Skip to content

1839: Setting GAI IP restriction to deny #3274

1839: Setting GAI IP restriction to deny

1839: Setting GAI IP restriction to deny #3274

Workflow file for this run

name: Build authorization server
on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_dispatch:
inputs:
deploy_to_production:
type: boolean
description: 'Deploy to production'
default: false
env:
CONTAINER_REGISTRY: ghcr.io
permissions:
checks: write
deployments: write
packages: write
pull-requests: write
jobs:
build:
name: Build & test
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
outputs:
authserver: ${{ steps.image_tags.outputs.authserver }}
testclient: ${{ steps.image_tags.outputs.testclient }}
services:
postgres:
image: postgres
env:
POSTGRES_DB: teacher_identity
POSTGRES_PASSWORD: teacher_identity
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
steps:
- uses: actions/checkout@v3
with:
submodules: recursive
- uses: actions/setup-dotnet@v3
with:
dotnet-version: '7.0.202'
- name: Restore
run: dotnet restore
working-directory: dotnet-authserver
- name: Lint
if: github.event_name != 'push'
run: |
INCLUDE_ARG=""
if [ "$EVENT_NAME" == "pull_request" ]; then
git fetch origin main --quiet --depth=1
CHANGED_FILES=$(git diff --name-only origin/main $GITHUB_SHA | { grep -oP '^dotnet-authserver\/\K.*\.cs$' || true; })
if [ "$CHANGED_FILES" == "" ]; then
echo "::warning::No changes to lint"
exit 0
fi
INCLUDE_ARG="--include $(echo "$CHANGED_FILES" | tr '\n' ' ')"
echo "::notice::Linting changed files only"
else
echo "::notice::Linting entire codebase"
fi
dotnet tool install -g dotnet-format --version "7.*" --add-source https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet7/nuget/v3/index.json >/dev/null
dotnet-format --no-restore --verify-no-changes $INCLUDE_ARG
env:
EVENT_NAME: ${{ github.event_name }}
working-directory: dotnet-authserver
- name: Install SASS
run: npm install -g sass
- name: Build
run: dotnet build --configuration Release --no-restore
working-directory: dotnet-authserver
- name: Unit tests
uses: ./.github/workflows/actions/test
if: github.event_name != 'push'
with:
test_project_path: dotnet-authserver/tests/TeacherIdentity.AuthServer.Tests
report_name: "Unit test results"
dotnet_test_args: '-e ConnectionStrings__DefaultConnection="Host=localhost;Username=postgres;Password=teacher_identity;Database=teacher_identity"'
- name: Install Playwright
run: pwsh ./tests/TeacherIdentity.AuthServer.EndToEndTests/bin/Release/net7.0/playwright.ps1 install
if: github.event_name != 'push'
working-directory: dotnet-authserver
- name: End-to-end tests
uses: ./.github/workflows/actions/test
if: github.event_name != 'push'
with:
test_project_path: dotnet-authserver/tests/TeacherIdentity.AuthServer.EndToEndTests
report_name: "End-to-end test results"
dotnet_test_args: '-e AuthorizationServer__ConnectionStrings__DefaultConnection="Host=localhost;Username=postgres;Password=teacher_identity;Database=teacher_identity"'
- name: Publish
run: |
dotnet publish --configuration Release --no-build src/TeacherIdentity.AuthServer/TeacherIdentity.AuthServer.csproj
dotnet publish --configuration Release --no-build src/TeacherIdentity.TestClient/TeacherIdentity.TestClient.csproj
working-directory: dotnet-authserver
- name: Get Docker image tags
id: image_tags
run: |
echo authserver=$CONTAINER_REGISTRY/$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]'):authserver-$GITHUB_SHA >> $GITHUB_OUTPUT
echo testclient=$CONTAINER_REGISTRY/$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]'):testclient-$GITHUB_SHA >> $GITHUB_OUTPUT
- name: Set KV environment variables
working-directory: terraform
if: github.actor != 'dependabot[bot]'
run: |
tf_vars_file=workspace_variables/dev.tfvars.json
echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV
- uses: azure/login@v1
if: github.actor != 'dependabot[bot]'
with:
creds: ${{ secrets.AZURE_CREDENTIALS_DEV }}
- name: Get MONITORING secret
uses: DfE-Digital/keyvault-yaml-secret@v1
id: get_monitoring_secret
with:
