Merge pull request #282 from NHSDigital/PPHA-588-Create-the-Review-environment-and-pr-trigger

PPHA-588: create the review environment and pr trigger

Author: mrlockstar

.azuredevops/pipelines/deploy.yml

@@ -47,7 +47,7 @@ stages:
                 - task: AzureCLI@2
                   displayName: Run terraform
                   inputs:
-                    azureSubscription: lung-${{ parameters.environment }}
+                    azureSubscription: sc-lungcs-${{ parameters.environment }}-spoke
                     scriptType: bash
                     scriptLocation: inlineScript
                     addSpnToEnvironment: true

.github/workflows/cicd-1-pull-request-closed.yaml

@@ -0,0 +1,49 @@
+name: Delete review app
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  destroy:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    name: Delete review app pr-${{ github.event.pull_request.number }}
+    permissions:
+      id-token: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    environment: review
+    # Prevent concurrent jobs on the same environment and between deploy and delete workflows
+    concurrency: deploy-review-${{ github.event.pull_request.number }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Call delete review app pipeline
+        run: |
+          echo "Starting Azure devops pipeline \"Delete review app\"..."
+          RUN_ID=$(az pipelines run \
+            --commit-id ${{ github.event.pull_request.head.sha }}\
+            --name "Delete review app"\
+            --org https://dev.azure.com/nhse-dtos \
+            --project lung-cancer-risk-check \
+            --parameters commitSHA=${{ github.event.pull_request.head.sha }} prNumber=${{ github.event.pull_request.number }} \
+            --output tsv --query id)
+
+          echo "See pipeline run in Azure devops: https://dev.azure.com/nhse-dtos/lung-cancer-risk-check/_build/results?buildId=${RUN_ID}&view=results"
+
+          scripts/bash/wait_ado_pipeline.sh "$RUN_ID" https://dev.azure.com/nhse-dtos lung_cancer_screening
+
+      - name: Post URL to PR comments
+        uses: marocchino/sticky-pull-request-comment@5060d4700a91de252c87eeddd2da026382d9298a
+        with:
+          message: |
+            The review app at this URL has been deleted:
+            https://pr-${{ github.event.pull_request.number }}.non-live.digital-lung-cancer-screening.nhs.uk

.github/workflows/cicd-1-pull-request.yaml

@@ -1,18 +1,12 @@
-name: "CI/CD pull request"
-
-# The total recommended execution time for the "CI/CD Pull Request" workflow is around 20 minutes.
+name: 'CI/CD pull request'
 
 on:
-  push:
-    branches:
-      - "**"
-      - "!main"
   pull_request:
-    types: [opened, reopened]
+    types: [opened, reopened, synchronize, labeled]
 
