Merge pull request #199 from bcgov/feature/github-action

WIP checking github actions deploy to DEV build.

.github/workflows/ci-backend.test.yml

@@ -0,0 +1,66 @@
+# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: CI Backend
+
+on:
+  workflow_dispatch:
+
+  push:
+    branches:
+      - master
+      - 'feature/**'
+      - 'Feature/**'
+      - 'fix/*'
+      - 'Fix/*'
+    paths: 
+      - 'backend/src/**'
+      - 'backend/tests/unit/**'
+  pull_request:
+    branches: [ master ]
+    paths: 
+      - 'backend/src/**'
+      - 'backend/tests/unit/**'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: backend
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
+      with:
+        node-version: '12.x'
+    - run: npm ci
+    - run: npm run lint:fix
+    - run: npm run test:unit
+      env:
+        NODE_ENV: 'test'
+
+  sonarcloud:
+    name: Build (Sonar Cloud)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Disabling shallow clone is recommended for improving relevancy of reporting
+          fetch-depth: 0
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '12.x'
+      - name: SonarCloud Scan
+        uses: sonarsource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        #with:
+          #args: >
+            #-Dsonar.exclusions=**/test/**,.github/**/*,*.md
+            #-Dsonar.organization=bcgov-sonarcloud
+            #-Dsonar.javascript.lcov.reportPaths=backend/coverage/lcov.info
+            #-Dsonar.project.monorepo.enabled=true
+            #-Dsonar.projectKey=${{ github.event.repository.name }}
+            #-Dsonar.sources=backend
+            #-Dsonar.tests=backend/tests

.github/workflows/ci-frontend.test.yml

@@ -0,0 +1,63 @@
+# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: CI Frontend
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+      - 'feature/**'
+      - 'Feature/**'
+      - 'fix/*'
+      - 'Fix/*'
+    paths: 
+      - 'frontend/src/**'
+  pull_request:
+    branches: [ master ]
+    paths: 
+      - 'frontend/src/**'
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        working-directory: frontend
+
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
+      with:
+        node-version: '12.x'
+    - run: npm ci
+    - run: npm run lint:fix
+
+  sonarcloud:
+    name: Build (Sonar Cloud)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Disabling shallow clone is recommended for improving relevancy of reporting
+          fetch-depth: 0
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '12.x'
+      - name: SonarCloud Scan
+        uses: sonarsource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        #with:
+          #args: >
+            #-Dsonar.exclusions=**/test/**,.github/**/*,*.md
+            #-Dsonar.organization=bcgov-sonarcloud
+            #-Dsonar.javascript.lcov.reportPaths=frontend/coverage/lcov.info
+            #-Dsonar.project.monorepo.enabled=true
+            #-Dsonar.projectKey=${{ github.event.repository.name }}
+            #-Dsonar.sources=frontend
+            #-Dsonar.tests=frontend/tests