keyvault: ${{ env.KEY_VAULT_NAME }}
secret: MONITORING
key: SLACK_WEBHOOK
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Get INFRASTRUCTURE secret
uses: DFE-Digital/keyvault-yaml-secret@v1
if: github.actor != 'dependabot[bot]'
id: get-secret
with:
keyvault: ${{ env.KEY_VAULT_NAME }}
secret: INFRASTRUCTURE
key: SNYK_TOKEN
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Auth server docker build
uses: docker/build-push-action@v4
with:
context: dotnet-authserver/src/TeacherIdentity.AuthServer
push: false
tags: ${{ steps.image_tags.outputs.authserver }}
build-args: |
GIT_SHA=${{ github.sha }}
- name: Run Snyk to check auth server Docker image for vulnerabilities
if: github.actor != 'dependabot[bot]'
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }}
with:
image: ${{ steps.image_tags.outputs.authserver }}
args: --file=dotnet-authserver/src/TeacherIdentity.AuthServer/Dockerfile --severity-threshold=high
continue-on-error: true
- name: Push auth server docker image
run: docker image push ${{ steps.image_tags.outputs.authserver }}
- name: Test client docker build
uses: docker/build-push-action@v4
with:
context: dotnet-authserver/src/TeacherIdentity.TestClient
push: true
tags: ${{ steps.image_tags.outputs.testclient }}
validate_terraform:
name: Validate Terraform
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.0.10
- name: Check formatting
run: terraform fmt -check
working-directory: terraform
- name: Validate
run: |
terraform init -backend=false
terraform validate -no-color
working-directory: terraform
- name: Lint
uses: reviewdog/action-tflint@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
tflint_rulesets: azurerm
working_directory: terraform
continue-on-error: true # temporary- we're getting sporadic 503 errors here in action setup
deploy_dev:
name: Deploy to dev environment
needs: [build, validate_terraform]
runs-on: ubuntu-latest
if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false) || github.event_name == 'workflow_dispatch'
environment:
name: dev
url: ${{ steps.deploy.outputs.environment_url }}
concurrency: deploy_dev
outputs:
environment_url: ${{ steps.deploy.outputs.environment_url }}
steps:
- uses: actions/checkout@v3
- uses: ./.github/workflows/actions/deploy-environment
id: deploy
with:
environment_name: dev
image_tag: ${{ github.sha }}
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
terraform_vars: workspace_variables/dev.tfvars.json
terraform_backend_vars: workspace_variables/dev.backend.tfvars
deploy_preprod:
name: Deploy to preprod environment
needs: [build]
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
environment:
name: preprod
url: ${{ steps.deploy.outputs.environment_url }}
concurrency: deploy_preprod
outputs:
environment_url: ${{ steps.deploy.outputs.environment_url }}
steps:
- uses: actions/checkout@v3
- uses: ./.github/workflows/actions/deploy-environment
id: deploy
with:
environment_name: preprod
image_tag: ${{ github.sha }}
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
terraform_vars: workspace_variables/preprod.tfvars.json
terraform_backend_vars: workspace_variables/preprod.backend.tfvars
deploy_production:
name: Deploy to production environment
needs: [build, deploy_preprod]
runs-on: ubuntu-latest
if: (github.ref == 'refs/heads/main' && github.event_name != 'workflow_dispatch') || (github.event_name == 'workflow_dispatch' && github.event.inputs.deploy_to_production == 'true')
environment:
name: production
url: ${{ steps.deploy.outputs.environment_url }}
concurrency: deploy_production
outputs:
environment_url: ${{ steps.deploy.outputs.environment_url }}
postgres_server_name: ${{ steps.deploy.outputs.postgres_server_name }}
steps:
- uses: actions/checkout@v3
- uses: ./.github/workflows/actions/deploy-environment
id: deploy
with:
environment_name: production
image_tag: ${{ github.sha }}
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
terraform_vars: workspace_variables/production.tfvars.json
terraform_backend_vars: workspace_variables/production.backend.tfvars