GitHub actions (#60)

* GitHub Actions
ministryofjustice · Jan 27, 2025 · 3f98779 · 3f98779
1 parent 3a4298a
commit 3f98779
Show file tree

Hide file tree

Showing 6 changed files with 149 additions and 0 deletions.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -0,0 +1,88 @@
+name: Pipeline [test -> build -> deploy]
+
+on:
+  push:
+    branches:
+      - '**'
+  workflow_dispatch:
+    inputs:
+      additional_docker_tag:
+        description: Additional docker tag that can be used to specify stable or testing tags
+        required: false
+        default: ''
+        type: string
+      push:
+        description: Push docker image to registry flag
+        required: true
+        default: false
+        type: boolean
+
+permissions:
+  contents: read
+  packages: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  helm_lint:
+    strategy:
+      matrix:
+        environments: ['dev', 'test', 'preprod', 'prod']
+    name: helm lint
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/test_helm_lint.yml@v2 # WORKFLOW VERSION
+    secrets: inherit
+    with:
+      environment: ${{ matrix.environments }}
+
+  node_build:
+    name: node build
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/node_build.yml@v2 # WORKFLOW_VERSION
+    secrets: inherit
+    # generic node unit tests - feel free to override with local tests if required
+
+  node_unit_tests:
+    name: node unit tests
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/node_unit_tests.yml@v2 # WORKFLOW_VERSION
+    needs:
+      - node_build
+    secrets: inherit
+
+  build:
+    name: Build docker image from hmpps-github-actions
+    if: github.ref == 'refs/heads/main'
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/docker_build.yml@v2 # WORKFLOW_VERSION
+    needs:
+      - node_unit_tests
+    with:
+      docker_registry: 'ghcr.io'
+      registry_org: 'ministryofjustice'
+      additional_docker_tag: ${{ inputs.additional_docker_tag }}
+      push: ${{ inputs.push || true }}
+      docker_multiplatform: false
+
+  deploy_dev:
+    name: Deploy to the dev environment
+    if: github.ref == 'refs/heads/main'
+    needs:
+    - build
+    - helm_lint
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/deploy_env.yml@v2 # WORKFLOW_VERSION
+    secrets: inherit
+    with:
+      environment: 'dev'
+      app_version: '${{ needs.build.outputs.app_version }}'
+      helm_timeout: '5m'
+
+  deploy_test:
+    name: Deploy to test
+    if: inputs.deploy_to == 'test'
+    needs:
+      - build
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/deploy_env.yml@v2
+    secrets: inherit
+    with:
+      environment: 'test'
+      app_version: '${{ needs.build.outputs.app_version }}'
+      helm_timeout: '5m'
diff --git a/.github/workflows/security_npm_dependency.yml b/.github/workflows/security_npm_dependency.yml
@@ -0,0 +1,12 @@
+name: Security npm dependency check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "51 3 * * MON-FRI" # Every weekday at 03:51 UTC
+jobs:
+  security-npm-dependency-check:
+    name: Project security npm dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_npm_dependency.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit
diff --git a/.github/workflows/security_npm_outdated.yml b/.github/workflows/security_npm_outdated.yml
@@ -0,0 +1,13 @@
+name: Security npm outdated check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "51 3 * * MON-FRI" # Every weekday at 03:51 UTC
+jobs:
+  security-npm-dependency-check:
+    name: Project security npm dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_npm_outdated.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+      version: ''
+    secrets: inherit
diff --git a/.github/workflows/security_trivy.yml b/.github/workflows/security_trivy.yml
@@ -0,0 +1,12 @@
+name: Security trivy dependency check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "51 3 * * MON-FRI" # Every weekday at 03:51 UTC
+jobs:
+  security-kotlin-trivy-check:
+    name: Project security trivy dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_trivy.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit
diff --git a/.github/workflows/security_veracode_pipeline_scan.yml b/.github/workflows/security_veracode_pipeline_scan.yml
@@ -0,0 +1,12 @@
+name: Security veracode pipeline scan
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "51 3 * * MON-FRI" # Every weekday at 03:51 UTC
+jobs:
+  security-veracode-pipeline-scan:
+    name: Project security veracode pipeline scan
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_pipeline_scan.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit
diff --git a/.github/workflows/security_veracode_policy_scan.yml b/.github/workflows/security_veracode_policy_scan.yml
@@ -0,0 +1,12 @@
+name: Security veracode policy scan
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "4 3 * * 1" # Every Monday at 03:04 UTC
+jobs:
+  security-veracode-policy-check:
+    name: Project security veracode policy scan
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_policy_scan.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit