.github/workflows/deploy-pm4.yml

name: deploy-k8s
run-name: ${{ github.actor }} send deploy EKS 🚀
on:
  pull_request:
    types: [opened, reopened, synchronize, edited, closed]
  schedule:
    - cron: '30 2 * * *'  # run daily
  workflow_dispatch:
  workflow_call:
env:
  aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
  aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  aws-region: ${{ secrets.AWS_REGION }}
  AWS_URL: ${{ secrets.AWS_URL }}
  pull_req_id: ${{github.event.pull_request.number}}
  DATE: $(date -d '-1 day' '+%Y-%m-%d'|sed 's/-//g')
  CURRENT_DATE: $(date '+%Y-%m-%d %H:%M:%S'|sed 's/-//g')
  CI_PACKAGE_BRANCH: ${{ github.event.pull_request.head.ref || github.event.ref || 'develop' }}
  CI_PROJECT: ${{github.event.pull_request.head.repo.name || github.event.repository.name || 'processmaker' }}
  CI_PR_BODY: ${{ github.event_name == 'schedule' && 'No ci tags needed here' || github.event.pull_request.body }}
  IMAGE_TAG: $(echo "$CI_PROJECT-$CI_PACKAGE_BRANCH" | sed "s;/;-;g" | sed "s/refs-heads-//g")
  DEPLOY: ${{ secrets.DEPLOY }}
  GH_USER: ${{ secrets.GH_USER }}
  GH_EMAIL: ${{ secrets.GH_EMAIL }}
  GITHUB_COMMENT: ${{ secrets.GH_COMMENT }}
  DOM_EKS: ${{ secrets.DOM_EKS }}
  GITHUB_TOKEN: ${{ secrets.GIT_TOKEN }}
  BUILD_BASE: ${{ (contains(github.event.pull_request.body, 'ci:build-base') || github.event_name == 'schedule') && '1' || '0' }}
  BASE_IMAGE: ${{ secrets.REGISTRY_HOST }}/processmaker/processmaker:base
  K8S_BRANCH: ${{ contains(github.event.pull_request.body, 'ci:next') && 'next' || 'develop' }}
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
jobs:
  imageEKS:
    name: build-docker-image-EKS
    if: github.event.action != 'closed'
    runs-on: ${{ vars.RUNNER }}
    steps:
      - name: Set image name
        run: |
            RESOLVED_IMAGE_TAG=${{ env.IMAGE_TAG }}
            echo "IMAGE=${{ secrets.REGISTRY_HOST }}/processmaker/enterprise:$RESOLVED_IMAGE_TAG" >> $GITHUB_ENV
      - name: Clone repo K8S
        run: |
          echo "IMAGE: ${{ env.IMAGE }}"
          git clone --depth 1 -b "$K8S_BRANCH" "https://$GITHUB_TOKEN@github.com/ProcessMaker/pm4-k8s-distribution.git" pm4-k8s-distribution
      - name: Generate image EKS
        run: |
          cd pm4-k8s-distribution/images
          branch=$(echo "${{ env.CI_PACKAGE_BRANCH }}" | sed 's/refs-heads-//g') tag=${{env.IMAGE_TAG}} bash build.k8s-cicd.sh
          echo "VERSION=${{ env.IMAGE_TAG }}" >> $GITHUB_ENV
      - name: List Images
        run: |
          docker images
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: processmaker/enterprise:${{ env.VERSION }}
          format: 'table'
          exit-code: '0'
          ignore-unfixed: false
          vuln-type: 'os,library'
          scanners: 'vuln,secret'
          severity: 'MEDIUM,HIGH,CRITICAL'
        env:
          TRIVY_TIMEOUT: 30m
      - name: Login to Harbor
        uses: docker/login-action@v2
        with:
          registry: ${{ secrets.REGISTRY_HOST  }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Push Enterprise Image to Harbor
        run: |          
          docker tag processmaker/enterprise:${{env.IMAGE_TAG}} ${{ secrets.REGISTRY_HOST }}/processmaker/enterprise:${{env.IMAGE_TAG}}
          docker push ${{ secrets.REGISTRY_HOST }}/processmaker/enterprise:${{env.IMAGE_TAG}}
  deployEKS:
    name: build-deploy-EKS
    if: contains(github.event.pull_request.body, 'ci:deploy')
    needs: imageEKS
    runs-on: ${{ vars.RUNNER }}
    steps:
      - name: Clone private repository
        run: |
          git clone --depth 1 -b eng "https://$GITHUB_TOKEN@github.com/ProcessMaker/argocd.git" argocd
      - name: Install pm4-tools
        run: |
          git clone --depth 1 -b "$K8S_BRANCH" "https://$GITHUB_TOKEN@github.com/ProcessMaker/pm4-k8s-distribution.git" pm4-k8s-distribution     
          echo "versionHelm=$(grep "version:" "pm4-k8s-distribution/charts/enterprise/Chart.yaml" | awk '{print $2}' | sed 's/\"//g')" >> $GITHUB_ENV
          cd pm4-k8s-distribution/images/pm4-tools
          composer install --no-interaction
          cd ..
