Skip to content

fix(deps): update dependency jsonwebtoken to v9 [security] #3932

fix(deps): update dependency jsonwebtoken to v9 [security]

fix(deps): update dependency jsonwebtoken to v9 [security] #3932

name: Deploy test admin environment
on:
pull_request:
branches:
- main
types:
- labeled
- opened
- reopened
- synchronize
env:
AWS_DEFAULT_REGION: ca-central-1
FUNCTION_NAME: "notify-admin-pr"
IMAGE: notify/admin
REGISTRY: 239043911459.dkr.ecr.ca-central-1.amazonaws.com
ROLE_ARN: arn:aws:iam::239043911459:role/notify-admin-pr
jobs:
build-and-push-container:
if: ${{ !contains(github.event.pull_request.labels.*.name, 'Renovate') }}
runs-on: ubuntu-latest
steps:
- name: Set envs
run: echo "PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")" >> $GITHUB_ENV
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Configure AWS credentials
id: aws-creds
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ca-central-1
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@fc3959cb4cf5a821ab7a5a636ea4f1e855b05180 # v1.6.2
- name: Move dockerignore
run: |
mv ci/Dockerfile.lambda.dockerignore .
- name: Build Docker image
run: |
docker build \
--build-arg GIT_SHA=${{ github.sha }} \
-t ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.PR_NUMBER }} \
-f ci/Dockerfile.lambda .
- name: Push Docker image to ECR
run: |
docker push ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.PR_NUMBER }}
- name: Delete old images
run: |
IMAGES_TO_DELETE="$(aws ecr list-images --repository-name $IMAGE --filter "tagStatus=UNTAGGED" --query 'imageIds[*]' --output json)"
aws ecr batch-delete-image \
--repository-name $IMAGE \
--image-ids "$IMAGES_TO_DELETE" || true
- name: Logout of Amazon ECR
run: docker logout $REGISTRY
deploy-test-admin:
if: ${{ !contains(github.event.pull_request.labels.*.name, 'Renovate') }}
runs-on: ubuntu-latest
outputs:
LAMBDA_URL: ${{ steps.create-update-lambda.outputs.pr_url }}
needs: build-and-push-container
steps:
- name: Set envs
run: echo "PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")" >> $GITHUB_ENV
- name: Configure AWS credentials
id: aws-creds
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ca-central-1
- name: Create/Update lambda function
id: create-update-lambda
run: |
if aws lambda get-function --function-name $FUNCTION_NAME-$PR_NUMBER > /dev/null 2>&1; then
aws lambda update-function-code \
--function-name $FUNCTION_NAME-$PR_NUMBER \
--image-uri $REGISTRY/$IMAGE:$PR_NUMBER > /dev/null 2>&1
else
aws lambda create-function \
--function-name $FUNCTION_NAME-$PR_NUMBER \
--package-type Image \
--role $ROLE_ARN \
--timeout 15 \
--memory-size 1024 \
--code ImageUri=$REGISTRY/$IMAGE:$PR_NUMBER \
--description "$GITHUB_REPOSITORY/pull/$PR_NUMBER" \
--vpc-config SubnetIds=${{ secrets.PR_REVIEW_ENV_SUBNET_IDS }},SecurityGroupIds=${{ secrets.PR_REVIEW_ENV_SECURITY_GROUP_IDS }} > /dev/null 2>&1
aws lambda wait function-active --function-name $FUNCTION_NAME-$PR_NUMBER
aws lambda add-permission \
--function-name $FUNCTION_NAME-$PR_NUMBER \
--statement-id FunctionURLAllowPublicAccess \
--action lambda:InvokeFunctionUrl \
--principal "*" \
--function-url-auth-type NONE > /dev/null 2>&1
URL="$(aws lambda create-function-url-config --function-name $FUNCTION_NAME-$PR_NUMBER --auth-type NONE | jq .FunctionUrl)"
echo "URL=$URL" >> $GITHUB_ENV
aws lambda update-function-configuration \
--function-name $FUNCTION_NAME-$PR_NUMBER \
--environment "Variables={\
NOTIFY_ENVIRONMENT=staging,\
FLASK_APP=application.py,\
IP_GEOLOCATE_SERVICE=False,\
REDIS_ENABLED=True,\
SENDING_DOMAIN=staging.notification.cdssandbox.xyz,\
API_HOST_NAME=https://api.staging.notification.cdssandbox.xyz,\
ADMIN_BASE_URL=$URL
}" > /dev/null 2>&1
aws logs create-log-group --log-group-name /aws/lambda/$FUNCTION_NAME-$PR_NUMBER > /dev/null 2>&1
aws logs put-retention-policy --log-group-name /aws/lambda/$FUNCTION_NAME-$PR_NUMBER --retention-in-days 14 > /dev/null 2>&1
fi
aws lambda wait function-updated --function-name $FUNCTION_NAME-$PR_NUMBER
aws lambda put-function-concurrency \
--function-name $FUNCTION_NAME-$PR_NUMBER \
--reserved-concurrent-executions 5
PR_URL=$(aws lambda get-function-url-config --function-name $FUNCTION_NAME-$PR_NUMBER --query 'FunctionUrl' --output text)
echo "pr_url=$PR_URL" >> $GITHUB_OUTPUT
- name: Update PR
if: env.URL != ''
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## :test_tube: Review environment\n${process.env.URL.slice(1, -1)}`
})
cypress-tests:
runs-on: ubuntu-latest
needs: deploy-test-admin
continue-on-error: true
steps:
- env:
CYPRESS_BASE_URL: ${{needs.deploy-test-admin.outputs.LAMBDA_URL}}
run: echo HEY "$CYPRESS_BASE_URL"
- name: checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
with:
node-version: '16.x'
- name: Write the cypress.env.json file
# use quotes around the secret, as its value
# is simply inserted as a string into the command
run: |
echo '${{ secrets.CYPRESS_ENV_JSON }}' > tests_cypress/cypress.env.json
- name: Run the cypress tests
uses: cypress-io/github-action@d79d2d530a66e641eb4a5f227e13bc985c60b964 # v4.2.2
env:
CYPRESS_BASE_URL: ${{needs.deploy-test-admin.outputs.LAMBDA_URL}}
with:
record: false
config: "video=false,screenshotOnRunFailure=false"
build: npx cypress info
working-directory: tests_cypress
spec: |
cypress/e2e/admin/a11y/app_pages.cy.js