diff --git a/.github/actions/build-and-test/action.yml b/.github/actions/build-and-test/action.yml index 7b97c9899c..dc466c4e5e 100644 --- a/.github/actions/build-and-test/action.yml +++ b/.github/actions/build-and-test/action.yml @@ -1,5 +1,11 @@ name: 'Build and test' description: 'Checkout, download java and assemble and test' + +inputs: + gradle-arguments: + required: false + description: 'Gradle arguments to pass to gradle build' + default: build runs: using: "composite" steps: @@ -9,4 +15,4 @@ runs: uses: gradle/gradle-build-action@v2.8.0 with: gradle-version: wrapper - arguments: build + arguments: ${{ inputs.gradle-arguments }} diff --git a/.github/actions/deploy/action.yml b/.github/actions/deploy/action.yml index 99e2efce50..5978005a66 100644 --- a/.github/actions/deploy/action.yml +++ b/.github/actions/deploy/action.yml @@ -2,15 +2,24 @@ name: 'Deploy' description: 'Deploy' inputs: - nav-environment: - required: true - description: 'dev or prod' NAIS_DEPLOY_APIKEY: required: true description: 'secrets.NAIS_DEPLOY_APIKEY' - image: + cluster: required: true - description: 'full image url' + description: 'dev-fss/prod-fss' + var: + required: false + description: 'Optional, default empty, format: key1=value1,key2=value2' + default: '' + resource: + required: false + description: 'path to nais.yml' + default: 'nais.yml' + vars: + required: false + description: 'Optional, default empty, path to nais-dev.json/nais-prod.json' + default: '' runs: using: "composite" @@ -20,7 +29,7 @@ runs: - uses: nais/deploy/actions/deploy@v1 env: APIKEY: ${{ inputs.NAIS_DEPLOY_APIKEY }} - CLUSTER: ${{ inputs.nav-environment }}-fss - RESOURCE: nais.yml - VARS: nais-${{ inputs.nav-environment }}.json - VAR: image=${{ inputs.image }} + CLUSTER: ${{ inputs.cluster }} + RESOURCE: ${{ inputs.resource }} + VARS: ${{ inputs.vars }} + VAR: ${{ inputs.var }} diff --git a/.github/actions/push-image/action.yml b/.github/actions/push-image/action.yml index 6ca6d0ab1f..1bf4326f10 100644 
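Review bot: With `arguments: ${{ inputs.gradle-arguments }}` defaulting to `build`, the branch and branch-deploy workflows that this commit moves onto this action stop running `./gradlew --no-build-cache test build` (see the deleted branch.yml and branch-deploy.yml): `test` is implied by `build`, but `--no-build-cache` is dropped for those builds without a word. If that is intended, a comment on the default such as `# runs the plain 'build' task; callers wanting the old behaviour pass '--no-build-cache build'` would make it explicit. The description 'Gradle arguments to pass to gradle build' also reads as if the value were appended to a fixed `build` task, whereas the hunk hands it to gradle-build-action as the whole argument list; 'Arguments handed to gradle-build-action (default: build)' matches what is done.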
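Review bot: Dropping the `image` input and the `VAR: image=${{ inputs.image }}` line means the action no longer guarantees that the `image` variable the old code always supplied to nais.yml is set; every caller must now remember to pass it through `var`, and the new `var` description ('Optional, default empty, format: key1=value1,key2=value2') does not mention it. Suggest saying so where callers will read it, e.g. `description: 'Comma-separated key=value pairs for nais deploy, e.g. image=<full image url> when the resource expects one'`. `VARS` and `VAR` now default to `''` where the previous version always set `VARS` to a file; whether nais/deploy treats an empty `VARS` as "no vars file" rather than a missing path is worth confirming before the default is relied on.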
--- a/.github/actions/push-image/action.yml +++ b/.github/actions/push-image/action.yml @@ -11,6 +11,14 @@ inputs: tag: required: true description: 'github.sha' + dockerfile: + required: false + description: 'Optional dockerfile path, default: Dockerfile + default: 'Dockerfile' + image_suffix: + required: false + description: 'Optional, default empty' + default: '' outputs: image: description: "Docker image in GAR" @@ -26,3 +34,6 @@ runs: tag: ${{ inputs.tag }} identity_provider: ${{ inputs.identity_provider }} project_id: ${{ inputs.project_id }} + dockerfile: ${{ inputs.dockerfile }} + image_suffix: ${{ inputs.image_suffix }} + diff --git a/.github/workflows/alerts-deploy.yml b/.github/workflows/alerts-deploy.yml index 2250ffc8ad..6dc4aa1d03 100644 --- a/.github/workflows/alerts-deploy.yml +++ b/.github/workflows/alerts-deploy.yml 
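Review bot: The `dockerfile` description on the new input is missing its closing quote: `description: 'Optional dockerfile path, default: Dockerfile` opens a single-quoted scalar that continues onto the `default: 'Dockerfile'` line, so the action file no longer parses and every workflow using `./.github/actions/push-image` fails at load time. Change it to `description: 'Optional dockerfile path, default: Dockerfile'`. The `image_suffix` description ('Optional, default empty') says nothing about what the suffix is applied to; a sentence stating how the inner action (its `uses:` is outside this hunk) uses it, with the two values this commit passes (`app`, `datapakker-job`) as examples, would help callers.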
@@ -6,24 +6,25 @@ on: paths: - 'alerts.yml' - '.github/workflows/alerts-deploy.yml' + +permissions: { } + jobs: - apply-alerts: - name: Apply alerts to cluster - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: deploy to dev - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: dev-fss - RESOURCE: alerts.yml - VAR: SLACK_ALERTS_CHANNEL=#su_alerts_dev,LOGS_URL=https://logs.adeo.no/goto/10065d0eff34c88407beb46993e0d729 - - name: deploy to prod - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: prod-fss - RESOURCE: alerts.yml - VAR: SLACK_ALERTS_CHANNEL=#su_alerts,LOGS_URL=https://logs.adeo.no/goto/6af62b00d098b7ef2d7cb769c53379b5 + deploy_to_dev: + name: Deploy to dev + uses: navikt/su-se-bakover/.github/workflows/reusable-deploy.yml@master + with: + var: SLACK_ALERTS_CHANNEL=#su_alerts_dev,LOGS_URL=https://logs.adeo.no/goto/10065d0eff34c88407beb46993e0d729 + cluster: dev-fss + resource: alerts.yml + secrets: + NAIS_DEPLOY_APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} + deploy_to_prod: + name: Deploy to prod + uses: navikt/su-se-bakover/.github/workflows/reusable-deploy.yml@master + with: + var: SLACK_ALERTS_CHANNEL=#su_alerts,LOGS_URL=https://logs.adeo.no/goto/6af62b00d098b7ef2d7cb769c53379b5 + cluster: prod-fss + resource: alerts.yml + secrets: + NAIS_DEPLOY_APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} diff --git a/.github/workflows/branch-deploy.yml b/.github/workflows/branch-deploy.yml deleted file mode 100644 index 19b1e86d82..0000000000 --- a/.github/workflows/branch-deploy.yml +++ /dev/null 
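Review bot: Both new jobs call the reusable workflow at the mutable ref `navikt/su-se-bakover/.github/workflows/reusable-deploy.yml@master`, so a run executes whatever reusable-deploy.yml is on master at that moment rather than the version committed with this change; since this same commit changes that workflow's inputs, a caller and callee that are not on master together will disagree about the interface. A same-repository reusable workflow can be referenced by path, `uses: ./.github/workflows/reusable-deploy.yml`, which runs the caller's own commit; the same applies to the calls added in datapakker.yml, su-se-bakover-branch-deploy.yml and su-se-bakover-prod-deploy.yml. Minor style: `permissions: { }` here differs from the `permissions: {}` written in every other file of this change.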
@@ -1,80 +0,0 @@ -name: Deploy branch to dev-fss [manual deploy] -# If you want to deploy a branch (feature branch or even redeploy master/main) to dev-fss (preprod) we use github actions workflow_dispatch -# Goto https://github.com/navikt/su-se-bakover/actions/workflows/branch-deploy.yml choose a branch and deploy it -# See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch -on: workflow_dispatch - -env: - IMAGE: ghcr.io/${{ github.repository }}/su-se-bakover:${{ github.sha }} - -jobs: - verify-master-is-ancestor: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - run: | # git merge-base returns 0 when master is ancestor, 1 if it is not (other positive numbers on error) - set +e - origin_master="$(git rev-parse origin/master)" - head="$(git rev-parse HEAD)" - echo "Hash for origin master: ${origin_master}. Hash for HEAD: ${head}." - merge_base="$(git merge-base $origin_master HEAD)" - echo "Merge-base: ${merge_base}" - git merge-base --is-ancestor $origin_master HEAD - return_code=$? - echo "Return code of 'git merge-base': ${return_code}" - if [[ return_code -gt 0 ]]; then - echo "You have to merge origin/master before you can deploy a branch." 
- exit 1 - fi - - build: - name: Gradle test build and conditional docker build push - needs: verify-master-is-ancestor - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/cache@v3 - with: - path: | - ~/.gradle/caches - ~/.gradle/wrapper - key: ${{ runner.os }}-gradle-${{ hashFiles('gradle.properties', 'settings.gradle.kts', '**/build.gradle.kts', 'gradle/wrapper/gradle-wrapper.properties') }} - restore-keys: | - ${{ runner.os }}-gradle- - - uses: actions/setup-java@v3 - with: - java-version: '19' - distribution: 'temurin' - - name: test and build - run: ./gradlew --no-build-cache test build - env: - ORG_GRADLE_PROJECT_githubUser: x-access-token - ORG_GRADLE_PROJECT_githubPassword: ${{ secrets.GITHUB_TOKEN }} - - name: Login to DockerHub - uses: docker/login-action@v2.2.0 - with: - registry: ghcr.io - username: ${{ github.repository }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and publish Docker image - uses: docker/build-push-action@v4.1.1 - with: - context: . - push: true - pull: true - tags: ${{env.IMAGE}} - - deploy_to_dev: - name: Deploy branch to dev-fss - needs: build - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: dev-fss - RESOURCE: nais.yml - VARS: nais-dev.json diff --git a/.github/workflows/branch.yml b/.github/workflows/branch.yml deleted file mode 100644 index e686f39e65..0000000000 --- a/.github/workflows/branch.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -name: Build non-master/main branches on push. -# If you want to deploy your branch see branch-deploy.yml -on: - push: - branches: - - '*' # matches every branch that doesn't contain a '/' - - '*/*' # matches every branch containing a single '/' - - '**' # matches every branch - - '!master' # excludes master - - '!main' # excludes main (will probably replace master) - paths-ignore: - - '.github/workflows/datapakker.yml' - - '.github/workflows/codeql.yml' - - '.github/workflows/alerts-deploy.yml' - - 'datapakker/**' - -env: - IMAGE: ghcr.io/${{ github.repository }}/su-se-bakover:${{ github.sha }} - -jobs: - build: - name: Run Gradle test and build steps - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/cache@v3 - with: - path: | - ~/.gradle/caches - ~/.gradle/wrapper - key: ${{ runner.os }}-gradle-${{ hashFiles('gradle.properties', 'settings.gradle.kts', '**/build.gradle.kts', 'gradle/wrapper/gradle-wrapper.properties') }} - restore-keys: | - ${{ runner.os }}-gradle- - - uses: actions/setup-java@v3 - with: - java-version: '19' - distribution: 'temurin' - - name: test and build - run: ./gradlew --no-build-cache test build - env: - ORG_GRADLE_PROJECT_githubUser: x-access-token - ORG_GRADLE_PROJECT_githubPassword: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/datapakker.yml b/.github/workflows/datapakker.yml index 7d453945ee..b66883332e 100644 --- a/.github/workflows/datapakker.yml +++ b/.github/workflows/datapakker.yml @@ -1,4 +1,3 @@ - on: push: branches: @@ -6,12 +5,12 @@ on: paths: - '.github/workflows/datapakker.yml' - 'datapakker/**' + - 'common/**' -env: - IMAGE: ghcr.io/${{ github.repository }}/datapakker/soknad:${{ github.sha }} +permissions: {} jobs: - build: + build-test-push-image: name: Build and push Docker container runs-on: ubuntu-latest permissions: 
@@ -20,62 +19,39 @@ jobs: id-token: 'write' steps: - uses: actions/checkout@v3 - - uses: actions/cache@v3 - with: - path: | - ~/.gradle/caches - ~/.gradle/wrapper - key: ${{ runner.os }}-gradle-v2-${{ hashFiles('gradle.properties', 'settings.gradle.kts', '**/build.gradle.kts', 'gradle/wrapper/gradle-wrapper.properties') }} - restore-keys: | - ${{ runner.os }}-gradle- - - uses: actions/setup-java@v3 - with: - java-version: '19' - distribution: 'temurin' - - name: test and build - run: ./gradlew --no-build-cache :datapakker:soknad:build - env: - ORG_GRADLE_PROJECT_githubUser: x-access-token - ORG_GRADLE_PROJECT_githubPassword: ${{ secrets.GITHUB_TOKEN }} - - name: Login to DockerHub - uses: docker/login-action@v2.2.0 + - name: Build and test + uses: ./.github/actions/build-and-test with: - registry: ghcr.io - username: ${{ github.repository }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and publish Docker image - uses: docker/build-push-action@v4.1.1 + gradle-arguments: :datapakker:soknad:build + - name: Push image + uses: ./.github/actions/push-image with: - context: . 
- file: ./datapakker/soknad/Dockerfile - push: true - pull: true - tags: ${{env.IMAGE}} + identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} + project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} + tag: ${{ github.sha }} + dockerfile: ./datapakker/soknad/Dockerfile + image_suffix: 'datapakker-job' deploy_to_dev: name: Deploy to dev - needs: build - if: github.ref == 'refs/heads/master' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: dev-fss - RESOURCE: datapakker/soknad/nais.yml - VARS: datapakker/soknad/nais-dev.json + uses: navikt/su-se-bakover/.github/workflows/reusable-deploy.yml@master + needs: build-test-push-image + with: + tag: ${{ github.sha }} + cluster: dev-fss + vars: datapakker/soknad/nais-dev.json + resource: datapakker/soknad/nais.yml + secrets: + NAIS_DEPLOY_APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} deploy_to_prod: name: Deploy to prod - needs: build - if: github.ref == 'refs/heads/master' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: prod-fss - RESOURCE: datapakker/soknad/nais.yml - VARS: datapakker/soknad/nais-prod.json \ No newline at end of file + uses: navikt/su-se-bakover/.github/workflows/reusable-deploy.yml@master + needs: build-test-push-image + with: + tag: ${{ github.sha }} + cluster: prod-fss + vars: datapakker/soknad/nais-prod.json + resource: datapakker/soknad/nais.yml + secrets: + NAIS_DEPLOY_APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} diff --git a/.github/workflows/prod-deploy.yml b/.github/workflows/prod-deploy.yml deleted file mode 100644 index d54e654fcf..0000000000 --- a/.github/workflows/prod-deploy.yml +++ /dev/null 
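Review bot: The new `deploy_to_dev` and `deploy_to_prod` jobs pass `tag: ${{ github.sha }}` to reusable-deploy.yml, but this same commit removes the `tag` input from that workflow, and GitHub rejects a call that supplies an input the called workflow does not declare, so both jobs fail validation; drop the `tag:` lines (`cluster`, `vars`, `resource` and the secret are all the new interface takes). The same mismatch is in su-se-bakover-branch-deploy.yml, whose `deploy-to-preprod` still passes `nav-environment: dev` and `tag:` and omits the now-required `cluster`. The `if: github.ref == 'refs/heads/master'` guards on both deploy jobs are removed without replacement; if the `push` filter at the top of the file (not visible here) admits other branches, every branch push now deploys to dev and prod. Nothing passes the image now pushed to GAR with `image_suffix: 'datapakker-job'` to the deploy, so if datapakker/soknad/nais.yml or the vars files hard-code the old ghcr.io image, the deployed reference points at an image this workflow no longer builds — confirm against those files.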
@@ -1,21 +0,0 @@ -name: Deploy to prod automatically on published release - -on: - release: - types: [published] - -env: - IMAGE: ghcr.io/${{ github.repository }}/su-se-bakover:${{ github.sha }} - -jobs: - deploy_to_prod: - name: Deploy to prod - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: prod-fss - RESOURCE: nais.yml - VARS: nais-prod.json \ No newline at end of file diff --git a/.github/workflows/reusable-codeql.yml b/.github/workflows/reusable-codeql.yml index a0d79c1940..0c1617613a 100644 --- a/.github/workflows/reusable-codeql.yml +++ b/.github/workflows/reusable-codeql.yml @@ -3,6 +3,8 @@ name: CodeQL on: workflow_call: +permissions: {} + jobs: draft-release: permissions: diff --git a/.github/workflows/reusable-deploy.yml b/.github/workflows/reusable-deploy.yml index 27d42e1362..d3bd59da8c 100644 --- a/.github/workflows/reusable-deploy.yml +++ b/.github/workflows/reusable-deploy.yml @@ -3,18 +3,32 @@ name: Deploy on: workflow_call: inputs: - nav-environment: + cluster: required: true - description: 'dev or prod' + description: 'dev-fss/prod-fss' type: string - tag: - required: true - description: 'github.sha' + var: + required: false + description: 'Optional, default empty, format: key1=value1,key2=value2' + type: string + default: '' + resource: + required: false + description: 'Optional, default nais.yml, path to nais.yml' + default: 'nais.yml' + type: string + vars: + required: false + description: 'Optional, default empty, path to nais-dev.json/nais-prod.json' + default: '' type: string secrets: NAIS_DEPLOY_APIKEY: required: true description: 'secrets.NAIS_DEPLOY_APIKEY' + +permissions: {} + jobs: deploy: runs-on: ubuntu-latest 
@@ -24,6 +38,8 @@ jobs: - name: Deploy to ${{ inputs.nav-environment }} uses: ./.github/actions/deploy with: - nav-environment: ${{ inputs.nav-environment }} NAIS_DEPLOY_APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - image: europe-north1-docker.pkg.dev/nais-management-233d/supstonad/su-se-bakover:${{ inputs.tag }} + cluster: ${{ inputs.cluster }} + var: ${{ inputs.var }} + vars: ${{ inputs.vars }} + resource: ${{ inputs.resource }} diff --git a/.github/workflows/reusable-draft-release.yml b/.github/workflows/reusable-draft-release.yml index 0a24525f2b..59853bee76 100644 --- a/.github/workflows/reusable-draft-release.yml +++ b/.github/workflows/reusable-draft-release.yml @@ -6,6 +6,9 @@ on: GITHUB_TOKEN: required: true description: 'secrets.GITHUB_TOKEN' + +permissions: {} + jobs: draft-release: permissions: diff --git a/.github/workflows/reusable-submit-dependency-graph.yml b/.github/workflows/reusable-submit-dependency-graph.yml index eca722464f..3405c201c2 100644 --- a/.github/workflows/reusable-submit-dependency-graph.yml +++ b/.github/workflows/reusable-submit-dependency-graph.yml @@ -3,6 +3,8 @@ name: Submit dependency graph on: workflow_call: +permissions: {} + jobs: submit-dependency-graph: runs-on: ubuntu-latest diff --git a/.github/workflows/su-se-bakover-branch-deploy.yml b/.github/workflows/su-se-bakover-branch-deploy.yml new file mode 100644 index 0000000000..da292ef9aa --- /dev/null +++ b/.github/workflows/su-se-bakover-branch-deploy.yml 
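Review bot: The context line `- name: Deploy to ${{ inputs.nav-environment }}` still references the `nav-environment` input that this commit removes from the workflow's `inputs`, so the step name renders as "Deploy to " (an undefined input evaluates to an empty string rather than failing). Change it to `- name: Deploy to ${{ inputs.cluster }}`. The enclosing `deploy` job starts outside the hunk.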
@@ -0,0 +1,57 @@ +name: Deploy branch to dev-fss [manual deploy] +# If you want to deploy a branch (feature branch or even redeploy master/main) to dev-fss (preprod) we use Github actions workflow_dispatch +# Goto https://github.com/navikt/su-se-bakover/actions/workflows/su-se-bakover-branch-deploy.yml choose a branch and deploy it +# See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch +on: workflow_dispatch + +permissions: {} + +jobs: + verify-master-is-ancestor: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - run: | # git merge-base returns 0 when master is ancestor, 1 if it is not (other positive numbers on error) + set +e + origin_master="$(git rev-parse origin/master)" + head="$(git rev-parse HEAD)" + echo "Hash for origin master: ${origin_master}. Hash for HEAD: ${head}." + merge_base="$(git merge-base $origin_master HEAD)" + echo "Merge-base: ${merge_base}" + git merge-base --is-ancestor $origin_master HEAD + return_code=$? + echo "Return code of 'git merge-base': ${return_code}" + if [[ return_code -gt 0 ]]; then + echo "You have to merge origin/master before you can deploy a branch." 
+ exit 1 + fi + + build-test-push-image: + name: Build, test and push image + needs: verify-master-is-ancestor + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # needed for push-image + steps: + - uses: actions/checkout@v3 + - name: Build and test + uses: ./.github/actions/build-and-test + - name: Push image + uses: ./.github/actions/push-image + with: + identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} + project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} + tag: ${{ github.sha }} + image_suffix: 'app' + deploy-to-preprod: + needs: build-test-push-image + name: Deploy to preprod + uses: navikt/su-se-bakover/.github/workflows/reusable-deploy.yml@master + with: + nav-environment: dev + tag: ${{ github.sha }} + secrets: + NAIS_DEPLOY_APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} \ No newline at end of file diff --git a/.github/workflows/su-se-bakover-branch.yml b/.github/workflows/su-se-bakover-branch.yml new file mode 100644 index 0000000000..e0f85d6b6d --- /dev/null +++ b/.github/workflows/su-se-bakover-branch.yml 
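Review bot: The `verify-master-is-ancestor` job declares no `permissions:` block, so under the new top-level `permissions: {}` its GITHUB_TOKEN has no scopes; `actions/checkout@v3` still succeeds on a public repository but fails on a private one, and the sibling `build-test-push-image` job already spells out `contents: read`. Suggest adding `permissions:` with `contents: read` to this job as well so the least-privilege intent is explicit and the workflow does not depend on repository visibility. The comment `# needed for push-image` on `id-token: write` is good; a matching one on `fetch-depth: 0` (`# full history so origin/master is available to merge-base`) would explain the only non-default checkout option.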
@@ -0,0 +1,40 @@ +name: Build branch/PR +# If you want to deploy your branch see branch-deploy.yml +on: + push: + branches: + - '*' # matches every branch that doesn't contain a '/' + - '*/*' # matches every branch containing a single '/' + - '**' # matches every branch + - '!master' # excludes master + - '!main' # excludes main (will probably replace master) + paths-ignore: + - '.github/**' + - '!.github/workflows/su-se-bakover-branch.yml' + - '!.github/actions/build-and-test/**' + - '.idea/**' + - 'datapakker/**' + - 'local-db-scripts/**' + - 'scripts/**' + - '.editorconfig' + - '*.template' + - '.gitignore' + - 'alerts.yml' + - '*.sh' + - 'CODEOWNERS' + - 'docker-compose.yml' + - 'LICENSE' + - '*.md' + +permissions: {} + +jobs: + build-and-test: + name: Build and test + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v3 + - name: Build and test + uses: ./.github/actions/build-and-test diff --git a/.github/workflows/master.yml b/.github/workflows/su-se-bakover-master.yml similarity index 80% rename from .github/workflows/master.yml rename to .github/workflows/su-se-bakover-master.yml index a02bd15797..07dbd05c47 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/su-se-bakover-master.yml @@ -7,17 +7,24 @@ on: branches: - master paths-ignore: - - '.github/workflows/datapakker.yml' - - '.github/workflows/codeql.yml' - - '.github/workflows/alerts-deploy.yml' - - 'alerts.yml' - - 'README.md' - - 'docker-compose.yml' + - '.github/**' + - '!.github/workflows/su-se-bakover-master.yml' + - '!.github/actions/**' + - '.idea/**' - 'datapakker/**' - 'local-db-scripts/**' - 'scripts/**' - '.editorconfig' - - '.env*' + - '*.template' + - '.gitignore' + - 'alerts.yml' + - '*.sh' + - 'CODEOWNERS' + - 'docker-compose.yml' + - 'LICENSE' + - '*.md' + +permissions: {} jobs: build-test-push-image: 
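Review bot: The header comment `# If you want to deploy your branch see branch-deploy.yml` points at a file this commit deletes; it should read `# If you want to deploy your branch see su-se-bakover-branch-deploy.yml`. The `paths-ignore` list uses negated entries (`'!.github/workflows/su-se-bakover-branch.yml'`, `'!.github/actions/build-and-test/**'`) to re-include files under the ignored `.github/**`; GitHub documents `!` negation for `paths`, and I would verify that it is honoured in `paths-ignore` before relying on it, since otherwise edits to this workflow or the action would no longer trigger a build. The same pattern is used in the su-se-bakover-master.yml hunk below.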
@@ -36,6 +43,7 @@ jobs: identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} tag: ${{ github.sha }} + image_suffix: 'app' submit-dependency-graph: name: Submit dependency graph permissions: @@ -46,8 +54,9 @@ jobs: name: Deploy to preprod uses: navikt/su-se-bakover/.github/workflows/reusable-deploy.yml@master with: - nav-environment: dev - tag: ${{ github.sha }} + cluster: dev-fss + vars: nais-dev.json + var: image=europe-north1-docker.pkg.dev/nais-management-233d/supstonad/su-se-bakover:${{ inputs.tag }} secrets: NAIS_DEPLOY_APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} draft-release: diff --git a/.github/workflows/su-se-bakover-prod-deploy.yml b/.github/workflows/su-se-bakover-prod-deploy.yml new file mode 100644 index 0000000000..059ba36aa0 --- /dev/null +++ b/.github/workflows/su-se-bakover-prod-deploy.yml @@ -0,0 +1,18 @@ +name: Deploy to prod automatically on published release + +on: + release: + types: [published] + +permissions: {} + +jobs: + deploy_to_prod: + name: Deploy to prod + uses: navikt/su-se-bakover/.github/workflows/reusable-deploy.yml@master + with: + var: image=europe-north1-docker.pkg.dev/nais-management-233d/supstonad/su-se-bakover:${{ inputs.tag }} + cluster: prod-fss + vars: nais-prod.json + secrets: + NAIS_DEPLOY_APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} \ No newline at end of file
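Review bot: `var: image=europe-north1-docker.pkg.dev/nais-management-233d/supstonad/su-se-bakover:${{ inputs.tag }}` reads the `inputs` context inside a workflow triggered by `push`, which has no `tag` input unless the file declares one under `workflow_dispatch`/`workflow_call` (not visible in this hunk); the expression was carried over from the old reusable-deploy.yml, which did declare it, so here it expands to an empty tag and the deploy references `su-se-bakover:`. The value this job passed before, `${{ github.sha }}`, is the one wanted. The same line in the new su-se-bakover-prod-deploy.yml (`on: release`) has the same problem and should also use `${{ github.sha }}`. Longer term, the push-image action declares an `image` output ('Docker image in GAR'); exposing it as a job output of `build-test-push-image` and passing `var: image=${{ needs.build-test-push-image.outputs.image }}` would keep the deploy in step with whatever name `image_suffix: 'app'` produces instead of hand-building the URL.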