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID1 }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY1 }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Set up kubectl
        run: |
          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
          chmod +x kubectl
          sudo mv kubectl /usr/local/bin/
      - name: Authenticate with Amazon EKS
        run: aws eks update-kubeconfig --region us-east-1 --name pm4-eng
      - name: Deploy instance EKS
        run: |
          cd argocd 
          deploy=$(echo -n ${{env.IMAGE_TAG}} | md5sum | head -c 10)
          current_datetime=$(echo -n ${{env.CURRENT_DATE}} | md5sum | head -c 10)
          echo "NAMESPACE : ci-$deploy-ns-pm4"
          helm repo add processmaker ${{ secrets.HELM_REPO }} --username ${{ secrets.HELM_USERNAME }} --password ${{ secrets.HELM_PASSWORD }} && helm repo update
          if ! kubectl get namespace/ci-$deploy-ns-pm4 ; then 
            echo "Creating DB"
            sed -i "s/{{instance}}/ci-$deploy/" template-db.yaml
            kubectl apply -f template-db.yaml
            echo "Creating Deploy :: $deploy"
            #Sed PMAI
            if [[ $K8S_BRANCH == "develop" ]] ; then
              sed -i "s/{{pmai-system}}/pmai-system/" template-instance.yaml
            else
              sed -i "s/{{pmai-system}}/pmai-system-next/" template-instance.yaml
            fi
            sed -i "s/{{instance}}/ci-$deploy/" template-instance.yaml
            sed -i "s/{{image}}/${{env.IMAGE_TAG}}/" template-instance.yaml
            cat template-instance.yaml         
            helm install --timeout 60m -f template-instance.yaml ci-$deploy processmaker/enterprise
            #Add cert
            sed -i "s/{{instance}}/ci-$deploy/" template-cert.yaml
            sed -i "s/{{tls-crt}}/${{ secrets.TLS_CRT }}/" template-cert.yaml
            sed -i "s/{{tls-key}}/${{ secrets.TLS_KEY }}/" template-cert.yaml
            kubectl apply -f template-cert.yaml          
          else
            echo "Bouncing Instance  ";
            sed -i "s/{{instance}}/ci-$deploy/g" template-bounce.yaml
            sed -i "s/{{current_datetime}}/$current_datetime/g" template-bounce.yaml
            helm upgrade --timeout 60m ci-$deploy processmaker/enterprise --version ${{ env.versionHelm }}          
            kubectl apply -f template-bounce.yaml
          fi
          export INSTANCE_URL=https://ci-$deploy$DOM_EKS
          echo "INSTANCE_URL=${INSTANCE_URL}" >> "$GITHUB_ENV"
          ../pm4-k8s-distribution/images/pm4-tools/pm wait-for-instance-ready
      - name: Comment Instance
        run: |
          echo "Instance URL: '${INSTANCE_URL}'"
          bash argocd/gh_comment.sh "$CI_PROJECT" "$pull_req_id"
  runAPITest:
    name: Run API Tests
    needs: [deployEKS]
    if: contains(github.event.pull_request.body, 'ci:api-test')
    runs-on: self-hosted
    steps:
      - name: Clone private repository
        run: |
          git clone --depth 1 -b eng "https://$GITHUB_TOKEN@github.com/ProcessMaker/argocd.git" argocd
      - name: Install pm4-tools
        run: |
          git clone --depth 1 -b "$K8S_BRANCH" "https://$GITHUB_TOKEN@github.com/ProcessMaker/pm4-k8s-distribution.git" pm4-k8s-distribution     
          echo "versionHelm=$(grep "version:" "pm4-k8s-distribution/charts/enterprise/Chart.yaml" | awk '{print $2}' | sed 's/\"//g')" >> $GITHUB_ENV
          cd pm4-k8s-distribution/images/pm4-tools
          composer install --no-interaction
          cd ..