 jobs:
   metadata:
-    name: "Set CI/CD metadata"
+    name: 'Set CI/CD metadata'
     runs-on: ubuntu-latest
     timeout-minutes: 1
     outputs:
@@ -23,28 +17,23 @@ jobs:
       nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
       python_version: ${{ steps.variables.outputs.python_version }}
       terraform_version: ${{ steps.variables.outputs.terraform_version }}
-      version: ${{ steps.variables.outputs.version }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
-      branch_name: ${{ steps.variables.outputs.branch_name }}
+      version: ${{ steps.variables.outputs.version }}
     steps:
-      - name: "Checkout code"
+      - name: 'Checkout code'
         uses: actions/checkout@v6
-      - name: "Set CI/CD variables"
+      - name: 'Set CI/CD variables'
         id: variables
-        env:
-          BRANCH_NAME: ${{ github.head_ref }}
         run: |
           datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
-          BUILD_DATETIME=$datetime make version-create-effective-file
           echo "build_datetime_london=$(TZ=Europe/London date --date=$datetime +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
           echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
-          echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
-          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+          echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "python_version=$(grep "^python" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "version=${GITHUB_REF}" >> $GITHUB_OUTPUT
       - name: "Check if pull request exists for this branch"
         id: pr_exists
         env:
@@ -72,45 +61,45 @@ jobs:
           export DOES_PULL_REQUEST_EXIST="${{ steps.pr_exists.outputs.does_pull_request_exist }}"
           export BRANCH_NAME="${{ steps.variables.outputs.branch_name }}"
           make list-variables
-  commit-stage: # Recommended maximum execution time is 2 minutes
-    name: "Commit stage"
+  commit-stage:
+    name: 'Commit stage'
     needs: [metadata]
     uses: ./.github/workflows/stage-1-commit.yaml
     with:
-      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
-      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
-      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
-      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
-      version: "${{ needs.metadata.outputs.version }}"
+      build_datetime: '${{ needs.metadata.outputs.build_datetime }}'
+      build_timestamp: '${{ needs.metadata.outputs.build_timestamp }}'
+      build_epoch: '${{ needs.metadata.outputs.build_epoch }}'
+      nodejs_version: '${{ needs.metadata.outputs.nodejs_version }}'
+      python_version: '${{ needs.metadata.outputs.python_version }}'
+      terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
+      version: '${{ needs.metadata.outputs.version }}'
     secrets: inherit
-  test-stage: # Recommended maximum execution time is 5 minutes
-    name: "Test stage"
-    needs: [metadata, commit-stage]
+  test-stage:
+    name: 'Test stage'
+    needs: [metadata]
     uses: ./.github/workflows/stage-2-test.yaml
     with:
-      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
-      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
-      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
-      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
-      version: "${{ needs.metadata.outputs.version }}"
+      build_datetime: '${{ needs.metadata.outputs.build_datetime }}'
+      build_timestamp: '${{ needs.metadata.outputs.build_timestamp }}'
+      build_epoch: '${{ needs.metadata.outputs.build_epoch }}'
+      nodejs_version: '${{ needs.metadata.outputs.nodejs_version }}'
+      python_version: '${{ needs.metadata.outputs.python_version }}'
+      terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
+      version: '${{ needs.metadata.outputs.version }}'
     secrets: inherit
-  build-stage: # Recommended maximum execution time is 3 minutes
-    name: "Build stage"
-    needs: [metadata, test-stage]
+  build-stage:
+    name: 'Build stage'
+    needs: [metadata]
     uses: ./.github/workflows/stage-3-build.yaml
-    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
     with:
-      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
-      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
-      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
-      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
-      python_version: "${{ needs.metadata.outputs.python_version }}"
-      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
-      version: "${{ needs.metadata.outputs.version }}"
+      build_datetime: '${{ needs.metadata.outputs.build_datetime }}'
+      build_timestamp: '${{ needs.metadata.outputs.build_timestamp }}'
+      build_epoch: '${{ needs.metadata.outputs.build_epoch }}'
+      nodejs_version: '${{ needs.metadata.outputs.nodejs_version }}'
+      python_version: '${{ needs.metadata.outputs.python_version }}'
+      terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
+      version: '${{ needs.metadata.outputs.version }}'
+      commit_sha: '${{ github.event.pull_request.head.sha }}'
     secrets: inherit
   acceptance-stage: # Recommended maximum execution time is 10 minutes
     name: "Acceptance stage"
@@ -125,4 +114,30 @@ jobs:
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
+  deploy-stage:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    name: Deploy review app pr-${{ github.event.pull_request.number }}
+    needs: [build-stage]
+    permissions:
+      id-token: write
+    uses: ./.github/workflows/stage-5-deploy.yaml
+    with:
+      environments: '["review"]'
+      commit_sha: ${{ github.event.pull_request.head.sha }}
+      pr_number: ${{ github.event.pull_request.number }}
     secrets: inherit
+  post-url:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    name: Post URL pr-${{ github.event.pull_request.number }} to PR comments
+    runs-on: ubuntu-latest
+    needs: [deploy-stage]
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Post URL to PR comments
+        uses: marocchino/sticky-pull-request-comment@5060d4700a91de252c87eeddd2da026382d9298a
+        with:
+          message: |
+            The review app is available at this URL:
+            https://pr-${{ github.event.pull_request.number }}.non-live.digital-lung-cancer-screening.nhs.uk/
+            You must authenticate with HTTP basic authentication. Ask the team for credentials.

.github/workflows/cicd-2-main-branch.yaml

@@ -89,19 +89,8 @@ jobs:
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
+      commit_sha: '${{ github.sha }}'
     secrets: inherit
-
-  deploy-stage:
-    name: Deploy stage
-    needs: [build-stage]
-    permissions:
-      id-token: write
-    uses: ./.github/workflows/stage-4-deploy.yaml
-    with:
-      environments: '["dev"]'
-      commit_sha: ${{ github.sha }}
-    secrets: inherit
-
   acceptance-stage: # Recommended maximum execution time is 10 minutes
     name: "Acceptance stage"
     needs: [metadata, build-stage]
@@ -115,3 +104,13 @@ jobs:
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit
+  deploy-stage:
+    name: Deploy stage
+    needs: [build-stage]
+    permissions:
+      id-token: write
+    uses: ./.github/workflows/stage-5-deploy.yaml
+    with:
+      environments: '["review","dev","preprod","prod"]'
+      commit_sha: ${{ github.sha }}
+    secrets: inherit

