ job.status }} | |
| deployment_id: ${{ steps.deployment.outputs.deployment_id }} | |
| env_url: ${{ steps.deploy_review.outputs.deploy-url }} | |
| set_matrix: | |
| name: Set deployment matrix | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| outputs: | |
| deployment_matrix: ${{ steps.set_matrix.outputs.deployment_matrix }} | |
| steps: | |
| - id: set_matrix | |
| run: | | |
| if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then | |
| DEPLOYMENT_MATRIX="{ 'environment': ['${{ github.event.inputs.environment }}'] }" | |
| else | |
| DEPLOYMENT_MATRIX="{ 'environment': ['test', 'preproduction'] }" | |
| fi | |
| echo "deployment_matrix=$DEPLOYMENT_MATRIX" >> $GITHUB_OUTPUT | |
| deploy_nonprod: | |
| name: Deploy to ${{ matrix.environment }} environment | |
| runs-on: ubuntu-latest | |
| needs: [build, set_matrix] | |
| if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch' | |
| concurrency: deploy_${{ matrix.environment }} | |
| strategy: | |
| fail-fast: false # this is necessary to prevent early terminiation of terraform deployments that will result in tfstate locks | |
| max-parallel: 3 | |
| matrix: ${{ fromJson(needs.set_matrix.outputs.deployment_matrix) }} | |
| environment: | |
| name: ${{ matrix.environment }} | |
| url: ${{ steps.deploy.outputs.url }} | |
| outputs: | |
| environment_name: ${{ matrix.environment }} | |
| environment_url: ${{ steps.deploy.outputs.url }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/deploy/ | |
| id: deploy | |
| with: | |
| azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} | |
| environment: ${{ matrix.environment }} | |
| sha: ${{ needs.build.outputs.IMAGE_TAG }} | |
| deploy_production: | |
| name: Deploy to production AKS environment | |
| needs: [build, deploy_nonprod] | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| environment: | |
| name: production | |
| url: ${{ steps.deploy.outputs.url }} | |
| concurrency: deploy_production | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/deploy | |
| id: deploy | |
| with: | |
| azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} | |
| environment: production | |
| sha: ${{ needs.build.outputs.IMAGE_TAG }} | |
| notify_slack_of_failures: | |
| name: Notify Slack of failures | |
| runs-on: ubuntu-latest | |
| needs: | |
| [build, deploy_review_app, set_matrix, deploy_nonprod, deploy_production] | |
| environment: ${{ needs.deploy_nonprod.outputs.environment_name || 'test' }} | |
| env: | |
| ENVIRONMENT_NAME: ${{ needs.deploy_nonprod.outputs.environment_name || 'test' }} | |
| if: failure() | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set Environment variables | |
| shell: bash | |
| working-directory: terraform | |
| run: | | |
| if ${{ needs.build_image.result == 'failure' }} | |
| then | |
| job=build_image | |
| elif ${{ needs.deploy_review_app.result == 'failure' }} | |
| then | |
| job=deploy_review_app | |
| review=true | |
| elif ${{ needs.set_matrix.result == 'failure' }} | |
| then | |
| job=set_matrix | |
| elif ${{ needs.deploy_nonprod.result == 'failure' }} | |
| then | |
| job=deploy_nonprod | |
| elif ${{ needs.deploy_production.result == 'failure' }} | |
| then | |
| job=deploy_production | |
| fi | |
| tf_vars_file=aks/config/${{ env.ENVIRONMENT_NAME }}.tfvars.json | |
| echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV | |
| echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV | |
| echo "JOB=${job}" >> $GITHUB_ENV | |
| echo "REVIEW=${review}" >> $GITHUB_ENV | |
| - uses: Azure/login@v2 | |
| with: | |
| creds: ${{ secrets.AZURE_CREDENTIALS }} | |
| - uses: DfE-Digital/keyvault-yaml-secret@v1 | |
| id: get_monitoring_secret | |
| with: | |
| keyvault: ${{ env.KEY_VAULT_NAME }} | |
| secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }} | |
| key: SLACK_WEBHOOK | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Notify Slack channel on job failure | |
| uses: rtCamp/action-slack-notify@v2 | |
| env: | |
| SLACK_USERNAME: CI Deployment | |
| SLACK_TITLE: Deployment of check-the-childrens-barred-list ${{ env.REVIEW && 'review' }} failed | |
| SLACK_MESSAGE: Job ${{ env.JOB }} failed | |
| SLACK_WEBHOOK: ${{ steps.get_monitoring_secret.outputs.SLACK_WEBHOOK }} | |
| SLACK_COLOR: failure | |
| SLACK_FOOTER: Sent from Build and Deploy workflow |