chore: add github workflow

.bin/commands.sh

@@ -17,6 +17,8 @@ function Help() {
    echo "  seed:update                                Update seed using a database"
    echo "  seed:apply                                 Apply seed to a database"
    echo "  seed:es                                    Seed Elasticsearch with data"
+   echo "  deploy:log:encrypt                         Encrypt Github ansible logs"
+   echo "  deploy:log:dencrypt                        Decrypt Github ansible logs"
    echo
    echo
 }
@@ -74,3 +76,11 @@ function seed:es() {
   "${SCRIPT_DIR}/seed-es.sh" "$@"
 }
 
+function deploy:log:encrypt() {
+  "${SCRIPT_DIR}/deploy-log-encrypt.sh" "$@"
+}
+
+function deploy:log:decrypt() {
+  "${SCRIPT_DIR}/deploy-log-decrypt.sh" "$@"
+}
+

.bin/scripts/deploy-log-decrypt.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [ -z "${1:-}" ]; then
+  read -p "Veuillez renseigner l'ID du run: " RUN_ID
+else
+    readonly RUN_ID="$1"
+    shift
+fi
+
+if [[ -z "${ANSIBLE_VAULT_PASSWORD_FILE:-}" ]]; then
+  ansible_extra_opts+=("--vault-password-file" "${SCRIPT_DIR}/get-vault-password-client.sh")
+else
+  echo "Récupération de la passphrase depuis l'environnement variable ANSIBLE_VAULT_PASSWORD_FILE" 
+fi
+
+readonly PASSPHRASE="$ROOT_DIR/.bin/SEED_PASSPHRASE.txt"
+readonly VAULT_FILE="${ROOT_DIR}/.infra/vault/vault.yml"
+
+delete_cleartext() {
+  rm -f "$PASSPHRASE"
+}
+trap delete_cleartext EXIT
+
+
+rm -f /tmp/deploy_error.log.gpg
+
+gh run download "$RUN_ID" -n error-logs -D /tmp
+
+ansible-vault view "${ansible_extra_opts[@]}" "$VAULT_FILE" | yq '.vault.SEED_GPG_PASSPHRASE' > "$PASSPHRASE"
+
+gpg -d --batch --passphrase-file "$PASSPHRASE" /tmp/deploy_error.log.gpg

.bin/scripts/deploy-log-encrypt.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ -z "${ANSIBLE_VAULT_PASSWORD_FILE:-}" ]]; then
+  ansible_extra_opts+=("--vault-password-file" "${SCRIPT_DIR}/get-vault-password-client.sh")
+else
+  echo "Récupération de la passphrase depuis l'environnement variable ANSIBLE_VAULT_PASSWORD_FILE" 
+fi
+
+readonly PASSPHRASE="$ROOT_DIR/.bin/SEED_PASSPHRASE.txt"
+readonly VAULT_FILE="${ROOT_DIR}/.infra/vault/vault.yml"
+
+delete_cleartext() {
+  rm -f "$PASSPHRASE"
+}
+trap delete_cleartext EXIT
+
+ansible-vault view "${ansible_extra_opts[@]}" "$VAULT_FILE" | yq '.vault.SEED_GPG_PASSPHRASE' > "$PASSPHRASE"
+
+# Make sur the file exists
+touch /tmp/deploy_error.log
+gpg  -c --cipher-algo twofish --batch --passphrase-file "$PASSPHRASE" -o /tmp/deploy_error.log.gpg /tmp/deploy_error.log

.bin/zsh-completion

@@ -16,6 +16,8 @@ _mna-lba_completion() {
    "seed\:update:'Update seed using a database'"
    "seed\:apply:'Apply seed to a database'"
    "seed\:es:'Seed ElasticSearch with data'"
+   "deploy\:log\:encrypt:'Encrypt Github ansible logs'"
+   "deploy\:log\:dencrypt:'Decrypt Github ansible logs'"
   )
 