.github/workflows/deploy-to.openshift-dev.yml

@@ -0,0 +1,221 @@
+name: Build & Deploy to DEV
+
+env:
+  # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
+  # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
+  # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
+  OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
+  OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+  OPENSHIFT_NAMESPACE_DEV: ${{ secrets.PEN_NAMESPACE_NO_ENV }}-dev
+
+  SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}
+  CA_CERT: ${{ secrets.CA_CERT }}
+  CERTIFICATE: ${{ secrets.CERT }}
+  PRIVATE_KEY: ${{ secrets.PRIV_KEY }}
+
+  # 🖊️ EDIT to change the image registry settings.
+  # Registries such as GHCR, Quay.io, and Docker Hub are supported.
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_REGISTRY_USER: ${{ github.actor }}
+  IMAGE_REGISTRY_PASSWORD: ${{ github.token }}
+
+  # 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below.
+  IMAGE_TAGS: ""
+
+  IMAGE_NAME: student-profile-master
+  DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote
+  ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca
+
+  APP_NAME: "student-profile"
+  REPO_NAME: "educ-student-profile"
+  BRANCH: "master"
+  APP_NAME_BACKEND: "student-profile-backend-master"
+  APP_NAME_FRONTEND: "student-profile-frontend"
+#  TODO check APP_NAME_FULL
+#  APP_NAME_FULL: "student-profile-master"
+  NAMESPACE: ${{ secrets.PEN_NAMESPACE_NO_ENV }}
+  NAMESPACE_TOOLS: ${{ secrets.EDX_NAMESPACE_NO_ENV }}-tools
+  COMMON_NAMESPACE: ${{ secrets.COMMON_NAMESPACE_NO_ENV }}
+  TAG: "latest"
+  MIN_REPLICAS_DEV: "1"
+  MAX_REPLICAS_DEV: "1"
+  MIN_CPU: "150m"
+  MAX_CPU: "300m"
+  MIN_MEM: "250Mi"
+  MAX_MEM: "500Mi"
+  # SITE_URL should have no scheme or port. It will be prepended with https://
+  HOST_ROUTE: ${{ secrets.SITE_URL }}
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+jobs:
+  build-and-deploy-dev:
+    name: Build and deploy to OpenShift DEV
+    # ubuntu-20.04 can also be used.
+    runs-on: ubuntu-20.04
+    environment: dev
+
+    outputs:
+      ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
+      SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
+
+    steps:
+      - name: Check for required secrets
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const secrets = {
+              OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
+              OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
+            };
+            const GHCR = "ghcr.io";
+            if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
+              core.info(`Image registry is ${GHCR} - no registry password required`);
+            }
+            else {
+              core.info("A registry password is required");
+              secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
+            }
+            const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
+              if (value.length === 0) {
+                core.error(`Secret "${name}" is not set`);
+                return true;
+              }
+              core.info(`✔️ Secret "${name}" is set`);
+              return false;
+            });
+            if (missingSecrets.length > 0) {
+              core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
+                "You can add it using:\n" +
+                "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
+                "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
+                "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
+            }
+            else {
+              core.info(`✅ All the required secrets are set`);
+            }
+      - name: Check out repository
+        uses: actions/checkout@v3
+
+      - name: Determine app name
+        if: env.APP_NAME_BACKEND == ''
+        run: |
+          echo "APP_NAME_BACKEND=$(basename $PWD)" | tee -a $GITHUB_ENV
+
+      - name: Determine image tags
+        if: env.IMAGE_TAGS == ''
+        run: |
+          echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.DOCKER_ARTIFACTORY_REPO }}
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      # https://github.com/redhat-actions/buildah-build#readme
+      - name: Build backend from Dockerfile
+        id: build-image-backend
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: ${{ env.APP_NAME_BACKEND }}
+          tags: ${{ env.IMAGE_TAGS }}
+
+          # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
+          # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
+          # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
+          dockerfiles: |
+            ./backend/Dockerfile
+          context: ./backend
+
+      # https://github.com/redhat-actions/push-to-registry#readme
+      - name: Push backend to registry
+        id: push-image-backend
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image-backend.outputs.image }}
+          tags: ${{ steps.build-image-backend.outputs.tags }}
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ env.IMAGE_REGISTRY_USER }}
+          password: ${{ env.IMAGE_REGISTRY_PASSWORD }}
+
+      - name: Build frontend from Dockerfile
+        id: build-image-frontend
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: ${{ env.APP_NAME_FRONTEND }}
+          tags: ${{ env.IMAGE_TAGS }}
+
+          # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
+          # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
+          # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
+          dockerfiles: |
+            ./frontend/Dockerfile
+          context: ./frontend
+
+        # https://github.com/redhat-actions/push-to-registry#readme
+      - name: Push frontend to registry
+        id: push-image-frontend
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image-frontend.outputs.image }}
+          tags: ${{ steps.build-image-frontend.outputs.tags }}
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ env.IMAGE_REGISTRY_USER }}
+          password: ${{ env.IMAGE_REGISTRY_PASSWORD }}
+
+      # The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }}
+
+      - name: Install oc
+        uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          oc: 4
+
+        # https://github.com/redhat-actions/oc-login#readme
+      - uses: actions/checkout@v3
+
+      - name: Deploy
+        run: |
+          set -eux
+          # Login to OpenShift and select project
+          oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
+          oc project ${{ env.OPENSHIFT_NAMESPACE_DEV }}
+          # Cancel any rollouts in progress
+          oc rollout cancel dc/${{ env.APP_NAME_BACKEND }} 2> /dev/null \
+          || true && echo "No rollout in progress"
+          
+          # Create the image stream if it doesn't exist
+          oc create imagestream ${{ env.REPO_NAME }}-backend-${{ env.BRANCH }} 2> /dev/null || true && echo "Backend image stream in place"
+          oc create imagestream ${{ env.REPO_NAME }}-frontend-static 2> /dev/null || true && echo "Frontend image stream in place"
+          
+          oc tag ${{ steps.push-image-backend.outputs.registry-path }} ${{ env.REPO_NAME }}-backend-${{ env.BRANCH }}:${{ env.TAG }}
+          oc tag ${{ steps.push-image-frontend.outputs.registry-path }} ${{ env.REPO_NAME }}-frontend-static:${{ env.TAG }}
+
+          # Process and apply backend deployment template
+          oc process -f tools/openshift/backend.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_DEV }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_DEV }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_DEV }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }}\
+          | oc apply -f -
+        
+          # Process and apply frontend deployment template
+          oc process -f tools/openshift/frontend-static.dc.yaml -p APP_NAME=${{ env.APP_NAME }} -p REPO_NAME=${{ env.REPO_NAME }} -p BRANCH=${{ env.BRANCH }} -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE_DEV }} -p TAG=${{ env.TAG }} -p MIN_REPLICAS=${{ env.MIN_REPLICAS_DEV }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS_DEV }} -p MIN_CPU=${{ env.MIN_CPU }} -p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} -p HOST_ROUTE=${{ env.HOST_ROUTE }} -p CA_CERT="${{ env.CA_CERT }}" -p CERTIFICATE="${{ env.CERTIFICATE }}" -p PRIVATE_KEY="${{ env.PRIVATE_KEY }}"\
+          | oc apply -f -
+          
+          curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/master/tools/config/update-configmap.sh | bash /dev/stdin dev ${{ env.APP_NAME }} ${{ env.NAMESPACE }} ${{ env.COMMON_NAMESPACE }} ${{ env.DB_JDBC_CONNECT_STRING }} ${{ env.DB_PWD }} ${{ env.DB_USER }} ${{ env.SPLUNK_TOKEN }}
+          
+          # Start rollout (if necessary) and follow it
+          oc rollout latest dc/${{ env.APP_NAME_BACKEND }} 2> /dev/null \
+          || true && echo "Rollout in progress"
+          oc logs -f dc/${{ env.APP_NAME_BACKEND }}
+               
+          oc rollout latest dc/${{ env.APP_NAME_FRONTEND_MASTER }} 2> /dev/null \
+          || true && echo "Rollout in progress"
+          # Get status, returns 0 if rollout is successful
+          oc rollout status dc/${{ env.APP_NAME_BACKEND }}
+      - name: ZAP Scan
+        uses: zaproxy/action-api-scan@v0.3.0
+        with:
+          target: 'https://${{ env.HOST_ROUTE }}'