1839: Setting GAI IP restriction to deny #3274
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build authorization server | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
workflow_dispatch: | |
inputs: | |
deploy_to_production: | |
type: boolean | |
description: 'Deploy to production' | |
default: false | |
env: | |
CONTAINER_REGISTRY: ghcr.io | |
permissions: | |
checks: write | |
deployments: write | |
packages: write | |
pull-requests: write | |
jobs: | |
build: | |
name: Build & test | |
runs-on: ubuntu-latest | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
outputs: | |
authserver: ${{ steps.image_tags.outputs.authserver }} | |
testclient: ${{ steps.image_tags.outputs.testclient }} | |
services: | |
postgres: | |
image: postgres | |
env: | |
POSTGRES_DB: teacher_identity | |
POSTGRES_PASSWORD: teacher_identity | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
- 5432:5432 | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- uses: actions/setup-dotnet@v3 | |
with: | |
dotnet-version: '7.0.202' | |
- name: Restore | |
run: dotnet restore | |
working-directory: dotnet-authserver | |
- name: Lint | |
if: github.event_name != 'push' | |
run: | | |
INCLUDE_ARG="" | |
if [ "$EVENT_NAME" == "pull_request" ]; then | |
git fetch origin main --quiet --depth=1 | |
CHANGED_FILES=$(git diff --name-only origin/main $GITHUB_SHA | { grep -oP '^dotnet-authserver\/\K.*\.cs$' || true; }) | |
if [ "$CHANGED_FILES" == "" ]; then | |
echo "::warning::No changes to lint" | |
exit 0 | |
fi | |
INCLUDE_ARG="--include $(echo "$CHANGED_FILES" | tr '\n' ' ')" | |
echo "::notice::Linting changed files only" | |
else | |
echo "::notice::Linting entire codebase" | |
fi | |
dotnet tool install -g dotnet-format --version "7.*" --add-source https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet7/nuget/v3/index.json >/dev/null | |
dotnet-format --no-restore --verify-no-changes $INCLUDE_ARG | |
env: | |
EVENT_NAME: ${{ github.event_name }} | |
working-directory: dotnet-authserver | |
- name: Install SASS | |
run: npm install -g sass | |
- name: Build | |
run: dotnet build --configuration Release --no-restore | |
working-directory: dotnet-authserver | |
- name: Unit tests | |
uses: ./.github/workflows/actions/test | |
if: github.event_name != 'push' | |
with: | |
test_project_path: dotnet-authserver/tests/TeacherIdentity.AuthServer.Tests | |
report_name: "Unit test results" | |
dotnet_test_args: '-e ConnectionStrings__DefaultConnection="Host=localhost;Username=postgres;Password=teacher_identity;Database=teacher_identity"' | |
- name: Install Playwright | |
run: pwsh ./tests/TeacherIdentity.AuthServer.EndToEndTests/bin/Release/net7.0/playwright.ps1 install | |
if: github.event_name != 'push' | |
working-directory: dotnet-authserver | |
- name: End-to-end tests | |
uses: ./.github/workflows/actions/test | |
if: github.event_name != 'push' | |
with: | |
test_project_path: dotnet-authserver/tests/TeacherIdentity.AuthServer.EndToEndTests | |
report_name: "End-to-end test results" | |
dotnet_test_args: '-e AuthorizationServer__ConnectionStrings__DefaultConnection="Host=localhost;Username=postgres;Password=teacher_identity;Database=teacher_identity"' | |
- name: Publish | |
run: | | |
dotnet publish --configuration Release --no-build src/TeacherIdentity.AuthServer/TeacherIdentity.AuthServer.csproj | |
dotnet publish --configuration Release --no-build src/TeacherIdentity.TestClient/TeacherIdentity.TestClient.csproj | |
working-directory: dotnet-authserver | |
- name: Get Docker image tags | |
id: image_tags | |
run: | | |
echo authserver=$CONTAINER_REGISTRY/$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]'):authserver-$GITHUB_SHA >> $GITHUB_OUTPUT | |
echo testclient=$CONTAINER_REGISTRY/$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]'):testclient-$GITHUB_SHA >> $GITHUB_OUTPUT | |
- name: Set KV environment variables | |
working-directory: terraform | |
if: github.actor != 'dependabot[bot]' | |
run: | | |
tf_vars_file=workspace_variables/dev.tfvars.json | |
echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV | |
- uses: azure/login@v1 | |
if: github.actor != 'dependabot[bot]' | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS_DEV }} | |
- name: Get MONITORING secret | |
uses: DfE-Digital/keyvault-yaml-secret@v1 | |
id: get_monitoring_secret | |
with: | |
keyvault: ${{ env.KEY_VAULT_NAME }} | |
secret: MONITORING | |