   # Set completion behavior based on the current word

.github/workflows/_deploy.yml

@@ -0,0 +1,113 @@
+name: Deployment
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: The environment to deploy to
+        type: choice
+        required: true
+        options:
+          - production
+          - recette
+      app_version:
+        description: app version
+        type: string
+        required: true
+        default: latest
+  workflow_call:
+    inputs:
+      environment:
+        description: The environment to deploy to
+        type: string
+        default: latest
+        required: false
+      app_version:
+        description: app version
+        type: string
+        required: false
+        default: latest
+    secrets:
+      DEPLOY_SSH_PRIVATE_KEY:
+        description: SSH private key
+        required: true
+      DEPLOY_PASS:
+        description: SSH PWD TO DEPLOY
+        required: true
+      SLACK_WEBHOOK:
+        description: Slack webhook URL
+        required: true
+      VAULT_PWD:
+        description: Vault Password
+        required: true
+
+jobs:
+  deploy:
+    name: Deploy ${{ inputs.app_version }} on ${{ inputs.environment }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Notify new deployment on Slack
+        uses: ravsamhq/notify-slack-action@v2
+        if: always()
+        with:
+          status: ${{ job.status }}
+          notification_title: "Déploiement ${{ inputs.app_version }} en ${{ inputs.environment }} initié..."
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+
+      - name: Checkout project
+        uses: actions/checkout@v4
+
+      - name: Install SSH key
+        uses: shimataro/ssh-key-action@v2
+        with:
+          name: github_actions
+          key: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
+          known_hosts: ${{ vars.SSH_KNOWN_HOSTS }}
+          config: |
+            Host *
+              IdentityFile ~/.ssh/github_actions
+
+      - name: Create vault pwd file
+        run: echo ${{ secrets.VAULT_PWD }} > .infra/.vault_pwd.txt
+
+      - name: Run playbook
+        run: .bin/mna-lba deploy ${{ inputs.environment }} --extra-vars "app_version=${{ inputs.app_version }}"
+        env:
+          ANSIBLE_VAULT_PASSWORD_FILE: .infra/.vault_pwd.txt
+          ANSIBLE_REMOTE_USER: deploy
+          ANSIBLE_BECOME_PASS: ${{ secrets.DEPLOY_PASS }}
+
+      - name: Encrypt Error log on failure
+        run: .bin/mna-lba deploy:log:encrypt
+        if: failure()
+        env:
+          ANSIBLE_VAULT_PASSWORD_FILE: .infra/.vault_pwd.txt
+
+      - name: Upload failure artifacts on failure
+        if: failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: error-logs
+          path: /tmp/deploy_error.log.gpg
+
+      - name: Notify failure on Slack
+        uses: ravsamhq/notify-slack-action@v2
+        if: always()
+        with:
+          status: ${{ job.status }}
+          notification_title: "Le déploiement ${{ inputs.app_version }} en ${{ inputs.environment }} a échoué"
+          message_format: "{emoji} *[${{ inputs.environment }}]* *{workflow}* {status_message} in <{repo_url}|{branch}> on <{commit_url}|{commit_sha}>. You can get error logs using `.bin/mna-lba deploy:log:decrypt ${{ github.run_id }}`"
+          notify_when: "failure"
+          mention_groups: "!channel"
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+
+      - name: Notify success on Slack
+        uses: ravsamhq/notify-slack-action@v2
+        if: always()
+        with:
+          status: ${{ job.status }}
+          notification_title: "Déploiement ${{ inputs.app_version }} en ${{ inputs.environment }} terminé avec succès"
+          notify_when: "success"
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/ci.yml

@@ -1,16 +1,51 @@
 name: CI
-on: [push]
+
+on:
+  workflow_call:
+    secrets:
+      CODECOV_TOKEN:
+        description: Code coverrage token
+        required: true
 jobs:
-  test:
+  tests:
+    name: "Tests"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - name: Checkout project
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+
+      - uses: actions/cache@v3
         with:
-          node-version: "18"
-      - run: make ci
+          path: |
+            **/node_modules
+            .yarn/install-state.gz
+            .yarn/cache
+          key: yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: yarn-
+
+      - name: Install dependencies
+        run: yarn install
+
+      - name: Make sure to use same dependencies version across all packages
+        run: yarn dedupe --check
 
-      - name: Upload coverage reports to Codecov
+      - name: lint
+        run: yarn lint
+
+      - name: typecheck
+        run: yarn typecheck:ci
+
+      - name: test
+        run: yarn test:ci
+
+      - name: prettier
+        run: yarn prettier:check
+
+      - name: Upload coverage report to Codecov
         uses: codecov/codecov-action@v3
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/codeql.yml

@@ -13,15 +13,20 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "main", develop ]
+    branches: [main]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main" ]
+    branches: [main]
   schedule:
-    - cron: '30 23 * * 6'
+    - cron: "37 12 * * 6"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   analyze:
+    if: github.event.pull_request.draft == false
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
@@ -32,45 +37,19 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Use only 'java' to analyze code written in Java, Kotlin or both
-        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+        language: ["javascript"]
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
 
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
-      with:
-        category: "/language:${{matrix.language}}"
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2