.github/workflows/stage-3-build.yaml

@@ -31,6 +31,10 @@ on:
         description: "Version of the software, set by the CI/CD pipeline workflow"
         required: true
         type: string
+      commit_sha:
+        description: 'Commit sha of the docker image'
+        required: true
+        type: string
 
 env:
   REGISTRY: ghcr.io
@@ -69,7 +73,10 @@ jobs:
             type=raw,value=${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || '{{branch}}' }}
             type=raw,value=${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || '' }}
             type=sha,format=long,prefix=git-sha-
-
+      - name: Print commit SHA
+        env:
+          COMMIT_SHA: ${{ inputs.commit_sha }}
+        run: echo "Commit SHA is ${COMMIT_SHA}"
       - name: Build and push Docker image
         id: push
         uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
@@ -78,6 +85,8 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            COMMIT_SHA=${{ inputs.commit_sha }}
 
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v3

.github/workflows/stage-5-deploy.yaml

@@ -0,0 +1,76 @@
+name: Deployment stage
+
+on:
+  workflow_call:
+    inputs:
+      environments:
+        description: List of environments to deploy to (String array)
+        required: true
+        type: string
+      commit_sha:
+        description: Commit SHA used to fetch ADO pipeline and docker image
+        required: true
+        type: string
+      pr_number:
+        description: Pull request number when used in a pull request
+        required: false
+        type: string
+
+jobs:
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        environment: ${{ fromJson(inputs.environments) }}
+      max-parallel: 1
+    environment: ${{ matrix.environment }}
+    # Prevent concurrent jobs on the same environment and between deploy and delete workflows
+    concurrency: deploy-${{ matrix.environment }}-${{inputs.pr_number}}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Call deployment pipeline
+        env:
+          COMMIT_SHA: ${{ inputs.commit_sha }}
+          ENVIRONMENT: ${{ matrix.environment }}
+          PR_NUMBER: ${{ inputs.pr_number }}
+        run: |
+          if [[ -n "$PR_NUMBER" ]]; then
+            pr_argument="prNumber=$PR_NUMBER"
+          else
+            pr_argument=""
+          fi
+
+          source infrastructure/environments/$ENVIRONMENT/variables.sh
+
+          echo "Starting Azure devops pipeline \"Deploy to Azure - $ENVIRONMENT\"..."
+          RUN_ID=$(az pipelines run \
+            --commit-id "$COMMIT_SHA" \
+            --name "Deploy to Azure - $ENVIRONMENT" \
+            --org https://dev.azure.com/nhse-dtos \
+            --project lung-cancer-screening \
+            --parameters commitSHA="$COMMIT_SHA" "$pr_argument" environment="$ENVIRONMENT" pool=${ADO_MANAGEMENT_POOL} \
+            --output tsv --query id)
+
+          echo "See pipeline run in Azure devops: https://dev.azure.com/nhse-dtos/lung-cancer-screening/_build/results?buildId=${RUN_ID}&view=results"
+
+          scripts/bash/wait_ado_pipeline.sh "$RUN_ID" https://dev.azure.com/nhse-dtos lung-cancer-screening
+
+      - name: Basic application smoke test
+        env:
+          COMMIT_SHA: ${{ inputs.commit_sha }}
+          ENVIRONMENT: ${{ matrix.environment }}
+          PR_NUMBER: ${{ inputs.pr_number }}
+        run: |
+          dns_zone_name=$( grep dns_zone_name infrastructure/environments/$ENVIRONMENT/variables.tfvars | awk -F'"' '{print $2}' )
+          use_apex_domain=$( grep use_apex_domain infrastructure/environments/$ENVIRONMENT/variables.tfvars | awk '{print $3}' || echo "false" )
+          scripts/bash/container_app_smoke_test.sh "$ENVIRONMENT" "$COMMIT_SHA" "${dns_zone_name}" "$PR_NUMBER" "${use_apex_domain}"

.github/workflows/test-deploy.yaml

@@ -9,6 +9,8 @@ on:
         type: choice
         options:
           - poc
+          - review
+          - dev
 
 env:
   TARGET_ENV: ${{ inputs.target_env }}
@@ -40,4 +42,3 @@ jobs:
 
       - name: Terraform plan
         run: make ${TARGET_ENV} ci poc-terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ github.sha }}
-