🔃 Synced files from fairmoney/github-actions

.github/workflows/api.tests.yml

@@ -0,0 +1,52 @@
+name: Backend API Tests
+on:
+  workflow_call:
+    inputs:
+      tests_path:
+        required: true
+        type: string
+        default: spec
+      continue_on_error:
+        required: false
+        type: boolean
+        default: false
+      image:
+        required: true
+        type: string
+
+env:
+  TESTER_IMAGE: 027159582536.dkr.ecr.eu-west-1.amazonaws.com/backend-api-tests:stable
+  SECRET_ID: arn:aws:secretsmanager:eu-west-1:027159582536:secret:github-actions/repos/backend-api-tests-P0XRKc
+
+jobs:
+  wait_for_deploy:
+    name: Wait for deploy
+    uses: ./.github/workflows/wait-for-deployment.yml
+    secrets: inherit
+    with:
+      image: ${{ inputs.image }}
+
+  api-tests:
+    name: Run test suite
+    needs:
+      - wait_for_deploy
+    runs-on: [self-hosted, large-runner]
+    steps:
+      - name: Generate AWS config
+        run: |
+          mkdir -p ${HOME}/.aws
+          cat << EOF > ${HOME}/.aws/config
+            [profile non-prod]
+            web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
+            role_arn = ${{ secrets.NON_PROD_EKS_ROLE_ARN }}
+          EOF
+
+      - name: Get required secrets
+        run: |
+          aws secretsmanager get-secret-value --secret-id=${{ env.SECRET_ID }} --profile non-prod | \
+          jq -r '.SecretString | fromjson? | to_entries | map("\(.key)=\(.value|tostring)") | .[]' > .env
+
+      - name: Run tests in docker
+        continue-on-error: ${{ inputs.continue_on_error }}
+        run: |
+          docker run --rm --env-file=.env ${{ env.TESTER_IMAGE }} bundle exec rspec ${{ inputs.tests_path }}

.github/workflows/devops.cancel-ongoing-sync.yml

@@ -0,0 +1,45 @@
+name: DevOps Workflow called to cancel ongoing ArgoCD application syncs for PR-environment before publishing a new image
+on:
+  workflow_call: {}
+
+jobs:
+  cancel-ongoing-sync:
+    runs-on: [self-hosted, standard-runner]
+    steps:
+      - name: generate aws config
+        run: |
+          mkdir -p ${HOME}/.aws
+          cat << EOF > ${HOME}/.aws/config
+            [profile non-prod]
+            web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
+            role_arn = ${{ secrets.NON_PROD_EKS_ROLE_ARN }}
+          EOF
+
+      - name: generate kubeconfig
+        run: |
+          export EKS_CLUSTER_NAME=$(aws ssm get-parameter --name /devops/ci-target/cluster --query 'Parameter.Value' --output text --profile non-prod)
+          aws eks update-kubeconfig --name $EKS_CLUSTER_NAME --profile non-prod
+          env -i PATH=/usr/local/bin:/usr/bin:/bin HOME=/home/runner kubectl version
+
+      - name: get git variables
+        run: |
+          set -euo pipefail
+          REPOSITORY=${{github.repository}}
+          REPOSITORY_OWNER=${{github.repository_owner}}
+          REPOSITORY_NAME=${REPOSITORY##${REPOSITORY_OWNER}/}
+          echo "REPOSITORY_NAME=${REPOSITORY_NAME}" >> $GITHUB_ENV
+          GITHUB_REF=${{github.ref}}
+          PULL_NUMBER=$(echo "$GITHUB_REF" | awk -F / '{print $3}')
+          echo "PULL_NUMBER=${PULL_NUMBER}" >> $GITHUB_ENV
+
+      - name: cancel ongoing syncs
+        run: |
+          env -i PATH=/usr/local/bin:/usr/bin:/bin HOME=/home/runner kubectl -n argocd-pr get applications.argoproj.io | awk '/^${{env.REPOSITORY_NAME}}-.*-${{env.PULL_NUMBER}}/{print $1}' | while read app
+          do
+            ENV=$(echo ${app} | sed 's/^${{env.REPOSITORY_NAME}}-\(.*\)-${{env.PULL_NUMBER}}/\1/')
+            echo "::group::Cancelling sync in ${ENV}"
+            env -i PATH=/usr/local/bin:/usr/bin:/bin HOME=/home/runner kubectl -n argocd-pr patch app ${app} -p '{"operation":null,"spec":{"syncPolicy":{"automated":null}}}' --type merge && echo "Succeeded" || echo "Failed"
+            echo "::endgroup::"
+          done
+
+

