Merge pull request #2782 from Opetushallitus/snyk-upgrade-45472b6c5bd… #1782
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test, build and deploy master | |
| on: | |
| push: | |
| branches: | |
| - master | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| SSH_AUTH_SOCK: /tmp/ssh_agent.sock | |
| TZ: Europe/Helsinki | |
| jobs: | |
| tests: | |
| name: "👀 Tests" | |
| uses: ./.github/workflows/all_tests.yml | |
| build: | |
| name: Build and upload artifacts | |
| needs: [tests] | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Configure AWS credentials for artifact upload | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| role-to-assume: ${{ secrets.ECR_ROLE }} | |
| role-duration-seconds: 900 | |
| aws-region: eu-west-1 | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| with: | |
| mask-password: 'true' | |
| - name: Set up SSH agent | |
| run: | | |
| ssh-agent -a $SSH_AUTH_SOCK > /dev/null | |
| ssh-add - <<< "${{ secrets.ARTIFACTORY_DIST_KEY }}" | |
| - name: Cache Maven packages | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.m2/repository | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven- | |
| - name: Cache Node modules | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Set up Java 11 | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: "11" | |
| architecture: "x64" | |
| distribution: "zulu" | |
| server-id: oph-sade-artifactory | |
| server-username: ARTIFACTORY_USERNAME | |
| server-password: ARTIFACTORY_PASSWORD | |
| - name: Build and upload to Artifactory | |
| env: | |
| ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
| ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
| run: make dist version=${{ github.sha }} | |
| - name: Build, tag, and push image to Amazon ECR | |
| env: | |
| ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| ECR_REPOSITORY: koski | |
| IMAGE_TAG: ${{ github.sha }} | |
| run: | | |
| docker build -f docker-build/Dockerfile -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG --build-arg KOSKI_VERSION=$IMAGE_TAG . | |
| docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | |
| deploy_dev: | |
| name: Deploy to dev environment | |
| environment: | |
| name: dev | |
| needs: [build] | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Configure AWS credentials for DEV environment | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| role-to-assume: ${{ secrets.DEPLOY_ROLE }} | |
| role-duration-seconds: 3600 | |
| role-session-name: KoskiDeployment-DEV-${{ github.sha }} | |
| aws-region: eu-west-1 | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| with: | |
| registries: ${{ secrets.ECR_ACCOUNT_ID }} | |
| mask-password: 'true' | |
| - name: Get task definition ARN | |
| id: get-taskdef-arn | |
| run: | | |
| echo "taskdef-arn=$(aws ssm get-parameter --name /koski/task-definition-skeleton --output text --query 'Parameter.Value')" >> $GITHUB_OUTPUT | |
| - name: Get task definition skeleton | |
| run: | | |
| aws ecs describe-task-definition --task-definition ${{ steps.get-taskdef-arn.outputs.taskdef-arn }} --query 'taskDefinition' > task-definition.json | |
| - name: Render Amazon ECS task definition | |
| id: task-def | |
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
| with: | |
| task-definition: task-definition.json | |
| container-name: KoskiContainer | |
| image: ${{ steps.login-ecr.outputs.registry }}/koski:${{ github.sha }} | |
| - name: Get AppSpec template | |
| run: | | |
| aws ssm get-parameter --name /koski/appspec-template --output text --query 'Parameter.Value' > appspec.json | |
| - name: Deploy using CodeDeploy | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
| with: | |
| task-definition: ${{ steps.task-def.outputs.task-definition }} | |
| service: koski | |
| cluster: koski-cluster | |
| wait-for-service-stability: true | |
| codedeploy-appspec: appspec.json | |
| codedeploy-application: koski | |
| codedeploy-deployment-group: koski-deployment-group | |
| - name: Get raportointikanta-loader task definition ARN | |
| id: get-raportointikanta-loader-taskdef-arn | |
| run: | | |
