[6078] Bump ruby to 3.2.2 #7576
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Deploy | |
| concurrency: build_and_deploy_${{ github.ref_name }} | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| types: [opened, reopened, synchronize, labeled] | |
| permissions: | |
| contents: write | |
| deployments: write | |
| packages: write | |
| pull-requests: write | |
| jobs: | |
| build: | |
| name: Build | |
| env: | |
| DOCKER_IMAGE: ghcr.io/dfe-digital/register-trainee-teachers | |
| DB_USERNAME: postgres | |
| DB_PASSWORD: postgres | |
| DB_HOSTNAME: localhost | |
| outputs: | |
| docker-image: ${{ env.DOCKER_IMAGE }} | |
| image-tag: ${{ env.IMAGE_TAG }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| name: Checkout | |
| - name: Set environment variables (push) | |
| if: github.event_name == 'push' | |
| run: | | |
| GIT_BRANCH=${GITHUB_REF##*/} | |
| echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV # GIT_BRANCH will be main for refs/heads/main | |
| echo "IMAGE_TAG=${{ github.sha }}" >> $GITHUB_ENV | |
| - name: Set environment variables (pull_request) | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| GIT_BRANCH=${GITHUB_HEAD_REF##*/} | |
| echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV | |
| echo "IMAGE_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV | |
| - name: Set KV environment variables | |
| run: | | |
| # tag build to the review env for vars and secrets | |
| tf_vars_file=terraform/aks/workspace-variables/review_aks.tfvars.json | |
| echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV | |
| echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: azure/login@v1 | |
| with: | |
| creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW_AKS }} | |
| - uses: DFE-Digital/keyvault-yaml-secret@v1 | |
| id: get-secret | |
| with: | |
| keyvault: ${{ env.KEY_VAULT_NAME }} | |
| secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }} | |
| key: SNYK_TOKEN | |
| - name: Build Docker Image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| tags: | | |
| ${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}} | |
| ${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}} | |
| push: false | |
| load: true | |
| cache-to: type=inline | |
| cache-from: | | |
| type=registry,ref=${{env.DOCKER_IMAGE}}:main | |
| type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}} | |
| type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}} | |
| build-args: COMMIT_SHA=${{ github.sha }} | |
| - name: Push ${{ env.DOCKER_IMAGE }} images for review | |
| if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy_v2') }} | |
| run: docker image push --all-tags ${{ env.DOCKER_IMAGE }} | |
| - name: Run Snyk to check Docker image for vulnerabilities | |
| uses: Wandalen/wretry.action@v1.3.0 | |
| env: | |
| SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }} | |
| with: | |
| attempt_limit: 3 | |
| attempt_delay: 2000 | |
| action: snyk/actions/docker@master | |
| with: | | |
| image: ${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }} | |
| args: --file=Dockerfile --severity-threshold=high --exclude-app-vulns | |
| - name: Push ${{ env.DOCKER_IMAGE }} images | |
| if: ${{ success() && !contains(github.event.pull_request.labels.*.name, 'deploy_v2') }} | |
| run: docker image push --all-tags ${{ env.DOCKER_IMAGE }} | |
| - name: Check for Failure | |
| uses: ./.github/actions/send-failure-notification/ | |
| if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
| with: | |
| slack-title: 'Build failure' | |
| slack-message: ':alert: Build failure on commit ${{env.IMAGE_TAG}} :sadparrot:' | |
| slack-webhook: ${{ secrets.SLACK_WEBHOOK }} | |
| lint: | |
| name: Lint | |
| needs: [build] | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| linter-type: [rubocop, scss, dfe_analytics, javascript_lint_and_test] | |
| include: | |
| - linter-type: rubocop | |
| command: docker-compose exec -T web /bin/sh -c 'bundle exec rubocop app config db lib spec Gemfile --format clang' | |
| - linter-type: scss | |
| command: | | |
| docker-compose exec -T web /bin/sh -c "yarn add stylelint@15.11.0" | |
| docker-compose exec -T web /bin/sh -c "yarn add stylelint-scss@5.3.1" | |
| docker-compose exec -T web /bin/sh -c "yarn add stylelint-config-gds@1.1.0" | |
| docker-compose exec -T web /bin/sh -c "yarn run scss:lint" | |
| - linter-type: dfe_analytics | |
| command: | | |
| docker-compose exec -T web /bin/sh -c "bundle exec rails db:setup" | |
| docker-compose exec -T web /bin/sh -c 'bundle exec rake dfe:analytics:check' | |
| - linter-type: javascript_lint_and_test | |
| command: | | |
| docker-compose exec -T web /bin/sh -c "yarn add jest@29.3.1" | |
| docker-compose exec -T web /bin/sh -c "yarn run standard $(git ls-files '**.js' | tr '\n' ' ')" | |
| docker-compose exec -T web /bin/sh -c 'yarn run test' | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Bring docker image up | |
| uses: ./.github/actions/bring-docker-image-up/ | |
| with: | |
| azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW_AKS }} | |
| docker-image: ${{needs.build.outputs.docker-image}} | |
| image-tag: ${{ needs.build.outputs.image-tag }} | |
| - name: ${{ matrix.linter-type }} | |
| run: ${{ env.COMMAND }} | |
| env: | |
| COMMAND: ${{ matrix.command }} | |
| - name: Check for Failure | |
| uses: ./.github/actions/send-failure-notification/ | |
| if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
| with: | |
| slack-title: 'Lint failure' | |
| slack-message: ':alert: Lint failure for ${{ matrix.linter_type }} on commit ${{env.IMAGE_TAG}} :sadpanda:' | |
| slack-webhook: ${{ secrets.SLACK_WEBHOOK }} | |
| test: | |
| name: Test | |
| needs: [build] | |
| uses: ./.github/workflows/tests.yml | |
| secrets: inherit | |
| with: | |
| docker-image: ${{needs.build.outputs.docker-image}} | |
| image-tag: ${{ needs.build.outputs.image-tag }} | |
| use-next-academic-year: false | |
| next_academic_year_test: | |
| name: Next academic year tests | |
| needs: [build] | |
| uses: ./.github/workflows/tests.yml | |
| secrets: inherit | |
| with: | |
| docker-image: ${{needs.build.outputs.docker-image}} | |
| image-tag: ${{ needs.build.outputs.image-tag }} | |
| use-next-academic-year: true | |
| deploy-v2-review-app: | |
| name: Deployment To Review v2 | |
| concurrency: deploy_v2_review_${{ github.event.pull_request.number }} | |
| if: ${{ github.event_name == 'pull_request' && (contains(github.event.pull_request.labels.*.name, 'deploy_v2') || contains(github.event.pull_request.labels.*.name, 'dependencies')) }} | |
| needs: [build] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Start review_aks-${{ github.event.pull_request.number }} Deployment | |
| uses: bobheadxi/deployments@v1 | |
| id: deployment | |
| with: | |
| env: review_aks-${{ github.event.pull_request.number }} | |
| ref: ${{ github.head_ref }} | |
| step: start | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Deploy App to Review v2 | |
| id: deploy_v2_review | |
| uses: ./.github/actions/deploy_v2/ | |
| with: | |
| arm-access-key: ${{ secrets.ARM_ACCESS_KEY_REVIEW_AKS }} | |
| azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW_AKS }} | |
| environment: review_aks | |
| pr-number: ${{ github.event.pull_request.number }} | |
| sha: ${{ needs.build.outputs.image-tag }} | |
| slack-webhook: ${{ secrets.SLACK_WEBHOOK }} | |
| - name: Update review_aks-${{ github.event.pull_request.number }} status | |
| if: always() | |
| uses: bobheadxi/deployments@v1 | |
| with: | |
| env: review_aks-${{ github.event.pull_request.number }} | |
| ref: ${{ github.head_ref }} | |
| step: finish | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| status: ${{ job.status }} | |
| deployment_id: ${{ steps.deployment.outputs.deployment_id }} | |
| env_url: ${{ steps.deploy_v2_review.outputs.deploy-url }} | |
| merge-dependabot: | |
| name: Merge dependabot | |
| if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'dependencies') }} | |
| needs: [lint, test, next_academic_year_test, deploy-v2-review-app] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Merge minor dependency updates | |
| uses: fastify/github-action-merge-dependabot@v3 | |
| with: | |
| github-token: ${{ secrets.API_TOKEN_FOR_GITHUB_ACTION }} | |
| target: minor | |
| exclude: 'govuk-components,govuk_design_system_formbuilder,govuk-frontend,@ministryofjustice/frontend,dfe-analytics' | |
| merge-method: merge | |
| deploy-aks-before-production: | |
| name: Parallel deployment before production v2 | |
| environment: | |
| name: ${{ matrix.environment }} | |
| url: ${{ steps.deploy_app_before_production_v2.outputs.deploy-url }} | |
| if: ${{ success() && github.ref == 'refs/heads/main' }} | |
| needs: [test, next_academic_year_test] | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| environment: [qa_aks,staging_aks] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Deploy app to ${{ matrix.environment }} v2 | |
| id: deploy_app_before_production_v2 | |
| uses: ./.github/actions/deploy_v2/ | |
| with: | |
| arm-access-key: ${{ secrets[format('ARM_ACCESS_KEY_{0}', matrix.environment)] }} | |
| azure-credentials: ${{ secrets[format('AZURE_CREDENTIALS_{0}', matrix.environment)] }} | |
| environment: ${{ matrix.environment }} | |
| sha: ${{ github.sha }} | |
| slack-webhook: ${{ secrets.SLACK_WEBHOOK }} | |
| deploy-aks-production: | |
| name: Production deployment v2 | |
| environment: | |
| name: production_aks | |
| url: ${{ steps.deploy_app_v2.outputs.deploy-url }} | |
| if: ${{ success() && github.ref == 'refs/heads/main' }} | |
| needs: [deploy-aks-before-production] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Deploy app to production v2 | |
| id: deploy_app_v2 | |
| uses: ./.github/actions/deploy_v2/ | |
| with: | |
| arm-access-key: ${{ secrets.ARM_ACCESS_KEY_PRODUCTION_AKS }} | |
| azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PRODUCTION_AKS }} | |
| environment: production_aks | |
| sha: ${{ github.sha }} | |
| slack-webhook: ${{ secrets.SLACK_WEBHOOK }} | |
| deploy-aks-after-production: | |
| name: Deployment after production v2 | |
| environment: | |
| name: productiondata_aks | |
| url: ${{ steps.deploy_app_after_production_v2.outputs.deploy-url }} | |
| if: ${{ success() && github.ref == 'refs/heads/main' }} | |
| needs: [deploy-aks-production] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Deploy app to productiondata v2 | |
| id: deploy_app_after_production_v2 | |
| uses: ./.github/actions/deploy_v2/ | |
| with: | |
| arm-access-key: ${{ secrets.ARM_ACCESS_KEY_PRODUCTIONDATA_AKS }} | |
| azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PRODUCTIONDATA_AKS }} | |
| environment: productiondata_aks | |
| sha: ${{ github.sha }} | |
| slack-webhook: ${{ secrets.SLACK_WEBHOOK }} |