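name: Deploy

# NOTE(review): every third-party action below is pinned to a floating major
# tag (@v4, @v6). Pinning each `uses:` to a full commit SHA would protect the
# pipeline against a retagged or compromised release; tags are kept as-is here.
on:
  push:
    branches:
      - "*"
      - "!skipci*"
      # NOTE(review): upload-reports pushes a gh-pages branch that also matches
      # "*"; consider excluding it so a manual push there never deploys a
      # stage named "gh-pages".

# One run per branch at a time. The WAF allow-list that register-runner opens
# and cleanup closes is keyed on the branch name, so concurrent runs for the
# same branch would race on it. Do not add cancel-in-progress without checking
# that a cancelled run cannot leave that list populated.
concurrency:
  group: ${{ github.ref_name }}

# Workflow-level grants apply to every job that does not override them.
# `contents: write` is needed only by upload-reports (it pushes the gh-pages
# branch); `id-token: write` only by jobs that assume an AWS role via OIDC.
# Jobs whose steps are fully visible below narrow these with their own
# `permissions:` block. TODO(review): once `./run deploy` and the other
# repo-local scripts are confirmed not to use GITHUB_TOKEN, move the remaining
# grants onto `deploy` and `upload-reports` and drop them from this level.
permissions:
  id-token: write
  contents: write
  pages: write
  actions: read

jobs:
  unit-tests:
    name: Unit Tests
    runs-on: ubuntu-latest
    # Checks out code, runs tests, uploads artifacts: no OIDC, no repo writes.
    # Widen only if a repo-local script turns out to need GITHUB_TOKEN.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: set variable values
        run: ./.github/build-vars.sh set_values
        env:
          CODE_CLIMATE_ID: ${{ secrets.CODE_CLIMATE_ID }}
      - uses: actions/setup-node@v4
        with:
          node-version-file: ".nvmrc"
      - uses: actions/cache@v4
        with:
          path: |
            **/node_modules
            ~/.cache/Cypress
          key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock', 'plugins/**') }}
      - name: set path
        run: |
          echo "PATH=$(pwd)/node_modules/.bin/:$PATH" >> "$GITHUB_ENV"
      - name: run unit tests
        run: ./scripts/test-unit.sh
      - name: publish test coverage to code climate
        # Relies on build-vars.sh set_values exporting CODE_CLIMATE_ID to
        # GITHUB_ENV (presumably; the script is not visible here).
        if: env.CODE_CLIMATE_ID != ''
        uses: paambaati/codeclimate-action@v6
        env:
          CC_TEST_REPORTER_ID: ${{ secrets.CODE_CLIMATE_ID }}
        with:
          coverageLocations: |
            ${{github.workspace}}/services/app-api/coverage/lcov.info:lcov
            ${{github.workspace}}/services/ui-src/coverage/lcov.info:lcov
      - name: Store unit test results
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: unit-test-results
          path: |
            ${{github.workspace}}/services/app-api/coverage/lcov.info
            ${{github.workspace}}/services/ui-src/coverage/lcov.info
          retention-days: 14

  deploy:
    needs: unit-tests
    runs-on: ubuntu-latest
    env:
      SLS_DEPRECATION_DISABLE: "*" # Turn off deprecation warnings in the pipeline
    steps:
      - uses: actions/checkout@v4
      # Some integrations (Snyk) build very long branch names; setBranchName.sh
      # shortens them. The ref name is handed over through the environment
      # instead of being expanded into the script text, so it is never parsed
      # as shell (GitHub's script-injection guidance).
      - name: set branch_name
        env:
          GIT_REF_NAME: ${{ github.ref_name }}
        run: |
          BRANCH_NAME=$(./.github/setBranchName.sh "$GIT_REF_NAME")
          echo "branch_name=${BRANCH_NAME}" >> "$GITHUB_ENV"
      # Validate the same stage name that the deploy step uses. Without
      # STAGE_PREFIX in this step's env the prefix was empty here (set_values
      # has not run yet) and only the bare branch name was checked.
      - name: Validate branch name
        env:
          STAGE_PREFIX: ${{ secrets.STAGE_PREFIX }}
        run: ./.github/branch-name-validation.sh "$STAGE_PREFIX$branch_name"
      # `id: set_names` is required for the BRANCH_SPECIFIC_VARNAME_* job
      # outputs at the bottom of this job to resolve; without it they were
      # always empty. TODO(review): confirm build-vars.sh set_names also writes
      # these names to GITHUB_OUTPUT, not only to GITHUB_ENV.
      - name: set branch specific variable names
        id: set_names
        run: ./.github/build-vars.sh set_names
      - name: set variable values
        run: ./.github/build-vars.sh set_values
        env:
          AWS_DEFAULT_REGION: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }}
          AWS_OIDC_ROLE_TO_ASSUME: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }}
          STAGE_PREFIX: ${{ secrets.STAGE_PREFIX }}
          CODE_CLIMATE_ID: ${{ secrets.CODE_CLIMATE_ID }}
      - name: Configure AWS credentials for GitHub Actions
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.AWS_OIDC_ROLE_TO_ASSUME }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
      - uses: actions/setup-node@v4
        with:
          node-version-file: ".nvmrc"
      - uses: actions/cache@v4
        with:
          path: |
            **/node_modules
            ~/.cache/Cypress
          key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock', 'plugins/**') }}
      - name: set path
        run: |
          echo "PATH=$(pwd)/node_modules/.bin/:$PATH" >> "$GITHUB_ENV"
      - name: deploy
        run: |
          # When deploying multiple copies of this quickstart to the same AWS Account (not ideal), a prefix helps prevent stepping on each other.
          # This can optionally be set as an GitHub Actions Secret
          ./run deploy --stage "$STAGE_PREFIX$branch_name"
      - id: endpoint
        working-directory: services
        run: |
          APPLICATION_ENDPOINT=$(./output.sh ui ApplicationEndpointUrl "$STAGE_PREFIX$branch_name")
          echo "application_endpoint=$APPLICATION_ENDPOINT" >> "$GITHUB_OUTPUT"
          echo "## Application Endpoint" >> "$GITHUB_STEP_SUMMARY"
          echo "<$APPLICATION_ENDPOINT>" >> "$GITHUB_STEP_SUMMARY"
    outputs:
      application_endpoint: ${{ steps.endpoint.outputs.application_endpoint}}
      BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION: ${{ steps.set_names.outputs.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION }}
      BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME: ${{ steps.set_names.outputs.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME }}

  register-runner:
    # Allow-lists GitHub-hosted runner egress ranges in the stage's WAF IP set
    # so the test jobs below can reach the deployed app.
    # NOTE(review): the `actions` ranges served by api.github.com/meta are
    # shared by every GitHub-hosted runner, not only this repository, so the
    # stage is reachable from any Actions workflow anywhere until `cleanup`
    # empties the set again.
    name: Register GitHub Runner
    if: ${{ github.ref_name != 'main' && github.ref_name != 'val' && github.ref_name != 'production' }}
    runs-on: ubuntu-latest
    needs: deploy
    # Assumes an AWS role via OIDC and reads the repo; nothing here writes to
    # GitHub. The /meta endpoint is public, so a read-only token suffices.
    permissions:
      id-token: write
      contents: read
    env:
      SLS_DEPRECATION_DISABLE: "*" # Turn off deprecation warnings in the pipeline
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: set branch_name
        env:
          GIT_REF_NAME: ${{ github.ref_name }}
        run: |
          BRANCH_NAME=$(./.github/setBranchName.sh "$GIT_REF_NAME")
          echo "branch_name=${BRANCH_NAME}" >> "$GITHUB_ENV"
      - name: set branch specific variable names
        id: set_names
        run: ./.github/build-vars.sh set_names
      - name: set variable values
        id: set_values
        run: ./.github/build-vars.sh set_values
        env:
          AWS_DEFAULT_REGION: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }}
          AWS_OIDC_ROLE_TO_ASSUME: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }}
          STAGE_PREFIX: ${{ secrets.STAGE_PREFIX }}
      - name: Configure AWS credentials for GitHub Actions
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }}
          aws-region: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }}
      - name: output account id
        id: output_account_id
        run: |
          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
          echo "Current Account ID: ${AWS_ACCOUNT_ID}"
      # The token is passed through the environment instead of being expanded
      # into the script body. --fail makes an HTTP error abort the step instead
      # of feeding an error page to jq and publishing an empty CIDR list.
      - name: Get Github Actions CIDR Blocks
        id: get-gha-cidrs
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          GHA_RESP=$(curl --silent --show-error --fail \
            --header "authorization: Bearer ${GH_TOKEN}" \
            https://api.github.com/meta)
          echo "Response for GHA runner CIDR blocks: $GHA_RESP"
          # Entries containing ':' are IPv6 and are dropped, as before
          # (presumably the target IP set is IPV4; confirm against the stack).
          IPV4_CIDR_ARR=($(jq -r '.actions[]' <<< "$GHA_RESP" | grep -v ':'))
          # Space-joined so the consumer can word-split it back into arguments.
          GHA_CIDRS_IPV4="${IPV4_CIDR_ARR[*]}"
          echo "GHA_CIDRS_IPV4=$GHA_CIDRS_IPV4" >> "$GITHUB_OUTPUT"
      - name: Generate IP Set Name
        id: gen-ip-set-name
        run: |
          STAGE_GH_IPSET_NAME="${STAGE_PREFIX}${branch_name}-gh-ipset"
          echo "Github IP Set name: $STAGE_GH_IPSET_NAME"
          echo "STAGE_GH_IPSET_NAME=$STAGE_GH_IPSET_NAME" >> "$GITHUB_OUTPUT"
      - name: Fetch AWS IP Set Metadata
        id: fetch-ip-set-info
        env:
          IPSET_NAME: ${{ steps.gen-ip-set-name.outputs.STAGE_GH_IPSET_NAME }}
        run: |
          # NOTE(review): list-ip-sets is paginated (NextMarker); an account with
          # many CLOUDFRONT-scoped sets could miss this one in the first page.
          AWS_IP_SET_INFO=$(aws wafv2 list-ip-sets --scope=CLOUDFRONT)
          echo "Outputting AWS IP Set Info: ${AWS_IP_SET_INFO}"
          # The name is branch-derived, so it goes to jq as --arg rather than
          # being spliced into the filter string.
          IPSET=$(jq --arg name "$IPSET_NAME" '.IPSets[] | select(.Name == $name)' <<< "${AWS_IP_SET_INFO}")
          if [ -z "$IPSET" ]; then
            echo "IP Set with name ${IPSET_NAME} was not located. Exiting..."
            exit 1
          fi
          echo "IP Set metadata: ${IPSET}"
          # IPSET_ARN used to be written to the output without ever being
          # assigned, so the IPSET_ARN output was always empty.
          IPSET_ARN=$(jq -r '.ARN' <<< "${IPSET}")
          IPSET_ID=$(jq -r '.Id' <<< "${IPSET}")
          {
            echo "IPSET_ARN=$IPSET_ARN"
            echo "IPSET_NAME=$IPSET_NAME"
            echo "IPSET_ID=$IPSET_ID"
          } >> "$GITHUB_OUTPUT"
      # GHA_CIDRS_IPV4 is a space-separated list and is deliberately left
      # unquoted so each CIDR reaches waf-controller.sh as its own argument,
      # exactly as the previous inline ${{ }} expansion did.
      - name: Update IP Set
        id: update-ip-set
        env:
          AWS_RETRY_MODE: adaptive
          AWS_MAX_ATTEMPTS: "10"
          IPSET_NAME: ${{ steps.fetch-ip-set-info.outputs.IPSET_NAME }}
          IPSET_ID: ${{ steps.fetch-ip-set-info.outputs.IPSET_ID }}
          GHA_CIDRS_IPV4: ${{ steps.get-gha-cidrs.outputs.GHA_CIDRS_IPV4 }}
        run: ./.github/waf-controller.sh set "$IPSET_NAME" "$IPSET_ID" $GHA_CIDRS_IPV4
    outputs:
      ipset_name: ${{ steps.fetch-ip-set-info.outputs.IPSET_NAME }}
      ipset_id: ${{ steps.fetch-ip-set-info.outputs.IPSET_ID }}

  e2e-test:
    name: E2E Integration Tests
    needs:
      - deploy
      - register-runner
    # Runs even if register-runner failed, as long as the deploy succeeded.
    if: ${{ always() && !cancelled() && needs.deploy.result == 'success' && github.ref_name != 'production' }}
    runs-on: ubuntu-latest
    # Checkout + Cypress + artifact upload only; no token-based writes.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Cypress Tests
        uses: cypress-io/github-action@v6
        with:
          working-directory: tests
          spec: |
            cypress/e2e/*.cy.js
            cypress/e2e/admin/*.cy.js
            cypress/e2e/mcpar/*.cy.js
            cypress/e2e/mlr/*.cy.js
          browser: chrome
          config: baseUrl=${{ needs.deploy.outputs.application_endpoint }}
          wait-on: ${{ needs.deploy.outputs.application_endpoint }}
          env: true
        env:
          CYPRESS_STATE_USER_EMAIL: ${{ secrets.CYPRESS_STATE_USER_EMAIL }}
          CYPRESS_STATE_USER_PASSWORD: ${{ secrets.CYPRESS_STATE_USER_PASSWORD }}
          CYPRESS_ADMIN_USER_EMAIL: ${{ secrets.CYPRESS_ADMIN_USER_EMAIL }}
          CYPRESS_ADMIN_USER_PASSWORD: ${{ secrets.CYPRESS_ADMIN_USER_PASSWORD }}
      - name: Upload screenshots
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: cypress-test-results
          path: |
            ${{github.workspace}}/tests/cypress/screenshots/
            ${{github.workspace}}/tests/cypress/videos/
          retention-days: 14

  a11y-tests:
    name: E2E A11y Tests
    needs:
      - deploy
      - register-runner
    if: ${{ always() && !cancelled() && needs.deploy.result == 'success' && github.ref_name != 'production' }}
    runs-on: ubuntu-latest
    # Checkout + Cypress + artifact upload only; no token-based writes.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check Project A11y
        uses: cypress-io/github-action@v6
        with:
          working-directory: tests
          spec: cypress/e2e/accessibility/*.cy.js
          browser: chrome
          config: baseUrl=${{ needs.deploy.outputs.application_endpoint }}
          wait-on: ${{ needs.deploy.outputs.application_endpoint }}
          env: true
        env:
          CYPRESS_STATE_USER_EMAIL: ${{ secrets.CYPRESS_STATE_USER_EMAIL }}
          CYPRESS_STATE_USER_PASSWORD: ${{ secrets.CYPRESS_STATE_USER_PASSWORD }}
          CYPRESS_ADMIN_USER_EMAIL: ${{ secrets.CYPRESS_ADMIN_USER_EMAIL }}
          CYPRESS_ADMIN_USER_PASSWORD: ${{ secrets.CYPRESS_ADMIN_USER_PASSWORD }}
          RUN_PA11Y: true
      - name: Upload screenshots
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: a11y-test-results
          path: |
            ${{github.workspace}}/tests/cypress/screenshots/
            ${{github.workspace}}/tests/cypress/videos/
          retention-days: 14

  test:
    name: Playwright Tests
    needs:
      - deploy
      - register-runner
      - e2e-test
      - a11y-tests
    if: ${{ always() && !cancelled() && needs.deploy.result == 'success' && github.ref_name != 'production' }}
    timeout-minutes: 60
    runs-on: ubuntu-latest
    # Assumes an AWS role via OIDC; no GitHub writes.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      # Resolve the branch-specific secret names the same way register-runner
      # does. Previously env.BRANCH_SPECIFIC_VARNAME_* was never set in this
      # job, so the `secrets[...]` lookups below always fell back to the
      # default role/region.
      - name: set branch_name
        env:
          GIT_REF_NAME: ${{ github.ref_name }}
        run: |
          BRANCH_NAME=$(./.github/setBranchName.sh "$GIT_REF_NAME")
          echo "branch_name=${BRANCH_NAME}" >> "$GITHUB_ENV"
      - name: set branch specific variable names
        id: set_names
        run: ./.github/build-vars.sh set_names
      - name: Configure AWS credentials for GitHub Actions
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }}
          aws-region: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }}
      - uses: actions/setup-node@v4
        with:
          node-version-file: ".nvmrc"
      - name: yarn install
        run: yarn install
      - name: yarn install tests
        run: yarn install
        working-directory: tests
      - name: Install Playwright Browsers
        run: yarn playwright install --with-deps
        working-directory: tests
      # continue-on-error means a Playwright failure never fails this job or
      # the workflow; the result is only visible in the published report.
      - name: Run Playwright tests
        run: yarn playwright test
        working-directory: tests
        continue-on-error: true
        env:
          BASE_URL: ${{ needs.deploy.outputs.application_endpoint }}
          TEST_STATE_USER_EMAIL: ${{ secrets.CYPRESS_STATE_USER_EMAIL }}
          TEST_STATE_USER_PASSWORD: ${{ secrets.CYPRESS_STATE_USER_PASSWORD }}
          TEST_ADMIN_USER_EMAIL: ${{ secrets.CYPRESS_ADMIN_USER_EMAIL }}
          TEST_ADMIN_USER_PASSWORD: ${{ secrets.CYPRESS_ADMIN_USER_PASSWORD }}
      - uses: actions/upload-artifact@v4
        if: ${{ !cancelled() }}
        with:
          name: playwright-html-report # upload artifact as this name
          # path: playwright-report/index.html # path on runner
          path: tests/playwright-report # path on runner
          retention-days: 30

  upload-reports:
    name: Upload Reports
    needs:
      - test
    # Skip when `test` itself was skipped (e.g. deploy failed): the artifact
    # would not exist and download-artifact would fail this job.
    if: ${{ always() && !cancelled() && needs.test.result != 'skipped' && github.ref_name != 'production' }}
    runs-on: ubuntu-latest
    outputs:
      timestamp: ${{ steps.timestampid.outputs.timestamp }}
    steps:
      # create a unique folder name to put playwright reports in
      - name: Set a Timestamp
        id: timestampid
        run: echo "timestamp=$(date --utc +%Y%m%d_%H%M%SZ)" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: ".nvmrc"
      - name: Install dependencies
        run: yarn install
      # downloads artifact created from the test job
      - name: Download reports from GitHub Actions Artifacts
        uses: actions/download-artifact@v4
        with:
          name: playwright-html-report # download from previous job
          path: downloaded-html-report # save as this when downloaded
      # NOTE(review): this publishes the Playwright HTML report to GitHub Pages,
      # which is world-readable on a public repository. Confirm the report
      # (screenshots, traces, request logs) cannot contain the test-user
      # credentials or other stage data before relying on this.
      - name: Push files to github pages
        uses: peaceiris/actions-gh-pages@v4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./downloaded-html-report # publish downloaded dir to github pages
          destination_dir: ${{ steps.timestampid.outputs.timestamp }}
      # need to extract just org name for reassembling the github pages URL
      - name: Extract Organization Name
        id: extract-org
        run: |
          echo "ORG_NAME=$(echo "$GITHUB_REPOSITORY" | cut -d'/' -f1)" >> "$GITHUB_ENV"
          echo "org name: ${ORG_NAME}"
      # need to extract just the repo name for reassembling the github pages URL
      - name: Extract Repository Name
        id: extract-repo
        run: |
          echo "REPO_NAME=$(echo "$GITHUB_REPOSITORY" | cut -d'/' -f2)" >> "$GITHUB_ENV"
          echo "repo name: ${REPO_NAME}"
      # assembles org name, repo name, and unique timestamp to link to github pages url that was published
      - name: Write URL in Summary
        run: |
          echo "## Playwright Test Results" >> "$GITHUB_STEP_SUMMARY"
          echo "https://${ORG_NAME}.github.io/${REPO_NAME}/${{ steps.timestampid.outputs.timestamp }}/" >> "$GITHUB_STEP_SUMMARY"

  cleanup:
    name: Delist GHA Runner CIDR Blocks
    # always(): the WAF allow-list must be emptied even when a test job fails.
    # Without it a failing e2e/a11y/playwright job skipped this job and left
    # the GitHub runner ranges in the IP set until the next successful run.
    # Guarded on register-runner succeeding so it never runs on a set it did
    # not populate (register-runner is skipped on main/val/production).
    if: ${{ always() && needs.register-runner.result == 'success' && github.ref_name != 'main' && github.ref_name != 'val' && github.ref_name != 'production' }}
    runs-on: ubuntu-latest
    needs:
      - register-runner
      - a11y-tests
      - e2e-test
      - test
    # Assumes an AWS role via OIDC; no GitHub writes.
    permissions:
      id-token: write
      contents: read
    env:
      SLS_DEPRECATION_DISABLE: "*" # Turn off deprecation warnings in the pipeline
    steps:
      - uses: actions/checkout@v4
      # Resolve the branch-specific role/region exactly as register-runner did,
      # so the reset targets the same account the set was populated in.
      # Previously env.BRANCH_SPECIFIC_VARNAME_* was never set here and the
      # default role was always assumed.
      - name: set branch_name
        env:
          GIT_REF_NAME: ${{ github.ref_name }}
        run: |
          BRANCH_NAME=$(./.github/setBranchName.sh "$GIT_REF_NAME")
          echo "branch_name=${BRANCH_NAME}" >> "$GITHUB_ENV"
      - name: set branch specific variable names
        id: set_names
        run: ./.github/build-vars.sh set_names
      - name: Configure AWS credentials for GitHub Actions
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }}
          aws-region: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }}
      - name: output account id
        id: output_account_id
        run: |
          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
          echo "Current Account ID: ${AWS_ACCOUNT_ID}"
      # '[]' empties the set; the name/id come from register-runner's outputs
      # and are passed via env rather than expanded into the command line.
      - name: cleanup-ip-list
        id: reset-ip-set
        env:
          AWS_RETRY_MODE: adaptive
          AWS_MAX_ATTEMPTS: "10"
          IPSET_NAME: ${{ needs.register-runner.outputs.ipset_name }}
          IPSET_ID: ${{ needs.register-runner.outputs.ipset_id }}
        run: ./.github/waf-controller.sh set "$IPSET_NAME" "$IPSET_ID" '[]'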