| echo "taskdef-arn=$(aws ssm get-parameter --name /koski/raportointikanta-loader/task-definition-skeleton --output text --query 'Parameter.Value')" >> $GITHUB_OUTPUT | |
| - name: Get task definition skeleton | |
| run: | | |
| aws ecs describe-task-definition --task-definition ${{ steps.get-raportointikanta-loader-taskdef-arn.outputs.taskdef-arn }} --query 'taskDefinition' > raportointikanta-loader-task-definition.json | |
| - name: Render Amazon ECS task definition | |
| id: raportointikanta-loader-task-def | |
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
| with: | |
| task-definition: raportointikanta-loader-task-definition.json | |
| container-name: RaportointikantaLoaderContainer | |
| image: ${{ steps.login-ecr.outputs.registry }}/koski:${{ github.sha }} | |
| - name: Deploy Amazon ECS task definition | |
| id: raportointikanta-loader-taskdef-deploy | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
| with: | |
| task-definition: ${{ steps.raportointikanta-loader-task-def.outputs.task-definition }} | |
| cluster: koski-cluster | |
| - name: Write task definition ARN to parameter store | |
| env: | |
| TASKDEF_ARN: ${{ steps.raportointikanta-loader-taskdef-deploy.outputs.task-definition-arn }} | |
| run: aws ssm put-parameter --overwrite --name /koski/raportointikanta-loader/task-definition --type String --value ${TASKDEF_ARN} | |
| - name: Get ytr-data-loader loader task definition ARN | |
| id: get-ytr-data-loader-taskdef-arn | |
| run: | | |
| echo "taskdef-arn=$(aws ssm get-parameter --name /koski/ytr-data-loader/task-definition-skeleton --output text --query 'Parameter.Value')" >> $GITHUB_OUTPUT | |
| - name: Get task definition skeleton | |
| run: | | |
| aws ecs describe-task-definition --task-definition ${{ steps.get-ytr-data-loader-taskdef-arn.outputs.taskdef-arn }} --query 'taskDefinition' > ytr-data-loader-task-definition.json | |
| - name: Render Amazon ECS task definition | |
| id: ytr-data-loader-task-def | |
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
| with: | |
| task-definition: ytr-data-loader-task-definition.json | |
| container-name: YtrDataLoaderContainer | |
| image: ${{ steps.login-ecr.outputs.registry }}/koski:${{ github.sha }} | |
| - name: Deploy Amazon ECS task definition | |
| id: ytr-data-loader-taskdef-deploy | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
| with: | |
| task-definition: ${{ steps.ytr-data-loader-task-def.outputs.task-definition }} | |
| cluster: koski-cluster | |
| - name: Write task definition ARN to parameter store | |
| env: | |
| TASKDEF_ARN: ${{ steps.ytr-data-loader-taskdef-deploy.outputs.task-definition-arn }} | |
| run: aws ssm put-parameter --overwrite --name /koski/ytr-data-loader/task-definition --type String --value ${TASKDEF_ARN} | |
| deploy_qa: | |
| name: Deploy to qa environment | |
| environment: | |
| name: qa | |
| needs: [deploy_dev] | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Configure AWS credentials for QA environment | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| role-to-assume: ${{ secrets.DEPLOY_ROLE }} | |
| role-duration-seconds: 3600 | |
| role-session-name: KoskiDeployment-QA-${{ github.sha }} | |
| aws-region: eu-west-1 | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| with: | |
| registries: ${{ secrets.ECR_ACCOUNT_ID }} | |
| mask-password: 'true' | |
| - name: Get task definition ARN | |
| id: get-taskdef-arn | |
| run: | | |
| echo "taskdef-arn=$(aws ssm get-parameter --name /koski/task-definition-skeleton --output text --query 'Parameter.Value')" >> $GITHUB_OUTPUT | |
| - name: Get task definition skeleton | |
| run: | | |
| aws ecs describe-task-definition --task-definition ${{ steps.get-taskdef-arn.outputs.taskdef-arn }} --query 'taskDefinition' > task-definition.json | |
| - name: Render Amazon ECS task definition | |
| id: task-def | |
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
| with: | |
| task-definition: task-definition.json | |
| container-name: KoskiContainer | |
| image: ${{ steps.login-ecr.outputs.registry }}/koski:${{ github.sha }} | |
| - name: Get AppSpec template | |
| run: | | |
| aws ssm get-parameter --name /koski/appspec-template --output text --query 'Parameter.Value' > appspec.json | |
