Merge pull request #3643 from bcgov/NDT-567-Add-Data-team-email-for-i… #9726
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Main workflow, orchestrating and triggering other workflows | |
| name: main | |
| on: | |
| workflow_call: # be sure to use 'secrets: inherit' in the caller | |
| push: | |
| branches: ['main'] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| has-merge-conflict: | |
| uses: ./.github/workflows/move-on-merge-conflict.yaml | |
| secrets: inherit | |
| build: | |
| uses: ./.github/workflows/build.yaml | |
| secrets: | |
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
| install-env: | |
| uses: ./.github/workflows/install-env.yaml | |
| secrets: inherit | |
| test-code: | |
| needs: [install-env] | |
| uses: ./.github/workflows/test-code.yaml | |
| secrets: inherit | |
| test-checks: | |
| uses: ./.github/workflows/test-checks.yaml | |
| secrets: inherit | |
| test-containers: | |
| needs: [build] | |
| uses: ./.github/workflows/test-containers.yaml | |
| secrets: | |
| HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }} | |
| HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }} | |
| RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }} | |
| RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }} | |
| test-zap: | |
| needs: [build, install-env] | |
| uses: ./.github/workflows/test-zap.yaml | |
| test-e2e: | |
| needs: [build, install-env] | |
| uses: ./.github/workflows/test-e2e.yaml | |
| secrets: | |
| HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }} | |
| HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }} | |
| RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }} | |
| RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }} | |
| setup-s3-backup: | |
| uses: ./.github/workflows/s3-backup.yaml | |
| secrets: | |
| AWS_ARN_DEV: ${{ secrets.AWS_ARN_DEV }} | |
| OPENSHIFT_TOKEN_DEV: ${{ secrets.OPENSHIFT_TOKEN_DEV }} | |
| OPENSHIFT_APP_NAMESPACE_DEV: ${{ secrets.OPENSHIFT_APP_NAMESPACE_DEV }} | |
| AWS_PARAM_DEV: ${{ secrets.AWS_PARAM_DEV }} | |
| AWS_ARN_TEST: ${{ secrets.AWS_ARN_TEST }} | |
| OPENSHIFT_TOKEN_TEST: ${{ secrets.OPENSHIFT_TOKEN_TEST }} | |
| OPENSHIFT_APP_NAMESPACE_TEST: ${{ secrets.OPENSHIFT_APP_NAMESPACE_TEST }} | |
| AWS_ARN_PROD: ${{ secrets.AWS_ARN_PROD }} | |
| AWS_PARAM_TEST: ${{ secrets.AWS_PARAM_TEST }} | |
| OPENSHIFT_TOKEN_PROD: ${{ secrets.OPENSHIFT_TOKEN_PROD }} | |
| OPENSHIFT_APP_NAMESPACE_PROD: ${{ secrets.OPENSHIFT_APP_NAMESPACE_PROD }} | |
| AWS_PARAM_PROD: ${{ secrets.AWS_PARAM_PROD }} | |
| OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} | |
| rebase-feature-pr: | |
| if: github.event.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Get list of PRs | |
| id: branch-list | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { owner, repo } = context.repo | |
| const listOfBranches = []; | |
| const prs = await github.rest.pulls.list({ owner, repo, state: 'open' }); | |
| const checkboxText = "[x] Check for automatic rebasing"; | |
| for (const pr of prs.data) { | |
| // check if PR is rebaseable, not draft, and mergable before adding to list | |
| const baseBranch = pr.base.ref; | |
| const headBranch = pr.head.ref; | |
| const comparison = await github.rest.repos.compareCommits({ | |
| owner, | |
| repo, | |
| base: baseBranch, | |
| head: headBranch | |
| }); | |
| const checkboxChecked = pr.body.includes(checkboxText); | |
| if(comparison.data.behind_by > 0 && !pr.draft && checkboxChecked){ | |
| listOfBranches.push(pr.head.ref); | |
| } | |
| } | |
| core.setOutput('branches', JSON.stringify(listOfBranches)); | |