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID1 }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY1 }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Set up kubectl
        run: |
          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
          chmod +x kubectl
          sudo mv kubectl /usr/local/bin/
      - name: Authenticate with Amazon EKS
        run: aws eks update-kubeconfig --region us-east-1 --name pm4-eng
      - name: Run the API tests
        run: |
          cd argocd 
          deploy=$(echo -n ${{env.IMAGE_TAG}} | md5sum | head -c 10)
          namespace="ci-$deploy-ns-pm4"
          pr_body=$(jq -r .pull_request.body < "$GITHUB_EVENT_PATH" | base64)
          kubectl get pods --namespace=$namespace
          pod_names=$(kubectl get pods --namespace=$namespace --field-selector=status.phase=Running -o jsonpath="{.items[*].metadata.name}" | tr ' ' '\n' | grep -E '(-processmaker-scheduler-)')
          for pod in $pod_names; do
            code='
              has_processmaker=$(ls /opt | grep processmaker)
              has_sudo=$(ls /usr/bin | grep sudo)
              has_php=$(ls /usr/bin | grep php)
              if [ ! -z "$has_processmaker" ] && [ ! -z "$has_sudo" ] && [ ! -z "$has_php" ]; then
                echo $pr_body | base64 -d > /tmp/pr_body
                cd /opt/processmaker
                sudo -u nginx php artisan package-api-testing:run --body="$pr_body"
              else
                exit 1
              fi'
            kubectl exec -n $namespace $pod -- /bin/sh -c "pr_body='${pr_body}';${code}" | tee /tmp/comment.md && break || true
          done
          # Send the content of /tmp/comment.md as a PR comment
          MESSAGE=$(cat /tmp/comment.md)
          GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY=${{ github.repository }}
          PR_NUMBER=$(jq -r .number < "$GITHUB_EVENT_PATH")

          if [ -z "$PR_NUMBER" ]; then
              echo "The PR number is not available. Make sure this script is executed in a context of Pull Request."
              exit 1
          fi

          URL="https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments"
          json_payload=$(jq -n --arg message "$MESSAGE" '{"body": $message}')

          curl -s \
               -H "Authorization: token ${GITHUB_TOKEN}" \
               -H "Accept: application/vnd.github.v3+json" \
               -d "$json_payload" \
               "${URL}"
  deleteEKS:
    name: Delete Instance
    if: github.event.action == 'closed'
    runs-on: self-hosted
    steps:
      - name: Delete instance EKS
        run: |           
          deploy=$(echo -n ${{env.IMAGE_TAG}} | md5sum | head -c 10)
          if kubectl get namespace/ci-$deploy-ns-pm4 ; then
            echo "Deleting Instace :: ci-$deploy"
            helm delete ci-$deploy
            kubectl delete namespace ci-$deploy-ns-pm4
            #Drop database
            deploy_db="\`pm4_ci-$deploy\`"
            deploy_ai="\`pm4_ci-${deploy}_ai\`" 
            mysql -u${{ secrets.USER_MYSQL_ENG }} -p${{ secrets.PASS_MYSQL_ENG }} -e "DROP DATABASE $deploy_db" -h ${{ secrets.RDS_ENG }}
            mysql -u${{ secrets.USER_MYSQL_ENG }} -p${{ secrets.PASS_MYSQL_ENG }} -e "DROP DATABASE $deploy_ai" -h ${{ secrets.RDS_ENG }}
            #Drop image Harbor        
            curl -X DELETE -u ${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_PASSWORD }} "https://${{ secrets.REGISTRY_HOST }}/api/v2.0/projects/processmaker/repositories/enterprise/artifacts/${{env.IMAGE_TAG}}"
            echo "The instance [https://ci-$deploy.engk8s.processmaker.net] was deleted!!"
          else
            echo "The pull request does not have an instance on K8s [https://ci-$deploy.engk8s.processmaker.net] not found!!"
          fi
  runPhpUnit:
    name: run-phpunit
    if: github.event.action != 'closed'
    needs: imageEKS
    runs-on: ${{ vars.RUNNER }}
    steps:
      - name: Export Params
        run: |
          echo "IMAGE=${{ secrets.REGISTRY_HOST }}/processmaker/enterprise:${{env.IMAGE_TAG}}" >> $GITHUB_ENV
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Clone repo K8S
        run: |
          echo "IMAGE: ${{ env.IMAGE }}"
          git clone --depth 1 -b "$K8S_BRANCH" "https://$GITHUB_TOKEN@github.com/ProcessMaker/pm4-k8s-distribution.git" pm4-k8s-distribution
      - name: Login to Harbor
        uses: docker/login-action@v2
        with:
          registry: ${{ secrets.REGISTRY_HOST  }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: PHPUnits
        run: |          
          cd pm4-k8s-distribution/images/pm4-tools
          docker pull $IMAGE
          docker compose down -v
          docker compose build phpunit
          docker compose run phpunit
          CONTAINER_ID=$(docker ps -a --filter ancestor=pm4-eks-phpunit:latest --format "{{.ID}}" | head -n 1)
          docker cp $CONTAINER_ID:/opt/processmaker/coverage.xml coverage.xml
      - name: Archive code coverage
        uses: actions/upload-artifact@v4
        with:
          name: code-coverage
          path: ./pm4-k8s-distribution/images/pm4-tools/coverage.xml
      - name: SonarQube Coverage Report
        uses: sonarsource/sonarqube-scan-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        with:
          args: >
            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
            -Dsonar.sources=.
            -Dsonar.tests=.
            -Dsonar.test.inclusions=**/*Test.php
            -Dsonar.php.coverage.reportPaths=./pm4-k8s-distribution/images/pm4-tools/coverage.xml