.github/workflows/devops.ci.yml

@@ -0,0 +1,76 @@
+name: Workflow called to run reusable CI steps
+on:
+  workflow_call:
+    inputs:
+      dockerfile:
+        required: false
+        type: string
+        default: Dockerfile
+      image:
+        required: true
+        type: string
+      ci_image:
+        required: false
+        type: string
+        default: ci:test
+      command:
+        required: true
+        type: string
+      target:
+        required: false
+        type: string
+        default: test
+      github_user:
+        required: false
+        type: string
+        default: fm-cicd
+    secrets: {}
+
+env:
+  DOCKER_BUILDKIT: 1
+  GITHUB_USER: ${{ inputs.github_user }}
+  GITHUB_PASSWORD: ${{ secrets.API_TOKEN_GITHUB }}
+
+jobs:
+  ci:
+    timeout-minutes: 60
+    runs-on: [self-hosted, large-runner]
+    steps:
+      - name: checkout repository
+        uses: actions/checkout@v3
+
+      - name: pull built image
+        run: |
+          docker pull ${{ inputs.image }}
+
+      - name: build ci image
+        run: |
+          docker build --progress=plain --build-arg BUILDKIT_INLINE_CACHE=1 \
+            --secret id=github_user,env=GITHUB_USER \
+            --secret id=github_password,env=GITHUB_PASSWORD \
+            --cache-from ${{ inputs.image }} \
+            --target ${{ inputs.target }} \
+            -t ${{ inputs.ci_image }} \
+            -f ${{ inputs.dockerfile }} .
+
+      - name: prepare environment
+        run: |
+          mkdir -p ./coverage ./tmp ./log
+          chown -R 1000:1000 ./coverage ./tmp ./log
+
+      - name: run command
+        shell: bash
+        run: ${{ inputs.command }}
+
+      - name: check coverage data
+        run: |
+          COVERAGE_GENERATED=$([ "$(ls -A ./coverage/)" ] && echo true || echo false)
+          echo "COVERAGE_GENERATED=${COVERAGE_GENERATED}" >> $GITHUB_ENV
+
+      - name: upload coverage files
+        if: ${{ env.COVERAGE_GENERATED == 'true' }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: coverage
+          path: ./coverage
+          retention-days: 7

