Skip to content

MLPAB-2276 - don't use ci role for state access (#1342) #1211

MLPAB-2276 - don't use ci role for state access (#1342)

MLPAB-2276 - don't use ci role for state access (#1342) #1211

name: "Path To Live"
on:
push:
branches:
- main
permissions:
id-token: write
contents: write
security-events: write
pull-requests: write
actions: none
checks: none
deployments: none
issues: write
packages: none
repository-projects: none
statuses: none
defaults:
run:
shell: bash
jobs:
create_tags:
name: Create Tags
uses: ./.github/workflows/tags_job.yml
with:
changes_detected: 'true'
go_unit_tests:
name: Run Go unit tests
uses: ./.github/workflows/go-unit-tests.yml
needs: [create_tags]
with:
tag: ${{ needs.create_tags.outputs.version_tag }}
commit_sha: ${{ github.sha }}
branch: 'main'
secrets:
pact_broker_password: ${{ secrets.PACT_BROKER_PASSWORD }}
codecov_token: ${{ secrets.CODECOV_TOKEN }}
docker_build_scan_push:
name: Docker Build, Scan and Push
uses: ./.github/workflows/docker_job.yml
needs: [go_unit_tests,create_tags]
with:
tag: ${{ needs.create_tags.outputs.version_tag }}
terraform_account_workflow_development:
name: TF Apply Dev Account
uses: ./.github/workflows/terraform_account_job.yml
with:
workspace_name: development
secrets:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
terraform_account_workflow_preproduction:
name: TF Apply Preprod Account
needs: terraform_account_workflow_development
uses: ./.github/workflows/terraform_account_job.yml
with:
workspace_name: preproduction
secrets:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
preproduction_deploy:
name: Preproduction Deploy
needs: [create_tags, terraform_account_workflow_preproduction, docker_build_scan_push]
uses: ./.github/workflows/terraform_environment_job.yml
with:
workspace_name: preproduction
version_tag: ${{ needs.create_tags.outputs.version_tag }}
s3_av_scanner_zip_tag: ${{ needs.create_tags.outputs.s3_av_scanner_zip_tag }}
secrets:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
ssh_deploy_key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }}
github_access_token: ${{ secrets.GITHUB_TOKEN }}
pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
ui_tests_preproduction_env:
name: Run Cypress UI Tests On Preproduction Environment
uses: ./.github/workflows/ui_test_job.yml
needs: [preproduction_deploy, create_tags]
with:
run_against_image: false
base_url: "https://${{ needs.preproduction_deploy.outputs.url }}"
tag: ${{ needs.create_tags.outputs.version_tag }}
environment_config_json: ${{ needs.preproduction_deploy.outputs.environment_config_json }}
specs: 'cypress/smoke/*.cy.js'
secrets:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
cypress_record_key: ${{ secrets.CYPRESS_RECORD_KEY }}
github_access_token: ${{ secrets.GITHUB_TOKEN }}
test_onelogin_basic_auth: ${{ secrets.TEST_ONELOGIN_BASIC_AUTH }}
test_onelogin_totp_key: ${{ secrets.TEST_ONELOGIN_TOTP_KEY }}
test_onelogin_password: ${{ secrets.TEST_ONELOGIN_PASSWORD }}
preproduction_deploy_complete:
name: Preproduction Deployment
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: preproduction
needs: [ui_tests_preproduction_env]
steps:
- name: Complete
run: |
echo "preproduction environment tested, built and deployed"
always_remove_ingress:
name: Remove CI ingress from environment
if: ${{ always() }}
uses: ./.github/workflows/remove_ingress_job.yml
needs: [ui_tests_preproduction_env, preproduction_deploy]
with:
environment_config_json: ${{ needs.preproduction_deploy.outputs.environment_config_json }}
secrets:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
terraform_account_workflow_production:
name: TF Apply Prod Account
needs: [preproduction_deploy_complete]
uses: ./.github/workflows/terraform_account_job.yml
with:
workspace_name: production
secrets:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
production_deploy:
name: Production Deploy
needs: [create_tags, terraform_account_workflow_production, docker_build_scan_push]
uses: ./.github/workflows/terraform_environment_job.yml
with:
workspace_name: production
version_tag: ${{ needs.create_tags.outputs.version_tag }}
public_access_enabled: false
s3_av_scanner_zip_tag: ${{ needs.create_tags.outputs.s3_av_scanner_zip_tag }}
secrets:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
ssh_deploy_key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }}
github_access_token: ${{ secrets.GITHUB_TOKEN }}
pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
demo_deploy:
name: Production Deploy
needs: [create_tags, terraform_account_workflow_production, docker_build_scan_push]
uses: ./.github/workflows/terraform_environment_job.yml
with:
workspace_name: demo
version_tag: ${{ needs.create_tags.outputs.version_tag }}
public_access_enabled: false
s3_av_scanner_zip_tag: ${{ needs.create_tags.outputs.s3_av_scanner_zip_tag }}
secrets:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
ssh_deploy_key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }}
github_access_token: ${{ secrets.GITHUB_TOKEN }}
pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
end_of_main_workflow:
name: End of Main Workflow
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: production
needs: [production_deploy]
steps:
- name: End of Path to Live Workflow
run: |
echo "production environment tested, built and deployed"