-
Notifications
You must be signed in to change notification settings - Fork 7
207 lines (200 loc) · 8.3 KB
/
pull_request.yml
File metadata and controls
207 lines (200 loc) · 8.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
name: deploy_pr
on:
pull_request:
branches: [master]
merge_group:
branches: [master]
permissions: {}
jobs:
get_config_values:
uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
with:
verify_published_from_main_image: false
permissions:
attestations: read
contents: read
packages: read
quality_checks:
uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@76baf9dd964311c337af3ec78e8cb1e915c006ce
needs: [get_config_values]
permissions:
contents: read
id-token: write
packages: read
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
run_docker_scan: true
docker_images: fhir-facade,validator
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
pr_title_format_check:
if: github.event_name != 'merge_group'
uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@76baf9dd964311c337af3ec78e8cb1e915c006ce
permissions:
pull-requests: write
get_issue_number:
runs-on: ubuntu-22.04
needs: quality_checks
outputs:
issue_number: ${{ steps.get_issue_number.outputs.result }}
version: ${{ steps.get_issue_number.outputs.version_number }}
steps:
- uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3
name: get issue number
id: get_issue_number
with:
result-encoding: string
script: |
// 1. Normal pull_request event
if (context.eventName === 'pull_request' && context.payload.pull_request) {
return context.payload.pull_request.number;
}
// 2. merge_group event
if (context.eventName === 'merge_group') {
const queueRef = context.ref; // refs/heads/gh-readonly-queue/main/pr-142-abc
const match = queueRef.match(/pr-(\d+)/);
if (match) {
return String(match[1]);
}
// Fallback to commit association using the synthetic SHA
const sha = context.payload.merge_group.head_sha;
const { data } =
await github.rest.repos.listPullRequestsAssociatedWithCommit({
owner: context.repo.owner,
repo: context.repo.repo,
commit_sha: sha,
});
if (!data.length) {
core.setFailed(`No PR associated with commit ${sha}`);
}
// Strict match: PR head SHA must match original PR head
const pr = data.find(pr => pr.head.sha === data[0].head.sha);
return String(pr.number);
}
get_commit_id:
runs-on: ubuntu-22.04
permissions:
contents: read
outputs:
commit_id: ${{ steps.commit_id.outputs.commit_id }}
sha_short: ${{ steps.commit_id.outputs.sha_short }}
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false
- name: Get Commit ID
id: commit_id
run: |
# echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV"
echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
package_code:
needs: [get_issue_number, get_commit_id, get_config_values]
permissions:
id-token: write
contents: read
packages: read
uses: ./.github/workflows/cdk_package_code.yml
with:
VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
release_code:
needs: [get_issue_number, package_code, get_commit_id, get_config_values]
uses: ./.github/workflows/cdk_release_code.yml
permissions:
id-token: write
contents: write
packages: read
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
STACK_NAME: prescribe-dispense-pr-${{needs.get_issue_number.outputs.issue_number}}
STATEFUL_STACK_NAME: prescriptions-stateful-resources-pr-${{needs.get_issue_number.outputs.issue_number}}
AWS_ENVIRONMENT: dev
APIGEE_ENVIRONMENT: internal-dev
ENABLE_MUTUAL_TLS: false
TRUSTSTORE_FILE: fhirfacade-truststore.pem
VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
LOG_LEVEL: debug
VALIDATOR_LOG_LEVEL: INFO
LOG_RETENTION_DAYS: 30
DEPLOY_APIGEE: true
TARGET_SPINE_SERVER: msg.veit07.devspineservices.nhs.uk
DOCKER_IMAGE_TAG: PR-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}
RUN_REGRESSION_TEST: true
TO_ASID: 567456789789
TO_PARTY_KEY: YES-0000806
IS_PULL_REQUEST: true
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 486a14ea-a0df-4f76-abac-e7d10dab8ae2,aa237a18-24af-421d-a4a8-e82474572a49,babc739d-6a30-4bb1-b4b2-919c6b63c7bc,1122eb42-c783-4748-84b7-47e20446306d
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false
SANDBOX_MODE_ENABLED: 0
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
DESIRED_PEAK_CLAIMS_COUNT: 1
DESIRED_OFF_PEAK_CLAIMS_COUNT: 1
SERVICE_CPU: 2048
SERVICE_MEMORY: 4096
MTLS_KEY: fhir-facade-mtls-1
FORWARD_CSOC_LOGS: false
secrets:
CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
API_CLIENT_ID: ${{ secrets.DEV_API_CLIENT_ID }}
API_CLIENT_SECRET: ${{ secrets.DEV_API_CLIENT_SECRET }}
SIGNING_PRIVATE_KEY: ${{ secrets.DEV_SIGNING_PRIVATE_KEY }}
SIGNING_CERT: ${{ secrets.DEV_SIGNING_CERT }}
DEFAULT_PTL_ASID: ${{ secrets.DEFAULT_PTL_ASID }}
DEFAULT_PTL_PARTY_KEY: ${{ secrets.DEFAULT_PTL_PARTY_KEY }}
release_sandbox_code:
needs: [get_issue_number, package_code, get_commit_id, get_config_values]
uses: ./.github/workflows/cdk_release_code.yml
permissions:
id-token: write
contents: write
packages: read
with:
pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
STACK_NAME: prescribe-dispense-pr-${{needs.get_issue_number.outputs.issue_number}}-sandbox
STATEFUL_STACK_NAME: prescriptions-stateful-resources-pr-${{needs.get_issue_number.outputs.issue_number}}-sandbox
AWS_ENVIRONMENT: dev
APIGEE_ENVIRONMENT: internal-dev-sandbox
ENABLE_MUTUAL_TLS: false
TRUSTSTORE_FILE: fhirfacade-sandbox-truststore.pem
VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
LOG_LEVEL: debug
VALIDATOR_LOG_LEVEL: INFO
LOG_RETENTION_DAYS: 30
DEPLOY_APIGEE: true
TARGET_SPINE_SERVER: unused
DOCKER_IMAGE_TAG: PR-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}
RUN_REGRESSION_TEST: false
TO_ASID: unused
TO_PARTY_KEY: unused
IS_PULL_REQUEST: true
ENABLE_DEFAULT_ASID_PARTY_KEY: true
SHA1_ENABLED_APPLICATION_IDS: 486a14ea-a0df-4f76-abac-e7d10dab8ae2,aa237a18-24af-421d-a4a8-e82474572a49,babc739d-6a30-4bb1-b4b2-919c6b63c7bc,1122eb42-c783-4748-84b7-47e20446306d
ENABLE_PRESCRIBING_SIGNATURE_VALIDATION: false
SANDBOX_MODE_ENABLED: 1
DESIRED_FHIR_FACADE_COUNT: 1
DESIRED_CLAIMS_COUNT: 1
DESIRED_PEAK_CLAIMS_COUNT: 1
DESIRED_OFF_PEAK_CLAIMS_COUNT: 1
SERVICE_CPU: 2048
SERVICE_MEMORY: 4096
MTLS_KEY: fhir-facade-mtls-1
FORWARD_CSOC_LOGS: false
secrets:
CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
API_CLIENT_ID: ${{ secrets.DEV_API_CLIENT_ID }}
API_CLIENT_SECRET: ${{ secrets.DEV_API_CLIENT_SECRET }}
SIGNING_PRIVATE_KEY: ${{ secrets.DEV_SIGNING_PRIVATE_KEY }}
SIGNING_CERT: ${{ secrets.DEV_SIGNING_CERT }}
DEFAULT_PTL_ASID: unused
DEFAULT_PTL_PARTY_KEY: unused