.github/workflows/deploy-to-openshift-backend-dev.yml

name: 1 DEV - Deploy Backend

env:
  # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
  # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
  # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
  OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
  OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
  # 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
  OPENSHIFT_NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}-dev

  SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}

    # 🖊️ EDIT to change the image registry settings.
  # Registries such as GHCR, Quay.io, and Docker Hub are supported.
  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
  IMAGE_REGISTRY_USER: ${{ github.actor }}
  IMAGE_REGISTRY_PASSWORD: ${{ github.token }}

  DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote
  ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca

  APP_NAME: 'ccof'
  REPO_NAME: "educ-ccof"
  #grabs the branch name from github dynamically
  BRANCH: ${{ github.ref_name }}
  APP_NAME_BACKEND: "backend"
  APP_FOLDER: "backend"
  NAMESPACE: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}
  NAMESPACE_TOOLS: ${{ secrets.CCOF_NAMESPACE_NO_ENV }}-tools
  COMMON_NAMESPACE: ${{ secrets.COMMON_NAMESPACE_NO_ENV }}
  TAG: "latest"

  MIN_REPLICAS: "1"
  MAX_REPLICAS: "1"
  MIN_CPU: "50m"
  MAX_CPU: "250m"
  MIN_MEM: "200Mi"
  MAX_MEM: "700Mi"
  # SITE_URL should have no scheme or port. It will be prepended with https://
  HOST_ROUTE: ${{ secrets.SITE_URL }}

on:
  workflow_dispatch:

jobs:
  openshift-ci-cd:
    name: Build and deploy Backend to DEV
    runs-on: ubuntu-20.04
    environment: dev

    outputs:
      ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
      SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}

    steps:
    - name: Check for required secrets
      uses: actions/github-script@v4
      with:
        script: |
          const secrets = {
            OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
            OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
          };

          const GHCR = "ghcr.io";
          if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
            core.info(`Image registry is ${GHCR} - no registry password required`);
          }
          else {
            core.info("A registry password is required");
            secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
          }

          const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
            if (value.length === 0) {
              core.error(`Secret "${name}" is not set`);
              return true;
            }
            core.info(`✔️ Secret "${name}" is set`);
            return false;
          });

          if (missingSecrets.length > 0) {
            core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
              "You can add it using:\n" +
              "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
              "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
              "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
          }
          else {
            core.info(`✅ All the required secrets are set`);
          }

    - name: Check out repository with branch [${{ env.BRANCH }}]
      uses: actions/checkout@v2
      with:
        ref: ${{ env.BRANCH }}

    - name: Login to Docker Hub
      uses: docker/login-action@v1
      with:
        registry: ${{ env.DOCKER_ARTIFACTORY_REPO }}
        username: ${{ secrets.DOCKER_HUB_USERNAME }}
        password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

    - name: Build backend from Dockerfile
      id: build-image-backend
      uses: redhat-actions/buildah-build@v2
      with:
        image: ${{ env.APP_NAME_BACKEND }}
        tags: "latest"

        # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
        # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
        # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
        dockerfiles: |
          ./${{ env.APP_FOLDER }}/Dockerfile
        context: ./${{ env.APP_FOLDER }}

      # https://github.com/redhat-actions/push-to-registry#readme
    - name: Push backend to registry
      id: push-image-backend
      uses: redhat-actions/push-to-registry@v2
      with:
        image: ${{ steps.build-image-backend.outputs.image }}
        tags: ${{ steps.build-image-backend.outputs.tags }}
        registry: ${{ env.IMAGE_REGISTRY }}
        username: ${{ env.IMAGE_REGISTRY_USER }}
        password: ${{ env.IMAGE_REGISTRY_PASSWORD }}

    - name: Install oc
      uses: redhat-actions/openshift-tools-installer@v1
      with:
        oc: 4

      # https://github.com/redhat-actions/oc-login#readme
#    - uses: actions/checkout@v2
    - name: Deploy
      run: |
        set -eux
        # Login to OpenShift and select project
        oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
        oc project ${{ env.OPENSHIFT_NAMESPACE }}
        # Cancel any rollouts in progress
        oc rollout cancel dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }} 2> /dev/null \
        || true && echo "No rollout in progress"

        # Create the image stream if it doesn't exist
        oc create imagestream ${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.BRANCH }} 2> /dev/null || true && echo "Backend image stream in place"

        oc tag ${{ steps.push-image-backend.outputs.registry-path }} ${{ env.REPO_NAME }}-${{ env.APP_NAME_BACKEND }}-${{ env.BRANCH }}:${{ env.TAG }}

        # Process and apply deployment template
        oc process -f tools/openshift/backend.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }}\
        | oc apply -f -

        # Process update-configmap
        curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh | bash /dev/stdin dev ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.SPLUNK_TOKEN }}

        # Start rollout (if necessary) and follow it
        oc rollout latest dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }} 2> /dev/null \
        || true && echo "Rollout in progress"

        # Get status, returns 0 if rollout is successful
        oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_BACKEND }}

    # - name: ZAP Scan
    #   uses: zaproxy/action-full-scan@v0.3.0
    #   with:
    #     target: 'https://${{ env.HOST_ROUTE }}'