| - name: Deploy using CodeDeploy | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
| with: | |
| task-definition: ${{ steps.task-def.outputs.task-definition }} | |
| service: koski | |
| cluster: koski-cluster | |
| wait-for-service-stability: true | |
| codedeploy-appspec: appspec.json | |
| codedeploy-application: koski | |
| codedeploy-deployment-group: koski-deployment-group | |
| - name: Get raportointikanta-loader task definition ARN | |
| id: get-raportointikanta-loader-taskdef-arn | |
| run: | | |
| echo "taskdef-arn=$(aws ssm get-parameter --name /koski/raportointikanta-loader/task-definition-skeleton --output text --query 'Parameter.Value')" >> $GITHUB_OUTPUT | |
| - name: Get task definition skeleton | |
| run: | | |
| aws ecs describe-task-definition --task-definition ${{ steps.get-raportointikanta-loader-taskdef-arn.outputs.taskdef-arn }} --query 'taskDefinition' > raportointikanta-loader-task-definition.json | |
| - name: Render Amazon ECS task definition | |
| id: raportointikanta-loader-task-def | |
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
| with: | |
| task-definition: raportointikanta-loader-task-definition.json | |
| container-name: RaportointikantaLoaderContainer | |
| image: ${{ steps.login-ecr.outputs.registry }}/koski:${{ github.sha }} | |
| - name: Deploy Amazon ECS task definition | |
| id: raportointikanta-loader-taskdef-deploy | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
| with: | |
| task-definition: ${{ steps.raportointikanta-loader-task-def.outputs.task-definition }} | |
| cluster: koski-cluster | |
| - name: Write task definition ARN to parameter store | |
| env: | |
| TASKDEF_ARN: ${{ steps.raportointikanta-loader-taskdef-deploy.outputs.task-definition-arn }} | |
| run: aws ssm put-parameter --overwrite --name /koski/raportointikanta-loader/task-definition --type String --value ${TASKDEF_ARN} | |
| - name: Get ytr-data-loader loader task definition ARN | |
| id: get-ytr-data-loader-taskdef-arn | |
| run: | | |
| echo "taskdef-arn=$(aws ssm get-parameter --name /koski/ytr-data-loader/task-definition-skeleton --output text --query 'Parameter.Value')" >> $GITHUB_OUTPUT | |
| - name: Get task definition skeleton | |
| run: | | |
| aws ecs describe-task-definition --task-definition ${{ steps.get-ytr-data-loader-taskdef-arn.outputs.taskdef-arn }} --query 'taskDefinition' > ytr-data-loader-task-definition.json | |
| - name: Render Amazon ECS task definition | |
| id: ytr-data-loader-task-def | |
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
| with: | |
| task-definition: ytr-data-loader-task-definition.json | |
| container-name: YtrDataLoaderContainer | |
| image: ${{ steps.login-ecr.outputs.registry }}/koski:${{ github.sha }} | |
| - name: Deploy Amazon ECS task definition | |
| id: ytr-data-loader-taskdef-deploy | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
| with: | |
| task-definition: ${{ steps.ytr-data-loader-task-def.outputs.task-definition }} | |
| cluster: koski-cluster | |
| - name: Write task definition ARN to parameter store | |
| env: | |
| TASKDEF_ARN: ${{ steps.ytr-data-loader-taskdef-deploy.outputs.task-definition-arn }} | |
| run: aws ssm put-parameter --overwrite --name /koski/ytr-data-loader/task-definition --type String --value ${TASKDEF_ARN} | |
| deploy_prod: | |
| name: Deploy to prod environment | |
| environment: | |
| name: prod | |
| needs: [deploy_qa] | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Configure AWS credentials for PROD environment | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| role-to-assume: ${{ secrets.DEPLOY_ROLE }} | |
| role-duration-seconds: 3600 | |
| role-session-name: KoskiDeployment-PROD-${{ github.sha }} | |
| aws-region: eu-west-1 | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| with: | |
| registries: ${{ secrets.ECR_ACCOUNT_ID }} | |
| mask-password: 'true' | |
| - name: Get task definition ARN | |
| id: get-taskdef-arn | |
| run: | | |
| echo "taskdef-arn=$(aws ssm get-parameter --name /koski/task-definition-skeleton --output text --query 'Parameter.Value')" >> $GITHUB_OUTPUT | |
| - name: Get task definition skeleton | |