key: SLACK_WEBHOOK | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Get INFRASTRUCTURE secret | |
uses: DFE-Digital/keyvault-yaml-secret@v1 | |
if: github.actor != 'dependabot[bot]' | |
id: get-secret | |
with: | |
keyvault: ${{ env.KEY_VAULT_NAME }} | |
secret: INFRASTRUCTURE | |
key: SNYK_TOKEN | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Auth server docker build | |
uses: docker/build-push-action@v4 | |
with: | |
context: dotnet-authserver/src/TeacherIdentity.AuthServer | |
push: false | |
tags: ${{ steps.image_tags.outputs.authserver }} | |
build-args: | | |
GIT_SHA=${{ github.sha }} | |
- name: Run Snyk to check auth server Docker image for vulnerabilities | |
if: github.actor != 'dependabot[bot]' | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }} | |
with: | |
image: ${{ steps.image_tags.outputs.authserver }} | |
args: --file=dotnet-authserver/src/TeacherIdentity.AuthServer/Dockerfile --severity-threshold=high | |
continue-on-error: true | |
- name: Push auth server docker image | |
run: docker image push ${{ steps.image_tags.outputs.authserver }} | |
- name: Test client docker build | |
uses: docker/build-push-action@v4 | |
with: | |
context: dotnet-authserver/src/TeacherIdentity.TestClient | |
push: true | |
tags: ${{ steps.image_tags.outputs.testclient }} | |
validate_terraform: | |
name: Validate Terraform | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_version: 1.0.10 | |
- name: Check formatting | |
run: terraform fmt -check | |
working-directory: terraform | |
- name: Validate | |
run: | | |
terraform init -backend=false | |
terraform validate -no-color | |
working-directory: terraform | |
- name: Lint | |
uses: reviewdog/action-tflint@master | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
tflint_rulesets: azurerm | |
working_directory: terraform | |
continue-on-error: true # temporary- we're getting sporadic 503 errors here in action setup | |
deploy_dev: | |
name: Deploy to dev environment | |
needs: [build, validate_terraform] | |
runs-on: ubuntu-latest | |
if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false) || github.event_name == 'workflow_dispatch' | |
environment: | |
name: dev | |
url: ${{ steps.deploy.outputs.environment_url }} | |
concurrency: deploy_dev | |
outputs: | |
environment_url: ${{ steps.deploy.outputs.environment_url }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: ./.github/workflows/actions/deploy-environment | |
id: deploy | |
with: | |
environment_name: dev | |
image_tag: ${{ github.sha }} | |
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} | |
terraform_vars: workspace_variables/dev.tfvars.json | |
terraform_backend_vars: workspace_variables/dev.backend.tfvars | |
deploy_preprod: | |
name: Deploy to preprod environment | |
needs: [build] | |
runs-on: ubuntu-latest | |
if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' | |
environment: | |
name: preprod | |
url: ${{ steps.deploy.outputs.environment_url }} | |
concurrency: deploy_preprod | |
outputs: | |
environment_url: ${{ steps.deploy.outputs.environment_url }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: ./.github/workflows/actions/deploy-environment | |
id: deploy | |
with: | |
environment_name: preprod | |
image_tag: ${{ github.sha }} | |
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} | |
terraform_vars: workspace_variables/preprod.tfvars.json | |
terraform_backend_vars: workspace_variables/preprod.backend.tfvars | |
deploy_production: | |
name: Deploy to production environment | |
needs: [build, deploy_preprod] | |
runs-on: ubuntu-latest | |
if: (github.ref == 'refs/heads/main' && github.event_name != 'workflow_dispatch') || (github.event_name == 'workflow_dispatch' && github.event.inputs.deploy_to_production == 'true') | |
environment: | |
name: production | |
url: ${{ steps.deploy.outputs.environment_url }} | |
concurrency: deploy_production | |
outputs: | |
environment_url: ${{ steps.deploy.outputs.environment_url }} | |
postgres_server_name: ${{ steps.deploy.outputs.postgres_server_name }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: ./.github/workflows/actions/deploy-environment | |
id: deploy | |
with: | |
environment_name: production | |
image_tag: ${{ github.sha }} | |
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} | |
terraform_vars: workspace_variables/production.tfvars.json | |
terraform_backend_vars: workspace_variables/production.backend.tfvars |