| return JSON.stringify(listOfBranches) | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.RENOVATE_GITHUB_TOKEN }} | |
| - name: Set up Git and import GPG key | |
| env: | |
| GPG_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }} | |
| run: | | |
| echo "${GPG_PRIVATE_KEY}" | gpg --import | |
| git config user.name "CCBC Service Account" | |
| git config user.email "116113628+ccbc-service-account@users.noreply.github.com" | |
| git config user.signingkey "$(gpg --list-secret-keys --with-colons | awk -F: '/sec:/ {print $5}')" | |
| git config commit.gpgsign true | |
| - name: Rebase PRs | |
| run: | | |
| git checkout main | |
| git pull | |
| branches=$(echo "${{ steps.branch-list.outputs.result }}" | jq -r '.[]') | |
| for branch in $branches; do | |
| git checkout main | |
| git pull | |
| git checkout $branch | |
| git pull | |
| set +e | |
| git rebase main | |
| # if rebase succeeds, force push else abort rebase | |
| REBASE_STATUS=$? | |
| set -e | |
| echo $REBASE_STATUS | |
| if [ $REBASE_STATUS -eq 0 ]; then | |
| git push --force | |
| else | |
| git rebase --abort | |
| fi | |
| done | |
| is-tagged-release: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| tagVersion: ${{steps.tagVersion.outputs.tagVersion}} | |
| steps: | |
| - name: Git Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Is Tagged Commit | |
| id: tagVersion | |
| # Check if one of the commits is associated with a tag | |
| run: | | |
| echo "tagVersion=$( git tag --merged ${{ github.sha }} --no-merged ${{ github.event.before }} | grep v*)" >>$GITHUB_OUTPUT | |
| ensure-sqitch-plan-ends-with-tag: | |
| runs-on: ubuntu-latest | |
| needs: [is-tagged-release] | |
| if: contains(needs.is-tagged-release.outputs.tagVersion, 'v') | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: ./.bin/sqitch-last-change-is-tag.sh db | |
| deploy: | |
| if: github.event.ref == 'refs/heads/main' | |
| needs: [test-code, test-containers] | |
| uses: ./.github/workflows/deploy.yaml | |
| secrets: | |
| OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} | |
| OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} | |
| OPENSHIFT_APP_NAMESPACE: ${{ secrets.OPENSHIFT_APP_NAMESPACE }} | |
| OPENSHIFT_METABASE_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_NAMESPACE }} | |
| OPENSHIFT_METABASE_PROD_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_PROD_NAMESPACE }} | |
| NEXT_PUBLIC_GROWTHBOOK_API_KEY: ${{ secrets.NEXT_PUBLIC_GROWTHBOOK_API_KEY }} | |
| CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }} | |
| OPENSHIFT_SECURE_ROUTE: ${{ secrets.OPENSHIFT_SECURE_ROUTE }} | |
| AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} | |
| AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} | |
| AWS_S3_KEY: ${{ secrets.AWS_S3_KEY }} | |
| AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }} | |
| AWS_S3_SECRET_KEY: ${{ secrets.AWS_S3_SECRET_KEY }} | |
| CERTBOT_EMAIL: ${{ secrets.CERTBOT_EMAIL }} | |
| CERTBOT_SERVER: ${{ secrets.CERTBOT_SERVER }} | |
| AWS_CLAM_S3_BUCKET: ${{ secrets.AWS_CLAM_S3_BUCKET }} | |
| METABASE_EMBED_SECRET: ${{ secrets.METABASE_EMBED_SECRET }} | |
| METABASE_SITE_URL: ${{ secrets.METABASE_SITE_URL }} | |
| CERT: ${{ secrets.CERT }} | |
| CERT_KEY: ${{ secrets.CERT_KEY }} | |
| CERT_CA: ${{ secrets.CERT_CA }} | |
| SP_SA_USER: ${{ secrets.SP_SA_USER }} | |
| SP_SA_PASSWORD: ${{ secrets.SP_SA_PASSWORD }} | |
| SP_DOC_LIBRARY: ${{ secrets.SP_DOC_LIBRARY }} | |
| SP_SITE: ${{ secrets.SP_SITE }} | |
| SP_MS_FILE_NAME: ${{ secrets.SP_MS_FILE_NAME }} | |
| SA_CLIENT_SECRET: ${{ secrets.SA_CLIENT_SECRET }} | |
| SA_CLIENT_ID: ${{ secrets.SA_CLIENT_ID }} | |
| KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_HOST }} | |
| SP_LIST_NAME: ${{ secrets.SP_LIST_NAME }} | |
| VAULT_ADDR: ${{ secrets.VAULT_ADDR }} | |
| VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} | |
| VAULT_NAMESPACE: ${{ secrets.VAULT_NAMESPACE}} | |
| RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }} | |
| RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }} | |
| CHES_API_URL: ${{ secrets.CHES_API_URL }} | |
| CHES_CLIENT: ${{ secrets.CHES_CLIENT }} | |
| CHES_CLIENT_SECRET: ${{ secrets.CHES_CLIENT_SECRET }} | |
| CHES_TO_EMAIL: ${{ secrets.CHES_TO_EMAIL }} | |
| CHES_KEYCLOAK_HOST: ${{ secrets.CHES_KEYCLOAK_HOST }} | |
| AWS_S3_BACKUPS_BUCKET: ${{ secrets.AWS_S3_BACKUPS_BUCKET }} | |
| ER_FILE: ${{ secrets.ER_FILE }} | |
| RD_FILE: ${{ secrets.RD_FILE }} | |
| COVERAGES_FILE: ${{ secrets.COVERAGES_FILE }} | |
| deploy-feature: | |
| if: github.event_name == 'pull_request' && github.event.pull_request.draft == false | |
| needs: [build] | |
| uses: ./.github/workflows/deploy_feature.yaml | |
| secrets: | |
| OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} | |
| OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} | |
| OPENSHIFT_APP_NAMESPACE: ${{ secrets.OPENSHIFT_APP_NAMESPACE }} | |
| OPENSHIFT_METABASE_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_NAMESPACE }} | |
| OPENSHIFT_METABASE_PROD_NAMESPACE: ${{ secrets.OPENSHIFT_METABASE_PROD_NAMESPACE }} | |
| NEXT_PUBLIC_GROWTHBOOK_API_KEY: ${{ secrets.NEXT_PUBLIC_GROWTHBOOK_API_KEY }} | |
| CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }} | |
| OPENSHIFT_SECURE_ROUTE: ${{ secrets.OPENSHIFT_SECURE_ROUTE }} | |
| AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} | |
| AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} | |
| AWS_S3_KEY: ${{ secrets.AWS_S3_KEY }} | |
| AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }} | |
| AWS_S3_SECRET_KEY: ${{ secrets.AWS_S3_SECRET_KEY }} | |
| AWS_CLAM_S3_BUCKET: ${{ secrets.AWS_CLAM_S3_BUCKET }} | |
| METABASE_EMBED_SECRET: ${{ secrets.METABASE_EMBED_SECRET }} | |
| METABASE_SITE_URL: ${{ secrets.METABASE_SITE_URL }} | |
| SP_SA_USER: ${{ secrets.SP_SA_USER }} | |
| SP_SA_PASSWORD: ${{ secrets.SP_SA_PASSWORD }} | |
| SP_DOC_LIBRARY: ${{ secrets.SP_DOC_LIBRARY }} | |
| SP_SITE: ${{ secrets.SP_SITE }} | |
| SP_MS_FILE_NAME: ${{ secrets.SP_MS_FILE_NAME }} | |
| SA_CLIENT_SECRET: ${{ secrets.SA_CLIENT_SECRET }} | |
| SA_CLIENT_ID: ${{ secrets.SA_CLIENT_ID }} | |
| KEYCLOAK_HOST: ${{ secrets.KEYCLOAK_HOST }} | |
| SP_LIST_NAME: ${{ secrets.SP_LIST_NAME }} | |
| RENOVATE_GITHUB_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }} | |
| RENOVATE_PRIVATE_KEY: ${{ secrets.RENOVATE_PRIVATE_KEY }} | |
| CHES_API_URL: ${{ secrets.CHES_API_URL }} | |
| CHES_CLIENT: ${{ secrets.CHES_CLIENT }} | |
| CHES_CLIENT_SECRET: ${{ secrets.CHES_CLIENT_SECRET }} | |
| CHES_TO_EMAIL: ${{ secrets.CHES_TO_EMAIL }} | |
| CHES_KEYCLOAK_HOST: ${{ secrets.CHES_KEYCLOAK_HOST }} | |
| TEST_PG_PASSWORD: ${{ secrets.TEST_PG_PASSWORD }} | |
| JIRA_AUTH: ${{ secrets.JIRA_AUTH }} | |
| AWS_S3_FEAT_BUCKET: ${{ secrets.AWS_S3_FEAT_BUCKET }} | |
| AWS_S3_FEAT_CLAM_BUCKET: ${{ secrets.AWS_S3_FEAT_CLAM_BUCKET }} | |
| AWS_FEAT_ARN: ${{ secrets.AWS_FEAT_ARN }} | |
| cleanup_feature: | |
| if: github.event_name == 'pull_request' && github.event.pull_request.draft == true | |
| uses: ./.github/workflows/clean-feature-env.yaml | |
| secrets: | |
| OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} | |
| OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} | |
| OPENSHIFT_APP_NAMESPACE: ${{ secrets.OPENSHIFT_APP_NAMESPACE }} |