.github/workflows/devops.docker-build.yml

@@ -0,0 +1,112 @@
+name: DevOps Workflow called to build an image out of a docker container
+on:
+  workflow_call:
+    inputs:
+      dockerfile:
+        required: false
+        type: string
+        default: Dockerfile
+      target:
+        required: false
+        type: string
+      ref:
+        required: false
+        type: string
+        default: master
+      github_user:
+        required: false
+        type: string
+        default: fm-cicd
+    outputs:
+      image:
+        description: The resulting image
+        value: ${{ jobs.build.outputs.image }}
+    secrets: {}
+env:
+  AWS_ACCOUNT: '027159582536'
+  AWS_REGION: eu-west-1
+  DOCKER_BUILDKIT: 1
+  GITHUB_PASSWORD: ${{ secrets.API_TOKEN_GITHUB }}
+  GITHUB_USER: ${{ inputs.github_user }}
+  REGISTRY: 027159582536.dkr.ecr.eu-west-1.amazonaws.com
+jobs:
+  build:
+    timeout-minutes: 60
+    runs-on: [self-hosted, standard-runner]
+    outputs:
+      image: ${{ steps.push.outputs.IMAGE }}
+    steps:
+      - name: checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+          ref: ${{ inputs.ref }}
+
+      - name: get git variables
+        run: |
+          set -euo pipefail
+          REPOSITORY=${{github.repository}}
+          REPOSITORY_OWNER=${{github.repository_owner}}
+          REPOSITORY_NAME=${REPOSITORY##${REPOSITORY_OWNER}/}
+          LATEST_IMAGE_TAG=$(aws ecr describe-images --no-paginate --output text \
+            --registry-id ${{ env.AWS_ACCOUNT }} --repository-name ${REPOSITORY_NAME}  \
+            --query 'imageDetails | sort_by(@, &imagePushedAt) | reverse(@)[0].imageTags[0]')
+          GIT_BRANCH="$(git symbolic-ref HEAD --short 2>/dev/null)"
+          if [ "$GIT_BRANCH" = "" ] ; then
+            GIT_BRANCH="$(git rev-parse HEAD | xargs git name-rev | cut -d' ' -f2 | sed 's/remotes\/origin\///g')";
+          fi
+          GIT_BRANCH_SLUG=$(echo $GIT_BRANCH | sed -r s/[~\^]+//g | sed -r s/[^a-zA-Z0-9]+/-/g | sed -r s/^-+\|-+$//g | tr A-Z a-z)
+          GIT_SHORT_COMMIT="$(git log -1 --pretty=%h)"
+          echo "REPOSITORY_NAME=${REPOSITORY_NAME}" >> $GITHUB_ENV
+          echo "LATEST_IMAGE_TAG=${LATEST_IMAGE_TAG}" >> $GITHUB_ENV
+          echo "GIT_BRANCH_SLUG=${GIT_BRANCH_SLUG}" >> $GITHUB_ENV
+          echo "GIT_SHORT_COMMIT=${GIT_SHORT_COMMIT}" >> $GITHUB_ENV
+          echo "CACHE_IMAGE=${{ env.REGISTRY }}/${REPOSITORY_NAME}:${LATEST_IMAGE_TAG}" >> $GITHUB_ENV
+
+      - name: set target image name for pull_request
+        if: github.event_name == 'pull_request'
+        run: |
+          echo "TARGET_IMAGE=${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME}}:dev.${{ env.GIT_BRANCH_SLUG }}.${{ env.GIT_SHORT_COMMIT }}" >> $GITHUB_ENV
+
+      - name: set target image name for push
+        if: github.event_name == 'push'
+        run: |
+          echo "TARGET_IMAGE=${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:master.${{ env.GIT_SHORT_COMMIT }}" >> $GITHUB_ENV
+          echo "LATEST_IMAGE=${{ env.REGISTRY }}/${{ env.REPOSITORY_NAME }}:latest" >> $GITHUB_ENV
+
+      - name: docker cache
+        run: |
+          docker pull ${{ env.CACHE_IMAGE }} || true
+
+      - name: docker build
+        id: docker_build
+        run: |
+          TARGET=""
+          if [ ! -z "${{ inputs.target }}" ] ; then
+            TARGET="--target ${{ inputs.target }}"
+          fi
+          docker build --progress=plain --build-arg BUILDKIT_INLINE_CACHE=1 \
+            --secret id=github_user,env=GITHUB_USER \
+            --secret id=github_password,env=GITHUB_PASSWORD \
+            --pull --cache-from ${{ env.CACHE_IMAGE }} \
+            $TARGET \
+            -t ${{ env.TARGET_IMAGE }} \
+            -f ${{ inputs.dockerfile }} .
+
+      - name: docker push
+        id: push
+        run: |
+          docker push ${{ env.TARGET_IMAGE }}
+          echo "IMAGE=${{ env.TARGET_IMAGE }}" >> $GITHUB_OUTPUT
+
+      - name: docker push latest image
+        if: github.event_name == 'push'
+        run: |
+          docker tag ${{ env.TARGET_IMAGE }} ${{ env.LATEST_IMAGE }}
+          docker push ${{ env.LATEST_IMAGE }}
+
+      - name: generate report
+        run: |
+          echo "# Development image" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "\`${{ env.TARGET_IMAGE }}\`" >> $GITHUB_STEP_SUMMARY