| run: | | |
| aws ecs describe-task-definition --task-definition ${{ steps.get-taskdef-arn.outputs.taskdef-arn }} --query 'taskDefinition' > task-definition.json | |
| - name: Render Amazon ECS task definition | |
| id: task-def | |
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
| with: | |
| task-definition: task-definition.json | |
| container-name: KoskiContainer | |
| image: ${{ steps.login-ecr.outputs.registry }}/koski:${{ github.sha }} | |
| - name: Get AppSpec template | |
| run: | | |
| aws ssm get-parameter --name /koski/appspec-template --output text --query 'Parameter.Value' > appspec.json | |
| - name: Deploy using CodeDeploy | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
| with: | |
| task-definition: ${{ steps.task-def.outputs.task-definition }} | |
| service: koski | |
| cluster: koski-cluster | |
| wait-for-service-stability: true | |
| codedeploy-appspec: appspec.json | |
| codedeploy-application: koski | |
| codedeploy-deployment-group: koski-deployment-group | |
| - name: Get raportointikanta-loader task definition ARN | |
| id: get-raportointikanta-loader-taskdef-arn | |
| run: | | |
| echo "taskdef-arn=$(aws ssm get-parameter --name /koski/raportointikanta-loader/task-definition-skeleton --output text --query 'Parameter.Value')" >> $GITHUB_OUTPUT | |
| - name: Get task definition skeleton | |
| run: | | |
| aws ecs describe-task-definition --task-definition ${{ steps.get-raportointikanta-loader-taskdef-arn.outputs.taskdef-arn }} --query 'taskDefinition' > raportointikanta-loader-task-definition.json | |
| - name: Render Amazon ECS task definition | |
| id: raportointikanta-loader-task-def | |
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
| with: | |
| task-definition: raportointikanta-loader-task-definition.json | |
| container-name: RaportointikantaLoaderContainer | |
| image: ${{ steps.login-ecr.outputs.registry }}/koski:${{ github.sha }} | |
| - name: Deploy Amazon ECS task definition | |
| id: raportointikanta-loader-taskdef-deploy | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
| with: | |
| task-definition: ${{ steps.raportointikanta-loader-task-def.outputs.task-definition }} | |
| cluster: koski-cluster | |
| - name: Write task definition ARN to parameter store | |
| env: | |
| TASKDEF_ARN: ${{ steps.raportointikanta-loader-taskdef-deploy.outputs.task-definition-arn }} | |
| run: aws ssm put-parameter --overwrite --name /koski/raportointikanta-loader/task-definition --type String --value ${TASKDEF_ARN} | |
| - name: Get ytr-data-loader loader task definition ARN | |
| id: get-ytr-data-loader-taskdef-arn | |
| run: | | |
| echo "taskdef-arn=$(aws ssm get-parameter --name /koski/ytr-data-loader/task-definition-skeleton --output text --query 'Parameter.Value')" >> $GITHUB_OUTPUT | |
| - name: Get task definition skeleton | |
| run: | | |
| aws ecs describe-task-definition --task-definition ${{ steps.get-ytr-data-loader-taskdef-arn.outputs.taskdef-arn }} --query 'taskDefinition' > ytr-data-loader-task-definition.json | |
| - name: Render Amazon ECS task definition | |
| id: ytr-data-loader-task-def | |
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
| with: | |
| task-definition: ytr-data-loader-task-definition.json | |
| container-name: YtrDataLoaderContainer | |
| image: ${{ steps.login-ecr.outputs.registry }}/koski:${{ github.sha }} | |
| - name: Deploy Amazon ECS task definition | |
| id: ytr-data-loader-taskdef-deploy | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
| with: | |
| task-definition: ${{ steps.ytr-data-loader-task-def.outputs.task-definition }} | |
| cluster: koski-cluster | |
| - name: Write task definition ARN to parameter store | |
| env: | |
| TASKDEF_ARN: ${{ steps.ytr-data-loader-taskdef-deploy.outputs.task-definition-arn }} | |
| run: aws ssm put-parameter --overwrite --name /koski/ytr-data-loader/task-definition --type String --value ${TASKDEF_ARN} | |
| - name: Report task ready | |
| uses: ravsamhq/notify-slack-action@v1 | |
| if: always() | |
| with: | |
| status: ${{ job.status }} | |
| notification_title: "Prod install {status_message}" | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |