Merge pull request #6126 from NHSDigital/MAV-3850/speedup_deployment_to_testing_environments

TheOneFromNorway · web-flow · commit 69c838be28ff · 2026-03-12T11:48:54.000Z
Speed up deployment to testing environments
diff --git a/.github/workflows/build-and-push-image.yml b/.github/workflows/build-and-push-image.yml
@@ -89,53 +89,24 @@ jobs:
             echo 'aws-roles=["arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure"]' >> "$GITHUB_OUTPUT"
           fi
         # yamllint enable rule:line-length
-  build:
-    needs: check-image-presence
+  build-and-push:
+    needs: [check-image-presence, define-matrix]
     if: >-
       needs.check-image-presence.outputs.webapp-build-needed == 'true' ||
-      needs.check-image-presence.outputs.ops-build-needed  == 'true'
+      needs.check-image-presence.outputs.ops-build-needed == 'true'
     runs-on: ubuntu-latest
     permissions:
       id-token: write
+    strategy:
+      matrix:
+        aws-role: ${{ fromJSON(needs.define-matrix.outputs.aws-roles) }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
         with:
           ref: ${{ env.git_ref }}
       - name: Write build SHA
         run: git rev-parse HEAD > public/sha
-      - name: Build webapp docker image
-        run: docker build -t "mavis-webapp:latest" .
-      - name: Save web image
-        run: docker save -o image.tar mavis-webapp:latest
-      - name: Upload web image
-        uses: actions/upload-artifact@v7
-        with:
-          name: webapp-image
-          path: image.tar
-      - name: Build ops docker image
-        run: docker build -f ops.Dockerfile -t "mavis-ops:latest" .
-      - name: Save ops image
-        run: docker save -o image.tar mavis-ops:latest
-      - name: Upload ops image
-        uses: actions/upload-artifact@v7
-        with:
-          name: ops-image
-          path: image.tar
-  push:
-    runs-on: ubuntu-latest
-    needs: [build, define-matrix]
-    permissions:
-      id-token: write
-    strategy:
-      matrix:
-        aws-role: ${{ fromJSON(needs.define-matrix.outputs.aws-roles) }}
-        image_type: ["webapp", "ops"]
-    steps:
-      - name: Download Docker image
-        uses: actions/download-artifact@v8
-        with:
-          name: ${{ matrix.image_type }}-image
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v6
         with:
@@ -144,13 +115,34 @@ jobs:
       - name: Login to ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v2
-      - name: Load Docker image
-        run: docker load -i image.tar
-      - name: Tag Docker image
-        run: >-
-          docker tag mavis-${{ matrix.image_type }}:latest "${{ steps.login-ecr.outputs.registry
-          }}/mavis/${{ matrix.image_type }}":"$git_ref"
-      - name: Push Docker image
-        run: >-
-          docker push "${{ steps.login-ecr.outputs.registry }}/mavis/${{ matrix.image_type
-          }}":"$git_ref"
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        # yamllint disable rule:line-length
+      - name: Build and push webapp image
+        if: needs.check-image-presence.outputs.webapp-build-needed == 'true'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.login-ecr.outputs.registry }}/mavis/webapp:${{ env.git_ref }}
+          cache-from:
+            type=registry,ref=${{ steps.login-ecr.outputs.registry }}/mavis/webapp:buildcache
+          cache-to:
+            type=registry,ref=${{ steps.login-ecr.outputs.registry
+            }}/mavis/webapp:buildcache,mode=max,image-manifest=true,oci-mediatypes=true
+      - name: Build and push ops image
+        if: needs.check-image-presence.outputs.ops-build-needed == 'true'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ops.Dockerfile
+          push: true
+          tags: ${{ steps.login-ecr.outputs.registry }}/mavis/ops:${{ env.git_ref }}
+          build-args: |
+            REPOSITORY=${{ steps.login-ecr.outputs.registry }}/mavis/webapp
+            IMAGE_TAG=${{ env.git_ref }}
+          cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/mavis/ops:buildcache
+          cache-to:
+            type=registry,ref=${{ steps.login-ecr.outputs.registry
+            }}/mavis/ops:buildcache,mode=max,image-manifest=true,oci-mediatypes=true
+            # yamllint enable rule:line-length
diff --git a/.github/workflows/continuous-deployment.yml b/.github/workflows/continuous-deployment.yml
@@ -12,7 +12,6 @@ jobs:
       id-token: write
     uses: ./.github/workflows/test.yml
   deploy:
-    needs: test
     strategy:
       fail-fast: false
       matrix:
@@ -23,6 +22,7 @@ jobs:
     with:
       environment: ${{ matrix.environment }}
       server_types: all
+      run_pre_deploy_migrations: false
   end-to-end-tests:
     needs: [deploy]
     if: ${{ contains(needs.deploy.result, 'success') && github.ref_name == 'next' }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -10,6 +10,10 @@ on:
       server_types:
         required: true
         type: string
+      run_pre_deploy_migrations:
+        required: false
+        type: boolean
+        default: true
   workflow_dispatch:
     inputs:
       git_ref_to_deploy:
@@ -42,6 +46,11 @@ on:
           - sidekiq
           - ops
         default: all
+      run_pre_deploy_migrations:
+        description: Run data migrations before service deployment.
+        required: false
+        type: boolean
+        default: true
 
 concurrency:
   group: deploy-${{ inputs.environment }}
@@ -57,8 +66,10 @@ env:
   app_version: ${{ inputs.git_ref_to_deploy == '' && github.ref_name || inputs.git_ref_to_deploy }}
 
 jobs:
-  validate-inputs:
+  validate-and-resolve-sha:
     runs-on: ubuntu-latest
+    outputs:
+      git-sha: ${{ steps.get-git-sha.outputs.git-sha }}
     steps:
       - name: Validate inputs
         run: |
@@ -68,12 +79,6 @@ jobs:
               exit 1
             fi
           fi
-  determine-git-sha:
-    runs-on: ubuntu-latest
-    needs: validate-inputs
-    outputs:
-      git-sha: ${{ steps.get-git-sha.outputs.git-sha }}
-    steps:
       - name: Checkout code
         uses: actions/checkout@v6
         with:
@@ -84,14 +89,14 @@ jobs:
   build-and-push-images:
     permissions:
       id-token: write
-    needs: determine-git-sha
+    needs: validate-and-resolve-sha
     uses: ./.github/workflows/build-and-push-image.yml
     with:
-      git_sha: ${{ needs.determine-git-sha.outputs.git-sha }}
+      git_sha: ${{ needs.validate-and-resolve-sha.outputs.git-sha }}
   prepare-deployment:
     name: Prepare deployment
     runs-on: ubuntu-latest
-    needs: [determine-git-sha, build-and-push-images]
+    needs: [validate-and-resolve-sha, build-and-push-images]
     permissions:
       id-token: write
     strategy:
@@ -107,7 +112,7 @@ jobs:
         uses: actions/checkout@v6
         id: checkout-code
         with:
-          ref: ${{ needs.determine-git-sha.outputs.git-sha }}
+          ref: ${{ needs.validate-and-resolve-sha.outputs.git-sha }}
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v6
         with:
@@ -116,7 +121,7 @@ jobs:
       - name: Get image digest
         id: get-image-digest
         env:
-          image_tag: ${{ needs.determine-git-sha.outputs.git-sha }}
+          image_tag: ${{ needs.validate-and-resolve-sha.outputs.git-sha }}
         run: |
           digest=$(aws ecr describe-images \
             --repository-name "$repository_name" \