.github/workflows/devops.get-pr-envs.yml

@@ -0,0 +1,47 @@
+name: DevOps Workflow called to get links to ArgoCD application for PR-environments
+on:
+  workflow_call: {}
+
+jobs:
+  get-pr-envs:
+    runs-on: [self-hosted, standard-runner]
+    steps:
+      - name: generate aws config
+        run: |
+          mkdir -p ${HOME}/.aws
+          cat << EOF > ${HOME}/.aws/config
+            [profile non-prod]
+            web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
+            role_arn = ${{ secrets.NON_PROD_EKS_ROLE_ARN }}
+          EOF
+
+      - name: generate kubeconfig
+        run: |
+          export EKS_CLUSTER_NAME=$(aws ssm get-parameter --name /devops/ci-target/cluster --query 'Parameter.Value' --output text --profile non-prod)
+          aws eks update-kubeconfig --name $EKS_CLUSTER_NAME --profile non-prod
+          env -i PATH=/usr/local/bin:/usr/bin:/bin HOME=/home/runner kubectl version
+
+      - name: get git variables
+        run: |
+          set -euo pipefail
+          REPOSITORY=${{github.repository}}
+          REPOSITORY_OWNER=${{github.repository_owner}}
+          REPOSITORY_NAME=${REPOSITORY##${REPOSITORY_OWNER}/}
+          echo "REPOSITORY_NAME=${REPOSITORY_NAME}" >> $GITHUB_ENV
+          GITHUB_REF=${{github.ref}}
+          PULL_NUMBER=$(echo "$GITHUB_REF" | awk -F / '{print $3}')
+          echo "PULL_NUMBER=${PULL_NUMBER}" >> $GITHUB_ENV
+
+      - name: get pr env urls
+        run: |
+          env -i PATH=/usr/local/bin:/usr/bin:/bin HOME=/home/runner kubectl -n argocd get applicationsets.argoproj.io | awk '/^${{env.REPOSITORY_NAME}}-.*/{print $1}' | while read appset
+          do
+            ENV=$(echo ${appset} | sed 's/^${{env.REPOSITORY_NAME}}-\(.*\)$/\1/')
+            env -i PATH=/usr/local/bin:/usr/bin:/bin HOME=/home/runner kubectl -n argocd get applicationsets.argoproj.io ${appset} -o json | jq -e '.spec.generators[] | select(.matrix) | .matrix.generators[] | select(.pullRequest) | .pullRequest | has("github")' && \
+            (
+              echo "# ${ENV} environment" >> $GITHUB_STEP_SUMMARY
+              echo "ArgoCD application: [${appset}-${{env.PULL_NUMBER}}](https://argocd-non-prod.fm-tech.io/applications/argocd-pr/${appset}-${{env.PULL_NUMBER}})" >> $GITHUB_STEP_SUMMARY
+            ) || true
+          done
+
+

.github/workflows/devops.promote-docker.yml

@@ -0,0 +1,38 @@
+name: DevOps Workflow called to promote a validated image to production
+on:
+  workflow_call:
+    inputs:
+      image:
+        type: string
+        required: true
+    outputs:
+      image:
+        description: The resulting image
+        value: ${{ jobs.pull_request_build.outputs.image }}
+    secrets: {}
+env:
+  PRODUCTION_REGISTRY: 878858384475.dkr.ecr.eu-west-1.amazonaws.com
+  NON_PROD_REGISTRY: 027159582536.dkr.ecr.eu-west-1.amazonaws.com
+jobs:
+  promote_docker:
+    timeout-minutes: 60
+    runs-on: [self-hosted, standard-runner]
+    outputs:
+      image: ${{ steps.push.outputs.IMAGE }}
+    steps:
+      - name: get production image name
+        run: |
+          IMAGE=$(echo ${{ inputs.image }} | sed "s/^${{ env.NON_PROD_REGISTRY }}/${{ env.PRODUCTION_REGISTRY }}/")
+          echo "TARGET_IMAGE=${IMAGE}" >> $GITHUB_ENV
+
+      - name: push image to production
+        run: |
+          docker pull ${{ inputs.image }}
+          docker tag ${{ inputs.image }} ${{ env.TARGET_IMAGE }}
+          docker push ${{ env.TARGET_IMAGE }}
+
+      - name: generate report
+        run: |
+          echo "# Production image" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "\`${{ env.TARGET_IMAGE }}\`" >> $GITHUB_STEP_SUMMARY