manage-vaccinations-in-schools/.github/workflows/deploy.yml at d6bb8692d18290afcad4dbff3de4ca9bafeb470a · NHSDigital/manage-vaccinations-in-schools · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
name: Deploy
run-name: Deploy ${{ inputs.git_ref_to_deploy || github.ref_name }} to ${{ inputs.environment }}

concurrency:
  group: deploy-${{ inputs.environment }}

on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
      server_types:
        required: true
        type: string
  workflow_dispatch:
    inputs:
      git_ref_to_deploy:
        description:
          | # Use blank unicode character (U+2800) to force line-break
          Use code from: ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
          (Git ref to deploy, for example, a tag, branch name or commit SHA. Will use workflow ref if not provided.)
        type: string
      environment:
        description: Deployment environment
        required: true
        type: choice
        options:
          - qa
          - test
          - preview
          - training
          - production
          - sandbox-alpha
          - sandbox-beta
          - performance
          - pentest
      server_types:
        description: Server types to deploy
        required: true
        type: choice
        options:
          - all
          - web
          - sidekiq
          - ops
          - none
        default: all

env:
  git_ref_to_deploy: ${{ inputs.git_ref_to_deploy }}
  environment: ${{ inputs.environment }}
  server_types: ${{ inputs.server_types }}
  account_id: ${{ inputs.environment == 'production' && '820242920762' || '393416225559' }}

jobs:
  validate-inputs:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - name: Validate inputs
        run: |
          if [[ "$environment" == "preview" || "$environment" == "production" ]]; then
            if [[ -z "$git_ref_to_deploy" ]]; then
              echo "Error: git_ref_to_deploy is required for preview and production environments."
              exit 1
            fi
          fi
  determine-git-sha:
    runs-on: ubuntu-latest
    permissions: {}
    needs: validate-inputs
    outputs:
      git-sha: ${{ steps.get-git-sha.outputs.git-sha }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.git_ref_to_deploy || github.sha }}
      - name: Get git sha
        id: get-git-sha
        run: echo "git-sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
  validate-permissions:
    needs: validate-inputs
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./terraform
    permissions:
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          ref: ${{ github.ref_name }}
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ env.account_id }}:role/GithubDeployMavisAndInfrastructure
          aws-region: eu-west-2
      - name: Compare permissions
        id: compare-permissions
        run: |
          source ./scripts/validate-github-actions-policy.sh
          validate_policies "arn:aws:iam::$account_id:policy/DeployMavisResources" ./account/resources/iam_policy_DeployMavisResources.json
          exit $?
  update-permissions:
    runs-on: ubuntu-latest
    needs: validate-permissions
    if: ${{ !cancelled() && (inputs.environment == 'production' || inputs.environment == 'preview') && needs.validate-permissions.result == 'failure' }}
    environment: ${{ inputs.environment }}
    defaults:
      run:
        working-directory: ./terraform
    permissions:
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          ref: ${{ github.ref_name }}
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ env.account_id }}:role/GithubDeployMavisAndInfrastructure
          aws-region: eu-west-2
      - name: Update IAM policy
        run: ./scripts/update-github-actions-policy.sh "arn:aws:iam::$account_id:policy/DeployMavisResources" ./account/resources/iam_policy_DeployMavisResources.json
  deploy-infrastructure:
    permissions:
      id-token: write
    needs:
      [
        determine-git-sha,
        validate-permissions,
        update-permissions,
      ]
    if: ${{ !cancelled() &&
      ((inputs.environment != 'production' && inputs.environment != 'preview') ||
      needs.validate-permissions.result == 'success' || needs.update-permissions.result == 'success') }}
    uses: ./.github/workflows/deploy-infrastructure.yml
    with:
      environment: ${{ inputs.environment }}
      git_ref_to_deploy: ${{ needs.determine-git-sha.outputs.git-sha }}
  deploy-application:
    permissions:
      id-token: write
    needs: [deploy-infrastructure, determine-git-sha]
    if: ${{ !cancelled() && inputs.server_types != 'none' && needs.deploy-infrastructure.result == 'success' }}
    uses: ./.github/workflows/deploy-application.yml
    with:
      environment: ${{ inputs.environment }}
      server_types: ${{ inputs.server_types }}
      git_ref_to_deploy: ${{ needs.determine-git-sha.outputs.git-sha }}
      app_version: ${{ inputs.git_ref_to_deploy == '' && github.ref_name || inputs.git_ref_to_deploy }}
    secrets: inherit