From 289b07ea6d606f1184a235e7905d1b4290449a58 Mon Sep 17 00:00:00 2001 
From: "imcommitbot@gmail.com" Date: Tue, 9 Apr 2024 01:10:30 +0000 Subject: [PATCH 1/4] PLPT-793 - Replace dyn-, self-hosted --- .../im-reusable-finish-build-workflow.yml | 434 +++++++------- .../im-reusable-setup-build-workflow.yml | 400 ++++++------- .../im-reusable-setup-deployment-workflow.yml | 302 +++++----- .../increment-version-and-kick-off-sync.yml | 138 ++--- workflow-templates/im-build-db-ci.yml | 536 +++++++++--------- workflow-templates/im-build-dotnet-ci.yml | 10 +- .../im-build-increment-version-on-merge.yml | 114 ++-- workflow-templates/im-build-npm-package.yml | 316 +++++------ workflow-templates/im-build-nuget-package.yml | 2 +- ...-build-tf-auto-plan-and-comment-on-prs.yml | 2 +- .../im-deploy-az-app-manually.yml | 2 +- workflow-templates/im-deploy-az-database.yml | 2 +- .../im-deploy-az-swap-app-slots.yml | 300 +++++----- .../im-deploy-files-to-az-storage-account.yml | 2 +- .../im-deploy-multiple-items-at-once.yml | 236 ++++---- .../im-deploy-on-prem-database.yml | 2 +- .../im-deploy-techdocs-site.yml | 186 +++--- ...loy-tf-auto-apply-main-to-dev-on-merge.yml | 2 +- .../im-deploy-tf-manual-apply.yml | 4 +- ...m-run-add-or-update-az-keyvault-secret.yml | 200 +++---- .../im-run-annotate-app-insights.yml | 234 ++++---- .../im-run-annotate-pagerduty-template.yml | 2 +- .../im-run-delete-azure-blob.yml | 184 +++--- workflow-templates/im-run-flyway-repair.yml | 346 +++++------ .../im-run-start-stop-restart-azure-app.yml | 248 ++++---- workflow-templates/im-run-tf-destroy.yml | 4 +- workflow-templates/im-run-tf-import.yml | 214 +++---- workflow-templates/im-run-tf-taint.yml | 212 +++---- workflow-templates/im-run-unlock-tf-state.yml | 202 +++---- .../im-run-validate-deployed-terraform.yml | 2 +- workflow-templates/im-test-k6-ci.yml | 2 +- workflow-templates/im-test-k6-manual.yml | 4 +- .../im-test-k6-operator-approval.yml | 8 +- workflow-templates/im-test-k6-operator.yml | 4 +- workflow-templates/im-test-postman.yml | 164 +++--- 35 files changed, 2510 
insertions(+), 2510 deletions(-)
diff --git a/.github/workflows/im-reusable-finish-build-workflow.yml b/.github/workflows/im-reusable-finish-build-workflow.yml
index c386e3bc..896941b9 100644
--- a/.github/workflows/im-reusable-finish-build-workflow.yml
+++ b/.github/workflows/im-reusable-finish-build-workflow.yml
@@ -1,217 +1,217 @@ -# The purpose of this reusable job is to run the final steps of a CI build workflow -# which includes posting a status to teams, updating a PR comment and setting the final -# workflow outcome. - -# Example Usage in a repo's workflow: -# jobs: -# setup-deployment-workflow: -# uses: im-practices/.github/.github/workflows/im-reusable-finish-build-workflow.yml@v2 -# with: -# runs-on: im-linux -# next-version: ${{ needs.build-deployment-artifacts.outputs.NEXT_VERSION }} -# title-of-teams-post: 'My CI Build' -# is-merge-to-main: ${{ needs.examine-triggers.outputs.IS_MERGE_TO_MAIN }} -# timezone: america/denver -# additional-conclusions | -# [ -# { "name": "dotnet test", "conclusion" : "${{ needs.dotnet-build-and-test.outputs.test }}" }, -# { "name": "dotnet coverage", "conclusion" : "${{ needs.dotnet-build-and-test.outputs.coverage }}" } -# ] -# additional-pr-comment-content | -# - To test this version try running: -# ```bash -# npm install @/@${{ needs.build-deployment-artifacts.outputs.NEXT_VERSION }} -# ``` -# custom-facts-for-team-channel | -# [ -# { "name": "Workflow", "value": "${{ github.workflow }}" }, -# { "name": "Run", "value": "${{ github.run_id }}" }, -# { "name": "Actor", "value": "${{ github.actor }}" }, -# { "name": "Version", "value": "${{ needs.build-deployment-artifacts.outputs.NEXT_VERSION }}" } -# ] -# ms-teams-uri: ${{ vars.MS_TEAMS_URI }} # Use this input (preferred) or the secret - -on: - workflow_call: - inputs: - runs-on: - description: 'The runner that this workflow will run on.' - required: false - type: string - default: 'im-linux' - next-version: - description: The next generated version - type: string - required: false - default: 'N/A' - title-of-teams-post: - description: 'Title of the Teams post that reports the build status.' - required: true - type: string - is-merge-to-main: - description: Flag indicating whether this is a merge to the default branch. Expected `true` or `false`. 
- required: true - type: string - timezone: - description: 'Timezone for the project. Defaults to america/denver.' - required: false - type: string - default: 'america/denver' - additional-conclusions: - description: Valid JSON array of additional conclusion items that should be used to determine if the workflow succeeded or failed - required: false - type: string - default: '' - additional-pr-comment-content: - description: Additional PR comment content aside from workflow run and next version. - required: false - type: string - custom-facts-for-team-channel: - description: The custom facts that will be included in the post in the team's channel. By default Workflow, Run, Actor and Version are included. - required: false - type: string - ms-teams-uri: - description: The URI for the teams channel where a status will be posted. Either this value or the secret MS_TEAMS_URI must be provided. This input is the preferred way to provide the URI but the secret should be used instead if the value is defined as a secret. - required: false - type: string - - secrets: - MS_TEAMS_URI: - description: The URI for the teams channel where a status will be posted. Either this value or the input ms-teams-uri must be provided. The input is the preferred way to provide the URI but the secret should be used if the value is defined as a secret. 
- required: false - -jobs: - finish-build: - runs-on: ${{ inputs.runs-on }} - - steps: - - name: Check for missing inputs - uses: actions/github-script@v7 - with: - script: | - // Some teams have these as a secret and some as a var, allow both ways but check at least one is present - const teamsUri = '${{ inputs.ms-teams-uri || secrets.MS_TEAMS_URI }}'; - if (!teamsUri || teamsUri.trim().length === 0){ - core.setFailed('The MS_TEAMS_URI secret or the ms-teams-uri input (preferred) must be provided.'); - } - - - name: Print inputs - uses: actions/github-script@v7 - with: - script: | - function printInput(inputName, inputValue, isMultilineInput){ - if (!inputValue || inputValue.trim().length === 0){ - core.info(`${inputName}: Not Provided`); - } else if (isMultilineInput){ - console.log(`\n${inputName}:\n${inputValue}`); - } - else { - core.info(`${inputName}: ${inputValue}`); - } - } - - core.startGroup('Reusable workflow inputs'); - printInput('runs-on', '${{ inputs.runs-on }}'); - printInput('next-version', '${{ inputs.next-version }}'); - printInput('title-of-teams-post', '${{ inputs.title-of-teams-post }}'); - printInput('is-merge-to-main', '${{ inputs.is-merge-to-main }}'); - printInput('timezone', '${{ inputs.timezone }}'); - printInput('ms-teams-uri', '${{ inputs.ms-teams-uri }}'); - printInput('custom-facts-for-team-channel', process.env.FACTS, true); - printInput('additional-pr-comment-content', process.env.ADDITIONAL_CONTENT, true); - printInput('additional-conclusions', process.env.ADDITIONAL_CONCLUSIONS, true); - core.endGroup(); - - core.startGroup('Reusable workflow secrets'); - printInput('MS_TEAMS_URI', '${{ secrets.MS_TEAMS_URI }}'); - core.endGroup(); - env: - FACTS: ${{ inputs.custom-facts-for-team-channel }} - ADDITIONAL_CONTENT: ${{ inputs.additional-pr-comment-content }} - ADDITIONAL_CONCLUSIONS: ${{ inputs.additional-conclusions }} - - - uses: im-open/workflow-conclusion@v2.2 - id: conclusion - with: - github-token: ${{ secrets.GITHUB_TOKEN }} 
# Special per-job token generated by GH for interacting with the repo - additional-conclusions: ${{ inputs.additional-conclusions }} - - - name: Configure facts for team's notification channel - if: always() - id: team-channel-facts - uses: actions/github-script@v7 - with: - script: | - const rawFacts = process.env.FACTS; - console.log(`"${rawFacts}"`); - let facts = rawFacts && rawFacts.trim().length > 0 ? JSON.parse(rawFacts) : null; - - if (!facts || facts.length === 0){ - console.log(`Custom facts were not provided for the Team's Notification channel, use the default facts:`); - facts = [ - { name: 'Workflow', value: '${{ github.workflow }}'}, - { name: 'Run', value: '${{ github.run_id }}'}, - { name: 'Actor', value: '${{ github.actor }}'}, - { name: 'Version', value: '${{ inputs.next-version }}'} - ] - } - else { - console.log(`Custom facts were supplied as an argument, using those in the Team's Notification channel:`); - } - - console.log(facts); - core.setOutput('facts', facts); - env: - FACTS: ${{ inputs.custom-facts-for-team-channel }} - - - name: Send status to team's notification channel - if: always() - continue-on-error: true - uses: im-open/post-status-to-teams-action@v1.4 - with: - title: ${{ inputs.title-of-teams-post }} - workflow-status: ${{ steps.conclusion.outputs.workflow_conclusion }} - workflow-type: Build - teams-uri: ${{ inputs.ms-teams-uri || secrets.MS_TEAMS_URI }} - timezone: ${{ inputs.timezone }} - custom-facts: ${{ steps.team-channel-facts.outputs.facts }} - - - name: Construct PR Comment - id: comment - uses: actions/github-script@v7 - with: - script: | - const isMergeToMain = '${{ inputs.is-merge-to-main }}' == 'true'; - const nextVersion = '${{ inputs.next-version }}'; - const orgAndRepo = '${{ github.repository }}'; - const conclusion = '${{ steps.conclusion.outputs.workflow_conclusion }}'; - const runId = '${{ github.run_id }}'; - - const workflowRunText = `[Workflow Run - 
${conclusion}](https://github.com/${orgAndRepo}/actions/runs/${runId})`; - - const nextVersionText = isMergeToMain ? - `[Tag - ${nextVersion}](https://github.com/${orgAndRepo}/releases/tag/${nextVersion})` : - `Next Version - ${nextVersion}`; - - const prComment = ` - - ${workflowRunText} - - ${nextVersionText} - ${process.env.ADDITIONAL_CONTENT}` - core.setOutput('prComment', prComment); - env: - ADDITIONAL_CONTENT: ${{ inputs.additional-pr-comment-content }} - - - name: Comment on PR with version ${{ inputs.next-version}} - if: github.event_name == 'pull_request' - continue-on-error: true - uses: im-open/update-pr-comment@v1.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo - comment-identifier: next-release-version - comment-content: ${{ steps.comment.outputs.prComment }} - - - name: Check for Workflow Failures - if: steps.conclusion.outputs.workflow_conclusion == 'failure' - run: | - echo "There were errors in the workflow. Check the workflow-conclusion step above for more details on what failed." - exit 1 +# The purpose of this reusable job is to run the final steps of a CI build workflow +# which includes posting a status to teams, updating a PR comment and setting the final +# workflow outcome. 
+ +# Example Usage in a repo's workflow: +# jobs: +# setup-deployment-workflow: +# uses: im-practices/.github/.github/workflows/im-reusable-finish-build-workflow.yml@v2 +# with: +# runs-on: im-linux +# next-version: ${{ needs.build-deployment-artifacts.outputs.NEXT_VERSION }} +# title-of-teams-post: 'My CI Build' +# is-merge-to-main: ${{ needs.examine-triggers.outputs.IS_MERGE_TO_MAIN }} +# timezone: america/denver +# additional-conclusions | +# [ +# { "name": "dotnet test", "conclusion" : "${{ needs.dotnet-build-and-test.outputs.test }}" }, +# { "name": "dotnet coverage", "conclusion" : "${{ needs.dotnet-build-and-test.outputs.coverage }}" } +# ] +# additional-pr-comment-content | +# - To test this version try running: +# ```bash +# npm install @/@${{ needs.build-deployment-artifacts.outputs.NEXT_VERSION }} +# ``` +# custom-facts-for-team-channel | +# [ +# { "name": "Workflow", "value": "${{ github.workflow }}" }, +# { "name": "Run", "value": "${{ github.run_id }}" }, +# { "name": "Actor", "value": "${{ github.actor }}" }, +# { "name": "Version", "value": "${{ needs.build-deployment-artifacts.outputs.NEXT_VERSION }}" } +# ] +# ms-teams-uri: ${{ vars.MS_TEAMS_URI }} # Use this input (preferred) or the secret + +on: + workflow_call: + inputs: + runs-on: + description: 'The runner that this workflow will run on.' + required: false + type: string + default: 'im-linux' + next-version: + description: The next generated version + type: string + required: false + default: 'N/A' + title-of-teams-post: + description: 'Title of the Teams post that reports the build status.' + required: true + type: string + is-merge-to-main: + description: Flag indicating whether this is a merge to the default branch. Expected `true` or `false`. + required: true + type: string + timezone: + description: 'Timezone for the project. Defaults to america/denver.' 
+ required: false + type: string + default: 'america/denver' + additional-conclusions: + description: Valid JSON array of additional conclusion items that should be used to determine if the workflow succeeded or failed + required: false + type: string + default: '' + additional-pr-comment-content: + description: Additional PR comment content aside from workflow run and next version. + required: false + type: string + custom-facts-for-team-channel: + description: The custom facts that will be included in the post in the team's channel. By default Workflow, Run, Actor and Version are included. + required: false + type: string + ms-teams-uri: + description: The URI for the teams channel where a status will be posted. Either this value or the secret MS_TEAMS_URI must be provided. This input is the preferred way to provide the URI but the secret should be used instead if the value is defined as a secret. + required: false + type: string + + secrets: + MS_TEAMS_URI: + description: The URI for the teams channel where a status will be posted. Either this value or the input ms-teams-uri must be provided. The input is the preferred way to provide the URI but the secret should be used if the value is defined as a secret. 
+ required: false + +jobs: + finish-build: + runs-on: ${{ inputs.runs-on }} + + steps: + - name: Check for missing inputs + uses: actions/github-script@v7 + with: + script: | + // Some teams have these as a secret and some as a var, allow both ways but check at least one is present + const teamsUri = '${{ inputs.ms-teams-uri || secrets.MS_TEAMS_URI }}'; + if (!teamsUri || teamsUri.trim().length === 0){ + core.setFailed('The MS_TEAMS_URI secret or the ms-teams-uri input (preferred) must be provided.'); + } + + - name: Print inputs + uses: actions/github-script@v7 + with: + script: | + function printInput(inputName, inputValue, isMultilineInput){ + if (!inputValue || inputValue.trim().length === 0){ + core.info(`${inputName}: Not Provided`); + } else if (isMultilineInput){ + console.log(`\n${inputName}:\n${inputValue}`); + } + else { + core.info(`${inputName}: ${inputValue}`); + } + } + + core.startGroup('Reusable workflow inputs'); + printInput('runs-on', '${{ inputs.runs-on }}'); + printInput('next-version', '${{ inputs.next-version }}'); + printInput('title-of-teams-post', '${{ inputs.title-of-teams-post }}'); + printInput('is-merge-to-main', '${{ inputs.is-merge-to-main }}'); + printInput('timezone', '${{ inputs.timezone }}'); + printInput('ms-teams-uri', '${{ inputs.ms-teams-uri }}'); + printInput('custom-facts-for-team-channel', process.env.FACTS, true); + printInput('additional-pr-comment-content', process.env.ADDITIONAL_CONTENT, true); + printInput('additional-conclusions', process.env.ADDITIONAL_CONCLUSIONS, true); + core.endGroup(); + + core.startGroup('Reusable workflow secrets'); + printInput('MS_TEAMS_URI', '${{ secrets.MS_TEAMS_URI }}'); + core.endGroup(); + env: + FACTS: ${{ inputs.custom-facts-for-team-channel }} + ADDITIONAL_CONTENT: ${{ inputs.additional-pr-comment-content }} + ADDITIONAL_CONCLUSIONS: ${{ inputs.additional-conclusions }} + + - uses: im-open/workflow-conclusion@v2.2 + id: conclusion + with: + github-token: ${{ secrets.GITHUB_TOKEN }} 
# Special per-job token generated by GH for interacting with the repo + additional-conclusions: ${{ inputs.additional-conclusions }} + + - name: Configure facts for team's notification channel + if: always() + id: team-channel-facts + uses: actions/github-script@v7 + with: + script: | + const rawFacts = process.env.FACTS; + console.log(`"${rawFacts}"`); + let facts = rawFacts && rawFacts.trim().length > 0 ? JSON.parse(rawFacts) : null; + + if (!facts || facts.length === 0){ + console.log(`Custom facts were not provided for the Team's Notification channel, use the default facts:`); + facts = [ + { name: 'Workflow', value: '${{ github.workflow }}'}, + { name: 'Run', value: '${{ github.run_id }}'}, + { name: 'Actor', value: '${{ github.actor }}'}, + { name: 'Version', value: '${{ inputs.next-version }}'} + ] + } + else { + console.log(`Custom facts were supplied as an argument, using those in the Team's Notification channel:`); + } + + console.log(facts); + core.setOutput('facts', facts); + env: + FACTS: ${{ inputs.custom-facts-for-team-channel }} + + - name: Send status to team's notification channel + if: always() + continue-on-error: true + uses: im-open/post-status-to-teams-action@v1.4 + with: + title: ${{ inputs.title-of-teams-post }} + workflow-status: ${{ steps.conclusion.outputs.workflow_conclusion }} + workflow-type: Build + teams-uri: ${{ inputs.ms-teams-uri || secrets.MS_TEAMS_URI }} + timezone: ${{ inputs.timezone }} + custom-facts: ${{ steps.team-channel-facts.outputs.facts }} + + - name: Construct PR Comment + id: comment + uses: actions/github-script@v7 + with: + script: | + const isMergeToMain = '${{ inputs.is-merge-to-main }}' == 'true'; + const nextVersion = '${{ inputs.next-version }}'; + const orgAndRepo = '${{ github.repository }}'; + const conclusion = '${{ steps.conclusion.outputs.workflow_conclusion }}'; + const runId = '${{ github.run_id }}'; + + const workflowRunText = `[Workflow Run - 
${conclusion}](https://github.com/${orgAndRepo}/actions/runs/${runId})`; + + const nextVersionText = isMergeToMain ? + `[Tag - ${nextVersion}](https://github.com/${orgAndRepo}/releases/tag/${nextVersion})` : + `Next Version - ${nextVersion}`; + + const prComment = ` + - ${workflowRunText} + - ${nextVersionText} + ${process.env.ADDITIONAL_CONTENT}` + core.setOutput('prComment', prComment); + env: + ADDITIONAL_CONTENT: ${{ inputs.additional-pr-comment-content }} + + - name: Comment on PR with version ${{ inputs.next-version}} + if: github.event_name == 'pull_request' + continue-on-error: true + uses: im-open/update-pr-comment@v1.1 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo + comment-identifier: next-release-version + comment-content: ${{ steps.comment.outputs.prComment }} + + - name: Check for Workflow Failures + if: steps.conclusion.outputs.workflow_conclusion == 'failure' + run: | + echo "There were errors in the workflow. Check the workflow-conclusion step above for more details on what failed." + exit 1 diff --git a/.github/workflows/im-reusable-setup-build-workflow.yml b/.github/workflows/im-reusable-setup-build-workflow.yml index cc769f46..a3403d8c 100644 --- a/.github/workflows/im-reusable-setup-build-workflow.yml +++ b/.github/workflows/im-reusable-setup-build-workflow.yml 
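Review bot: The `Print inputs` step writes the Teams webhook URL to the run log in clear text via `printInput('ms-teams-uri', '${{ inputs.ms-teams-uri }}');`; the usage example at the top of this file feeds that input from `vars.MS_TEAMS_URI`, and repository variables are not covered by secret masking, so anyone who can read the logs obtains a URL that lets them post to the channel. The same step prints `secrets.MS_TEAMS_URI`, which is masked, but for both it is enough to log whether a value was supplied. A minimal change is `printInput('ms-teams-uri', '${{ inputs.ms-teams-uri }}' ? 'Provided' : '');` and `printInput('MS_TEAMS_URI', '${{ secrets.MS_TEAMS_URI }}' ? 'Provided' : '');`, or registering the input with `core.setSecret(...)` before it is printed. The hunk appears to rewrite the file without changing its text, so this is pre-existing rather than introduced by the commit.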
@@ -1,200 +1,200 @@ -# The purpose of this workflow is to print a workflow summary, examine the -# workflow triggers and set various outputs like whether to create a tag -# or whether the pull request event is a merge to main and generate -# the next tag version using git-version-lite. - -# Example Usage in a repo's workflow: -# jobs: -# setup-build-workflow: -# uses: im-practices/.github/.github/workflows/im-reusable-setup-build-workflow.yml@v2 -# with: -# default-branch: main -# tag-prefix: none -# workflow-summary: | -# |Workflow Item | Value| -# |Actor | ${{ github.actor }} | - -on: - workflow_call: - inputs: - runs-on: - description: 'The runner that this workflow will run on.' - required: false - type: string - default: 'im-linux' - default-branch: - description: Default branch of which contains the tag - required: false - type: string - default: main - tag-prefix: - description: 'Prefix for the tag git-version-lite will generate.' - type: string - default: '' - workflow-summary: - description: 'String that will override the default GitHub Summary when provided.' - type: string - required: false - - outputs: - CONTINUE_WORKFLOW: - description: Flag indicating whether subsequent build jobs should continue. - value: ${{ jobs.setup-build-workflow.outputs.CONTINUE_WORKFLOW }} - CREATE_RELEASE: - description: Flag indicating whether a release should be created for this pull_request event. - value: ${{ jobs.setup-build-workflow.outputs.CREATE_RELEASE }} - IS_PRERELEASE: - description: Flag indicating whether the pull_request event is for something other than a merge to main. Inverse of IS_MERGE_TO_MAIN. - value: ${{ jobs.setup-build-workflow.outputs.IS_PRERELEASE }} - IS_MERGE_TO_MAIN: - description: Flag indicating whether the pull_request event is a merge to the default branch. Inverse of IS_PRERELEASE. - value: ${{ jobs.setup-build-workflow.outputs.IS_MERGE_TO_MAIN }} - REF_TO_BUILD_AND_TAG: - description: String containing the reference to build and tag. 
- value: ${{ jobs.setup-build-workflow.outputs.REF_TO_BUILD_AND_TAG }} - DIST_TAG: - description: String containing the distribution reference. Value set to 'latest' for merges to main, otherwise set to the source ref. Primarily used with npm packages. - value: ${{ jobs.setup-build-workflow.outputs.DIST_TAG }} - IS_DEPENDABOT_PR: - description: Flag indicating whether a PR was created by Dependabot. - value: ${{ jobs.setup-build-workflow.outputs.IS_DEPENDABOT_PR }} - NEXT_VERSION: - description: The next version calculated by git-version-lite. - value: ${{ jobs.setup-build-workflow.outputs.NEXT_VERSION }} - NEXT_VERSION_NO_PREFIX: - description: The next version calculated by git-version-lite without a prefix. - value: ${{ jobs.setup-build-workflow.outputs.NEXT_VERSION_NO_PREFIX }} - -jobs: - setup-build-workflow: - runs-on: ${{ inputs.runs-on }} - - outputs: - CONTINUE_WORKFLOW: ${{ steps.set-vars.outputs.CONTINUE_WORKFLOW }} - CREATE_RELEASE: ${{ steps.set-vars.outputs.CREATE_RELEASE }} - IS_PRERELEASE: ${{ steps.set-vars.outputs.IS_PRERELEASE }} - IS_MERGE_TO_MAIN: ${{ steps.set-vars.outputs.IS_MERGE_TO_MAIN }} - REF_TO_BUILD_AND_TAG: ${{ steps.set-vars.outputs.REF_TO_BUILD_AND_TAG }} - DIST_TAG: ${{ steps.set-vars.outputs.DIST_TAG }} - IS_DEPENDABOT_PR: ${{ steps.actor_check.outputs.IS_DEPENDABOT_PR }} - NEXT_VERSION: ${{ steps.version.outputs.NEXT_VERSION }} - NEXT_VERSION_NO_PREFIX: ${{ steps.version.outputs.NEXT_VERSION_NO_PREFIX }} - - steps: - - name: Print inputs - uses: actions/github-script@v7 - with: - script: | - function printInput(inputName, inputValue, isMultilineInput){ - if (!inputValue || inputValue.trim().length === 0){ - core.info(`${inputName}: Not Provided`); - } else if (isMultilineInput){ - console.log(`\n${inputName}:\n${inputValue}`); - } - else { - core.info(`${inputName}: ${inputValue}`); - } - } - printInput('runs-on', '${{ inputs.runs-on }}'); - printInput('default-branch', '${{ inputs.default-branch }}'); - printInput('tag-prefix', 
'${{ inputs.tag-prefix }}'); - printInput('workflow-summary', process.env.SUMMARY, true); - env: - SUMMARY: ${{ inputs.workflow-summary }} - - - name: Set default env variables - id: set-vars - uses: actions/github-script@v7 - with: - script: | - const targetRef = '${{ github.base_ref }}'; - const sourceRef = '${{ github.head_ref }}'; - const mergeRef = '${{ github.ref }}'; - - const prIsDraft = '${{ github.event.pull_request.draft }}' === 'true'; - const prClosed = '${{ github.event.action }}' === 'closed'; - const prMerged = prClosed && '${{ github.event.pull_request.merged }}' === 'true'; - const prMergedToMain = prMerged && targetRef === '${{ inputs.default-branch }}'; - - const isPreRelease = !prMergedToMain; - - // For a detailed explanation of why we use different refs for different scenarios - // see https://docs.github.com/en/rest/reference/pulls#get-a-pull-request - const refToBuildAndTag = prMergedToMain ? mergeRef : sourceRef; - - const continueWorkflow = prClosed && !prMerged ? false : true; - const doTagRelease = continueWorkflow && !prIsDraft ? true : false; - const distTag = prMergedToMain ? 
'latest' : sourceRef; - - Object.entries({ - CONTINUE_WORKFLOW: continueWorkflow, - CREATE_RELEASE: doTagRelease, - IS_PRERELEASE: isPreRelease, - IS_MERGE_TO_MAIN: prMergedToMain, - REF_TO_BUILD_AND_TAG: refToBuildAndTag, - DIST_TAG: distTag - }).forEach(pair => { - core.setOutput(...pair); - console.info(...pair); - }); - - - name: Check if Dependabot PR - id: actor_check - uses: actions/github-script@v7 - with: - script: | - const actor = '${{ github.actor}}'; - const knownDependabotNames = [ - 'dependabot[bot]', - 'dependabot' - ]; - const isDependabotPR = knownDependabotNames.includes(actor); - core.info(`Is Dependabot PR: ${isDependabotPR}`); - core.setOutput('IS_DEPENDABOT_PR', isDependabotPR); - - - name: Construct Workflow Summary - id: summary - uses: actions/github-script@v7 - with: - script: | - let summary = process.env.SUMMARY; - if (!summary || summary.trim().length === 0){ - console.log('A workflow summary was not provided. The default value will be constructed for this workflow run.'); - summary = ` - | Workflow Item | Value | - | --- | --- | - | Actor | \`${{ github.actor }}\` | - | Source Ref | \`${{ github.head_ref }}\` | - | Workflow Source | \`${{ github.ref_name }}\` - SHA: \`${{ github.sha }}\` | - | CONTINUE_WORKFLOW | \`${{ steps.set-vars.outputs.CONTINUE_WORKFLOW }}\` | - | CREATE_RELEASE | \`${{ steps.set-vars.outputs.CREATE_RELEASE}}\` | - | IS_PRERELEASE | \`${{ steps.set-vars.outputs.IS_PRERELEASE }}\` | - | IS_MERGE_TO_MAIN | \`${{ steps.set-vars.outputs.IS_MERGE_TO_MAIN }}\` | - | REF_TO_BUILD_AND_TAG | \`${{ steps.set-vars.outputs.REF_TO_BUILD_AND_TAG }}\` | - | DIST_TAG | \`${{ steps.set-vars.outputs.DIST_TAG }}\` | - | IS_DEPENDABOT_PR | \`${{ steps.actor_check.outputs.IS_DEPENDABOT_PR }}\` |`; - } else { - console.log('A workflow summary was provided and will be used instead of the default value.'); - } - console.log('Workflow Summary:'); - console.log(summary); - core.setOutput('summary', summary); - env: - SUMMARY: ${{ 
inputs.workflow-summary }} - - - run: echo '${{ steps.summary.outputs.summary }}' >> $GITHUB_STEP_SUMMARY - - - uses: actions/checkout@v4 - if: steps.set-vars.outputs.CONTINUE_WORKFLOW == 'true' - with: - ref: ${{ steps.set-vars.outputs.REF_TO_BUILD_AND_TAG }} - fetch-depth: 0 - - - name: Calculate next version - if: steps.set-vars.outputs.CONTINUE_WORKFLOW == 'true' - id: version - uses: im-open/git-version-lite@v3.0 - with: - calculate-prerelease-version: ${{ steps.set-vars.outputs.IS_PRERELEASE }} - branch-name: ${{ github.head_ref }} # This is only populated when the trigger is pull_request, otherwise it is empty - tag-prefix: ${{ inputs.tag-prefix }} +# The purpose of this workflow is to print a workflow summary, examine the +# workflow triggers and set various outputs like whether to create a tag +# or whether the pull request event is a merge to main and generate +# the next tag version using git-version-lite. + +# Example Usage in a repo's workflow: +# jobs: +# setup-build-workflow: +# uses: im-practices/.github/.github/workflows/im-reusable-setup-build-workflow.yml@v2 +# with: +# default-branch: main +# tag-prefix: none +# workflow-summary: | +# |Workflow Item | Value| +# |Actor | ${{ github.actor }} | + +on: + workflow_call: + inputs: + runs-on: + description: 'The runner that this workflow will run on.' + required: false + type: string + default: 'im-linux' + default-branch: + description: Default branch of which contains the tag + required: false + type: string + default: main + tag-prefix: + description: 'Prefix for the tag git-version-lite will generate.' + type: string + default: '' + workflow-summary: + description: 'String that will override the default GitHub Summary when provided.' + type: string + required: false + + outputs: + CONTINUE_WORKFLOW: + description: Flag indicating whether subsequent build jobs should continue. 
+ value: ${{ jobs.setup-build-workflow.outputs.CONTINUE_WORKFLOW }} + CREATE_RELEASE: + description: Flag indicating whether a release should be created for this pull_request event. + value: ${{ jobs.setup-build-workflow.outputs.CREATE_RELEASE }} + IS_PRERELEASE: + description: Flag indicating whether the pull_request event is for something other than a merge to main. Inverse of IS_MERGE_TO_MAIN. + value: ${{ jobs.setup-build-workflow.outputs.IS_PRERELEASE }} + IS_MERGE_TO_MAIN: + description: Flag indicating whether the pull_request event is a merge to the default branch. Inverse of IS_PRERELEASE. + value: ${{ jobs.setup-build-workflow.outputs.IS_MERGE_TO_MAIN }} + REF_TO_BUILD_AND_TAG: + description: String containing the reference to build and tag. + value: ${{ jobs.setup-build-workflow.outputs.REF_TO_BUILD_AND_TAG }} + DIST_TAG: + description: String containing the distribution reference. Value set to 'latest' for merges to main, otherwise set to the source ref. Primarily used with npm packages. + value: ${{ jobs.setup-build-workflow.outputs.DIST_TAG }} + IS_DEPENDABOT_PR: + description: Flag indicating whether a PR was created by Dependabot. + value: ${{ jobs.setup-build-workflow.outputs.IS_DEPENDABOT_PR }} + NEXT_VERSION: + description: The next version calculated by git-version-lite. + value: ${{ jobs.setup-build-workflow.outputs.NEXT_VERSION }} + NEXT_VERSION_NO_PREFIX: + description: The next version calculated by git-version-lite without a prefix. 
+ value: ${{ jobs.setup-build-workflow.outputs.NEXT_VERSION_NO_PREFIX }} + +jobs: + setup-build-workflow: + runs-on: ${{ inputs.runs-on }} + + outputs: + CONTINUE_WORKFLOW: ${{ steps.set-vars.outputs.CONTINUE_WORKFLOW }} + CREATE_RELEASE: ${{ steps.set-vars.outputs.CREATE_RELEASE }} + IS_PRERELEASE: ${{ steps.set-vars.outputs.IS_PRERELEASE }} + IS_MERGE_TO_MAIN: ${{ steps.set-vars.outputs.IS_MERGE_TO_MAIN }} + REF_TO_BUILD_AND_TAG: ${{ steps.set-vars.outputs.REF_TO_BUILD_AND_TAG }} + DIST_TAG: ${{ steps.set-vars.outputs.DIST_TAG }} + IS_DEPENDABOT_PR: ${{ steps.actor_check.outputs.IS_DEPENDABOT_PR }} + NEXT_VERSION: ${{ steps.version.outputs.NEXT_VERSION }} + NEXT_VERSION_NO_PREFIX: ${{ steps.version.outputs.NEXT_VERSION_NO_PREFIX }} + + steps: + - name: Print inputs + uses: actions/github-script@v7 + with: + script: | + function printInput(inputName, inputValue, isMultilineInput){ + if (!inputValue || inputValue.trim().length === 0){ + core.info(`${inputName}: Not Provided`); + } else if (isMultilineInput){ + console.log(`\n${inputName}:\n${inputValue}`); + } + else { + core.info(`${inputName}: ${inputValue}`); + } + } + printInput('runs-on', '${{ inputs.runs-on }}'); + printInput('default-branch', '${{ inputs.default-branch }}'); + printInput('tag-prefix', '${{ inputs.tag-prefix }}'); + printInput('workflow-summary', process.env.SUMMARY, true); + env: + SUMMARY: ${{ inputs.workflow-summary }} + + - name: Set default env variables + id: set-vars + uses: actions/github-script@v7 + with: + script: | + const targetRef = '${{ github.base_ref }}'; + const sourceRef = '${{ github.head_ref }}'; + const mergeRef = '${{ github.ref }}'; + + const prIsDraft = '${{ github.event.pull_request.draft }}' === 'true'; + const prClosed = '${{ github.event.action }}' === 'closed'; + const prMerged = prClosed && '${{ github.event.pull_request.merged }}' === 'true'; + const prMergedToMain = prMerged && targetRef === '${{ inputs.default-branch }}'; + + const isPreRelease = 
!prMergedToMain; + + // For a detailed explanation of why we use different refs for different scenarios + // see https://docs.github.com/en/rest/reference/pulls#get-a-pull-request + const refToBuildAndTag = prMergedToMain ? mergeRef : sourceRef; + + const continueWorkflow = prClosed && !prMerged ? false : true; + const doTagRelease = continueWorkflow && !prIsDraft ? true : false; + const distTag = prMergedToMain ? 'latest' : sourceRef; + + Object.entries({ + CONTINUE_WORKFLOW: continueWorkflow, + CREATE_RELEASE: doTagRelease, + IS_PRERELEASE: isPreRelease, + IS_MERGE_TO_MAIN: prMergedToMain, + REF_TO_BUILD_AND_TAG: refToBuildAndTag, + DIST_TAG: distTag + }).forEach(pair => { + core.setOutput(...pair); + console.info(...pair); + }); + + - name: Check if Dependabot PR + id: actor_check + uses: actions/github-script@v7 + with: + script: | + const actor = '${{ github.actor}}'; + const knownDependabotNames = [ + 'dependabot[bot]', + 'dependabot' + ]; + const isDependabotPR = knownDependabotNames.includes(actor); + core.info(`Is Dependabot PR: ${isDependabotPR}`); + core.setOutput('IS_DEPENDABOT_PR', isDependabotPR); + + - name: Construct Workflow Summary + id: summary + uses: actions/github-script@v7 + with: + script: | + let summary = process.env.SUMMARY; + if (!summary || summary.trim().length === 0){ + console.log('A workflow summary was not provided. 
The default value will be constructed for this workflow run.'); + summary = ` + | Workflow Item | Value | + | --- | --- | + | Actor | \`${{ github.actor }}\` | + | Source Ref | \`${{ github.head_ref }}\` | + | Workflow Source | \`${{ github.ref_name }}\` - SHA: \`${{ github.sha }}\` | + | CONTINUE_WORKFLOW | \`${{ steps.set-vars.outputs.CONTINUE_WORKFLOW }}\` | + | CREATE_RELEASE | \`${{ steps.set-vars.outputs.CREATE_RELEASE}}\` | + | IS_PRERELEASE | \`${{ steps.set-vars.outputs.IS_PRERELEASE }}\` | + | IS_MERGE_TO_MAIN | \`${{ steps.set-vars.outputs.IS_MERGE_TO_MAIN }}\` | + | REF_TO_BUILD_AND_TAG | \`${{ steps.set-vars.outputs.REF_TO_BUILD_AND_TAG }}\` | + | DIST_TAG | \`${{ steps.set-vars.outputs.DIST_TAG }}\` | + | IS_DEPENDABOT_PR | \`${{ steps.actor_check.outputs.IS_DEPENDABOT_PR }}\` |`; + } else { + console.log('A workflow summary was provided and will be used instead of the default value.'); + } + console.log('Workflow Summary:'); + console.log(summary); + core.setOutput('summary', summary); + env: + SUMMARY: ${{ inputs.workflow-summary }} + + - run: echo '${{ steps.summary.outputs.summary }}' >> $GITHUB_STEP_SUMMARY + + - uses: actions/checkout@v4 + if: steps.set-vars.outputs.CONTINUE_WORKFLOW == 'true' + with: + ref: ${{ steps.set-vars.outputs.REF_TO_BUILD_AND_TAG }} + fetch-depth: 0 + + - name: Calculate next version + if: steps.set-vars.outputs.CONTINUE_WORKFLOW == 'true' + id: version + uses: im-open/git-version-lite@v3.0 + with: + calculate-prerelease-version: ${{ steps.set-vars.outputs.IS_PRERELEASE }} + branch-name: ${{ github.head_ref }} # This is only populated when the trigger is pull_request, otherwise it is empty + tag-prefix: ${{ inputs.tag-prefix }} diff --git a/.github/workflows/im-reusable-setup-deployment-workflow.yml b/.github/workflows/im-reusable-setup-deployment-workflow.yml index f86f3a4a..d32a6cd7 100644 --- a/.github/workflows/im-reusable-setup-deployment-workflow.yml 
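Review bot: `github.head_ref` is interpolated directly into JavaScript string literals in the `Set default env variables` step (`const sourceRef = '${{ github.head_ref }}';`) and into the summary template literal, and the summary is then echoed from a `run:` step inside single quotes (`echo '${{ steps.summary.outputs.summary }}' >> $GITHUB_STEP_SUMMARY`). A PR head branch name, or a caller-supplied `workflow-summary`, containing a quote or backtick breaks out of those literals; this is the expression-injection pattern GitHub's security-hardening guidance calls out for `github.head_ref`, though whether any caller runs this with a write-capable token is not visible from here. Passing the values through `env:` removes the interpolation: `const sourceRef = process.env.HEAD_REF;` with `HEAD_REF: ${{ github.head_ref }}` in that step's `env`, and `run: printf '%s\n' "$SUMMARY" >> "$GITHUB_STEP_SUMMARY"` with `SUMMARY: ${{ steps.summary.outputs.summary }}` in the shell step's `env`. The hunk appears to be a whitespace-only rewrite of the file, so this predates the commit.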
+++ b/.github/workflows/im-reusable-setup-deployment-workflow.yml 
@@ -1,151 +1,151 @@ -# The purpose of this workflow is to verify that the branch/tag/sha to deploy is a valid ref -# and for production deploys to verify that the tag is reachable from the default branch -# (meaning it has been reviewed and merged into main) and that the release is production -# ready (it is not a draft/pre-release). - -# Example Usage in a repo's workflow: -# jobs: -# setup-deployment-workflow: -# uses: im-practices/.github/.github/workflows/im-reusable-setup-deployment-workflow.yml@v2 -# with: -# runs-on: im-linux -# ref-to-deploy: v1.2.3 -# deployment-environment: prod -# production-environments: 'prod,prod-secondary' -# default-branch: main - -on: - workflow_call: - inputs: - runs-on: - description: 'The runner that this workflow will run on.' - required: false - type: string - default: 'im-linux' - ref-to-deploy: - description: The branch, tag or sha that will be deployed. - type: string - required: true - deployment-environment: - description: 'The environment that is being deployed to: dev, qa, stage, stage-secondary, uat, demo, prod, prod-secondary.' - required: true - type: string - production-environments: - description: Comma separated list of production environments to check against. Defaults to 'prod,prod-secondary' - required: false - type: string - default: 'prod,prod-secondary' - verify-release-production-ready: - description: Verify associated release is not draft or prerelease - required: false - type: boolean - default: true - default-branch: - description: Default branch of the repository - required: false - type: string - default: main - workflow-summary: - description: 'String that will override the default GitHub Summary when provided.' 
- type: string - required: false - -jobs: - setup-deployment-workflow: - runs-on: ${{ inputs.runs-on}} - - steps: - - name: Print inputs - uses: actions/github-script@v7 - with: - script: | - function printInput(inputName, inputValue, isMultilineInput){ - if (!inputValue || inputValue.trim().length === 0){ - core.info(`${inputName}: Not Provided`); - } else if (isMultilineInput){ - console.log(`\n${inputName}:\n${inputValue}`); - } - else { - core.info(`${inputName}: ${inputValue}`); - } - } - printInput('runs-on', '${{ inputs.runs-on }}'); - printInput('ref-to-deploy', '${{ inputs.ref-to-deploy }}'); - printInput('deployment-environment', '${{ inputs.deployment-environment }}'); - printInput('production-environments', '${{ inputs.production-environments }}'); - printInput('verify-release-production-ready', '${{ inputs.verify-release-production-ready }}'); - printInput('default-branch', '${{ inputs.default-branch }}'); - printInput('workflow-summary', process.env.SUMMARY, true); - - env: - SUMMARY: ${{ inputs.workflow-summary }} - - - name: Construct Workflow Summary - id: summary - uses: actions/github-script@v7 - with: - script: | - let summary = process.env.SUMMARY; - if (!summary || summary.trim().length === 0){ - console.log('A workflow summary was not provided. 
The default value will be constructed for this workflow run.'); - summary = ` - | Deployment Arguments | Value | - | --- | --- | - | Deployment Environment | \`${{ inputs.deployment-environment }}\` | - | Ref to Deploy | \`${{ inputs.ref-to-deploy }}\` | - | Actor | \`${{ github.actor }}\` | - | Workflow Source | \`${{ github.ref_name }}\` - SHA: \`${{ github.sha }}\` |`; - } else { - console.log('A workflow summary was provided and will be used instead of the default value.'); - } - console.log('Workflow Summary:'); - console.log(summary); - core.setOutput('summary', summary); - env: - SUMMARY: ${{ inputs.workflow-summary }} - - - run: echo '${{ steps.summary.outputs.summary }}' >> $GITHUB_STEP_SUMMARY - - # In this job, always checkout the default branch (not the tag that was provided as an input). - # Also use fetch-depth: 0 to retrieve the history and tags so we can check if a tag is - # exists, is reachable from the default branch and is production ready. - - name: Checkout Repository - uses: actions/checkout@v4 - with: - ref: ${{ inputs.default-branch }} - fetch-depth: 0 - - - name: Verify Tag Exists - uses: im-open/verify-git-ref@v1.2 - with: - branch-tag-sha: ${{ inputs.ref-to-deploy }} - - - name: Determine if deployment is to Prod - id: check-env - uses: actions/github-script@v7 - with: - script: | - const prodEnvsRaw = '${{ inputs.production-environments }}'; - if (!prodEnvsRaw || prodEnvsRaw.length === 0){ - core.setFailure('A list of production environments must be provided.'); - return; - } - const prodEnvs = prodEnvsRaw.split(',').map(e => e.trim()); - const deploymentEnv = '${{ inputs.deployment-environment }}'.trim(); - - const isProd = prodEnvs.includes(deploymentEnv); - core.setOutput('IS_PROD', isProd); - - - uses: im-open/is-tag-reachable-from-default-branch@v1 - if: steps.check-env.outputs.IS_PROD == 'true' - with: - tag: ${{ inputs.ref-to-deploy }} - default-branch: ${{ inputs.default-branch }} - error-if-not-reachable: true # This only runs 
for prod environments, so if the tag is not in main, it should fail - - - uses: im-open/is-release-production-ready@v1 - if: steps.check-env.outputs.IS_PROD == 'true' && inputs.verify-release-production-ready == 'true' - with: - token: ${{ secrets.GITHUB_TOKEN }} - release-tag: ${{ inputs.ref-to-deploy }} - fail-for-prerelease: true # This only runs for prod environments, so if the release is not production ready it should fail +# The purpose of this workflow is to verify that the branch/tag/sha to deploy is a valid ref +# and for production deploys to verify that the tag is reachable from the default branch +# (meaning it has been reviewed and merged into main) and that the release is production +# ready (it is not a draft/pre-release). + +# Example Usage in a repo's workflow: +# jobs: +# setup-deployment-workflow: +# uses: im-practices/.github/.github/workflows/im-reusable-setup-deployment-workflow.yml@v2 +# with: +# runs-on: im-linux +# ref-to-deploy: v1.2.3 +# deployment-environment: prod +# production-environments: 'prod,prod-secondary' +# default-branch: main + +on: + workflow_call: + inputs: + runs-on: + description: 'The runner that this workflow will run on.' + required: false + type: string + default: 'im-linux' + ref-to-deploy: + description: The branch, tag or sha that will be deployed. + type: string + required: true + deployment-environment: + description: 'The environment that is being deployed to: dev, qa, stage, stage-secondary, uat, demo, prod, prod-secondary.' + required: true + type: string + production-environments: + description: Comma separated list of production environments to check against. 
Defaults to 'prod,prod-secondary' + required: false + type: string + default: 'prod,prod-secondary' + verify-release-production-ready: + description: Verify associated release is not draft or prerelease + required: false + type: boolean + default: true + default-branch: + description: Default branch of the repository + required: false + type: string + default: main + workflow-summary: + description: 'String that will override the default GitHub Summary when provided.' + type: string + required: false + +jobs: + setup-deployment-workflow: + runs-on: ${{ inputs.runs-on}} + + steps: + - name: Print inputs + uses: actions/github-script@v7 + with: + script: | + function printInput(inputName, inputValue, isMultilineInput){ + if (!inputValue || inputValue.trim().length === 0){ + core.info(`${inputName}: Not Provided`); + } else if (isMultilineInput){ + console.log(`\n${inputName}:\n${inputValue}`); + } + else { + core.info(`${inputName}: ${inputValue}`); + } + } + printInput('runs-on', '${{ inputs.runs-on }}'); + printInput('ref-to-deploy', '${{ inputs.ref-to-deploy }}'); + printInput('deployment-environment', '${{ inputs.deployment-environment }}'); + printInput('production-environments', '${{ inputs.production-environments }}'); + printInput('verify-release-production-ready', '${{ inputs.verify-release-production-ready }}'); + printInput('default-branch', '${{ inputs.default-branch }}'); + printInput('workflow-summary', process.env.SUMMARY, true); + + env: + SUMMARY: ${{ inputs.workflow-summary }} + + - name: Construct Workflow Summary + id: summary + uses: actions/github-script@v7 + with: + script: | + let summary = process.env.SUMMARY; + if (!summary || summary.trim().length === 0){ + console.log('A workflow summary was not provided. 
The default value will be constructed for this workflow run.'); + summary = ` + | Deployment Arguments | Value | + | --- | --- | + | Deployment Environment | \`${{ inputs.deployment-environment }}\` | + | Ref to Deploy | \`${{ inputs.ref-to-deploy }}\` | + | Actor | \`${{ github.actor }}\` | + | Workflow Source | \`${{ github.ref_name }}\` - SHA: \`${{ github.sha }}\` |`; + } else { + console.log('A workflow summary was provided and will be used instead of the default value.'); + } + console.log('Workflow Summary:'); + console.log(summary); + core.setOutput('summary', summary); + env: + SUMMARY: ${{ inputs.workflow-summary }} + + - run: echo '${{ steps.summary.outputs.summary }}' >> $GITHUB_STEP_SUMMARY + + # In this job, always checkout the default branch (not the tag that was provided as an input). + # Also use fetch-depth: 0 to retrieve the history and tags so we can check if a tag is + # exists, is reachable from the default branch and is production ready. + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: ${{ inputs.default-branch }} + fetch-depth: 0 + + - name: Verify Tag Exists + uses: im-open/verify-git-ref@v1.2 + with: + branch-tag-sha: ${{ inputs.ref-to-deploy }} + + - name: Determine if deployment is to Prod + id: check-env + uses: actions/github-script@v7 + with: + script: | + const prodEnvsRaw = '${{ inputs.production-environments }}'; + if (!prodEnvsRaw || prodEnvsRaw.length === 0){ + core.setFailure('A list of production environments must be provided.'); + return; + } + const prodEnvs = prodEnvsRaw.split(',').map(e => e.trim()); + const deploymentEnv = '${{ inputs.deployment-environment }}'.trim(); + + const isProd = prodEnvs.includes(deploymentEnv); + core.setOutput('IS_PROD', isProd); + + - uses: im-open/is-tag-reachable-from-default-branch@v1 + if: steps.check-env.outputs.IS_PROD == 'true' + with: + tag: ${{ inputs.ref-to-deploy }} + default-branch: ${{ inputs.default-branch }} + error-if-not-reachable: true # This only runs 
for prod environments, so if the tag is not in main, it should fail + + - uses: im-open/is-release-production-ready@v1 + if: steps.check-env.outputs.IS_PROD == 'true' && inputs.verify-release-production-ready == 'true' + with: + token: ${{ secrets.GITHUB_TOKEN }} + release-tag: ${{ inputs.ref-to-deploy }} + fail-for-prerelease: true # This only runs for prod environments, so if the release is not production ready it should fail diff --git a/.github/workflows/increment-version-and-kick-off-sync.yml b/.github/workflows/increment-version-and-kick-off-sync.yml index 4364f3ed..69a402d3 100644 --- a/.github/workflows/increment-version-and-kick-off-sync.yml +++ b/.github/workflows/increment-version-and-kick-off-sync.yml 
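Review bot: The production-readiness gate on the last step of this hunk appears never to run: `verify-release-production-ready` is declared `type: boolean`, and GitHub expressions coerce a boolean-vs-string comparison to numbers, so `inputs.verify-release-production-ready == 'true'` evaluates false for a true input; the condition should be `if: steps.check-env.outputs.IS_PROD == 'true' && inputs.verify-release-production-ready` (or `== true`). In the check-env script, `core.setFailure(...)` is not a function of @actions/core (the method is `core.setFailed`), so an empty production-environments list fails the step with a TypeError instead of the intended message. Inlining `${{ inputs.* }}` directly into the JavaScript string literals also means a value containing a quote breaks the script; routing them through `env:` as the step already does for SUMMARY avoids that. The file appears to be re-added without content changes, so these are carried over rather than introduced by the commit.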
@@ -1,69 +1,69 @@ -# This is the workflow the repository uses to increment itself. It does not have a version. - -name: Increment Version & Kick off template sync -on: - # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ - # - GitHub’s standard pull_request workflow trigger prevents write permissions and secrets - # access to the target repository from public forks. PRs from a branch in the same repo - # and forks of internal/private repos are not limited the same way for this trigger. - # - The pull_request_target trigger allows the workflow to relax some restrictions to a - # target repository so PRs from forks have write permission to the target repo and have - # secrets access (which we need in order to push a new tag in this workflow). - # - For this workflow, the elevated permissions should not be a problem because: - # - Our im-open repositories do not contain secrets, they are dumb actions - # - Require approval for all outside collaborators' is set at the org level so someone - # with Write access has a chance to review code before allowing any workflow runs - # - This workflow with elevated Write permissions will only run once the code has been - # reviewed, approved by a CODEOWNER and merged - pull_request_target: - types: [closed] - -jobs: - increment-version: - if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' - - runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners - - steps: - # Generally speaking, when the PR contents are treated as passive data, i.e. not in a - # position of influence over the build/testing process, it is safe to checkout the code - # on a pull_request_target. But we need to be extra careful not to trigger any script - # that may operate on PR controlled contents like in the case of npm install. 
- # Here we are just checking it out to calculate the next version - - name: Checkout Repository - uses: actions/checkout@v4 - with: - ref: main - fetch-depth: 0 - - # See https://github.com/im-open/git-version-lite for more details around how to increment - # major/minor/patch through commit messages - - name: Increment the version - id: version - uses: im-open/git-version-lite@v3.0 - with: - default-release-type: major - - - name: Create version tag, create or update major, and minor tags - run: | - git config user.name github-actions - git config user.email github-actions@github.com - git tag ${{ steps.version.outputs.NEXT_VERSION }} ${{ github.sha }} - git tag -f ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} ${{ github.sha }} - git tag -f ${{ steps.version.outputs.NEXT_MINOR_VERSION }} ${{ github.sha }} - git push origin ${{ steps.version.outputs.NEXT_VERSION }} - git push origin ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} -f - git push origin ${{ steps.version.outputs.NEXT_MINOR_VERSION }} -f - - - name: Tell github-management to sync templates - uses: actions/github-script@v7 - with: - # You have to use something with write access to the repo. GITHUB_TOKEN - # doesn't work because it doesn't have access to another repo. - github-token: ${{ secrets.PIPELINE_BOT_PAT }} # This is an org level secret - script: | - github.rest.repos.createDispatchEvent({ - owner: 'im-platform', - repo: 'github-management', - event_type: 'sync_workflows' - }); +# This is the workflow the repository uses to increment itself. It does not have a version. + +name: Increment Version & Kick off template sync +on: + # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + # - GitHub’s standard pull_request workflow trigger prevents write permissions and secrets + # access to the target repository from public forks. PRs from a branch in the same repo + # and forks of internal/private repos are not limited the same way for this trigger. 
+ # - The pull_request_target trigger allows the workflow to relax some restrictions to a + # target repository so PRs from forks have write permission to the target repo and have + # secrets access (which we need in order to push a new tag in this workflow). + # - For this workflow, the elevated permissions should not be a problem because: + # - Our im-open repositories do not contain secrets, they are dumb actions + # - Require approval for all outside collaborators' is set at the org level so someone + # with Write access has a chance to review code before allowing any workflow runs + # - This workflow with elevated Write permissions will only run once the code has been + # reviewed, approved by a CODEOWNER and merged + pull_request_target: + types: [closed] + +jobs: + increment-version: + if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' + + runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners + + steps: + # Generally speaking, when the PR contents are treated as passive data, i.e. not in a + # position of influence over the build/testing process, it is safe to checkout the code + # on a pull_request_target. But we need to be extra careful not to trigger any script + # that may operate on PR controlled contents like in the case of npm install. 
+ # Here we are just checking it out to calculate the next version + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: main + fetch-depth: 0 + + # See https://github.com/im-open/git-version-lite for more details around how to increment + # major/minor/patch through commit messages + - name: Increment the version + id: version + uses: im-open/git-version-lite@v3.0 + with: + default-release-type: major + + - name: Create version tag, create or update major, and minor tags + run: | + git config user.name github-actions + git config user.email github-actions@github.com + git tag ${{ steps.version.outputs.NEXT_VERSION }} ${{ github.sha }} + git tag -f ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} ${{ github.sha }} + git tag -f ${{ steps.version.outputs.NEXT_MINOR_VERSION }} ${{ github.sha }} + git push origin ${{ steps.version.outputs.NEXT_VERSION }} + git push origin ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} -f + git push origin ${{ steps.version.outputs.NEXT_MINOR_VERSION }} -f + + - name: Tell github-management to sync templates + uses: actions/github-script@v7 + with: + # You have to use something with write access to the repo. GITHUB_TOKEN + # doesn't work because it doesn't have access to another repo. + github-token: ${{ secrets.PIPELINE_BOT_PAT }} # This is an org level secret + script: | + github.rest.repos.createDispatchEvent({ + owner: 'im-platform', + repo: 'github-management', + event_type: 'sync_workflows' + }); diff --git a/workflow-templates/im-build-db-ci.yml b/workflow-templates/im-build-db-ci.yml index ddff0dcf..a73de8dc 100644 --- a/workflow-templates/im-build-db-ci.yml +++ b/workflow-templates/im-build-db-ci.yml 
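Review bot: The `increment-version` job has no `permissions:` block, so under `pull_request_target` it runs with whatever default token scope the repository grants, while the tag pushes need only `contents: write`; adding `permissions:` / `contents: write` at the job level makes the write grant explicit and minimal. The `git push` lines rely on the GITHUB_TOKEN credential that actions/checkout persists by default, which is worth stating in the comment above the tag step so the dependency is visible if checkout options change. The file appears to be re-added without content changes, so this is carried over rather than introduced by the commit.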
@@ -1,268 +1,268 @@ -# Workflow Code: GiddyBuzzard_v19 DO NOT REMOVE -# Purpose: -# The main purpose of this workflow is to verify that the database can be created, all of the migration scripts can be run, and any tests that exist pass. -# In addition to that, however, there are three other things this workflow template is set up to do. -# 1. Create snapshots. Snapshots are create sql object (table, view, sproc, etc.) scripts that show the shape of an object and can be -# useful for keeping a historical record in GitHub of the changes to them. -# 2. Create a backup of the database and store it for later consumption. The backup can then be used in a workflow to circumvent the need -# to spin up the database from scratch. Very helpful for decreasing build times. Please note however that this is only a backup of a local database. -# It does not take the place of backups that should be happening of Production databases. -# 3. Create mock sql objects that can be consumed by other database repos' CI processes. A flag on the build database step in this workflow can be set -# so that your database's dependencies are downloaded and installed. -# -# The need for creating snapshots and backups in this workflow is not a very common need. They are here in case you need them, but likely you won't. -# There are TODO's throughout this template that let you know when something isn't necessary if you don't want snapshots and/or backups created. -# -# Creating mock sql objects is a bit less rare of a need, but only if your database is a sectioned off part of the legacy ExtendHealth monolith. Again, -# there will be TODO's showing you where some items can be removed if you don't have any dependencies and/or don't need to create mock objects to be -# consumed by others. 
-# -# Frequency: -# - This workflow should only be used once per repository -# -# Projects to use this Template with: -# - Azure SQL Database (Core Template) -# - On-Prem Database (Core Template) - -name: Build Database CI -# TODO: Select the appropriate trigger, if push and pull are both included, two builds will be kicked off when a PR exists and a new commit is pushed to the corresponding branch. -on: - # This workflow will run for the PR events: - # opened/reopened: A PR is opened/re-opened, - # synchronize: The PR's head branch is updated (commits pushed, the base branch changed or the head is updated from the base branch) - # closed: A PR is merged or closed (The triggers job makes sure we only run if a merge happened, not when a close happens) - pull_request: - types: [opened, reopened, synchronize, closed] -env: - DB_NAME: '' # TODO: Fill in your repo's database name - DB_SERVER_NAME: 'localhost' - DB_SERVER_PORT: '1433' - DEFAULT_BRANCH: 'main' # TODO: verify default branch name - GITHUB_PACKAGE_URL: 'https://nuget.pkg.github.com' # TODO: This can be removed if your database doesn't have any dependency objects stored in GitHub Packages - GITHUB_PACKAGE_SOURCE_URL: '${{ env.GITHUB_PACKAGE_URL }}/${{ github.repository_owner }}/index.json' - - # TODO: The following are all for the snapshot step below and can be removed if it's not used - SNAPSHOT_PATH: './snapshot' # TODO: Verify this path is correct - EXCLUDED_DB_SNAPSHOT_OBJECTS: '' # TODO: Add some comma separated values to this - - # TODO: These next variables are for backing up the database. Remove if not needed. - BACKUP_PATH: '' # TODO: The path on the action runner to put the backup path - BACKUP_FILENAME: '' # TODO: The name to give the backup file - -jobs: - # TODO: If you don't need to create snapshots, backups, or mock objects then this whole job can be removed. Make sure to update the 'needs' of later jobs accordingly. 
- set-vars: - runs-on: ubuntu-latest - outputs: - last-commit-is-snapshot: ${{ steps.capture-branch-state.outputs.isSnapshot }} # TODO: Can be useful for if logic to skip steps. Remove if this isn't something you need to branch on. - current-branch-is-default: ${{ steps.capture-branch-state.outpus.isDefaultBranch }} # TODO: Can be useful for if logic to skip steps. Remove if your CI process is the same for all branches. - should-skip-remaining-workflow-jobs: ${{ steps.capture-branch-state.outputs.skip }} # TODO: This is only needed if your workflow is committing a snapshot and needs to skip running the CI for that commit. Remove this and its usages if not needed. - steps: - - uses: actions/checkout@v4 - - # TODO: Update or remove this if you aren't creating snapshots and/or are doing the same CI process for every branch. - - name: Capture branch details - id: capture-branch-state - shell: pwsh - run: | - $CurrentBranch = git rev-parse --abbrev-ref HEAD - $LastCommitBy = git --no-pager show -s --format="%aN" - $CurrentBranchIsDefault = ($CurrentBranch -eq "${{ env.DEFAULT_BRANCH }}") - $LastCommitIsSnapshot = ($LastCommitBy -eq "github-actions") - - "isDefaultBranch=$CurrentBranchIsDefault" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - "isSnapshot=$LastCommitIsSnapshot" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - - - if ($LastCommitIsSnapshot -and !$CurrentBranchIsDefault) - { - Write-Host "Snapshot was last commit, skipping the other jobs" - "skip=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - } - else - { - Write-Host "Snapshot was not the last commit, continuing with the other jobs" - "skip=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - } - - # TODO: Remove this linting job if your project doesn't need/want it - lint-migration-files: - runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners - needs: set-vars # TODO: Remove this if you deleted the set-vars job - if: 
${{ needs.set-vars.outputs.should-skip-remaining-workflow-jobs == 'false' }} # TODO: Remove this if there is no snapshot commit that should cause this step to be skipped. - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-node@v4 - with: - node-version: '14' # TODO: The current LTS version. Can be updated to something else if needed. - - - id: migration-folder - shell: pwsh - run: | - "folder=$($(Get-Date).Year).$($(Get-Date).Month.ToString("00"))" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - - name: SQL Lint - uses: im-open/tsql-lint-action@v1.1 - with: - tsqllint-version: 1.11.0 - path-to-sql-files: 'Database/src/SqlDatabase/Migrations/${{ steps.migration-folder.outputs.folder }}' # TODO: Update this path to wherever the files to lint live - file-name-filter: 'V9*.sql' # TODO: Update this if necessary - path-to-lint-config: ./.tsqllintrc # TODO: Update this with the path to your project's .tsllintrc file - - build-database: - runs-on: [self-hosted, im-linux] - needs: [set-vars, lint-migration-files] # TODO: Remove any jobs you deleted above - if: ${{ needs.set-vars.outputs.should-skip-remaining-workflow-jobs == 'false' }} # TODO: Remove this if there is no snapshot commit that should cause this step to be skipped. - - env: - SQL_SERVER_PASSWORD: 'StrongPassword!1' - - services: - sqlserver: - image: mcr.microsoft.com/mssql/server:2022-latest - ports: - - 1433:1433 - options: -e "ACCEPT_EULA=Y" -e "MSSQL_SA_PASSWORD=StrongPassword!1" - - steps: - - uses: actions/checkout@v4 - - - name: Install Flyway - uses: im-open/setup-flyway@v1.1 - with: - version: 7.2.0 # This version works with the current version of build-database-ci-action. Newer versions might, but they should be tested. - - - name: Build Database - uses: im-open/build-database-ci-action@v3.3 - with: - # TODO: These parameters are the most commonly used. 
They tell the action to create the repo's database on the Action Runner, - # validate and run the repo's migration scripts, run tests, and seed data into the database for future needs (like integration tests). - # There is more configuration for the action that can happen though, and more it can do. - # See https://github.com/im-open/build-database-ci-action for detailed documentation and examples. - db-server-name: ${{ env.DB_SERVER_NAME }} - db-name: ${{ env.DB_NAME }} - create-database-file: '' # TODO: Add the path to the create database file (often called Initialization.sql) - migration-files-path: '' # TODO: Add the path to the directory with your migration files - should-validate-migrations: true # This will make flyway validate the migration scripts before running them - run-tests: true - test-files-path: '' # TODO: Add the path to the directory with your test files - seed-data: true - seed-data-files-path: '' # TODO: Add the path to the directory with your seed data files - use-integrated-security: false - db-username: 'sa' # The default system administrator account that comes with SQL Server. This is the only account set up in our self hosted Action Runners' SQL Server instances. - db-password: ${{ env.SQL_SERVER_PASSWORD }} - - - ######################################################################################################################### - # The previous three steps are all that most builds will need. They will build your database on the Action Runner and run any tests you have. - # The following steps are for the three activities mentioned at the start of this template. - # 1. Creating snapshots - # 2. Creating mock sql objects - # 3. Creating a backup - # Remove the ones that are unnecessary for your repo's CI process. 
- ######################################################################################################################### - - # The next four steps can be removed if your build doesn't need to create snapshots of database objects. - # Otherwise they can be uncommented and the TODO's addressed. - # TODO: Replace what is in this step with what your build needs in order to determine what database objects have changed - # The output is a json string containing a list of objects with the following properties (see https://github.com/im-open/increment-database-object-snapshots#inputs for more information) - # * objectName - # * schemaName - # * objectType - # * operationType - # - name: Get db objects that have changed - # id: changed-objects - # shell: pwsh - # run: | - # $changedObjectsQuery = - # "SELECT - # objectId, - # schemaName, - # objectName, - # CASE objectType - # WHEN 'U' THEN 'Tables' - # WHEN 'V' THEN 'Views' - # WHEN 'P' THEN 'StoredProcedures' - # WHEN 'SO' THEN 'Sequences' - # WHEN 'TF' THEN 'UserDefinedFunctions' - # WHEN 'FN' THEN 'UserDefinedFunctions' - # WHEN 'IF' THEN 'UserDefinedFunctions' - # WHEN 'SN' THEN 'Synonyms' - # ELSE objectType - # END AS objectType, - # operationType - # FROM DBA.V_ChangedObjectsForSnapshot" - - # $changedObjects = Invoke-Sqlcmd -ServerInstance "${{ env.DB_SERVER_NAME }}" -Database "${{ env.DB_NAME }}" -Query $changedObjectsQuery - # $mappedObjects = $changedObjects | foreach-object { @{ schemaName=$_.schemaName; objectName=$_.objectName; objectType=$_.objectType; operationType=$_.operationType } } - # $objectsAsJson = $mappedObjects | ConvertTo-Json -Compress - - # "json=$objectsAsJson" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - - # - name: Increment snapshots - # uses: im-open/increment-database-object-snapshots@v1.0 - # with: - # db-name: ${{ env.DB_NAME }} - # instance-name: ${{ env.DB_SERVER_NAME }} - # snapshot-path: ${{ env.SNAPSHOT_PATH }} - # objects-to-increment: '${{ 
steps.changed-objects.outputs.json }}' - # excluded-db-objects: ${{ env.EXCLUDED_DB_SNAPSHOT_OBJECTS }} - - # - name: Setup git for snapshot commit - # run: | - # git config user.name github-actions - # git config user.email github-actions@github.com - - # TODO: Update the commit message if desired - # - name: Commit the snapshots - # run: | - # git add ${{ env.SNAPSHOT_PATH }} - # git commit -m "Automated Snapshot Commit" - # git push -f origin HEAD - - ##### End of snapshot steps ##### - - - # This allows the next steps to authenticate with and push to GitHub Packages. - # If you aren't using the steps below you can remove this one. - # - name: Authenticate with GitHub Packages - # uses: im-open/authenticate-with-gh-package-registries@v1.1 - # with: - # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret - # orgs: 'im-practices,im-client' # TODO: Verify list of orgs packages will be pulled from - - # Remove this if you don't need to publish mock sql objects - # - name: Create and publish views from tables - # uses: im-open/sql-view-to-table-generator@v1.1 - # with: - # schema-names: 'dbo,CustomSchema' # TODO: Replace this with an actual list - # db-name: ${{ env.DB_NAME }} - # db-server: ${{ env.DB_SERVER_NAME }} - # default-branch: ${{ env.DEFAULT_BRANCH }} - # nuget-retrieval-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} - # publish-packages: true - # nuget-publish-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} - # nuget-api-key: '${{ secrets.GITHUB_TOKEN }}' # Special per-job token generated by GH for interacting with the repo - # repository-url: ${{ github.repositoryUrl }} - - # TODO: This is needed only if you have to update what objects have changed so it can be used in another step like changed-objects. - # Remove or update as needed. 
- # - name: Update database object versions - # shell: pwsh - # run: | - # $updateObjectVersionsSQL = "EXEC DBA.usp_UpdateCheckSumForChangedObjectDefinitions;" - # Invoke-Sqlcmd -ServerInstance "${{ env.DB_SERVER_NAME }}" -Database "${{ env.DB_NAME }}" $updateObjectVersionsSQL - - # TODO: Remove this if your build doesn't need to create/publish backup files - # - name: Create and publish backup files - # uses: im-open/create-and-publish-db-backup-file@v1.1 - # with: - # db-server: ${{ env.DB_SERVER_NAME }} - # db-name: ${{ env.DB_NAME }} - # backup-path: '${{ env.BACKUP_PATH }}' # This can be changed if needed - # backup-name: '${{ env.BACKUP_FILENAME }}' - # version: '1.1.${{ github.run_number }}' # TODO: Set to 1.1.*** in order to not conflict with previous versions from Teamcity. Update this if desired. - # nuget-source-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} - # nuget-api-key: '${{ secrets.GITHUB_TOKEN }}' # Special per-job token generated by GH for interacting with the repo - # repository-url: ${{ github.repositoryUrl }} - # authors: '' # TODO: This will get put in the .nuspec file. It should be updated with your team name or something similar. +# Workflow Code: GiddyBuzzard_v19 DO NOT REMOVE +# Purpose: +# The main purpose of this workflow is to verify that the database can be created, all of the migration scripts can be run, and any tests that exist pass. +# In addition to that, however, there are three other things this workflow template is set up to do. +# 1. Create snapshots. Snapshots are create sql object (table, view, sproc, etc.) scripts that show the shape of an object and can be +# useful for keeping a historical record in GitHub of the changes to them. +# 2. Create a backup of the database and store it for later consumption. The backup can then be used in a workflow to circumvent the need +# to spin up the database from scratch. Very helpful for decreasing build times. Please note however that this is only a backup of a local database. 
+# It does not take the place of backups that should be happening of Production databases. +# 3. Create mock sql objects that can be consumed by other database repos' CI processes. A flag on the build database step in this workflow can be set +# so that your database's dependencies are downloaded and installed. +# +# The need for creating snapshots and backups in this workflow is not a very common need. They are here in case you need them, but likely you won't. +# There are TODO's throughout this template that let you know when something isn't necessary if you don't want snapshots and/or backups created. +# +# Creating mock sql objects is a bit less rare of a need, but only if your database is a sectioned off part of the legacy ExtendHealth monolith. Again, +# there will be TODO's showing you where some items can be removed if you don't have any dependencies and/or don't need to create mock objects to be +# consumed by others. +# +# Frequency: +# - This workflow should only be used once per repository +# +# Projects to use this Template with: +# - Azure SQL Database (Core Template) +# - On-Prem Database (Core Template) + +name: Build Database CI +# TODO: Select the appropriate trigger, if push and pull are both included, two builds will be kicked off when a PR exists and a new commit is pushed to the corresponding branch. 
+on: + # This workflow will run for the PR events: + # opened/reopened: A PR is opened/re-opened, + # synchronize: The PR's head branch is updated (commits pushed, the base branch changed or the head is updated from the base branch) + # closed: A PR is merged or closed (The triggers job makes sure we only run if a merge happened, not when a close happens) + pull_request: + types: [opened, reopened, synchronize, closed] +env: + DB_NAME: '' # TODO: Fill in your repo's database name + DB_SERVER_NAME: 'localhost' + DB_SERVER_PORT: '1433' + DEFAULT_BRANCH: 'main' # TODO: verify default branch name + GITHUB_PACKAGE_URL: 'https://nuget.pkg.github.com' # TODO: This can be removed if your database doesn't have any dependency objects stored in GitHub Packages + GITHUB_PACKAGE_SOURCE_URL: '${{ env.GITHUB_PACKAGE_URL }}/${{ github.repository_owner }}/index.json' + + # TODO: The following are all for the snapshot step below and can be removed if it's not used + SNAPSHOT_PATH: './snapshot' # TODO: Verify this path is correct + EXCLUDED_DB_SNAPSHOT_OBJECTS: '' # TODO: Add some comma separated values to this + + # TODO: These next variables are for backing up the database. Remove if not needed. + BACKUP_PATH: '' # TODO: The path on the action runner to put the backup path + BACKUP_FILENAME: '' # TODO: The name to give the backup file + +jobs: + # TODO: If you don't need to create snapshots, backups, or mock objects then this whole job can be removed. Make sure to update the 'needs' of later jobs accordingly. + set-vars: + runs-on: ubuntu-latest + outputs: + last-commit-is-snapshot: ${{ steps.capture-branch-state.outputs.isSnapshot }} # TODO: Can be useful for if logic to skip steps. Remove if this isn't something you need to branch on. + current-branch-is-default: ${{ steps.capture-branch-state.outpus.isDefaultBranch }} # TODO: Can be useful for if logic to skip steps. Remove if your CI process is the same for all branches. 
+ should-skip-remaining-workflow-jobs: ${{ steps.capture-branch-state.outputs.skip }} # TODO: This is only needed if your workflow is committing a snapshot and needs to skip running the CI for that commit. Remove this and its usages if not needed. + steps: + - uses: actions/checkout@v4 + + # TODO: Update or remove this if you aren't creating snapshots and/or are doing the same CI process for every branch. + - name: Capture branch details + id: capture-branch-state + shell: pwsh + run: | + $CurrentBranch = git rev-parse --abbrev-ref HEAD + $LastCommitBy = git --no-pager show -s --format="%aN" + $CurrentBranchIsDefault = ($CurrentBranch -eq "${{ env.DEFAULT_BRANCH }}") + $LastCommitIsSnapshot = ($LastCommitBy -eq "github-actions") + + "isDefaultBranch=$CurrentBranchIsDefault" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + "isSnapshot=$LastCommitIsSnapshot" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + + + if ($LastCommitIsSnapshot -and !$CurrentBranchIsDefault) + { + Write-Host "Snapshot was last commit, skipping the other jobs" + "skip=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + } + else + { + Write-Host "Snapshot was not the last commit, continuing with the other jobs" + "skip=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + } + + # TODO: Remove this linting job if your project doesn't need/want it + lint-migration-files: + runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners + needs: set-vars # TODO: Remove this if you deleted the set-vars job + if: ${{ needs.set-vars.outputs.should-skip-remaining-workflow-jobs == 'false' }} # TODO: Remove this if there is no snapshot commit that should cause this step to be skipped. + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: '14' # TODO: The current LTS version. Can be updated to something else if needed. 
+ + - id: migration-folder + shell: pwsh + run: | + "folder=$($(Get-Date).Year).$($(Get-Date).Month.ToString("00"))" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + - name: SQL Lint + uses: im-open/tsql-lint-action@v1.1 + with: + tsqllint-version: 1.11.0 + path-to-sql-files: 'Database/src/SqlDatabase/Migrations/${{ steps.migration-folder.outputs.folder }}' # TODO: Update this path to wherever the files to lint live + file-name-filter: 'V9*.sql' # TODO: Update this if necessary + path-to-lint-config: ./.tsqllintrc # TODO: Update this with the path to your project's .tsllintrc file + + build-database: + runs-on: im-linux + needs: [set-vars, lint-migration-files] # TODO: Remove any jobs you deleted above + if: ${{ needs.set-vars.outputs.should-skip-remaining-workflow-jobs == 'false' }} # TODO: Remove this if there is no snapshot commit that should cause this step to be skipped. + + env: + SQL_SERVER_PASSWORD: 'StrongPassword!1' + + services: + sqlserver: + image: mcr.microsoft.com/mssql/server:2022-latest + ports: + - 1433:1433 + options: -e "ACCEPT_EULA=Y" -e "MSSQL_SA_PASSWORD=StrongPassword!1" + + steps: + - uses: actions/checkout@v4 + + - name: Install Flyway + uses: im-open/setup-flyway@v1.1 + with: + version: 7.2.0 # This version works with the current version of build-database-ci-action. Newer versions might, but they should be tested. + + - name: Build Database + uses: im-open/build-database-ci-action@v3.3 + with: + # TODO: These parameters are the most commonly used. They tell the action to create the repo's database on the Action Runner, + # validate and run the repo's migration scripts, run tests, and seed data into the database for future needs (like integration tests). + # There is more configuration for the action that can happen though, and more it can do. + # See https://github.com/im-open/build-database-ci-action for detailed documentation and examples. 
+ db-server-name: ${{ env.DB_SERVER_NAME }} + db-name: ${{ env.DB_NAME }} + create-database-file: '' # TODO: Add the path to the create database file (often called Initialization.sql) + migration-files-path: '' # TODO: Add the path to the directory with your migration files + should-validate-migrations: true # This will make flyway validate the migration scripts before running them + run-tests: true + test-files-path: '' # TODO: Add the path to the directory with your test files + seed-data: true + seed-data-files-path: '' # TODO: Add the path to the directory with your seed data files + use-integrated-security: false + db-username: 'sa' # The default system administrator account that comes with SQL Server. This is the only account set up in our self hosted Action Runners' SQL Server instances. + db-password: ${{ env.SQL_SERVER_PASSWORD }} + + + ######################################################################################################################### + # The previous three steps are all that most builds will need. They will build your database on the Action Runner and run any tests you have. + # The following steps are for the three activities mentioned at the start of this template. + # 1. Creating snapshots + # 2. Creating mock sql objects + # 3. Creating a backup + # Remove the ones that are unnecessary for your repo's CI process. + ######################################################################################################################### + + # The next four steps can be removed if your build doesn't need to create snapshots of database objects. + # Otherwise they can be uncommented and the TODO's addressed. 
+ # TODO: Replace what is in this step with what your build needs in order to determine what database objects have changed + # The output is a json string containing a list of objects with the following properties (see https://github.com/im-open/increment-database-object-snapshots#inputs for more information) + # * objectName + # * schemaName + # * objectType + # * operationType + # - name: Get db objects that have changed + # id: changed-objects + # shell: pwsh + # run: | + # $changedObjectsQuery = + # "SELECT + # objectId, + # schemaName, + # objectName, + # CASE objectType + # WHEN 'U' THEN 'Tables' + # WHEN 'V' THEN 'Views' + # WHEN 'P' THEN 'StoredProcedures' + # WHEN 'SO' THEN 'Sequences' + # WHEN 'TF' THEN 'UserDefinedFunctions' + # WHEN 'FN' THEN 'UserDefinedFunctions' + # WHEN 'IF' THEN 'UserDefinedFunctions' + # WHEN 'SN' THEN 'Synonyms' + # ELSE objectType + # END AS objectType, + # operationType + # FROM DBA.V_ChangedObjectsForSnapshot" + + # $changedObjects = Invoke-Sqlcmd -ServerInstance "${{ env.DB_SERVER_NAME }}" -Database "${{ env.DB_NAME }}" -Query $changedObjectsQuery + # $mappedObjects = $changedObjects | foreach-object { @{ schemaName=$_.schemaName; objectName=$_.objectName; objectType=$_.objectType; operationType=$_.operationType } } + # $objectsAsJson = $mappedObjects | ConvertTo-Json -Compress + + # "json=$objectsAsJson" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + + # - name: Increment snapshots + # uses: im-open/increment-database-object-snapshots@v1.0 + # with: + # db-name: ${{ env.DB_NAME }} + # instance-name: ${{ env.DB_SERVER_NAME }} + # snapshot-path: ${{ env.SNAPSHOT_PATH }} + # objects-to-increment: '${{ steps.changed-objects.outputs.json }}' + # excluded-db-objects: ${{ env.EXCLUDED_DB_SNAPSHOT_OBJECTS }} + + # - name: Setup git for snapshot commit + # run: | + # git config user.name github-actions + # git config user.email github-actions@github.com + + # TODO: Update the commit message if desired + # - name: Commit the 
snapshots + # run: | + # git add ${{ env.SNAPSHOT_PATH }} + # git commit -m "Automated Snapshot Commit" + # git push -f origin HEAD + + ##### End of snapshot steps ##### + + + # This allows the next steps to authenticate with and push to GitHub Packages. + # If you aren't using the steps below you can remove this one. + # - name: Authenticate with GitHub Packages + # uses: im-open/authenticate-with-gh-package-registries@v1.1 + # with: + # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret + # orgs: 'im-practices,im-client' # TODO: Verify list of orgs packages will be pulled from + + # Remove this if you don't need to publish mock sql objects + # - name: Create and publish views from tables + # uses: im-open/sql-view-to-table-generator@v1.1 + # with: + # schema-names: 'dbo,CustomSchema' # TODO: Replace this with an actual list + # db-name: ${{ env.DB_NAME }} + # db-server: ${{ env.DB_SERVER_NAME }} + # default-branch: ${{ env.DEFAULT_BRANCH }} + # nuget-retrieval-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} + # publish-packages: true + # nuget-publish-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} + # nuget-api-key: '${{ secrets.GITHUB_TOKEN }}' # Special per-job token generated by GH for interacting with the repo + # repository-url: ${{ github.repositoryUrl }} + + # TODO: This is needed only if you have to update what objects have changed so it can be used in another step like changed-objects. + # Remove or update as needed. 
+ # - name: Update database object versions + # shell: pwsh + # run: | + # $updateObjectVersionsSQL = "EXEC DBA.usp_UpdateCheckSumForChangedObjectDefinitions;" + # Invoke-Sqlcmd -ServerInstance "${{ env.DB_SERVER_NAME }}" -Database "${{ env.DB_NAME }}" $updateObjectVersionsSQL + + # TODO: Remove this if your build doesn't need to create/publish backup files + # - name: Create and publish backup files + # uses: im-open/create-and-publish-db-backup-file@v1.1 + # with: + # db-server: ${{ env.DB_SERVER_NAME }} + # db-name: ${{ env.DB_NAME }} + # backup-path: '${{ env.BACKUP_PATH }}' # This can be changed if needed + # backup-name: '${{ env.BACKUP_FILENAME }}' + # version: '1.1.${{ github.run_number }}' # TODO: Set to 1.1.*** in order to not conflict with previous versions from Teamcity. Update this if desired. + # nuget-source-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} + # nuget-api-key: '${{ secrets.GITHUB_TOKEN }}' # Special per-job token generated by GH for interacting with the repo + # repository-url: ${{ github.repositoryUrl }} + # authors: '' # TODO: This will get put in the .nuspec file. It should be updated with your team name or something similar. diff --git a/workflow-templates/im-build-dotnet-ci.yml b/workflow-templates/im-build-dotnet-ci.yml index a1f49aa9..17f4a2d1 100644 --- a/workflow-templates/im-build-dotnet-ci.yml +++ b/workflow-templates/im-build-dotnet-ci.yml @@ -62,7 +62,7 @@ jobs: # TODO: Remove this job and references to this job if the project does not use npm npm-cache: - runs-on: [self-hosted, im-linux] + runs-on: im-linux needs: [setup-build-workflow] if: needs.setup-build-workflow.outputs.CONTINUE_WORKFLOW == 'true' @@ -125,7 +125,7 @@ jobs: if: steps.has-cache.outputs.cache-hit != 'true' nuget-cache: - runs-on: [self-hosted, im-linux] + runs-on: im-linux needs: [setup-build-workflow] if: needs.setup-build-workflow.outputs.CONTINUE_WORKFLOW == 'true' 
@@ -191,7 +191,7 @@ jobs: if: steps.has-cache.outputs.cache-hit != 'true' dotnet-test: - runs-on: [self-hosted, im-linux] + runs-on: im-linux needs: [setup-build-workflow, nuget-cache] if: needs.setup-build-workflow.outputs.CONTINUE_WORKFLOW == 'true' @@ -351,7 +351,7 @@ jobs: # TODO: Remove this job if you do not have jest tests jest: - runs-on: [self-hosted, im-linux] + runs-on: im-linux needs: [setup-build-workflow, npm-cache] if: needs.setup-build-workflow.outputs.CONTINUE_WORKFLOW == 'true' @@ -460,7 +460,7 @@ jobs: retention-days: 15 # Cannot exceed 30 days. build-deployment-artifacts: - runs-on: [self-hosted, im-linux] + runs-on: im-linux needs: [setup-build-workflow, npm-cache, nuget-cache] if: needs.setup-build-workflow.outputs.CONTINUE_WORKFLOW == 'true' && needs.setup-build-workflow.outputs.CREATE_RELEASE == 'true' diff --git a/workflow-templates/im-build-increment-version-on-merge.yml b/workflow-templates/im-build-increment-version-on-merge.yml index e016dca7..56e1cdbd 100644 --- a/workflow-templates/im-build-increment-version-on-merge.yml +++ b/workflow-templates/im-build-increment-version-on-merge.yml 
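Review bot: Dropping the `self-hosted` label leaves `runs-on: im-linux` on `build-deployment-artifacts` (and the `dotnet-test`, `jest` and cache jobs above it) matching whichever runner pool advertises the `im-linux` label, so job placement is now only as explicit as that label's uniqueness; the "a tag that does not exist on self-hosted runners" comments on `ubuntu-latest` in the other templates of this commit indicate both GitHub-hosted and self-hosted pools exist in this org. These CI templates appear to trigger on `pull_request` (the db and npm templates here do) and this job builds the release artifacts, so an unintended self-hosted placement would run PR code on persistent infrastructure with whatever credentials that runner holds. If `im-linux` is a GitHub-hosted larger-runner group, pin it unambiguously with `runs-on:` / `  group: im-linux` and confirm no self-hosted runner still carries the bare `im-linux` label; otherwise add a comment above `runs-on` stating which pool the label resolves to and why `self-hosted` was removed. The `build-deployment-artifacts` job continues beyond the hunk.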
@@ -1,57 +1,57 @@ -# Workflow Code: AngryGoose_v15 DO NOT REMOVE -# Purpose: -# Automatically calculates the next semantic version and creates a tag on the repository -# when a PR is merged. The tag is used in later workflows to deploy the tf or db. -# -# Note: -# This workflow should not be used to tag repos that have CI workflows that create their own releases, like -# the dotnet ci build because this workflow would conflict with that. This workflow is recommended for -# things like infrastructure repositories or database projects that do not have a CI build which increments -# their versions. -# -# Frequency: -# This workflow should only be used once per repository -# If the repo has multiple projects that need this workflow (like db and tf), multiple tags can be generated with -# with this workflow by duplicating the increment version step and including different 'tag-prefix' args. -# -# Projects to use this Template with: -# - Azure SQL Database (Core Template) -# - On-Prem Database (Core Template) -# - Storage Account Deployments (Core Template) -# - Terraform (Core Template) - -name: Increment Version on Merge -on: - pull_request: - types: [closed] - -jobs: - increment-version: - if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' # TODO: verify default branch name - - runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners - - steps: - - name: Checkout Repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - # Because this is running only on merged PRs, the default behavior of always checking out the merge commit is correct here. 
- - # See https://github.com/im-open/git-version-lite for more details around how to increment major/minor/patch through commit messages - - name: Increment the version - id: calculate_version - uses: im-open/git-version-lite@v3.0 - with: - default-release-type: major # This means if the action cannot find a tag, it will start at v1.0.0 - - - name: Create version tag on GitHub - uses: actions/github-script@v7 - with: - script: | - github.rest.git.createRef({ - owner: context.repo.owner, - repo: context.repo.repo, - ref: 'refs/tags/${{ steps.calculate_version.outputs.NEXT_VERSION}}', - sha: context.sha // context.sha is the SHA of the merge commit - }) +# Workflow Code: AngryGoose_v15 DO NOT REMOVE +# Purpose: +# Automatically calculates the next semantic version and creates a tag on the repository +# when a PR is merged. The tag is used in later workflows to deploy the tf or db. +# +# Note: +# This workflow should not be used to tag repos that have CI workflows that create their own releases, like +# the dotnet ci build because this workflow would conflict with that. This workflow is recommended for +# things like infrastructure repositories or database projects that do not have a CI build which increments +# their versions. +# +# Frequency: +# This workflow should only be used once per repository +# If the repo has multiple projects that need this workflow (like db and tf), multiple tags can be generated with +# with this workflow by duplicating the increment version step and including different 'tag-prefix' args. 
+# +# Projects to use this Template with: +# - Azure SQL Database (Core Template) +# - On-Prem Database (Core Template) +# - Storage Account Deployments (Core Template) +# - Terraform (Core Template) + +name: Increment Version on Merge +on: + pull_request: + types: [closed] + +jobs: + increment-version: + if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' # TODO: verify default branch name + + runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + # Because this is running only on merged PRs, the default behavior of always checking out the merge commit is correct here. + + # See https://github.com/im-open/git-version-lite for more details around how to increment major/minor/patch through commit messages + - name: Increment the version + id: calculate_version + uses: im-open/git-version-lite@v3.0 + with: + default-release-type: major # This means if the action cannot find a tag, it will start at v1.0.0 + + - name: Create version tag on GitHub + uses: actions/github-script@v7 + with: + script: | + github.rest.git.createRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: 'refs/tags/${{ steps.calculate_version.outputs.NEXT_VERSION}}', + sha: context.sha // context.sha is the SHA of the merge commit + }) diff --git a/workflow-templates/im-build-npm-package.yml b/workflow-templates/im-build-npm-package.yml index 8a2dd619..bf918dae 100644 --- a/workflow-templates/im-build-npm-package.yml +++ b/workflow-templates/im-build-npm-package.yml 
@@ -1,158 +1,158 @@ -# Workflow Code: GloomyBadger_v33 DO NOT REMOVE -# Purpose: -# Automatically calculates the next semantic version, runs an npm ci, an npm run tests -# if there is one, an npm publish and then pushes a latest tag for main builds. When the -# PR is merged, the package versions created for each branch commit in the PR are removed. -# -# Frequency: This workflow should be duplicated once per npm package in the repository -# -# Projects to use this Template with: -# - npm Package (Core Template) -# -# TODO: Prerequisites: -# - Update the package.json file required values for GH Packages (name, version, repository, publishConfig.registry) -# https://github.com/im-practices/git-er-done/blob/main/packages/publish-npm.md -# - This workflow uses the elevated GH_PACKAGES_TOKEN secret to read/write/delete packages. This is an org-level secret but is -# only available to select repos. To use this let a member of SWAT or Infra-Purple know and it can be enabled for your repo. - -name: 'Build and Publish npm Package' - -on: - # This workflow will run for the PR events: - # opened/reopened: A PR is opened/re-opened, - # synchronize: The PR's head branch is updated (commits pushed, the base branch changed or the head is updated from the base branch) - # closed: A PR is merged or closed (The setup-build-workflow job makes sure we only run if a merge happened, not when a close happens) - pull_request: - # TODO: This will create a new npm package for each push to the PR, determine if that is the desired behavior or if you only - # want a package created when a merge to main happens. 
- types: [opened, reopened, synchronize, closed] - - # TODO: If there are multiple projects in the repo, add the path to the npm package project so changes to those projects don't trigger this workflow - # If the repo only contains the npm package project, delete the paths: - paths: - - '' - -env: - TIMEZONE: 'america/denver' - REPO_URL: '${{ github.server_url }}/${{ github.repository }}' - -jobs: - # This job utilizes a reusable workflow which will: - # 1 - Examine the triggers and set various flags for subsequent jobs to use when evaluating whether to run - # 2 - Print a workflow summary - # 3 - Generate the next version for the repo - setup-build-workflow: - uses: im-practices/.github/.github/workflows/im-reusable-setup-build-workflow.yml@v2 - with: - tag-prefix: 'none' # TODO: verify your prefix, the new ci workflows add v automatically but npm packages typically won't have a prefix - # default-branch: main # TODO: Update and include this argument if default branch is different - # workflow-summary : | # TODO: If desired, the workflow summary that is generated can be overridden by providing this custom value. 
- - build-and-publish-to-gpr: - runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners - needs: [setup-build-workflow] - if: needs.setup-build-workflow.outputs.CONTINUE_WORKFLOW == 'true' - - env: - NEXT_VERSION: ${{ needs.setup-build-workflow.outputs.NEXT_VERSION }} - IS_PRERELEASE: ${{ needs.setup-build-workflow.outputs.IS_PRERELEASE }} - CREATE_RELEASE: ${{ needs.setup-build-workflow.outputs.CREATE_RELEASE }} - DIST_TAG: ${{ needs.setup-build-workflow.outputs.DIST_TAG }} - REF_TO_BUILD_AND_TAG: ${{ needs.setup-build-workflow.outputs.REF_TO_BUILD_AND_TAG }} - - defaults: - run: - shell: bash - working-directory: '' # TODO: Add the path to the npm package project - - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ env.REF_TO_BUILD_AND_TAG }} - - - uses: actions/setup-node@v4 - with: - node-version: 16 # TODO: verify node version - registry-url: https://npm.pkg.github.com/ - - # TODO: If the project contains dependencies to other npm packages in GitHub's npm package registry, uncomment this step, otherwise delete - # - name: Authenticate with GitHub Packages for Restoring Packages - # uses: im-open/authenticate-with-gh-package-registries@v1.1 - # with: - # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret - # orgs: 'im-client,im-enrollment,im-practices' # TODO: Verify list of orgs packages will be pulled from - - # TODO: Add any additional flags you need to version your project like --allow-same-version - - run: npm version ${{ env.NEXT_VERSION }} - - # TODO: Add any additional flags you need to restore packages in your project like --ignore-scripts - # TODO: For some projects you may need several commands, one to do this at the root, one to change directories and one to do it in the package dir - - run: npm ci - - # TODO: If you have tests that run for the npm package, add a new run step with the appropriate npm command - # - run: npm run tests - - - name: reset 
.npmrc for publishing - run: npm set //npm.pkg.github.com/:_authToken '${{ secrets.GITHUB_TOKEN }}' - - - run: npm publish --tag ${{ env.DIST_TAG }} - env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo - - - name: Create GitHub Tag and Release - if: env.CREATE_RELEASE == 'true' - id: create_release - uses: im-open/create-release@v3.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo - delete-existing-release: true # Handy when you hit 're-run jobs' on a workflow run - tag-name: ${{ env.NEXT_VERSION }} - prerelease: ${{ env.IS_PRERELEASE }} - commitish: ${{ env.REF_TO_BUILD_AND_TAG }} - - cleanup-prereleases: - if: always() && github.event.action == 'closed' - runs-on: ubuntu-latest - steps: - - name: Cleanup the branch pre-releases for all closed PRs - uses: im-open/delete-prereleases-for-branch@v1.2 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - branch-name: ${{ github.head_ref }} - - - name: Cleanup pre-release packages - if: always() - uses: im-open/delete-branch-package-versions@v3.1 - with: - github-token: ${{ secrets.GH_PACKAGES_TOKEN }} # This is a special org-level secret that needs to be authorized for this repo - organization: ${{ github.repository_owner }} - branch-name: ${{ github.head_ref }} - package-type: 'npm' - package-names: '' # TODO: Add comma separated list of packages to delete (the base name without any versions, like IdentityCient or Mktp.Logging) - - # This job utilizes a reusable workflow which will: - # 1 - Send a status to a teams channel - # 2 - Add a comment to the PR with the status/next version - # 3 - Check for workflow failures - finish-build: - if: always() && needs.setup-build-workflow.outputs.CONTINUE_WORKFLOW == 'true' - needs: [setup-build-workflow, build-and-publish-to-gpr] - uses: im-practices/.github/.github/workflows/im-reusable-finish-build-workflow.yml@v2 - with: - 
next-version: ${{ needs.build-and-publish-to-gpr.outputs.NEXT_VERSION }} - title-of-teams-post: 'Build and Publish to GH Packages' # TODO: Replace - is-merge-to-main: ${{ needs.setup-build-workflow.outputs.IS_MERGE_TO_MAIN }} - additional-pr-comment-content: | # TODO: Replace / below with actual values - - To test this version try running: - ```bash - npm install @/@${{ needs.build-and-publish-to-gpr.outputs.NEXT_VERSION }} - ``` - ms-teams-uri: ${{ vars.MS_TEAMS_URI }} - # timezone: 'america/denver' # TODO: Include this argument and update if your timezone is not america/denver - # custom-facts-for-team-channel: | # TODO: These are the custom facts that will be included the different Teams posts by default. If adjusting the facts that are supplied, they must be a valid JSON array. - # [ - # { "name": "Workflow", "value": "${{ github.workflow }}" }, - # { "name": "Run", "value": "${{ github.run_id }}" }, - # { "name": "Actor", "value": "${{ github.actor }}" }, - # { "name": "Version", "value": "${{ needs.build-and-publish-to-gpr.outputs.NEXT_VERSION }}" } - # ] +# Workflow Code: GloomyBadger_v33 DO NOT REMOVE +# Purpose: +# Automatically calculates the next semantic version, runs an npm ci, an npm run tests +# if there is one, an npm publish and then pushes a latest tag for main builds. When the +# PR is merged, the package versions created for each branch commit in the PR are removed. +# +# Frequency: This workflow should be duplicated once per npm package in the repository +# +# Projects to use this Template with: +# - npm Package (Core Template) +# +# TODO: Prerequisites: +# - Update the package.json file required values for GH Packages (name, version, repository, publishConfig.registry) +# https://github.com/im-practices/git-er-done/blob/main/packages/publish-npm.md +# - This workflow uses the elevated GH_PACKAGES_TOKEN secret to read/write/delete packages. This is an org-level secret but is +# only available to select repos. 
To use this let a member of SWAT or Infra-Purple know and it can be enabled for your repo. + +name: 'Build and Publish npm Package' + +on: + # This workflow will run for the PR events: + # opened/reopened: A PR is opened/re-opened, + # synchronize: The PR's head branch is updated (commits pushed, the base branch changed or the head is updated from the base branch) + # closed: A PR is merged or closed (The setup-build-workflow job makes sure we only run if a merge happened, not when a close happens) + pull_request: + # TODO: This will create a new npm package for each push to the PR, determine if that is the desired behavior or if you only + # want a package created when a merge to main happens. + types: [opened, reopened, synchronize, closed] + + # TODO: If there are multiple projects in the repo, add the path to the npm package project so changes to those projects don't trigger this workflow + # If the repo only contains the npm package project, delete the paths: + paths: + - '' + +env: + TIMEZONE: 'america/denver' + REPO_URL: '${{ github.server_url }}/${{ github.repository }}' + +jobs: + # This job utilizes a reusable workflow which will: + # 1 - Examine the triggers and set various flags for subsequent jobs to use when evaluating whether to run + # 2 - Print a workflow summary + # 3 - Generate the next version for the repo + setup-build-workflow: + uses: im-practices/.github/.github/workflows/im-reusable-setup-build-workflow.yml@v2 + with: + tag-prefix: 'none' # TODO: verify your prefix, the new ci workflows add v automatically but npm packages typically won't have a prefix + # default-branch: main # TODO: Update and include this argument if default branch is different + # workflow-summary : | # TODO: If desired, the workflow summary that is generated can be overridden by providing this custom value. 
+ + build-and-publish-to-gpr: + runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners + needs: [setup-build-workflow] + if: needs.setup-build-workflow.outputs.CONTINUE_WORKFLOW == 'true' + + env: + NEXT_VERSION: ${{ needs.setup-build-workflow.outputs.NEXT_VERSION }} + IS_PRERELEASE: ${{ needs.setup-build-workflow.outputs.IS_PRERELEASE }} + CREATE_RELEASE: ${{ needs.setup-build-workflow.outputs.CREATE_RELEASE }} + DIST_TAG: ${{ needs.setup-build-workflow.outputs.DIST_TAG }} + REF_TO_BUILD_AND_TAG: ${{ needs.setup-build-workflow.outputs.REF_TO_BUILD_AND_TAG }} + + defaults: + run: + shell: bash + working-directory: '' # TODO: Add the path to the npm package project + + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ env.REF_TO_BUILD_AND_TAG }} + + - uses: actions/setup-node@v4 + with: + node-version: 16 # TODO: verify node version + registry-url: https://npm.pkg.github.com/ + + # TODO: If the project contains dependencies to other npm packages in GitHub's npm package registry, uncomment this step, otherwise delete + # - name: Authenticate with GitHub Packages for Restoring Packages + # uses: im-open/authenticate-with-gh-package-registries@v1.1 + # with: + # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret + # orgs: 'im-client,im-enrollment,im-practices' # TODO: Verify list of orgs packages will be pulled from + + # TODO: Add any additional flags you need to version your project like --allow-same-version + - run: npm version ${{ env.NEXT_VERSION }} + + # TODO: Add any additional flags you need to restore packages in your project like --ignore-scripts + # TODO: For some projects you may need several commands, one to do this at the root, one to change directories and one to do it in the package dir + - run: npm ci + + # TODO: If you have tests that run for the npm package, add a new run step with the appropriate npm command + # - run: npm run tests + + - name: reset 
.npmrc for publishing + run: npm set //npm.pkg.github.com/:_authToken '${{ secrets.GITHUB_TOKEN }}' + + - run: npm publish --tag ${{ env.DIST_TAG }} + env: + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo + + - name: Create GitHub Tag and Release + if: env.CREATE_RELEASE == 'true' + id: create_release + uses: im-open/create-release@v3.1 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo + delete-existing-release: true # Handy when you hit 're-run jobs' on a workflow run + tag-name: ${{ env.NEXT_VERSION }} + prerelease: ${{ env.IS_PRERELEASE }} + commitish: ${{ env.REF_TO_BUILD_AND_TAG }} + + cleanup-prereleases: + if: always() && github.event.action == 'closed' + runs-on: ubuntu-latest + steps: + - name: Cleanup the branch pre-releases for all closed PRs + uses: im-open/delete-prereleases-for-branch@v1.2 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + branch-name: ${{ github.head_ref }} + + - name: Cleanup pre-release packages + if: always() + uses: im-open/delete-branch-package-versions@v3.1 + with: + github-token: ${{ secrets.GH_PACKAGES_TOKEN }} # This is a special org-level secret that needs to be authorized for this repo + organization: ${{ github.repository_owner }} + branch-name: ${{ github.head_ref }} + package-type: 'npm' + package-names: '' # TODO: Add comma separated list of packages to delete (the base name without any versions, like IdentityCient or Mktp.Logging) + + # This job utilizes a reusable workflow which will: + # 1 - Send a status to a teams channel + # 2 - Add a comment to the PR with the status/next version + # 3 - Check for workflow failures + finish-build: + if: always() && needs.setup-build-workflow.outputs.CONTINUE_WORKFLOW == 'true' + needs: [setup-build-workflow, build-and-publish-to-gpr] + uses: im-practices/.github/.github/workflows/im-reusable-finish-build-workflow.yml@v2 + with: + 
next-version: ${{ needs.build-and-publish-to-gpr.outputs.NEXT_VERSION }}
+ title-of-teams-post: 'Build and Publish to GH Packages' # TODO: Replace
+ is-merge-to-main: ${{ needs.setup-build-workflow.outputs.IS_MERGE_TO_MAIN }}
+ additional-pr-comment-content: | # TODO: Replace / below with actual values
+ - To test this version try running:
+ ```bash
+ npm install @/@${{ needs.build-and-publish-to-gpr.outputs.NEXT_VERSION }}
+ ```
+ ms-teams-uri: ${{ vars.MS_TEAMS_URI }}
+ # timezone: 'america/denver' # TODO: Include this argument and update if your timezone is not america/denver
+ # custom-facts-for-team-channel: | # TODO: These are the custom facts that will be included the different Teams posts by default. If adjusting the facts that are supplied, they must be a valid JSON array.
+ # [
+ # { "name": "Workflow", "value": "${{ github.workflow }}" },
+ # { "name": "Run", "value": "${{ github.run_id }}" },
+ # { "name": "Actor", "value": "${{ github.actor }}" },
+ # { "name": "Version", "value": "${{ needs.build-and-publish-to-gpr.outputs.NEXT_VERSION }}" }
+ # ]
diff --git a/workflow-templates/im-build-nuget-package.yml b/workflow-templates/im-build-nuget-package.yml
index 76c2d58c..e474e0cd 100644
--- a/workflow-templates/im-build-nuget-package.yml
+++ b/workflow-templates/im-build-nuget-package.yml
@@ -51,7 +51,7 @@ jobs:
 # workflow-summary : | # TODO: If desired, the workflow summary that is generated can be overridden by providing this custom value.
 build-test-publish:
- runs-on: [self-hosted, im-linux]
+ runs-on: im-linux
 needs: [setup-build-workflow]
 if: needs.setup-build-workflow.outputs.CONTINUE_WORKFLOW == 'true'
diff --git a/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml b/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml
index b6a1f1bd..4c9da8f7 100644
--- a/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml
+++ b/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml
@@ -29,7 +29,7 @@ permissions:
 jobs:
 auto-plan-the-tf:
- runs-on: [self-hosted, im-linux]
+ runs-on: im-linux
 strategy:
 matrix:
diff --git a/workflow-templates/im-deploy-az-app-manually.yml b/workflow-templates/im-deploy-az-app-manually.yml
index 10d1f2fa..7a979bdf 100644
--- a/workflow-templates/im-deploy-az-app-manually.yml
+++ b/workflow-templates/im-deploy-az-app-manually.yml
@@ -212,7 +212,7 @@ jobs:
 deploy-code:
 needs: [set-vars, stakeholder-approval, attestor-approval]
- runs-on: [self-hosted, im-linux]
+ runs-on: im-linux
 environment: ${{ needs.set-vars.outputs.GITHUB_SECRETS_ENVIRONMENT }}
 env:
diff --git a/workflow-templates/im-deploy-az-database.yml b/workflow-templates/im-deploy-az-database.yml
index fd4ae1be..5625423a 100644
--- a/workflow-templates/im-deploy-az-database.yml
+++ b/workflow-templates/im-deploy-az-database.yml
@@ -168,7 +168,7 @@ jobs:
 deploy-az-db:
 needs: [set-vars, stakeholder-approval, attestor-approval]
- runs-on: [self-hosted, im-linux]
+ runs-on: im-linux
 environment: ${{ needs.set-vars.outputs.GITHUB_SECRETS_ENVIRONMENT }}
 outputs:
 DB_NAME: ${{ steps.db-vars.outputs.DB_NAME }}
diff --git a/workflow-templates/im-deploy-az-swap-app-slots.yml b/workflow-templates/im-deploy-az-swap-app-slots.yml
index 5e9f458c..80ab24bf 100644
--- a/workflow-templates/im-deploy-az-swap-app-slots.yml
+++ b/workflow-templates/im-deploy-az-swap-app-slots.yml
@@ -1,150 +1,150 @@ -# Workflow Code: IrritatedHyena_v21 DO NOT REMOVE -# Purpose: -# Swaps deployment slots in a specified environment for an Azure App Service -# or Function outside of a deployment when someone kicks it off manually. -# -# Frequency: -# - This workflow can be duplicated once per app service or function -# -# Projects to use this Template with: -# - Azure App Service or Function (Optional Template) -# -# TODO: Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Swap Azure App Slots -run-name: Swap ${{ inputs.environment }} AZ App Slots -# This workflow can be kicked off manually and it can also be kicked off automatically from -# another workflow by using the repository_dispatch event trigger. This workflow is designed -# to know about each of your environments, so the only thing you need to input is the -# environment where slots will be toggled. - -on: - workflow_dispatch: - inputs: - environment: - description: The environment where slots are being swapped - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - open-pagerduty-window: - description: Open a pagerduty maintenance window - required: true - default: 'false' - type: boolean - # When using repository dispatch, the payload must have the following properties: - # { environment: 'dev|qa|stage|demo|uat|prod', 'open-pagerduty-window': 'true|false'} - repository_dispatch: - types: [swap_slots] - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - - -jobs: - swap-slots: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment || github.event.client_payload.environment }} - env: - PAGERDUTY_WINDOW_IN_MIN: 30 # TODO: Verify the length of your PD Maintenance Window - PAGERDUTY_WINDOW_DESC: 'Deploying Code to ${{ 
github.event.inputs.environment }} from GitHub Actions' # TODO: Verify this PD Maintenance Window Description - TARGET_SLOT: 'Production' # TODO: Verify that this is correct. This is the name azure uses by default. If you are using a different slot for your main site, update it here - SOURCE_SLOT: '' # TODO: Add the name of the source slot - AZ_APP_TYPE: 'webapp' # TODO: If this workflow is for an azure function, change this value to functionapp - ENVIRONMENT: ${{ github.event.inputs.environment || github.event.client_payload.environment }} - OPEN_WINDOW: ${{ github.event.inputs.open-pagerduty-window || github.event.client_payload.open-pagerduty-window }} - - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}` | - | Target Slot | `${{ env.TARGET_SLOT }}` | - | Source Slot | `${{ env.SOURCE_SLOT }}` | - | Open PD Window | `${{ env.OPEN_WINDOW }}` |' >> $GITHUB_STEP_SUMMARY - - # For more information and best practices on the usage and options available - # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions - - name: Set Variables - uses: im-open/set-environment-variables-by-scope@v1.1 - with: - scope: ${{ env.ENVIRONMENT }} - env: - # TODO: For the following inputs, fill in the value if you have the environment and delete the environment if it does not exist - # This variable is used to swap and delete slots - RESOURCE_GROUP@dev: '' - RESOURCE_GROUP@qa: '' - RESOURCE_GROUP@stage: '' - RESOURCE_GROUP@demo: '' - RESOURCE_GROUP@uat: '' - RESOURCE_GROUP@prod: '' - # This variable is used to swap and delete slots - AZ_APP_NAME@dev: '' - AZ_APP_NAME@qa: '' - AZ_APP_NAME@stage: '' - AZ_APP_NAME@demo: '' - AZ_APP_NAME@uat: '' - AZ_APP_NAME@prod: '' - - - name: Open a PagerDuty Maintenance Window - if: env.OPEN_WINDOW == 'true' - id: open-window - uses: im-open/open-pagerduty-maintenance-window@v1.3 - with: - pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY 
}} # This is an org-level secret - description: '${{ env.PAGERDUTY_WINDOW_DESC }}' - minutes: ${{ env.PAGERDUTY_WINDOW_IN_MIN }} - service-id: ${{ vars.PAGERDUTY_SERVICE_ID }} # This is an env-level variable - #service-ids: '' # TODO: Provide a comma separated list if there are multiple ids. 'PD01,PD02,PD03' - - - name: AZ Login - id: login - uses: azure/login@v2 - with: - # This is an org-level variable - tenant-id: ${{ vars.ARM_TENANT_ID }} - # These are env-level variables - subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - client-id: ${{ vars.ARM_CLIENT_ID }} - - - name: Swap - # ARM_SUBSCRIPTION_ID is an env-level variable - run: | - az ${{ env.AZ_APP_TYPE }} deployment slot swap \ - --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ - --resource-group ${{ env.RESOURCE_GROUP }} \ - --name ${{ env.AZ_APP_NAME }} \ - --slot ${{ env.SOURCE_SLOT }} \ - --target-slot ${{ env.TARGET_SLOT }} - - # TODO: Uncomment if you want to destroy the slot after swap. Delete if you don't. - # ARM_SUBSCRIPTION_ID is an env-level variable - # - run: | - # az ${{ env.AZ_APP_TYPE }} deployment slot delete \ - # --slot ${{ env.SOURCE_SLOT }} \ - # --name ${{ env.AZ_APP_NAME }} \ - # --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ - # --resource-group ${{ env.RESOURCE_GROUP }} - - - name: Azure logout - if: always() && steps.login.outcome == 'success' - run: | - az logout - az cache purge - az account clear - - - name: Close the PagerDuty Maintenance Window - if: always() && env.OPEN_WINDOW == 'true' && steps.open-window.outcome == 'success' - uses: im-open/close-pagerduty-maintenance-window@v1.2 - with: - pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret - maintenance-window-id: ${{ steps.open-window.outputs.maintenance-window-id }} +# Workflow Code: IrritatedHyena_v21 DO NOT REMOVE +# Purpose: +# Swaps deployment slots in a specified environment for an Azure App Service +# or Function outside of a deployment when someone kicks it off manually. 
+# +# Frequency: +# - This workflow can be duplicated once per app service or function +# +# Projects to use this Template with: +# - Azure App Service or Function (Optional Template) +# +# TODO: Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Swap Azure App Slots +run-name: Swap ${{ inputs.environment }} AZ App Slots +# This workflow can be kicked off manually and it can also be kicked off automatically from +# another workflow by using the repository_dispatch event trigger. This workflow is designed +# to know about each of your environments, so the only thing you need to input is the +# environment where slots will be toggled. + +on: + workflow_dispatch: + inputs: + environment: + description: The environment where slots are being swapped + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + open-pagerduty-window: + description: Open a pagerduty maintenance window + required: true + default: 'false' + type: boolean + # When using repository dispatch, the payload must have the following properties: + # { environment: 'dev|qa|stage|demo|uat|prod', 'open-pagerduty-window': 'true|false'} + repository_dispatch: + types: [swap_slots] + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + + +jobs: + swap-slots: + runs-on: im-linux + environment: ${{ github.event.inputs.environment || github.event.client_payload.environment }} + env: + PAGERDUTY_WINDOW_IN_MIN: 30 # TODO: Verify the length of your PD Maintenance Window + PAGERDUTY_WINDOW_DESC: 'Deploying Code to ${{ github.event.inputs.environment }} from GitHub Actions' # TODO: Verify this PD Maintenance Window Description + TARGET_SLOT: 'Production' # TODO: Verify that this is correct. This is the name azure uses by default. 
If you are using a different slot for your main site, update it here + SOURCE_SLOT: '' # TODO: Add the name of the source slot + AZ_APP_TYPE: 'webapp' # TODO: If this workflow is for an azure function, change this value to functionapp + ENVIRONMENT: ${{ github.event.inputs.environment || github.event.client_payload.environment }} + OPEN_WINDOW: ${{ github.event.inputs.open-pagerduty-window || github.event.client_payload.open-pagerduty-window }} + + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}` | + | Target Slot | `${{ env.TARGET_SLOT }}` | + | Source Slot | `${{ env.SOURCE_SLOT }}` | + | Open PD Window | `${{ env.OPEN_WINDOW }}` |' >> $GITHUB_STEP_SUMMARY + + # For more information and best practices on the usage and options available + # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions + - name: Set Variables + uses: im-open/set-environment-variables-by-scope@v1.1 + with: + scope: ${{ env.ENVIRONMENT }} + env: + # TODO: For the following inputs, fill in the value if you have the environment and delete the environment if it does not exist + # This variable is used to swap and delete slots + RESOURCE_GROUP@dev: '' + RESOURCE_GROUP@qa: '' + RESOURCE_GROUP@stage: '' + RESOURCE_GROUP@demo: '' + RESOURCE_GROUP@uat: '' + RESOURCE_GROUP@prod: '' + # This variable is used to swap and delete slots + AZ_APP_NAME@dev: '' + AZ_APP_NAME@qa: '' + AZ_APP_NAME@stage: '' + AZ_APP_NAME@demo: '' + AZ_APP_NAME@uat: '' + AZ_APP_NAME@prod: '' + + - name: Open a PagerDuty Maintenance Window + if: env.OPEN_WINDOW == 'true' + id: open-window + uses: im-open/open-pagerduty-maintenance-window@v1.3 + with: + pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret + description: '${{ env.PAGERDUTY_WINDOW_DESC }}' + minutes: ${{ env.PAGERDUTY_WINDOW_IN_MIN }} + service-id: ${{ vars.PAGERDUTY_SERVICE_ID }} # This is an env-level variable + 
#service-ids: '' # TODO: Provide a comma separated list if there are multiple ids. 'PD01,PD02,PD03' + + - name: AZ Login + id: login + uses: azure/login@v2 + with: + # This is an org-level variable + tenant-id: ${{ vars.ARM_TENANT_ID }} + # These are env-level variables + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + client-id: ${{ vars.ARM_CLIENT_ID }} + + - name: Swap + # ARM_SUBSCRIPTION_ID is an env-level variable + run: | + az ${{ env.AZ_APP_TYPE }} deployment slot swap \ + --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ + --resource-group ${{ env.RESOURCE_GROUP }} \ + --name ${{ env.AZ_APP_NAME }} \ + --slot ${{ env.SOURCE_SLOT }} \ + --target-slot ${{ env.TARGET_SLOT }} + + # TODO: Uncomment if you want to destroy the slot after swap. Delete if you don't. + # ARM_SUBSCRIPTION_ID is an env-level variable + # - run: | + # az ${{ env.AZ_APP_TYPE }} deployment slot delete \ + # --slot ${{ env.SOURCE_SLOT }} \ + # --name ${{ env.AZ_APP_NAME }} \ + # --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ + # --resource-group ${{ env.RESOURCE_GROUP }} + + - name: Azure logout + if: always() && steps.login.outcome == 'success' + run: | + az logout + az cache purge + az account clear + + - name: Close the PagerDuty Maintenance Window + if: always() && env.OPEN_WINDOW == 'true' && steps.open-window.outcome == 'success' + uses: im-open/close-pagerduty-maintenance-window@v1.2 + with: + pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret + maintenance-window-id: ${{ steps.open-window.outputs.maintenance-window-id }} diff --git a/workflow-templates/im-deploy-files-to-az-storage-account.yml b/workflow-templates/im-deploy-files-to-az-storage-account.yml index a90e8185..85f1ebc6 100644 --- a/workflow-templates/im-deploy-files-to-az-storage-account.yml +++ b/workflow-templates/im-deploy-files-to-az-storage-account.yml 
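Review bot: `PAGERDUTY_WINDOW_DESC` reads only `github.event.inputs.environment`, so on the `repository_dispatch` path (where `ENVIRONMENT` and the job's `environment:` fall back to `github.event.client_payload.environment`) the maintenance window is opened with an empty environment name in its description. Use the same fallback there: `PAGERDUTY_WINDOW_DESC: 'Deploying Code to ${{ github.event.inputs.environment || github.event.client_payload.environment }} from GitHub Actions'`. Relatedly, `client_payload.environment` is never constrained to the `workflow_dispatch` choice list before it selects the job's `environment:`, and it is expanded via `${{ env.ENVIRONMENT }}` inside the `run:` summary step; referencing it as `$ENVIRONMENT` in the shell removes a script-injection path from a crafted payload, though sending a dispatch already requires write access to the repo, so this is hardening rather than a new exposure. Neither point is introduced by this commit — the only textual difference visible in the hunk is the `runs-on` label.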
@@ -57,7 +57,7 @@ env:
 jobs:
 deploy-to-azure:
- runs-on: [self-hosted, im-linux]
+ runs-on: im-linux
 environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment:
diff --git a/workflow-templates/im-deploy-multiple-items-at-once.yml b/workflow-templates/im-deploy-multiple-items-at-once.yml
index 2569744c..2be8a7fa 100644
--- a/workflow-templates/im-deploy-multiple-items-at-once.yml
+++ b/workflow-templates/im-deploy-multiple-items-at-once.yml
@@ -1,118 +1,118 @@ -# Workflow Code: MercifulLlama_v17 DO NOT REMOVE -# Purpose: -# This is only required when teams have separate deployable artifacts (db/mfe/api/etc.) -# but they need each item to be deployed together. -# -# This workflow coordinates setting up environment variables, getting various stakeholder -# and attestor approvals, ensuring the tag is valid for prod deployments and then initiates -# individual deployments via repository_dispatch events. -# -# Note: -# This workflow is intended to be used with repos that have multiple deployable artifacts which are deployed together. It is not -# intended for repos that have a single deployable or repos with multiple deployable artifacts that are deployed independently. -# This workflow initiates multiple deployments but each deployable item should have their own streamlined deployment workflow set up. -# The streamlined deployment uses the normal workflow (app service/function, database, windows service, iis site, etc) but has -# instructions above the repository_dispatch trigger around the changes that need to be made. -# -# Frequency: -# - This workflow can be duplicated. A new workflow should be setup -# for each distinct group of items that needs to be deployed together. -# -# Projects to use this Template with: -# - Any project that needs to be deployed at the same time as others - -name: Deploy Multiple Items -run-name: Deploy ${{ inputs.tag }} to ${{ inputs.environment }} -on: - workflow_dispatch: - inputs: - tag: - description: The tag for the release that will be deployed. For Production, only tags reachable by the default branch will be accepted. 
- required: true - environment: - description: The environment to deploy to - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - -env: - ENVIRONMENT: ${{ inputs.environment }} - RELEASE_TAG: ${{ inputs.tag }} # This is the tag that we'll be deploying - -jobs: - # This job utilizes a reusable workflow which will: - # 1 - Verify the tag provided is a valid ref. - # 2 - If deploying to a production environment, verify the tag is reachable from the default branch - # and that the corresponding release is production ready (not pre-release or a draft). - setup-deployment-workflow: - uses: im-practices/.github/.github/workflows/im-reusable-setup-deployment-workflow.yml@v2 - with: - ref-to-deploy: ${{ inputs.tag }} - deployment-environment: ${{ inputs.environment }} - # production-environments: 'prod,prod-secondary' # TODO: Adjust and include the production-environments if necessary (some apps may need to add stage/stage-secondary to this list) - # default-branch: main # TODO: Update and include this arg if the default branch is not main - # workflow-summary : | # TODO: If desired, the workflow summary that is generated can be overridden by providing this custom value. - - # Each env has their own stakeholder approval environment. If no required reviewers are set for - # that environment, the workflow will continue without requiring anyone to approve the deployment. - stakeholder-approval: - needs: [setup-deployment-workflow] - runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners - environment: '${{ github.event.inputs.environment }} Stakeholder Approval' # Use inputs context because env context is not available to environment: - steps: - - run: | - echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." 
- echo "Stakeholder approval was received or no required reviewers were set for this environment." - - # Each env has their own attestor approval environment (meant for QA Attestations). If no required reviewers are set for - # that environment, the workflow will continue without requiring anyone to approve the deployment. - attestor-approval: - needs: [setup-deployment-workflow] - runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners - environment: '${{ github.event.inputs.environment }} Attestor Approval' # Use inputs context because env context is not available to environment: - steps: - - run: | - echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." - echo "Attestor approval was received or no required reviewers were set for this environment." - - initiate-deployments: - needs: [stakeholder-approval, attestor-approval] - runs-on: [self-hosted, im-linux] - - steps: - - run: echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." - - # The 'start deployment' blocks below will initiate the deployment of a single item by creating a repository dispatch event that tells GitHub to - # kick off a particular workflow. Each deployable item that will be started this way should have a streamlined copy of the appropriate workflow - # (app service/function, database, windows service, iis site, etc). The streamlined copy has a repository_dispatch event of a certain type that - # should match what is specified here. The streamlined workflow also won't have any of the tag verification/approvals/etc. - # - # Something to keep in mind is Actions doesn't wait for the streamlined workflow to finish, it will move on as soon as GitHub indicates the - # request has been received. 
If your use case is to have one streamlined deployment completely finish before starting the next one, the - # 'start deployment' block below should be copied to the bottom of the workflow that acts as a gate to the next deployment workflow. - - # TODO: Add a 'start deployment' block for each item that needs to be deployed. This is a 'fire and forget' method - - name: Start Deployment for # TODO: Add the name of the deployable - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.PIPELINE_BOT_PAT }} # This is an org-level secret #TODO: make sure im-pipeline-bot has at least write access to your repo - script: | - github.rest.repos.createDispatchEvent({ - owner: context.repo.owner, - repo: context.repo.repo, - event_type: "", // TODO: Get the type from the streamlined workflow that will be kicked off. This is listed in the types:[] under the repository_dispatch trigger. - client_payload: { - environment: "${{ env.ENVIRONMENT }}", - tag: "${{ env.RELEASE_TAG }}" - } - }); - - # TODO: If you need one deployment to wait for one to finish before it begins, consider - # using reusable workflows rather than the repository_dispatch event above - # https://docs.github.com/en/actions/learn-github-actions/reusing-workflows +# Workflow Code: MercifulLlama_v17 DO NOT REMOVE +# Purpose: +# This is only required when teams have separate deployable artifacts (db/mfe/api/etc.) +# but they need each item to be deployed together. +# +# This workflow coordinates setting up environment variables, getting various stakeholder +# and attestor approvals, ensuring the tag is valid for prod deployments and then initiates +# individual deployments via repository_dispatch events. +# +# Note: +# This workflow is intended to be used with repos that have multiple deployable artifacts which are deployed together. It is not +# intended for repos that have a single deployable or repos with multiple deployable artifacts that are deployed independently. 
+# This workflow initiates multiple deployments but each deployable item should have their own streamlined deployment workflow set up. +# The streamlined deployment uses the normal workflow (app service/function, database, windows service, iis site, etc) but has +# instructions above the repository_dispatch trigger around the changes that need to be made. +# +# Frequency: +# - This workflow can be duplicated. A new workflow should be setup +# for each distinct group of items that needs to be deployed together. +# +# Projects to use this Template with: +# - Any project that needs to be deployed at the same time as others + +name: Deploy Multiple Items +run-name: Deploy ${{ inputs.tag }} to ${{ inputs.environment }} +on: + workflow_dispatch: + inputs: + tag: + description: The tag for the release that will be deployed. For Production, only tags reachable by the default branch will be accepted. + required: true + environment: + description: The environment to deploy to + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + +env: + ENVIRONMENT: ${{ inputs.environment }} + RELEASE_TAG: ${{ inputs.tag }} # This is the tag that we'll be deploying + +jobs: + # This job utilizes a reusable workflow which will: + # 1 - Verify the tag provided is a valid ref. + # 2 - If deploying to a production environment, verify the tag is reachable from the default branch + # and that the corresponding release is production ready (not pre-release or a draft). 
+ setup-deployment-workflow: + uses: im-practices/.github/.github/workflows/im-reusable-setup-deployment-workflow.yml@v2 + with: + ref-to-deploy: ${{ inputs.tag }} + deployment-environment: ${{ inputs.environment }} + # production-environments: 'prod,prod-secondary' # TODO: Adjust and include the production-environments if necessary (some apps may need to add stage/stage-secondary to this list) + # default-branch: main # TODO: Update and include this arg if the default branch is not main + # workflow-summary : | # TODO: If desired, the workflow summary that is generated can be overridden by providing this custom value. + + # Each env has their own stakeholder approval environment. If no required reviewers are set for + # that environment, the workflow will continue without requiring anyone to approve the deployment. + stakeholder-approval: + needs: [setup-deployment-workflow] + runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners + environment: '${{ github.event.inputs.environment }} Stakeholder Approval' # Use inputs context because env context is not available to environment: + steps: + - run: | + echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." + echo "Stakeholder approval was received or no required reviewers were set for this environment." + + # Each env has their own attestor approval environment (meant for QA Attestations). If no required reviewers are set for + # that environment, the workflow will continue without requiring anyone to approve the deployment. 
+ attestor-approval: + needs: [setup-deployment-workflow] + runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners + environment: '${{ github.event.inputs.environment }} Attestor Approval' # Use inputs context because env context is not available to environment: + steps: + - run: | + echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." + echo "Attestor approval was received or no required reviewers were set for this environment." + + initiate-deployments: + needs: [stakeholder-approval, attestor-approval] + runs-on: im-linux + + steps: + - run: echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." + + # The 'start deployment' blocks below will initiate the deployment of a single item by creating a repository dispatch event that tells GitHub to + # kick off a particular workflow. Each deployable item that will be started this way should have a streamlined copy of the appropriate workflow + # (app service/function, database, windows service, iis site, etc). The streamlined copy has a repository_dispatch event of a certain type that + # should match what is specified here. The streamlined workflow also won't have any of the tag verification/approvals/etc. + # + # Something to keep in mind is Actions doesn't wait for the streamlined workflow to finish, it will move on as soon as GitHub indicates the + # request has been received. If your use case is to have one streamlined deployment completely finish before starting the next one, the + # 'start deployment' block below should be copied to the bottom of the workflow that acts as a gate to the next deployment workflow. + + # TODO: Add a 'start deployment' block for each item that needs to be deployed. 
This is a 'fire and forget' method
+ - name: Start Deployment for # TODO: Add the name of the deployable
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.PIPELINE_BOT_PAT }} # This is an org-level secret #TODO: make sure im-pipeline-bot has at least write access to your repo
+ script: |
+ github.rest.repos.createDispatchEvent({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ event_type: "", // TODO: Get the type from the streamlined workflow that will be kicked off. This is listed in the types:[] under the repository_dispatch trigger.
+ client_payload: {
+ environment: "${{ env.ENVIRONMENT }}",
+ tag: "${{ env.RELEASE_TAG }}"
+ }
+ });
+
+ # TODO: If you need one deployment to wait for one to finish before it begins, consider
+ # using reusable workflows rather than the repository_dispatch event above
+ # https://docs.github.com/en/actions/learn-github-actions/reusing-workflows
diff --git a/workflow-templates/im-deploy-on-prem-database.yml b/workflow-templates/im-deploy-on-prem-database.yml
index d17057ad..473392a4 100644
--- a/workflow-templates/im-deploy-on-prem-database.yml
+++ b/workflow-templates/im-deploy-on-prem-database.yml
@@ -116,7 +116,7 @@ jobs:
 deploy-on-prem-db:
 needs: [stakeholder-approval, attestor-approval]
- runs-on: [self-hosted, im-linux]
+ runs-on: im-linux
 environment: ${{ inputs.environment }} # Use inputs context because env context is not available to environment:
 outputs:
 DB_NAME: ${{ steps.environment-specific-vars.outputs.DB_NAME }}
diff --git a/workflow-templates/im-deploy-techdocs-site.yml b/workflow-templates/im-deploy-techdocs-site.yml
index 461e052e..3e4e5589 100644
--- a/workflow-templates/im-deploy-techdocs-site.yml
+++ b/workflow-templates/im-deploy-techdocs-site.yml
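Review bot: The `github-script` step in `initiate-deployments` builds `client_payload` by expanding `${{ env.ENVIRONMENT }}` and `${{ env.RELEASE_TAG }}` directly into JavaScript string literals, and `tag` is a free-text `workflow_dispatch` input, so a value containing a double quote or newline would alter the script rather than the payload. The `setup-deployment-workflow` job is described above as rejecting tags that are not valid refs, which narrows but does not exclude such characters, and creating a tag already needs repo write access, so treat this as hardening: read the values from the step's process environment instead, `environment: process.env.ENVIRONMENT,` and `tag: process.env.RELEASE_TAG` (the workflow-level `env:` block is exported to every step). A comment beside `PIPELINE_BOT_PAT` would also help future readers: the hunk's own text notes the streamlined workflows it dispatches carry none of the approval gates in this file, so anyone with write access can send the same `repository_dispatch` directly and the only remaining protection is whatever `environment:` rules the dispatched workflows enforce themselves. None of this is introduced by the commit, whose only visible change in this file is the `runs-on` label.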
@@ -1,93 +1,93 @@ -# Workflow Code: SparklyToad_v3 DO NOT REMOVE -# Purpose: -# Publishes a techdocs site to the storage account where TechHub -# looks for TechDocs. -# -# Frequency: -# - This workflow can be used once per TechDocs site or can be combined -# to publish multiple docs at once -# -# Projects to use this Template with: -# - Any project with TechDocs - -name: Publish TechDocs Site - -# TODO: Select the appropriate triggers for when TechDocs should be published -on: - # push: - # workflow_dispatch: - # pull_request: - # types: [closed] - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -jobs: - publish-techdocs-site: - runs-on: [self-hosted, im-techdocs] - - # TODO: Uncomment if you need this, otherwise remove it - # services: - # kroki: - # image: yuzutech/kroki - # ports: - # - 8000:8000 - - environment: dev - - env: - # These items will remain the same for all workflows - ACCOUNT_NAME: bdaimpna26techhubsa - CONTAINER_NAME: techdocs - - # This is project dependent. - # TODO: Replace kind and entity name based on the entity this techdocs site will belong to. - # The name can be found in catalog-info.yaml. - ENTITY_NAME: 'default//' - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - # All SPs that are owners of their rgrp's have access to publish to bdaimpna26techhubsa. - # Use the credentials for your SP to login and publish to the storage account. - - name: AZ Login - uses: azure/login@v2 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} # TODO: Verify this secret is set - # TODO: If the repo you are publishing from has federated access to the techdocs RGRP, you can use the secretless - # pattern below for accessing the rgrp, otherwise, you need to provide azure credentials for publishing the docs. 
- # # This is an org-level variable - # tenant-id: ${{ vars.ARM_TENANT_ID }} - # # These are env-level variables - # subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - # client-id: ${{ vars.ARM_CLIENT_ID }} - - - # The im-techdocs runner used in this workflow contains the TechDocs CLI & several plugins, see the installed items here: - # https://github.com/im-practices/coldstone-configs/blob/main/configs/im-techdocs.cold.json - # If additional plugins are needed, follow the same format as below or submit to modify the im-techdocs runner. - # - name: Install additional mkdocs plugins - # run: python -m pip install mkdocs-newsletter==1.* - - - name: Generate & Publish TechDocs Site - working-directory: '' # TODO: specify the working directory where the mkdocs.yaml file is located - run: | - techdocs-cli generate --no-docker --verbose - techdocs-cli publish --publisher-type azureBlobStorage --azureAccountName ${{ env.ACCOUNT_NAME }} --storage-name ${{ env.CONTAINER_NAME }} --entity ${{ env.ENTITY_NAME }} - - # TODO: To publish additional sites: - # 1 - Duplicate the 'Generate & Publish TechDocs Site' step - # 2 - Give each step a more specific name - # 3 - Update the working directory to the location of the additional site - # 4 - Update the --entity argument with the name of the additional site - - - name: Azure logout - if: always() - run: | - az logout - az cache purge - az account clear - \ No newline at end of file +# Workflow Code: SparklyToad_v3 DO NOT REMOVE +# Purpose: +# Publishes a techdocs site to the storage account where TechHub +# looks for TechDocs. 
+# +# Frequency: +# - This workflow can be used once per TechDocs site or can be combined +# to publish multiple docs at once +# +# Projects to use this Template with: +# - Any project with TechDocs + +name: Publish TechDocs Site + +# TODO: Select the appropriate triggers for when TechDocs should be published +on: + # push: + # workflow_dispatch: + # pull_request: + # types: [closed] + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +jobs: + publish-techdocs-site: + runs-on: im-techdocs + + # TODO: Uncomment if you need this, otherwise remove it + # services: + # kroki: + # image: yuzutech/kroki + # ports: + # - 8000:8000 + + environment: dev + + env: + # These items will remain the same for all workflows + ACCOUNT_NAME: bdaimpna26techhubsa + CONTAINER_NAME: techdocs + + # This is project dependent. + # TODO: Replace kind and entity name based on the entity this techdocs site will belong to. + # The name can be found in catalog-info.yaml. + ENTITY_NAME: 'default//' + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # All SPs that are owners of their rgrp's have access to publish to bdaimpna26techhubsa. + # Use the credentials for your SP to login and publish to the storage account. + - name: AZ Login + uses: azure/login@v2 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} # TODO: Verify this secret is set + # TODO: If the repo you are publishing from has federated access to the techdocs RGRP, you can use the secretless + # pattern below for accessing the rgrp, otherwise, you need to provide azure credentials for publishing the docs. 
+ # # This is an org-level variable + # tenant-id: ${{ vars.ARM_TENANT_ID }} + # # These are env-level variables + # subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + # client-id: ${{ vars.ARM_CLIENT_ID }} + + + # The im-techdocs runner used in this workflow contains the TechDocs CLI & several plugins, see the installed items here: + # https://github.com/im-practices/coldstone-configs/blob/main/configs/im-techdocs.cold.json + # If additional plugins are needed, follow the same format as below or submit to modify the im-techdocs runner. + # - name: Install additional mkdocs plugins + # run: python -m pip install mkdocs-newsletter==1.* + + - name: Generate & Publish TechDocs Site + working-directory: '' # TODO: specify the working directory where the mkdocs.yaml file is located + run: | + techdocs-cli generate --no-docker --verbose + techdocs-cli publish --publisher-type azureBlobStorage --azureAccountName ${{ env.ACCOUNT_NAME }} --storage-name ${{ env.CONTAINER_NAME }} --entity ${{ env.ENTITY_NAME }} + + # TODO: To publish additional sites: + # 1 - Duplicate the 'Generate & Publish TechDocs Site' step + # 2 - Give each step a more specific name + # 3 - Update the working directory to the location of the additional site + # 4 - Update the --entity argument with the name of the additional site + + - name: Azure logout + if: always() + run: | + az logout + az cache purge + az account clear + diff --git a/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml b/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml index b94dee21..3caaf514 100644 --- a/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml +++ b/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml @@ -59,7 +59,7 @@ jobs: auto-apply-tf: if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' # TODO: verify default branch name - runs-on: [self-hosted, im-linux] + runs-on: im-linux environment: 'Dev' 
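Review bot: The new side of this hunk grants `id-token: write` at the workflow level while the AZ Login step still authenticates with `creds: ${{ secrets.AZURE_CREDENTIALS }}`, a long-lived client secret, and the federated `tenant-id`/`subscription-id`/`client-id` inputs stay commented out, so the job is handed an OIDC token it never uses. Either adopt the commented secretless pattern or drop `id-token: write` until it is needed; an unused write-capable token is still broader than the job requires. The login step also carries no `id:`, so unlike the other runbooks in this patch the logout step runs `az logout` even when login failed; add `id: login` to the AZ Login step and guard the logout with `if: always() && steps.login.outcome == 'success'`. Whether a given repository already has federated access to the techdocs RGRP cannot be determined from this file.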
diff --git a/workflow-templates/im-deploy-tf-manual-apply.yml b/workflow-templates/im-deploy-tf-manual-apply.yml index 47a36283..ad52c1d0 100644 --- a/workflow-templates/im-deploy-tf-manual-apply.yml +++ b/workflow-templates/im-deploy-tf-manual-apply.yml @@ -161,7 +161,7 @@ jobs: tf-plan: needs: [set-vars, stakeholder-approval] - runs-on: [self-hosted, im-linux] + runs-on: im-linux environment: ${{ needs.set-vars.outputs.GITHUB_SECRETS_ENVIRONMENT }} env: PAGERDUTY_WINDOW_IN_MIN: 30 # TODO: Verify the length of your PD Maintenance Window @@ -290,7 +290,7 @@ jobs: tf-apply: needs: [set-vars, tf-plan, tf-plan-manual-approval, stakeholder-approval] - runs-on: [self-hosted, im-linux] + runs-on: im-linux environment: ${{ needs.set-vars.outputs.GITHUB_SECRETS_ENVIRONMENT }} defaults: diff --git a/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml b/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml index e273942a..0ea5ac7b 100644 --- a/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml +++ b/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml 
@@ -1,100 +1,100 @@
-# Workflow Code: CockySquirrel_v16 DO NOT REMOVE
-# Purpose:
-# Adds or updates an azure KeyVault secret in the specified
-# environment when someone kicks it off manually.
-#
-# Frequency:
-# - This workflow can be duplicated for each keyvault this repository contains
-#
-# Projects to use this Template with:
-# - Terraform (Optional Template)
-# - Azure App Service or Function (Optional Template)
-#
-# TODO: Prerequisites:
-# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository.
-
-name: Runbook - Add or update azure keyvault secret # TODO: You may wish to add the name of the key vault to this name and the file name if there are multiple key vaults this repository can add secrets to
-run-name: Add or Update ${{ inputs.secret_name }} in ${{ inputs.environment }}
-on:
- workflow_dispatch:
- inputs:
- secret_name:
- description: The name of the secret to add, azure requires it conform to the following pattern - ^[0-9a-zA-Z-]+$
- required: true
- secret_value:
- description: The value of the secret
- required: true
- environment:
- description: The environment to add the secret to
- required: true
- default: prod
- type: choice
- options: # TODO: Update for the environments that are available
- - dev
- - qa
- - stage
- - demo
- - uat
- - prod
-
-permissions:
- # Required for secretless azure access and deploys
- id-token: write
- contents: read
-
-jobs:
- set-secret:
- runs-on: [self-hosted, im-linux]
-
- environment: ${{ github.event.inputs.environment }}
-
- steps:
- - name: Mask the secret value
- uses: actions/github-script@v7
- with:
- script: |
- core.info(`Masking the value for ${context.payload.inputs.secret_name} so it is not exposed.`);
- core.setSecret(context.payload.inputs.secret_value);
-
- - run: |
- echo $'
- | Build Arguments | Value |
- | --- | --- |
- | Environment | `${{ github.event.inputs.environment }}` |
- | Secret Name | `${{ github.event.inputs.secret_name }}` |' >> $GITHUB_STEP_SUMMARY
-
- # For more information and best practices on the usage and options available
- # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions
- - name: Set Variables
- uses: im-open/set-environment-variables-by-scope@v1.1
- with:
- scope: ${{ github.event.inputs.environment }}
- env:
- # TODO: For the following keyvault name inputs, fill in the value if you have the environment and delete the environment if it does not exist
- KEYVAULT_NAME@dev: ''
- KEYVAULT_NAME@qa: ''
- KEYVAULT_NAME@stage: ''
- KEYVAULT_NAME@demo: ''
- KEYVAULT_NAME@uat: ''
- KEYVAULT_NAME@prod: ''
-
- - name: AZ Login
- id: login
- uses: azure/login@v2
- with:
- # This is an org-level variable
- tenant-id: ${{ vars.ARM_TENANT_ID }}
- # These are env-level variables
- subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }}
- client-id: ${{ vars.ARM_CLIENT_ID }}
-
- - name: keyvault add or update secret
- # ARM_SUBSCRIPTION_ID is an env-level variable
- run: az keyvault secret set --name ${{ github.event.inputs.secret_name }} --vault-name ${{ env.KEYVAULT_NAME }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} --value "${{ github.event.inputs.secret_value }}"
-
- - name: Azure logout
- if: always() && steps.login.outcome == 'success'
- run: |
- az logout
- az cache purge
- az account clear
+# Workflow Code: CockySquirrel_v16 DO NOT REMOVE
+# Purpose:
+# Adds or updates an azure KeyVault secret in the specified
+# environment when someone kicks it off manually.
+#
+# Frequency:
+# - This workflow can be duplicated for each keyvault this repository contains
+#
+# Projects to use this Template with:
+# - Terraform (Optional Template)
+# - Azure App Service or Function (Optional Template)
+#
+# TODO: Prerequisites:
+# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository.
+
+name: Runbook - Add or update azure keyvault secret # TODO: You may wish to add the name of the key vault to this name and the file name if there are multiple key vaults this repository can add secrets to
+run-name: Add or Update ${{ inputs.secret_name }} in ${{ inputs.environment }}
+on:
+ workflow_dispatch:
+ inputs:
+ secret_name:
+ description: The name of the secret to add, azure requires it conform to the following pattern - ^[0-9a-zA-Z-]+$
+ required: true
+ secret_value:
+ description: The value of the secret
+ required: true
+ environment:
+ description: The environment to add the secret to
+ required: true
+ default: prod
+ type: choice
+ options: # TODO: Update for the environments that are available
+ - dev
+ - qa
+ - stage
+ - demo
+ - uat
+ - prod
+
+permissions:
+ # Required for secretless azure access and deploys
+ id-token: write
+ contents: read
+
+jobs:
+ set-secret:
+ runs-on: im-linux
+
+ environment: ${{ github.event.inputs.environment }}
+
+ steps:
+ - name: Mask the secret value
+ uses: actions/github-script@v7
+ with:
+ script: |
+ core.info(`Masking the value for ${context.payload.inputs.secret_name} so it is not exposed.`);
+ core.setSecret(context.payload.inputs.secret_value);
+
+ - run: |
+ echo $'
+ | Build Arguments | Value |
+ | --- | --- |
+ | Environment | `${{ github.event.inputs.environment }}` |
+ | Secret Name | `${{ github.event.inputs.secret_name }}` |' >> $GITHUB_STEP_SUMMARY
+
+ # For more information and best practices on the usage and options available
+ # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions
+ - name: Set Variables
+ uses: im-open/set-environment-variables-by-scope@v1.1
+ with:
+ scope: ${{ github.event.inputs.environment }}
+ env:
+ # TODO: For the following keyvault name inputs, fill in the value if you have the environment and delete the environment if it does not exist
+ KEYVAULT_NAME@dev: ''
+ KEYVAULT_NAME@qa: ''
+ KEYVAULT_NAME@stage: ''
+ KEYVAULT_NAME@demo: ''
+ KEYVAULT_NAME@uat: ''
+ KEYVAULT_NAME@prod: ''
+
+ - name: AZ Login
+ id: login
+ uses: azure/login@v2
+ with:
+ # This is an org-level variable
+ tenant-id: ${{ vars.ARM_TENANT_ID }}
+ # These are env-level variables
+ subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }}
+ client-id: ${{ vars.ARM_CLIENT_ID }}
+
+ - name: keyvault add or update secret
+ # ARM_SUBSCRIPTION_ID is an env-level variable
+ run: az keyvault secret set --name ${{ github.event.inputs.secret_name }} --vault-name ${{ env.KEYVAULT_NAME }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} --value "${{ github.event.inputs.secret_value }}"
+
+ - name: Azure logout
+ if: always() && steps.login.outcome == 'success'
+ run: |
+ az logout
+ az cache purge
+ az account clear
diff --git a/workflow-templates/im-run-annotate-app-insights.yml b/workflow-templates/im-run-annotate-app-insights.yml
index d1e28203..ce0ed6d6 100644
--- a/workflow-templates/im-run-annotate-app-insights.yml
+++ b/workflow-templates/im-run-annotate-app-insights.yml
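Review bot: In the `keyvault add or update secret` step, `secret_name` and `secret_value` are expanded by `${{ }}` directly into the `run:` command line, so a value containing `"`, `$(` or a backtick is interpreted by the shell instead of being stored verbatim; the earlier `core.setSecret` only masks log output and does not change this. Dispatching the workflow requires write access, so this is mostly a footgun for legitimate operators whose secret contains shell metacharacters, but the fix is the same either way: pass both inputs through `env:` and quote the shell variables. The `--name` argument is also unquoted even though the description says Azure requires `^[0-9a-zA-Z-]+$`; quoting it at least turns a bad name into an Azure error rather than a mangled command.
```yaml
      - name: keyvault add or update secret
        # ARM_SUBSCRIPTION_ID is an env-level variable
        env:
          SECRET_NAME: ${{ github.event.inputs.secret_name }}
          SECRET_VALUE: ${{ github.event.inputs.secret_value }}
        run: az keyvault secret set --name "$SECRET_NAME" --vault-name "${{ env.KEYVAULT_NAME }}" --subscription "${{ vars.ARM_SUBSCRIPTION_ID }}" --value "$SECRET_VALUE"
```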
@@ -1,117 +1,117 @@ -# Workflow Code: EmpatheticDolphin_v18 DO NOT REMOVE -# Purpose: -# Creates an ad hoc app insights annotation for a specified -# environment when someone kicks it off manually. -# -# Frequency: -# - This workflow should only be used once per repository assuming -# there is only one app insights instance set up per env -# -# Projects to use this Template with: -# - Azure App Service or Function (Optional Template) -# - Azure SQL Database (Optional Template) -# - Terraform (Optional Template) -# -# TODO: Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Runbook - Annotate App Insights -run-name: Annotate ${{ inputs.eventName }} in ${{ inputs.environment }} App Insights -on: - workflow_dispatch: - inputs: - environment: - description: The environment the service is in - required: true - default: prod - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - category: - description: The category of the annotation - required: false - default: 'Deployment' - eventName: - description: The name of the release/tag that will be deployed or the event that will be annotated. If there are multiple deployables in the repo you should include the project it is for. - required: true - customMetadata: - description: 'The comma separated custom metadata pairs. 
Format: name1=value1,name2=value2' - required: false - default: '' - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - -jobs: - create-annotation: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}` | - | Category | `${{ github.event.inputs.category }}` | - | EventName | `${{ github.event.inputs.eventName }}` | - | Custom Metadata | `${{ github.event.inputs.customMetadata }}`|' >> $GITHUB_STEP_SUMMARY - - # For more information and best practices on the usage and options available - # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions - - name: Set Variables - id: set-variables - uses: im-open/set-environment-variables-by-scope@v1.1 - with: - scope: ${{ github.event.inputs.environment }} - env: - # This variable is used to upload and download blobs from blob storage - RESOURCE_GROUP@dev: '' - RESOURCE_GROUP@qa: '' - RESOURCE_GROUP@stage: '' - RESOURCE_GROUP@demo: '' - RESOURCE_GROUP@uat: '' - RESOURCE_GROUP@prod: '' - # TODO: For the following app insights name inputs, fill in the value if you have the environment and delete the environment if it does not exist - APP_INSIGHTS_NAME@dev: '' - APP_INSIGHTS_NAME@qa: '' - APP_INSIGHTS_NAME@stage: '' - APP_INSIGHTS_NAME@demo: '' - APP_INSIGHTS_NAME@uat: '' - APP_INSIGHTS_NAME@prod: '' - - - name: AZ Login - id: login - uses: azure/login@v2 - with: - # This is an org-level variable - tenant-id: ${{ vars.ARM_TENANT_ID }} - # These are env-level variables - subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - client-id: ${{ vars.ARM_CLIENT_ID }} - - - name: annotate - uses: im-open/create-app-insights-annotation@v1.0 - with: - subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable - 
resourceGroupName: ${{ env.RESOURCE_GROUP }} - appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}' - releaseName: ${{ github.event.inputs.eventName }} - category: ${{ github.event.inputs.category }} - customMetadata: ${{ github.event.inputs.customMetadata }} - - - name: Azure logout - if: always() && steps.login.outcome == 'success' - run: | - az logout - az cache purge - az account clear +# Workflow Code: EmpatheticDolphin_v18 DO NOT REMOVE +# Purpose: +# Creates an ad hoc app insights annotation for a specified +# environment when someone kicks it off manually. +# +# Frequency: +# - This workflow should only be used once per repository assuming +# there is only one app insights instance set up per env +# +# Projects to use this Template with: +# - Azure App Service or Function (Optional Template) +# - Azure SQL Database (Optional Template) +# - Terraform (Optional Template) +# +# TODO: Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Runbook - Annotate App Insights +run-name: Annotate ${{ inputs.eventName }} in ${{ inputs.environment }} App Insights +on: + workflow_dispatch: + inputs: + environment: + description: The environment the service is in + required: true + default: prod + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + category: + description: The category of the annotation + required: false + default: 'Deployment' + eventName: + description: The name of the release/tag that will be deployed or the event that will be annotated. If there are multiple deployables in the repo you should include the project it is for. + required: true + customMetadata: + description: 'The comma separated custom metadata pairs. 
Format: name1=value1,name2=value2' + required: false + default: '' + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + +jobs: + create-annotation: + runs-on: im-linux + environment: ${{ github.event.inputs.environment }} + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}` | + | Category | `${{ github.event.inputs.category }}` | + | EventName | `${{ github.event.inputs.eventName }}` | + | Custom Metadata | `${{ github.event.inputs.customMetadata }}`|' >> $GITHUB_STEP_SUMMARY + + # For more information and best practices on the usage and options available + # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions + - name: Set Variables + id: set-variables + uses: im-open/set-environment-variables-by-scope@v1.1 + with: + scope: ${{ github.event.inputs.environment }} + env: + # This variable is used to upload and download blobs from blob storage + RESOURCE_GROUP@dev: '' + RESOURCE_GROUP@qa: '' + RESOURCE_GROUP@stage: '' + RESOURCE_GROUP@demo: '' + RESOURCE_GROUP@uat: '' + RESOURCE_GROUP@prod: '' + # TODO: For the following app insights name inputs, fill in the value if you have the environment and delete the environment if it does not exist + APP_INSIGHTS_NAME@dev: '' + APP_INSIGHTS_NAME@qa: '' + APP_INSIGHTS_NAME@stage: '' + APP_INSIGHTS_NAME@demo: '' + APP_INSIGHTS_NAME@uat: '' + APP_INSIGHTS_NAME@prod: '' + + - name: AZ Login + id: login + uses: azure/login@v2 + with: + # This is an org-level variable + tenant-id: ${{ vars.ARM_TENANT_ID }} + # These are env-level variables + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + client-id: ${{ vars.ARM_CLIENT_ID }} + + - name: annotate + uses: im-open/create-app-insights-annotation@v1.0 + with: + subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable + 
resourceGroupName: ${{ env.RESOURCE_GROUP }} + appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}' + releaseName: ${{ github.event.inputs.eventName }} + category: ${{ github.event.inputs.category }} + customMetadata: ${{ github.event.inputs.customMetadata }} + + - name: Azure logout + if: always() && steps.login.outcome == 'success' + run: | + az logout + az cache purge + az account clear diff --git a/workflow-templates/im-run-annotate-pagerduty-template.yml b/workflow-templates/im-run-annotate-pagerduty-template.yml index 12108d17..c1937952 100644 --- a/workflow-templates/im-run-annotate-pagerduty-template.yml +++ b/workflow-templates/im-run-annotate-pagerduty-template.yml @@ -43,7 +43,7 @@ env: jobs: create-annotation: - runs-on: [self-hosted, im-linux] + runs-on: im-linux environment: ${{ github.event.inputs.environment }} steps: - run: | diff --git a/workflow-templates/im-run-delete-azure-blob.yml b/workflow-templates/im-run-delete-azure-blob.yml index 30c1a9c2..b214a383 100644 --- a/workflow-templates/im-run-delete-azure-blob.yml +++ b/workflow-templates/im-run-delete-azure-blob.yml 
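Review bot: The summary step's `echo $'...'` interpolates the free-form `category`, `eventName` and `customMetadata` inputs straight into an ANSI-C quoted string, so a single `'` in any of them ends the string and whatever follows runs as shell on the runner. Only users who can dispatch the workflow reach these inputs, but the same values are harmless when read from the environment, so move them into `env:` and print them with `printf` instead of template expansion (`ENVIRONMENT` is already a workflow-level env var). Separately, the comment above `RESOURCE_GROUP@dev` (`# This variable is used to upload and download blobs from blob storage`) looks copied from a storage template; here the value feeds `resourceGroupName` of the annotation action, so `# Resource group containing the App Insights instance for this environment` would be accurate.
```yaml
      - env:
          CATEGORY: ${{ github.event.inputs.category }}
          EVENT_NAME: ${{ github.event.inputs.eventName }}
          CUSTOM_METADATA: ${{ github.event.inputs.customMetadata }}
        run: |
          {
            printf '| Build Arguments | Value |\n| --- | --- |\n'
            printf '| Environment | `%s` |\n' "$ENVIRONMENT"
            printf '| Category | `%s` |\n' "$CATEGORY"
            printf '| EventName | `%s` |\n' "$EVENT_NAME"
            printf '| Custom Metadata | `%s` |\n' "$CUSTOM_METADATA"
          } >> "$GITHUB_STEP_SUMMARY"
```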
@@ -1,92 +1,92 @@
-# Workflow Code: ScornfulFlamingo_v7 DO NOT REMOVE
-# Purpose:
-# Deletes a blob from a specified Azure Storage Account when someone kicks it off manually.
-#
-# Frequency:
-# - This workflow should only be used once per repository
-#
-# Projects to use this Template with:
-# - Storage Account Deployments (Core Template)
-#
-# TODO: Prerequisites:
-# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository.
-# - The SP used in this workflow needs an additional permission (StorageBlob Data Contributor) so it can delete blobs
-# https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal
-
-name: Delete Azure Blob
-run-name: Delete ${{ inputs.environment }} blob ${{ inputs.blob-name }}
-# TODO: Evaluate the appropriate triggers
-on:
- workflow_dispatch:
- inputs:
- storage-account-name:
- description: The name of the storage account where the blob to delete lives
- required: true
- container-name:
- description: The name of the storage account container where the blob to delete lives
- required: true
- blob-name:
- description: The name of the blob to delete
- required: true
- environment:
- description: The environment to delete the blob from
- required: true
- type: choice
- options: # TODO: Update for the environments that are available
- - dev
- - qa
- - stage
- - demo
- - uat
- - prod
-
-permissions:
- # Required for secretless azure access and deploys
- id-token: write
- contents: read
-
-jobs:
- delete-blob:
- runs-on: [self-hosted, im-linux]
-
- environment: ${{ github.event.inputs.environment }}
-
- steps:
- - run: |
- echo $'
- | Build Arguments | Value |
- | --- | --- |
- | Environment | `${{ github.event.inputs.environment }}` |
- | Storage Acct | `${{ github.event.inputs.storage-account-name }}` |
- | Container | `${{ github.event.inputs.container-name }}` |
- | Blob Name | `${{ github.event.inputs.blob-name }}` |' >> $GITHUB_STEP_SUMMARY
-
- - name: AZ Login
- id: login
- uses: azure/login@v2
- with:
- # This is an org-level variable
- tenant-id: ${{ vars.ARM_TENANT_ID }}
- # These are env-level variables
- subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }}
- client-id: ${{ vars.ARM_CLIENT_ID }}
-
- # This call uses RBAC (--auth-mode login) to delete files from the azure storage account.
- # No other key or connection string is needed. In order to delete files from a stg account
- # the SP that authenticates in the step above needs an additional permission (Storage
- # Blob Data Contributor). Without that permission, this call will not succeed.
- # https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal
- - name: Delete Blob
- run: |
- az storage blob delete \
- --auth-mode login \
- --account-name '${{ github.event.inputs.storage-account-name }}' \
- --container-name '${{ github.event.inputs.container-name }}' \
- --name '${{ github.event.inputs.blob-name }}'
-
- - name: Azure logout
- if: always() && steps.login.outcome == 'success'
- run: |
- az logout
- az cache purge
- az account clear
+# Workflow Code: ScornfulFlamingo_v7 DO NOT REMOVE
+# Purpose:
+# Deletes a blob from a specified Azure Storage Account when someone kicks it off manually.
+#
+# Frequency:
+# - This workflow should only be used once per repository
+#
+# Projects to use this Template with:
+# - Storage Account Deployments (Core Template)
+#
+# TODO: Prerequisites:
+# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository.
+# - The SP used in this workflow needs an additional permission (StorageBlob Data Contributor) so it can delete blobs
+# https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal
+
+name: Delete Azure Blob
+run-name: Delete ${{ inputs.environment }} blob ${{ inputs.blob-name }}
+# TODO: Evaluate the appropriate triggers
+on:
+ workflow_dispatch:
+ inputs:
+ storage-account-name:
+ description: The name of the storage account where the blob to delete lives
+ required: true
+ container-name:
+ description: The name of the storage account container where the blob to delete lives
+ required: true
+ blob-name:
+ description: The name of the blob to delete
+ required: true
+ environment:
+ description: The environment to delete the blob from
+ required: true
+ type: choice
+ options: # TODO: Update for the environments that are available
+ - dev
+ - qa
+ - stage
+ - demo
+ - uat
+ - prod
+
+permissions:
+ # Required for secretless azure access and deploys
+ id-token: write
+ contents: read
+
+jobs:
+ delete-blob:
+ runs-on: im-linux
+
+ environment: ${{ github.event.inputs.environment }}
+
+ steps:
+ - run: |
+ echo $'
+ | Build Arguments | Value |
+ | --- | --- |
+ | Environment | `${{ github.event.inputs.environment }}` |
+ | Storage Acct | `${{ github.event.inputs.storage-account-name }}` |
+ | Container | `${{ github.event.inputs.container-name }}` |
+ | Blob Name | `${{ github.event.inputs.blob-name }}` |' >> $GITHUB_STEP_SUMMARY
+
+ - name: AZ Login
+ id: login
+ uses: azure/login@v2
+ with:
+ # This is an org-level variable
+ tenant-id: ${{ vars.ARM_TENANT_ID }}
+ # These are env-level variables
+ subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }}
+ client-id: ${{ vars.ARM_CLIENT_ID }}
+
+ # This call uses RBAC (--auth-mode login) to delete files from the azure storage account.
+ # No other key or connection string is needed. In order to delete files from a stg account
+ # the SP that authenticates in the step above needs an additional permission (Storage
+ # Blob Data Contributor). Without that permission, this call will not succeed.
+ # https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal
+ - name: Delete Blob
+ run: |
+ az storage blob delete \
+ --auth-mode login \
+ --account-name '${{ github.event.inputs.storage-account-name }}' \
+ --container-name '${{ github.event.inputs.container-name }}' \
+ --name '${{ github.event.inputs.blob-name }}'
+
+ - name: Azure logout
+ if: always() && steps.login.outcome == 'success'
+ run: |
+ az logout
+ az cache purge
+ az account clear
diff --git a/workflow-templates/im-run-flyway-repair.yml b/workflow-templates/im-run-flyway-repair.yml
index c0c196eb..ed9e31dd 100644
--- a/workflow-templates/im-run-flyway-repair.yml
+++ b/workflow-templates/im-run-flyway-repair.yml
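Review bot: `storage-account-name`, `container-name` and `blob-name` are free-form inputs expanded by `${{ }}` into both the `echo $'...'` summary and the single-quoted `az storage blob delete` arguments, so a `'` in any of them breaks out of the quoting and the remainder is executed by the shell. Reading them from `env:` and double-quoting the shell variables closes that path without changing the happy-path behaviour. Note also that the storage account is not tied to the chosen `environment`: the identity `azure/login` assumes for, say, `dev` can delete from any account on which it holds Storage Blob Data Contributor, so if the per-environment accounts are known, consider resolving an `ACCOUNT_NAME@dev` style value with `set-environment-variables-by-scope` as the other runbooks in this patch do rather than accepting an arbitrary account name; how widely each SP is scoped cannot be seen from this file.
```yaml
      # … unchanged: RBAC comment above the step …
      - name: Delete Blob
        env:
          STORAGE_ACCOUNT: ${{ github.event.inputs.storage-account-name }}
          CONTAINER: ${{ github.event.inputs.container-name }}
          BLOB: ${{ github.event.inputs.blob-name }}
        run: |
          az storage blob delete \
            --auth-mode login \
            --account-name "$STORAGE_ACCOUNT" \
            --container-name "$CONTAINER" \
            --name "$BLOB"
```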
@@ -1,173 +1,173 @@ -# Workflow Code: SpiritedGnat_v20 DO NOT REMOVE -# Purpose: -# Runs a flyway repair command against an Azure SQL or -# On-Prem Database when someone kicks it off manually. -# -# Frequency: -# - This workflow can be duplicated once per database in the repository. -# -# Projects to use this Template with: -# - Azure Sql Database (Optional Template) -# - On-Prem Database (Optional Template) -# -# TODO: Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Runbook - Flyway Repair -run-name: Repair ${{ inputs.environment }} with ${{ inputs.branch-tag-sha }} -on: - workflow_dispatch: - inputs: - environment: - description: The environment the database is in - required: true - default: dev - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - branch-tag-sha: - description: The branch, tag or sha of the flyway scripts that should be repaired. 
- required: true - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} - DB_SERVER_PORT: '1433' # TODO: Verify that this is correct - MIGRATIONS_HISTORY_TABLE: 'MigrationHistory' # TODO: Verify this table name - PATH_TO_MIGRATION_FILES: '' # TODO: Add the path to the migrations folder - VAULT_URL: 'https://vault.mktp.io:8200/' # TODO: Remove this if this workflow is run against an azure database - -jobs: - repair-database-migrations: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}` | - | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY - - - name: Checkout Repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GITHUB_REF }} - - - name: Install Flyway - uses: im-open/setup-flyway@v1.1 - with: - version: 7.9.2 - - # TODO: Remove this step if this workflow is run against an on-prem database - # or if your database uses Azure Active Directory Authentication - - - name: AZ Login - id: login - uses: azure/login@v2 - with: - # TODO: If repairing an on prem database's migration history, the Service Principal these credentials are for needs to be given access to login to Vault. 
- # See this git-er-done article for more information: - # https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup - - # This is an org-level variable - tenant-id: ${{ vars.ARM_TENANT_ID }} - # These are env-level variables - subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - client-id: ${{ vars.ARM_CLIENT_ID }} - - # TODO: Use this for any variables that change per environment - - name: Set Database Vars - id: db-vars - uses: im-open/set-environment-variables-by-scope@v1.1 - with: - scope: ${{ env.ENVIRONMENT }} - create-output-variables: true - input-file: '' # TODO: if you have an input file with your variable substitutions, add them here - env: - DB_NAME@dev: '' - DB_NAME@qa: '' - DB_NAME@stage demo: '' - DB_NAME@prod: '' - DB_SERVER_NAME@dev: '' - DB_SERVER_NAME@qa: '' - DB_SERVER_NAME@stage demo: '' - DB_SERVER_NAME@prod: '' - # TODO: Remove this if this workflow is run against an on-prem database - AZURE_KEY_VAULT@dev: '' - AZURE_KEY_VAULT@qa: '' - AZURE_KEY_VAULT@stage demo: '' - AZURE_KEY_VAULT@prod: '' - - # TODO: Remove this step if this workflow is run against an on-prem database - # or if your database uses Azure Active Directory Authentication - # Get the Azure SQL Creds from Key Vault - - name: Get Azure SQL Credentials - run: | - sqlUser=$(az keyvault secret show --vault-name "${{ steps.db-vars.outputs.AZURE_KEY_VAULT }}" --name "sqluser" --query value) - sqlPassword=$(az keyvault secret show --vault-name "${{ steps.db-vars.outputs.AZURE_KEY_VAULT }}" --name "sqlpassword" --query value) - echo "::add-mask::$sqlPassword" - # trim quotes added by az keyvault command - sqlUser=$(sed -e 's/^"//' -e 's/"$//' <<<"$sqlUser") - sqlPassword=$(sed -e 's/^"//' -e 's/"$//' <<<"$sqlPassword") - echo "SQL_USER=$sqlUser" >> $GITHUB_ENV - echo "SQL_PASSWORD=$sqlPassword" >> $GITHUB_ENV - - # TODO: Uncomment this step if this workflow is run against an on-prem database - # - name: Get Vault Token - # id: vault_token - # 
uses: im-open/get-vault-token-for-azure-user@v1.1 - # with: - # # TODO: Add the Azure Auth Method Role that was setup in Vault and has access to your secrets. - # # See this git-er-done article for more information: - # # https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup - # vault-role: '' - # vault-url: '${{ env.VAULT_URL }}' - - # TODO: Uncomment this step if this workflow is run against an on-prem database - # - name: Import Secrets - # id: vault-secrets - # uses: hashicorp/vault-action@v3 - # with: - # url: '${{ env.VAULT_URL }}' - # token: '${{ steps.vault_token.outputs.client_token }}' - # # Warning! The formatting on the secrets parameter is intentional. The spaces, pipe, and semi-colon. Every secret, except the last one, needs a semi-colon at the end of the line. - # # See the action's documentation for more information: https://github.com/hashicorp/vault-action - # # TODO: Update (including the brackets) with your database Vault role name (see https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup). - # secrets: | - # database/static-creds/ username | SQL_USERNAME ; - # database/static-creds/ password | SQL_PASSWORD - - # TODO: If your database uses Azure Active Directory Authentication then you can login with a Service Principal - # instead of using the username and password of an account stored in Key Vault. - # See https://github.com/im-open/run-flyway-command for details. 
- - name: Flyway repair - uses: im-open/run-flyway-command@v1.5 - with: - flyway-command: 'repair' - db-server-name: ${{ steps.db-vars.outputs.DB_SERVER_NAME }} - db-server-port: ${{ env.DB_SERVER_PORT }} - db-name: ${{ steps.db-vars.outputs.DB_NAME }} - migration-history-table: ${{ env.MIGRATIONS_HISTORY_TABLE }} - migration-files-path: ${{ env.PATH_TO_MIGRATION_FILES }} - use-integrated-security: false - # These will be set by the step above this one, either by querying Azure Key Vault for Azure db's or Hashicorp Vault for on-prem db's - username: '${{ env.SQL_USER }}' - password: '${{ env.SQL_PASSWORD }}' - - - name: Azure logout - if: always() && steps.login.outcome == 'success' - run: | - az logout - az cache purge - az account clear +# Workflow Code: SpiritedGnat_v20 DO NOT REMOVE +# Purpose: +# Runs a flyway repair command against an Azure SQL or +# On-Prem Database when someone kicks it off manually. +# +# Frequency: +# - This workflow can be duplicated once per database in the repository. +# +# Projects to use this Template with: +# - Azure Sql Database (Optional Template) +# - On-Prem Database (Optional Template) +# +# TODO: Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Runbook - Flyway Repair +run-name: Repair ${{ inputs.environment }} with ${{ inputs.branch-tag-sha }} +on: + workflow_dispatch: + inputs: + environment: + description: The environment the database is in + required: true + default: dev + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + branch-tag-sha: + description: The branch, tag or sha of the flyway scripts that should be repaired. 
+ required: true + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} + DB_SERVER_PORT: '1433' # TODO: Verify that this is correct + MIGRATIONS_HISTORY_TABLE: 'MigrationHistory' # TODO: Verify this table name + PATH_TO_MIGRATION_FILES: '' # TODO: Add the path to the migrations folder + VAULT_URL: 'https://vault.mktp.io:8200/' # TODO: Remove this if this workflow is run against an azure database + +jobs: + repair-database-migrations: + runs-on: im-linux + environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}` | + | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY + + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GITHUB_REF }} + + - name: Install Flyway + uses: im-open/setup-flyway@v1.1 + with: + version: 7.9.2 + + # TODO: Remove this step if this workflow is run against an on-prem database + # or if your database uses Azure Active Directory Authentication + + - name: AZ Login + id: login + uses: azure/login@v2 + with: + # TODO: If repairing an on prem database's migration history, the Service Principal these credentials are for needs to be given access to login to Vault. 
+ # See this git-er-done article for more information: + # https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup + + # This is an org-level variable + tenant-id: ${{ vars.ARM_TENANT_ID }} + # These are env-level variables + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + client-id: ${{ vars.ARM_CLIENT_ID }} + + # TODO: Use this for any variables that change per environment + - name: Set Database Vars + id: db-vars + uses: im-open/set-environment-variables-by-scope@v1.1 + with: + scope: ${{ env.ENVIRONMENT }} + create-output-variables: true + input-file: '' # TODO: if you have an input file with your variable substitutions, add them here + env: + DB_NAME@dev: '' + DB_NAME@qa: '' + DB_NAME@stage demo: '' + DB_NAME@prod: '' + DB_SERVER_NAME@dev: '' + DB_SERVER_NAME@qa: '' + DB_SERVER_NAME@stage demo: '' + DB_SERVER_NAME@prod: '' + # TODO: Remove this if this workflow is run against an on-prem database + AZURE_KEY_VAULT@dev: '' + AZURE_KEY_VAULT@qa: '' + AZURE_KEY_VAULT@stage demo: '' + AZURE_KEY_VAULT@prod: '' + + # TODO: Remove this step if this workflow is run against an on-prem database + # or if your database uses Azure Active Directory Authentication + # Get the Azure SQL Creds from Key Vault + - name: Get Azure SQL Credentials + run: | + sqlUser=$(az keyvault secret show --vault-name "${{ steps.db-vars.outputs.AZURE_KEY_VAULT }}" --name "sqluser" --query value) + sqlPassword=$(az keyvault secret show --vault-name "${{ steps.db-vars.outputs.AZURE_KEY_VAULT }}" --name "sqlpassword" --query value) + echo "::add-mask::$sqlPassword" + # trim quotes added by az keyvault command + sqlUser=$(sed -e 's/^"//' -e 's/"$//' <<<"$sqlUser") + sqlPassword=$(sed -e 's/^"//' -e 's/"$//' <<<"$sqlPassword") + echo "SQL_USER=$sqlUser" >> $GITHUB_ENV + echo "SQL_PASSWORD=$sqlPassword" >> $GITHUB_ENV + + # TODO: Uncomment this step if this workflow is run against an on-prem database + # - name: Get Vault Token + # id: vault_token + # 
uses: im-open/get-vault-token-for-azure-user@v1.1 + # with: + # # TODO: Add the Azure Auth Method Role that was setup in Vault and has access to your secrets. + # # See this git-er-done article for more information: + # # https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup + # vault-role: '' + # vault-url: '${{ env.VAULT_URL }}' + + # TODO: Uncomment this step if this workflow is run against an on-prem database + # - name: Import Secrets + # id: vault-secrets + # uses: hashicorp/vault-action@v3 + # with: + # url: '${{ env.VAULT_URL }}' + # token: '${{ steps.vault_token.outputs.client_token }}' + # # Warning! The formatting on the secrets parameter is intentional. The spaces, pipe, and semi-colon. Every secret, except the last one, needs a semi-colon at the end of the line. + # # See the action's documentation for more information: https://github.com/hashicorp/vault-action + # # TODO: Update (including the brackets) with your database Vault role name (see https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup). + # secrets: | + # database/static-creds/ username | SQL_USERNAME ; + # database/static-creds/ password | SQL_PASSWORD + + # TODO: If your database uses Azure Active Directory Authentication then you can login with a Service Principal + # instead of using the username and password of an account stored in Key Vault. + # See https://github.com/im-open/run-flyway-command for details. 
+ - name: Flyway repair + uses: im-open/run-flyway-command@v1.5 + with: + flyway-command: 'repair' + db-server-name: ${{ steps.db-vars.outputs.DB_SERVER_NAME }} + db-server-port: ${{ env.DB_SERVER_PORT }} + db-name: ${{ steps.db-vars.outputs.DB_NAME }} + migration-history-table: ${{ env.MIGRATIONS_HISTORY_TABLE }} + migration-files-path: ${{ env.PATH_TO_MIGRATION_FILES }} + use-integrated-security: false + # These will be set by the step above this one, either by querying Azure Key Vault for Azure db's or Hashicorp Vault for on-prem db's + username: '${{ env.SQL_USER }}' + password: '${{ env.SQL_PASSWORD }}' + + - name: Azure logout + if: always() && steps.login.outcome == 'success' + run: | + az logout + az cache purge + az account clear diff --git a/workflow-templates/im-run-start-stop-restart-azure-app.yml b/workflow-templates/im-run-start-stop-restart-azure-app.yml index b6d31051..f5966187 100644 --- a/workflow-templates/im-run-start-stop-restart-azure-app.yml +++ b/workflow-templates/im-run-start-stop-restart-azure-app.yml 
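Review bot: In the "Get Azure SQL Credentials" step the `::add-mask::` is registered on the raw `az keyvault secret show` output, which (as the step's own comment notes) still carries the JSON double quotes, while the value exported to `$GITHUB_ENV` as `SQL_PASSWORD` is the sed-trimmed string without them, so the unquoted password the Flyway step actually receives is not the masked string and can appear in logs. Fetch the value already unquoted and mask that exact string: `sqlPassword=$(az keyvault secret show --vault-name "${{ steps.db-vars.outputs.AZURE_KEY_VAULT }}" --name "sqlpassword" --query value -o tsv)` followed by `echo "::add-mask::$sqlPassword"`, which also removes the need for the sed trimming. Separately, the free-text `branch-tag-sha` input is expanded by the expression engine inside the first step's `$'…'` shell string via `${{ env.GITHUB_REF }}`, so a value containing a single quote terminates the string and the remainder runs as shell in a job that holds the environment's OIDC identity; pass it through a step-level `env:` entry and reference it as a quoted shell variable instead. Apart from `runs-on`, this file section appears to be a whole-file rewrite with no other content change, which is worth a look at line endings before merging.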
@@ -1,124 +1,124 @@ -# Workflow Code: NeedyPig_v17 DO NOT REMOVE -# Purpose: -# Performs a start, stop or restart on an app service in the -# specified environment when someone kicks it off manually. -# -# Frequency: -# - This workflow should be duplicated once per app service/function in the repo. -# -# Projects to use this Template with: -# - Azure App Service or Function (Optional Template) -# -# TODO: Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Runbook - Start, stop or restart Azure App -run-name: ${{ inputs.action }} Azure App in ${{ inputs.environment }} -#TODO: You may wish to add the name of the app service/function to the names above and the file name if there are multiple app services or functions within the repository - -on: - workflow_dispatch: - inputs: - action: - description: The action that should be taken. - required: true - default: restart - type: choice - options: - - start - - stop - - restart - environment: - description: The environment the app is in - required: true - default: prod - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - ACTION: ${{ github.event.inputs.action }} - -jobs: - start-stop-restart: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: - - env: - AZ_APP_TYPE: 'webapp' # TODO: If this workflow is for an azure function change the value to 'functionapp' - - steps: - - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}`| - | Action | `${{ env.ACTION }}` |' >> $GITHUB_STEP_SUMMARY - - # For more information and 
best practices on the usage and options available - # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions - - name: Set Variables - id: set-variables - uses: im-open/set-environment-variables-by-scope@v1.1 - with: - scope: ${{ env.ENVIRONMENT }} - env: - # TODO: For the following inputs, fill in the value if you have the environment or delete the environment if it does not exist - RESOURCE_GROUP@dev: '' - RESOURCE_GROUP@qa: '' - RESOURCE_GROUP@stage: '' - RESOURCE_GROUP@demo: '' - RESOURCE_GROUP@uat: '' - RESOURCE_GROUP@prod: '' - APP_NAME@dev: '' - APP_NAME@qa: '' - APP_NAME@stage: '' - APP_NAME@demo: '' - APP_NAME@uat: '' - APP_NAME@prod: '' - # TODO: If this workflow is restarting a slot update these values, otherwise delete this section. - # TODO: If the slot has the same name in all environments, delete this section and populate the env.SLOT_NAME in the job below with the single value - # SLOT_NAME@dev: '' - # SLOT_NAME@qa: '' - # SLOT_NAME@stage: '' - # SLOT_NAME@demo: '' - # SLOT_NAME@uat: '' - # SLOT_NAME@prod: '' - - - run: echo "'${{ env.ACTION }}' will be peformed on ${{ env.ENVIRONMENT }} ${{ env.APP_NAME }}" - - - name: AZ Login - id: login - uses: azure/login@v2 - with: - # This is an org-level variable - tenant-id: ${{ vars.ARM_TENANT_ID }} - # These are env-level variables - subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - client-id: ${{ vars.ARM_CLIENT_ID }} - - # TODO: if you wish to perform any of the following actions on a slot, append the following to each of the commands: --slot ${{ env.SLOT_NAME }} - - # ARM_SUBSCRIPTION_ID is an env-level variable - - name: ${{ env.ACTION }} ${{ env.AZ_APP_TYPE }} - run: az ${{ env.AZ_APP_TYPE }} ${{ env.ACTION }} --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} - - - - name: Azure logout - if: always() && steps.login.outcome == 'success' - run: | - az logout - az cache purge - az account 
clear +# Workflow Code: NeedyPig_v17 DO NOT REMOVE +# Purpose: +# Performs a start, stop or restart on an app service in the +# specified environment when someone kicks it off manually. +# +# Frequency: +# - This workflow should be duplicated once per app service/function in the repo. +# +# Projects to use this Template with: +# - Azure App Service or Function (Optional Template) +# +# TODO: Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Runbook - Start, stop or restart Azure App +run-name: ${{ inputs.action }} Azure App in ${{ inputs.environment }} +#TODO: You may wish to add the name of the app service/function to the names above and the file name if there are multiple app services or functions within the repository + +on: + workflow_dispatch: + inputs: + action: + description: The action that should be taken. + required: true + default: restart + type: choice + options: + - start + - stop + - restart + environment: + description: The environment the app is in + required: true + default: prod + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + ACTION: ${{ github.event.inputs.action }} + +jobs: + start-stop-restart: + runs-on: im-linux + environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: + + env: + AZ_APP_TYPE: 'webapp' # TODO: If this workflow is for an azure function change the value to 'functionapp' + + steps: + + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}`| + | Action | `${{ env.ACTION }}` |' >> $GITHUB_STEP_SUMMARY + + # For more information and best practices on the usage 
and options available + # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions + - name: Set Variables + id: set-variables + uses: im-open/set-environment-variables-by-scope@v1.1 + with: + scope: ${{ env.ENVIRONMENT }} + env: + # TODO: For the following inputs, fill in the value if you have the environment or delete the environment if it does not exist + RESOURCE_GROUP@dev: '' + RESOURCE_GROUP@qa: '' + RESOURCE_GROUP@stage: '' + RESOURCE_GROUP@demo: '' + RESOURCE_GROUP@uat: '' + RESOURCE_GROUP@prod: '' + APP_NAME@dev: '' + APP_NAME@qa: '' + APP_NAME@stage: '' + APP_NAME@demo: '' + APP_NAME@uat: '' + APP_NAME@prod: '' + # TODO: If this workflow is restarting a slot update these values, otherwise delete this section. + # TODO: If the slot has the same name in all environments, delete this section and populate the env.SLOT_NAME in the job below with the single value + # SLOT_NAME@dev: '' + # SLOT_NAME@qa: '' + # SLOT_NAME@stage: '' + # SLOT_NAME@demo: '' + # SLOT_NAME@uat: '' + # SLOT_NAME@prod: '' + + - run: echo "'${{ env.ACTION }}' will be peformed on ${{ env.ENVIRONMENT }} ${{ env.APP_NAME }}" + + - name: AZ Login + id: login + uses: azure/login@v2 + with: + # This is an org-level variable + tenant-id: ${{ vars.ARM_TENANT_ID }} + # These are env-level variables + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + client-id: ${{ vars.ARM_CLIENT_ID }} + + # TODO: if you wish to perform any of the following actions on a slot, append the following to each of the commands: --slot ${{ env.SLOT_NAME }} + + # ARM_SUBSCRIPTION_ID is an env-level variable + - name: ${{ env.ACTION }} ${{ env.AZ_APP_TYPE }} + run: az ${{ env.AZ_APP_TYPE }} ${{ env.ACTION }} --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} + + + - name: Azure logout + if: always() && steps.login.outcome == 'success' + run: | + az logout + az cache purge + az account clear 
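Review bot: The `environment` input defaults to `prod` while the `action` input offers `stop`, so a dispatch that accepts the defaults (or changes only the action) targets production; the sibling Flyway runbook in this same commit defaults to `dev`, and `default: dev` here would make a production stop an explicit choice rather than the fallback. The summary echo also has a typo, `peformed`, which should read `performed`. The `az ${{ env.AZ_APP_TYPE }} ${{ env.ACTION }} …` command only interpolates choice inputs and values set by the Set Variables step, so it does not have the free-text injection exposure of the other runbooks, but the template leaves `RESOURCE_GROUP`/`APP_NAME` as empty placeholders and would benefit from a `[ -n "$APP_NAME" ]`-style guard before the `az` call.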
diff --git a/workflow-templates/im-run-tf-destroy.yml b/workflow-templates/im-run-tf-destroy.yml index 5da3121c..fe7ec9f8 100644 --- a/workflow-templates/im-run-tf-destroy.yml +++ b/workflow-templates/im-run-tf-destroy.yml @@ -153,7 +153,7 @@ jobs: tf-plan: needs: [set-vars, stakeholder-approval] - runs-on: [self-hosted, im-linux] + runs-on: im-linux environment: ${{ needs.set-vars.outputs.GITHUB_SECRETS_ENVIRONMENT }} defaults: @@ -269,7 +269,7 @@ jobs: tf-apply: needs: [set-vars, tf-plan, tf-plan-manual-approval, stakeholder-approval] - runs-on: [self-hosted, im-linux] + runs-on: im-linux environment: ${{ needs.set-vars.outputs.GITHUB_SECRETS_ENVIRONMENT }} defaults: diff --git a/workflow-templates/im-run-tf-import.yml b/workflow-templates/im-run-tf-import.yml index bf76e6fa..dcb4f5b5 100644 --- a/workflow-templates/im-run-tf-import.yml +++ b/workflow-templates/im-run-tf-import.yml 
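Review bot: With `self-hosted` removed, `runs-on: im-linux` is now the only selector for the `tf-plan` and `tf-apply` jobs, and as far as I recall GitHub routes a job to any runner that carries that label, so if a self-hosted runner still has `im-linux` attached alongside the new hosted pool the destroy could land on either. Since `tf-apply` here holds the environment's OIDC identity and performs a destructive apply, it is worth confirming that no self-hosted runner retains the label (or constraining the jobs with a runner `group:`) before this rolls out, e.g. `runs-on: { group: <hosted-group>, labels: [im-linux] }` if a group exists. Both jobs' bodies continue outside these hunks.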
@@ -1,107 +1,107 @@ -# Workflow Code: DrearyBuck_v21 DO NOT REMOVE - -# Purpose: -# Imports a specified resource into the terraform state when someone kicks it off manually. -# -# Frequency: -# - This workflow should only be used once per repository -# -# Projects to use this Template with: -# - Terraform (Optional Template) -# -# TODO Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Import Terraform State -run-name: Import ${{ inputs.environment }} ${{ inputs.tf-resource-address }} -on: - workflow_dispatch: - inputs: - environment: - description: The environment the import should be done in. - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - branch-tag-sha: - description: The branch, tag or sha of the terraform that has the configuration for the resource(s) to import. - required: true - tf-resource-address: - description: The address of the resource to import. E.g. module.common.azurerm_mssql_server.server - required: true - tf-resource-id: - description: The id of the resource to import. It should look something like /subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/{provider_name}/{...etc...}. - required: true - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} - # The following ARM_* values are env-level secrets/variables - ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} - ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} - ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable - ARM_ENVIRONMENT: 'public' - TF_IN_AUTOMATION: 'true' - TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
- TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) - # The following SSH_* secrets are org-level secrets - SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} - SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} - SSH_DEPLOY_KEY_INFO: | - [ - { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, - { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } - ] - -jobs: - tf-import-state: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: - - defaults: - run: - shell: bash - working-directory: '${{ env.TF_WORKING_DIR }}' - - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}` | - | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` | - | Resource Address | `${{ github.event.inputs.tf-resource-address }}` | - | Resource ID | `${{ github.event.inputs.tf-resource-id }}` |' >> $GITHUB_STEP_SUMMARY - - - name: Checkout Repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GITHUB_REF }} - - # Allows pulling modules from the repo instead of artifactory - - name: Setup SSH Keys and known_hosts - uses: im-open/setup-deploy-keys@v1.1 - with: - deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: '${{ env.TF_VERSION }}' - - - name: Terraform Init - run: terraform init - - - name: Terraform Import - # TODO: Add any additional parameters that are needed - run: terraform import ${{ github.event.inputs.tf-resource-address }} ${{ github.event.inputs.tf-resource-id }} +# Workflow Code: DrearyBuck_v21 DO NOT REMOVE + +# Purpose: +# Imports a specified resource into the terraform state when 
someone kicks it off manually. +# +# Frequency: +# - This workflow should only be used once per repository +# +# Projects to use this Template with: +# - Terraform (Optional Template) +# +# TODO Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Import Terraform State +run-name: Import ${{ inputs.environment }} ${{ inputs.tf-resource-address }} +on: + workflow_dispatch: + inputs: + environment: + description: The environment the import should be done in. + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + branch-tag-sha: + description: The branch, tag or sha of the terraform that has the configuration for the resource(s) to import. + required: true + tf-resource-address: + description: The address of the resource to import. E.g. module.common.azurerm_mssql_server.server + required: true + tf-resource-id: + description: The id of the resource to import. It should look something like /subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/{provider_name}/{...etc...}. + required: true + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} + # The following ARM_* values are env-level secrets/variables + ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} + ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} + ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable + ARM_ENVIRONMENT: 'public' + TF_IN_AUTOMATION: 'true' + TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
+ TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) + # The following SSH_* secrets are org-level secrets + SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} + SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} + SSH_DEPLOY_KEY_INFO: | + [ + { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, + { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } + ] + +jobs: + tf-import-state: + runs-on: im-linux + environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: + + defaults: + run: + shell: bash + working-directory: '${{ env.TF_WORKING_DIR }}' + + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}` | + | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` | + | Resource Address | `${{ github.event.inputs.tf-resource-address }}` | + | Resource ID | `${{ github.event.inputs.tf-resource-id }}` |' >> $GITHUB_STEP_SUMMARY + + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GITHUB_REF }} + + # Allows pulling modules from the repo instead of artifactory + - name: Setup SSH Keys and known_hosts + uses: im-open/setup-deploy-keys@v1.1 + with: + deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: '${{ env.TF_VERSION }}' + + - name: Terraform Init + run: terraform init + + - name: Terraform Import + # TODO: Add any additional parameters that are needed + run: terraform import ${{ github.event.inputs.tf-resource-address }} ${{ github.event.inputs.tf-resource-id }} diff --git a/workflow-templates/im-run-tf-taint.yml b/workflow-templates/im-run-tf-taint.yml index 9f865640..ee3f3a0f 100644 
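Review bot: The free-text inputs `tf-resource-address` and `tf-resource-id` are expanded by the expression engine straight into the shell in two places, the `$'…'` step-summary echo and `run: terraform import ${{ github.event.inputs.tf-resource-address }} ${{ github.event.inputs.tf-resource-id }}`, so shell metacharacters in either input execute in a job that holds the environment's OIDC identity and the org-level SSH deploy keys. Map the two inputs to a step-level `env:` (e.g. `TF_ADDR` and `TF_ID`) and invoke `terraform import "$TF_ADDR" "$TF_ID"`, applying the same treatment to the summary echo, so the values are passed as data rather than re-parsed as script. The `branch-tag-sha` input going into `actions/checkout`'s `ref:` is an action input rather than shell and is fine as written, but it is also interpolated into the same `$'…'` echo and should be handled the same way.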
--- a/workflow-templates/im-run-tf-taint.yml +++ b/workflow-templates/im-run-tf-taint.yml 
@@ -1,106 +1,106 @@ -# Workflow Code: GratefulTermite_v18 DO NOT REMOVE -# Purpose: -# Taints a specified terraform resource when someone kicks it off manually. -# -# Frequency: -# - This workflow should only be used once per repository -# -# Projects to use this Template with: -# - Terraform (Optional Template) -# -# TODO Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Taint Terraform Resource -run-name: Taint ${{ inputs.environment }} resource${{ inputs.tf-resource-address }} -on: - workflow_dispatch: - inputs: - environment: - description: The environment the taint should be done in. - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - # This is required because a tf init has to be performed before the terraform taint command - branch-tag-sha: - description: The branch, tag or sha of the terraform that has the configuration for the resource to taint. - required: true - tf-resource-address: - description: The address of the resource to taint. E.g. module.my-module.azurerm_mssql_server.server - required: true - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} - # The following ARM_* values are env-level secrets/variables - ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} - ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} - ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable - ARM_ENVIRONMENT: 'public' - TF_IN_AUTOMATION: 'true' - TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
- TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) - # The following SSH_* secrets are org-level secrets - SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} - SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} - SSH_DEPLOY_KEY_INFO: | - [ - { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, - { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } - ] - -jobs: - tf-taint-resource: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: - - defaults: - run: - shell: bash - working-directory: '${{ env.TF_WORKING_DIR }}' - - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}` | - | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` | - | TF Resource Address | `${{ github.event.inputs.tf-resource-address }}` |' >> $GITHUB_STEP_SUMMARY - - - name: Checkout Repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GITHUB_REF }} - - # Allows pulling modules from the respective github repo instead of artifactory - - name: Setup SSH Keys and known_hosts - uses: im-open/setup-deploy-keys@v1.1 - with: - deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: '${{ env.TF_VERSION }}' - - # A terraform init is required before a terraform taint can be run - - name: Terraform Init - run: terraform init - - - name: Terraform Taint - # TODO: Add any additional parameters that are needed (-allow-missing, -lock=false, -lock-timeout=90s) - # https://www.terraform.io/docs/cli/commands/taint.html#usage - run: terraform taint ${{ github.event.inputs.tf-resource-address }} - +# Workflow Code: 
GratefulTermite_v18 DO NOT REMOVE +# Purpose: +# Taints a specified terraform resource when someone kicks it off manually. +# +# Frequency: +# - This workflow should only be used once per repository +# +# Projects to use this Template with: +# - Terraform (Optional Template) +# +# TODO Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Taint Terraform Resource +run-name: Taint ${{ inputs.environment }} resource${{ inputs.tf-resource-address }} +on: + workflow_dispatch: + inputs: + environment: + description: The environment the taint should be done in. + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + # This is required because a tf init has to be performed before the terraform taint command + branch-tag-sha: + description: The branch, tag or sha of the terraform that has the configuration for the resource to taint. + required: true + tf-resource-address: + description: The address of the resource to taint. E.g. module.my-module.azurerm_mssql_server.server + required: true + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} + # The following ARM_* values are env-level secrets/variables + ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} + ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} + ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable + ARM_ENVIRONMENT: 'public' + TF_IN_AUTOMATION: 'true' + TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
+ TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) + # The following SSH_* secrets are org-level secrets + SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} + SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} + SSH_DEPLOY_KEY_INFO: | + [ + { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, + { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } + ] + +jobs: + tf-taint-resource: + runs-on: im-linux + environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: + + defaults: + run: + shell: bash + working-directory: '${{ env.TF_WORKING_DIR }}' + + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}` | + | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` | + | TF Resource Address | `${{ github.event.inputs.tf-resource-address }}` |' >> $GITHUB_STEP_SUMMARY + + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GITHUB_REF }} + + # Allows pulling modules from the respective github repo instead of artifactory + - name: Setup SSH Keys and known_hosts + uses: im-open/setup-deploy-keys@v1.1 + with: + deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: '${{ env.TF_VERSION }}' + + # A terraform init is required before a terraform taint can be run + - name: Terraform Init + run: terraform init + + - name: Terraform Taint + # TODO: Add any additional parameters that are needed (-allow-missing, -lock=false, -lock-timeout=90s) + # https://www.terraform.io/docs/cli/commands/taint.html#usage + run: terraform taint ${{ github.event.inputs.tf-resource-address }} + 
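Review bot: The `Terraform Taint` step at the end of the new side still splices `${{ github.event.inputs.tf-resource-address }}` straight into a `run:` shell line, so the runner expands the free-text input before bash parses it; GitHub's hardening guidance for `run:` steps is to pass such values through an intermediate environment variable and quote them in the script, e.g. `env: { TF_RESOURCE_ADDRESS: '${{ github.event.inputs.tf-resource-address }}' }` on the step and `run: terraform taint "$TF_RESOURCE_ADDRESS"`. The same pattern appears in the `echo $'…'` summary step of this hunk (which also inlines the free-text `branch-tag-sha` via `${{ env.GITHUB_REF }}`), in the `terraform force-unlock -force ${{ github.event.inputs.lock-id }}` step of the im-run-unlock-tf-state.yml hunk below, and in the `terraform import` step of the im-run-tf-import.yml hunk above. Exposure is limited because `workflow_dispatch` inputs can only be supplied by users with write access, but the job runs under an `environment:` with Azure credentials, so the template should not teach the unquoted form. This is pre-existing rather than introduced here — the hunk only swaps `runs-on` — but the whole file is rewritten anyway (presumably a line-ending normalization), which is a natural point to fix it.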
diff --git a/workflow-templates/im-run-unlock-tf-state.yml b/workflow-templates/im-run-unlock-tf-state.yml index baefbed6..7120ad48 100644 --- a/workflow-templates/im-run-unlock-tf-state.yml +++ b/workflow-templates/im-run-unlock-tf-state.yml 
@@ -1,101 +1,101 @@ -# Workflow Code: FrazzledFerret_v24 DO NOT REMOVE -# Purpose: -# Removes a lock from the terraform state when someone kicks it off manually. -# -# Frequency: -# - This workflow should only be used once per repository -# -# Projects to use this Template with: -# - Terraform (Core Template) -# -# TODO Prerequisites -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Unlock Terraform State -run-name: Unlock state in ${{ inputs.environment }} with id ${{ inputs.lock-id }} -on: - workflow_dispatch: - inputs: - lock-id: - description: The lock ID that needs to be removed. Terraform provides this value (lock info.ID) in the message indicating there was an error acquiring the state lock. - required: true - environment: - description: The environment the lock should be removed in - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - branch-tag-sha: - description: The branch, tag or sha of the terraform that is currently in the environment where the lock is. This is needed to do a terraform init with the appropriate code. - required: true - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} - # The following ARM_* values are env-level secrets/variables - ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} - ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} - ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable - ARM_ENVIRONMENT: 'public' - TF_IN_AUTOMATION: 'true' - TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
- TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) - # The following SSH_* secrets are org-level secrets - SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} - SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} - SSH_DEPLOY_KEY_INFO: | - [ - { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, - { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } - ] - -jobs: - tf-unlock-state: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: - - defaults: - run: - shell: bash - working-directory: '${{ env.TF_WORKING_DIR }}' - - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Lock ID | `${{ github.event.inputs.lock-id }}` | - | Environment | `${{ env.ENVIRONMENT }}` | - | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY - - - name: Checkout Repository - uses: actions/checkout@v4 - with: - ref: ${{ env.GITHUB_REF }} - - # Allows pulling modules from the repo instead of artifactory - - name: Setup SSH Keys and known_hosts - uses: im-open/setup-deploy-keys@v1.1 - with: - deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: '${{ env.TF_VERSION }}' - - - name: Terraform Init - run: terraform init - - - name: Terraform Unlock State - run: terraform force-unlock -force ${{ github.event.inputs.lock-id }} +# Workflow Code: FrazzledFerret_v24 DO NOT REMOVE +# Purpose: +# Removes a lock from the terraform state when someone kicks it off manually. 
+# +# Frequency: +# - This workflow should only be used once per repository +# +# Projects to use this Template with: +# - Terraform (Core Template) +# +# TODO Prerequisites +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Unlock Terraform State +run-name: Unlock state in ${{ inputs.environment }} with id ${{ inputs.lock-id }} +on: + workflow_dispatch: + inputs: + lock-id: + description: The lock ID that needs to be removed. Terraform provides this value (lock info.ID) in the message indicating there was an error acquiring the state lock. + required: true + environment: + description: The environment the lock should be removed in + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + branch-tag-sha: + description: The branch, tag or sha of the terraform that is currently in the environment where the lock is. This is needed to do a terraform init with the appropriate code. + required: true + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} + # The following ARM_* values are env-level secrets/variables + ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} + ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} + ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable + ARM_ENVIRONMENT: 'public' + TF_IN_AUTOMATION: 'true' + TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
+ TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) + # The following SSH_* secrets are org-level secrets + SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} + SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} + SSH_DEPLOY_KEY_INFO: | + [ + { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, + { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } + ] + +jobs: + tf-unlock-state: + runs-on: im-linux + environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: + + defaults: + run: + shell: bash + working-directory: '${{ env.TF_WORKING_DIR }}' + + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Lock ID | `${{ github.event.inputs.lock-id }}` | + | Environment | `${{ env.ENVIRONMENT }}` | + | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY + + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GITHUB_REF }} + + # Allows pulling modules from the repo instead of artifactory + - name: Setup SSH Keys and known_hosts + uses: im-open/setup-deploy-keys@v1.1 + with: + deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: '${{ env.TF_VERSION }}' + + - name: Terraform Init + run: terraform init + + - name: Terraform Unlock State + run: terraform force-unlock -force ${{ github.event.inputs.lock-id }} diff --git a/workflow-templates/im-run-validate-deployed-terraform.yml b/workflow-templates/im-run-validate-deployed-terraform.yml index 2c12258f..4c4508d6 100644 --- a/workflow-templates/im-run-validate-deployed-terraform.yml +++ b/workflow-templates/im-run-validate-deployed-terraform.yml 
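Review bot: The workflow-level `env:` on the new side defines `GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }}`, reusing the name of a runner default variable; the `${{ env.GITHUB_REF }}` references in the summary and checkout steps resolve to the input, but a plain `$GITHUB_REF` in any shell step would presumably still be the runner's own ref (GitHub documents that `GITHUB_*` defaults cannot be overwritten), so the two spellings can silently disagree. A distinct name such as `TF_SOURCE_REF: ${{ github.event.inputs.branch-tag-sha }}` with `ref: ${{ env.TF_SOURCE_REF }}` in the checkout step removes the ambiguity. The same naming is used in the im-run-tf-taint.yml and im-run-tf-import.yml hunks above. Only `runs-on` changes in this hunk, so this is pre-existing.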
@@ -33,7 +33,7 @@ permissions: jobs: auto-plan-the-tf: - runs-on: [self-hosted, im-linux] + runs-on: im-linux strategy: matrix: diff --git a/workflow-templates/im-test-k6-ci.yml b/workflow-templates/im-test-k6-ci.yml index 31302cb9..e69e65c9 100644 --- a/workflow-templates/im-test-k6-ci.yml +++ b/workflow-templates/im-test-k6-ci.yml @@ -39,7 +39,7 @@ env: jobs: k6_test: - runs-on: [self-hosted, im-linux] + runs-on: im-linux steps: - name: Checkout diff --git a/workflow-templates/im-test-k6-manual.yml b/workflow-templates/im-test-k6-manual.yml index b4c8230f..46c8ca77 100644 --- a/workflow-templates/im-test-k6-manual.yml +++ b/workflow-templates/im-test-k6-manual.yml @@ -65,7 +65,7 @@ env: jobs: matrix-setup: - runs-on: [self-hosted, im-linux] + runs-on: im-linux outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} @@ -109,7 +109,7 @@ jobs: core.notice(`${output}`); k6_test: - runs-on: [self-hosted, im-linux] + runs-on: im-linux needs: [matrix-setup] defaults: diff --git a/workflow-templates/im-test-k6-operator-approval.yml b/workflow-templates/im-test-k6-operator-approval.yml index 68311404..77abbd4d 100644 --- a/workflow-templates/im-test-k6-operator-approval.yml +++ b/workflow-templates/im-test-k6-operator-approval.yml @@ -98,7 +98,7 @@ env: jobs: # TODO: Delete if you don't build your k6 tests npm-cache: - runs-on: [self-hosted, im-linux] + runs-on: im-linux if: inputs.run-npm-build defaults: @@ -185,7 +185,7 @@ jobs: enableCrossOsArchive: true start-k6-operator-test: - runs-on: [self-hosted, im-linux] + runs-on: im-linux needs: [npm-cache] environment: ${{ inputs.env }} @@ -402,7 +402,7 @@ jobs: run: echo "Approval on cleaning up the test run." stop-k6-operator-test: - runs-on: [self-hosted, im-linux] + runs-on: im-linux needs: [start-k6-operator-test, k6-operator-approval] environment: ${{ inputs.env }} 
@@ -492,7 +492,7 @@ jobs: rm -rf ${{ steps.kube-config.outputs.kube-config-file }} send-teams-notification: - runs-on: [self-hosted, im-linux] + runs-on: im-linux needs: [start-k6-operator-test, stop-k6-operator-test] environment: ${{ inputs.env }} if: always() diff --git a/workflow-templates/im-test-k6-operator.yml b/workflow-templates/im-test-k6-operator.yml index 8e596f9e..65090948 100644 --- a/workflow-templates/im-test-k6-operator.yml +++ b/workflow-templates/im-test-k6-operator.yml @@ -108,7 +108,7 @@ env: jobs: # TODO: Delete if you don't build your k6 tests npm-cache: - runs-on: [self-hosted, im-linux] + runs-on: im-linux if: inputs.run-npm-build defaults: @@ -199,7 +199,7 @@ jobs: enableCrossOsArchive: true run_k6_operator: - runs-on: [self-hosted, im-linux] + runs-on: im-linux needs: [npm-cache] # TODO: Delete if you don't build your k6 tests environment: ${{ inputs.env }} diff --git a/workflow-templates/im-test-postman.yml b/workflow-templates/im-test-postman.yml index a3383b7f..010d4520 100644 --- a/workflow-templates/im-test-postman.yml +++ b/workflow-templates/im-test-postman.yml 
@@ -1,82 +1,82 @@ -# Workflow Code: GuiltyBison_v15 DO NOT REMOVE -# Purpose: -# Runs the Postman script specified in the workflow when someone -# manually kicks it off or when another workflow triggers it. -# -# Frequency: -# - This workflow can be duplicated for each Postman project in the repository -# or it can be modified to run multiple projects. -# -# Projects to use this Template with: -# - App Service or Function (Optional Template) -# - On Prem Site (Optional Template) -# - On Prem Service (Optional Template) -# -# TODO: Prerequisites: -# - If the project contains a local nuget.config remove it. It interferes with restoring packages on the GitHub Action runners. -# - Make the following npm package changes: -# npm uninstall newman-reporter-teamcity -# - Update the reporters an options in your package.json script. For instance: -# old script: "newman run tests/postman-tests/ParticipantGuidance.postman_collection.json -e tests/postman-tests/participant-guidance-prod.postman_environment.json -r cli,teamcity", -# new script: "newman run tests/postman-tests/ParticipantGuidance.postman_collection.json -e tests/postman-tests/participant-guidance-prod.postman_environment.json -r cli,json --reporter-json-export postman-results.json", - -name: Run Postman Tests - -# TODO: Verify Triggers -on: - # For manually kicking off the tests - workflow_dispatch: - # For programatically kicking off tests, like when a deploy finishes - repository_dispatch: - types: [postman] - -env: - READ_PKG_TOKEN: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret - PACKAGE_JSON_DIR: '' # TODO: Add the directory containing package.json - POSTMAN_NPM_SCRIPT_NAME: '' # TODO: Add postman npm script name - POSTMAN_RESULTS_NAME: '' # TODO: Add the name of the results file, set in npm script - -jobs: - run-postman: - runs-on: [self-hosted, im-linux] - - defaults: - run: - shell: bash - working-directory: ${{ env.PACKAGE_JSON_DIR }} - - steps: - - uses: actions/checkout@v4 - - # TODO: If 
you are using any nuget/npm packages from GitHub Packages uncomment this step - # - name: Authenticate with GitHub Packages - # uses: im-open/authenticate-with-gh-package-registries@v1.1 - # with: - # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret - # orgs: 'im-client,im-enrollment,im-practices' # TODO: Verify list of orgs packages will be pulled from - - - name: Restore npm packages - run: npm install - - - name: Run Postman Tests - id: postman - continue-on-error: true - run: npm run ${{ env.POSTMAN_NPM_SCRIPT_NAME }} - - - name: Create Status check based on postman results - id: process-postman - uses: im-open/process-postman-test-results@v2.3 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo - results-file: ${{ env.PACKAGE_JSON_DIR }}/${{ env.POSTMAN_RESULTS_NAME }} - timezone: 'america/denver' # TODO: Verify timezone - # TODO: Verify whether you want status checks, pr comments or both with the results of the tests. - create-status-check: true - # update-comment-if-one-exists: false # TODO: By default this creates one comment and updates it for each run. Uncomment if you wish to have one new comment for every workflow run. - create-pr-comment: true - - - name: Fail if postman errors - if: steps.postman.outcome == 'failure' - run: | - echo "The postman tests have failures" - exit 1 +# Workflow Code: GuiltyBison_v15 DO NOT REMOVE +# Purpose: +# Runs the Postman script specified in the workflow when someone +# manually kicks it off or when another workflow triggers it. +# +# Frequency: +# - This workflow can be duplicated for each Postman project in the repository +# or it can be modified to run multiple projects. 
+# +# Projects to use this Template with: +# - App Service or Function (Optional Template) +# - On Prem Site (Optional Template) +# - On Prem Service (Optional Template) +# +# TODO: Prerequisites: +# - If the project contains a local nuget.config remove it. It interferes with restoring packages on the GitHub Action runners. +# - Make the following npm package changes: +# npm uninstall newman-reporter-teamcity +# - Update the reporters an options in your package.json script. For instance: +# old script: "newman run tests/postman-tests/ParticipantGuidance.postman_collection.json -e tests/postman-tests/participant-guidance-prod.postman_environment.json -r cli,teamcity", +# new script: "newman run tests/postman-tests/ParticipantGuidance.postman_collection.json -e tests/postman-tests/participant-guidance-prod.postman_environment.json -r cli,json --reporter-json-export postman-results.json", + +name: Run Postman Tests + +# TODO: Verify Triggers +on: + # For manually kicking off the tests + workflow_dispatch: + # For programatically kicking off tests, like when a deploy finishes + repository_dispatch: + types: [postman] + +env: + READ_PKG_TOKEN: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret + PACKAGE_JSON_DIR: '' # TODO: Add the directory containing package.json + POSTMAN_NPM_SCRIPT_NAME: '' # TODO: Add postman npm script name + POSTMAN_RESULTS_NAME: '' # TODO: Add the name of the results file, set in npm script + +jobs: + run-postman: + runs-on: im-linux + + defaults: + run: + shell: bash + working-directory: ${{ env.PACKAGE_JSON_DIR }} + + steps: + - uses: actions/checkout@v4 + + # TODO: If you are using any nuget/npm packages from GitHub Packages uncomment this step + # - name: Authenticate with GitHub Packages + # uses: im-open/authenticate-with-gh-package-registries@v1.1 + # with: + # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret + # orgs: 'im-client,im-enrollment,im-practices' # TODO: Verify list of orgs packages will be 
pulled from + + - name: Restore npm packages + run: npm install + + - name: Run Postman Tests + id: postman + continue-on-error: true + run: npm run ${{ env.POSTMAN_NPM_SCRIPT_NAME }} + + - name: Create Status check based on postman results + id: process-postman + uses: im-open/process-postman-test-results@v2.3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo + results-file: ${{ env.PACKAGE_JSON_DIR }}/${{ env.POSTMAN_RESULTS_NAME }} + timezone: 'america/denver' # TODO: Verify timezone + # TODO: Verify whether you want status checks, pr comments or both with the results of the tests. + create-status-check: true + # update-comment-if-one-exists: false # TODO: By default this creates one comment and updates it for each run. Uncomment if you wish to have one new comment for every workflow run. + create-pr-comment: true + + - name: Fail if postman errors + if: steps.postman.outcome == 'failure' + run: | + echo "The postman tests have failures" + exit 1 From 34599ead79858f37c6d6657a32fa353ed311dc99 Mon Sep 17 00:00:00 2001 
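Review bot: The new side of im-test-postman.yml has no `permissions:` block, unlike the terraform templates in this patch, so the `GITHUB_TOKEN` passed to `im-open/process-postman-test-results@v2.3` gets whatever the repository default is — either broader than a test job needs or, if the org default is read-only, too little for `create-status-check: true` and `create-pr-comment: true`. Declaring the minimum explicitly after `name:`, e.g. `permissions: { contents: read, checks: write, pull-requests: write }` (block style preferred), makes the grant deterministic; confirm the exact scopes against that action's documentation. Separately, `READ_PKG_TOKEN: ${{ secrets.READ_PKG_TOKEN }}` at workflow-level `env:` exports the org secret into every step, including `npm install` and any package lifecycle scripts it runs, while the only consumer (the commented-out authenticate step) reads `secrets.READ_PKG_TOKEN` directly — that `env` entry can be dropped. Both points are pre-existing; this hunk only changes `runs-on`.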
From: Adam Hernandez Date: Tue, 9 Apr 2024 08:57:10 -0600 Subject: [PATCH 2/4] increment workflow code version numbers by 1 --- workflow-templates/im-build-dotnet-ci.yml | 2 +- workflow-templates/im-build-nuget-package.yml | 2 +- .../im-build-tf-auto-plan-and-comment-on-prs.yml | 6 +++--- workflow-templates/im-deploy-az-app-manually.yml | 2 +- workflow-templates/im-deploy-az-database.yml | 2 +- workflow-templates/im-deploy-az-swap-app-slots.yml | 4 ++-- .../im-deploy-files-to-az-storage-account.yml | 2 +- workflow-templates/im-deploy-multiple-items-at-once.yml | 4 ++-- workflow-templates/im-deploy-on-prem-database.yml | 2 +- .../im-deploy-tf-auto-apply-main-to-dev-on-merge.yml | 2 +- workflow-templates/im-deploy-tf-manual-apply.yml | 2 +- .../im-run-add-or-update-az-keyvault-secret.yml | 6 +++--- workflow-templates/im-run-annotate-app-insights.yml | 4 ++-- workflow-templates/im-run-annotate-pagerduty-template.yml | 6 +++--- workflow-templates/im-run-delete-azure-blob.yml | 4 ++-- workflow-templates/im-run-flyway-repair.yml | 6 +++--- .../im-run-start-stop-restart-azure-app.yml | 8 ++++---- workflow-templates/im-run-tf-destroy.yml | 2 +- workflow-templates/im-run-tf-import.yml | 4 ++-- workflow-templates/im-run-tf-taint.yml | 4 ++-- workflow-templates/im-run-unlock-tf-state.yml | 6 +++--- workflow-templates/im-run-validate-deployed-terraform.yml | 4 ++-- workflow-templates/im-test-k6-ci.yml | 2 +- workflow-templates/im-test-k6-manual.yml | 2 +- workflow-templates/im-test-k6-operator-approval.yml | 2 +- workflow-templates/im-test-k6-operator.yml | 4 ++-- workflow-templates/im-test-postman.yml | 2 +- 27 files changed, 48 insertions(+), 48 deletions(-) diff --git a/workflow-templates/im-build-dotnet-ci.yml b/workflow-templates/im-build-dotnet-ci.yml index 17f4a2d1..d8844ada 100644 --- a/workflow-templates/im-build-dotnet-ci.yml +++ b/workflow-templates/im-build-dotnet-ci.yml 
@@ -1,4 +1,4 @@ -# Workflow Code: LoathsomeSnipe_v53 DO NOT REMOVE +# Workflow Code: LoathsomeSnipe_v54 DO NOT REMOVE # Purpose: # Automatically checks out the code, builds, run tests and creates artifacts # which are uploaded to a GH release when commits are pushed to a PR. In the diff --git a/workflow-templates/im-build-nuget-package.yml b/workflow-templates/im-build-nuget-package.yml index e474e0cd..b39ac6de 100644 --- a/workflow-templates/im-build-nuget-package.yml +++ b/workflow-templates/im-build-nuget-package.yml @@ -1,4 +1,4 @@ -# Workflow Code: TrustingCockroach_v43 DO NOT REMOVE +# Workflow Code: TrustingCockroach_v44 DO NOT REMOVE # Purpose: # Automatically builds the project and runs tests with code coverage. If # everything is green, a new semantic version is calculated and a new package diff --git a/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml b/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml index 4c9da8f7..d5153503 100644 --- a/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml +++ b/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml @@ -1,4 +1,4 @@ -# Workflow Code: DeterminedPorcupine_v24 DO NOT REMOVE +# Workflow Code: DeterminedPorcupine_v25 DO NOT REMOVE # Purpose: # Automatically runs a terraform plan against the specified environments and # comments on the PR with the expected changes when commits are pushed to a PR. @@ -108,14 +108,14 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo script: | - const output = `### Format, Init and Plan Results for ${{ matrix.environment }} + const output = `### Format, Init and Plan Results for ${{ matrix.environment }} #### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
Show Plan ${process.env.PLAN}
- + __Pusher__: @${{ github.actor }} __Action__: \`${{ github.event_name }}\``; github.rest.issues.createComment({ diff --git a/workflow-templates/im-deploy-az-app-manually.yml b/workflow-templates/im-deploy-az-app-manually.yml index 7a979bdf..7196caa7 100644 --- a/workflow-templates/im-deploy-az-app-manually.yml +++ b/workflow-templates/im-deploy-az-app-manually.yml @@ -1,4 +1,4 @@ -# Workflow Code: AmbitiousLizard_v49 DO NOT REMOVE +# Workflow Code: AmbitiousLizard_v50 DO NOT REMOVE # Purpose: # Gathers various stakeholder and attestor approvals, downloads artifacts from a release # with the specified tags, makes changes to any configuration files for the specified diff --git a/workflow-templates/im-deploy-az-database.yml b/workflow-templates/im-deploy-az-database.yml index 5625423a..a7a8ef93 100644 --- a/workflow-templates/im-deploy-az-database.yml +++ b/workflow-templates/im-deploy-az-database.yml @@ -1,4 +1,4 @@ -# Workflow Code: BetrayedCod_v34 DO NOT REMOVE +# Workflow Code: BetrayedCod_v35 DO NOT REMOVE # Purpose: # Gathers the required approvals from stakeholders and attestors, ensures # tags are valid for production deployments and runs the migrations against diff --git a/workflow-templates/im-deploy-az-swap-app-slots.yml b/workflow-templates/im-deploy-az-swap-app-slots.yml index 80ab24bf..a63ca5f8 100644 --- a/workflow-templates/im-deploy-az-swap-app-slots.yml +++ b/workflow-templates/im-deploy-az-swap-app-slots.yml @@ -1,4 +1,4 @@ -# Workflow Code: IrritatedHyena_v21 DO NOT REMOVE +# Workflow Code: IrritatedHyena_v22 DO NOT REMOVE # Purpose: # Swaps deployment slots in a specified environment for an Azure App Service # or Function outside of a deployment when someone kicks it off manually. 
@@ -71,7 +71,7 @@ jobs: | Target Slot | `${{ env.TARGET_SLOT }}` | | Source Slot | `${{ env.SOURCE_SLOT }}` | | Open PD Window | `${{ env.OPEN_WINDOW }}` |' >> $GITHUB_STEP_SUMMARY - + # For more information and best practices on the usage and options available # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions - name: Set Variables diff --git a/workflow-templates/im-deploy-files-to-az-storage-account.yml b/workflow-templates/im-deploy-files-to-az-storage-account.yml index 85f1ebc6..e730a950 100644 --- a/workflow-templates/im-deploy-files-to-az-storage-account.yml +++ b/workflow-templates/im-deploy-files-to-az-storage-account.yml @@ -1,4 +1,4 @@ -# Workflow Code: BubblyGreyhound_v27 DO NOT REMOVE +# Workflow Code: BubblyGreyhound_v28 DO NOT REMOVE # Purpose: # Checks out the repository and deploys a directory to the # specified storage account when someone kicks it off manually. diff --git a/workflow-templates/im-deploy-multiple-items-at-once.yml b/workflow-templates/im-deploy-multiple-items-at-once.yml index 2be8a7fa..c414f078 100644 --- a/workflow-templates/im-deploy-multiple-items-at-once.yml +++ b/workflow-templates/im-deploy-multiple-items-at-once.yml @@ -1,4 +1,4 @@ -# Workflow Code: MercifulLlama_v17 DO NOT REMOVE +# Workflow Code: MercifulLlama_v18 DO NOT REMOVE # Purpose: # This is only required when teams have separate deployable artifacts (db/mfe/api/etc.) # but they need each item to be deployed together. 
@@ -48,7 +48,7 @@ env: jobs: # This job utilizes a reusable workflow which will: # 1 - Verify the tag provided is a valid ref. - # 2 - If deploying to a production environment, verify the tag is reachable from the default branch + # 2 - If deploying to a production environment, verify the tag is reachable from the default branch # and that the corresponding release is production ready (not pre-release or a draft). setup-deployment-workflow: uses: im-practices/.github/.github/workflows/im-reusable-setup-deployment-workflow.yml@v2 diff --git a/workflow-templates/im-deploy-on-prem-database.yml b/workflow-templates/im-deploy-on-prem-database.yml index 473392a4..1f1c3bc6 100644 --- a/workflow-templates/im-deploy-on-prem-database.yml +++ b/workflow-templates/im-deploy-on-prem-database.yml @@ -1,4 +1,4 @@ -# Workflow Code: AmazedPiglet_v35 DO NOT REMOVE +# Workflow Code: AmazedPiglet_v36 DO NOT REMOVE # Purpose: # Gathers the required approvals from stakeholders and attestors, ensures tags # are valid for production deployments and runs the migrations against an on-prem diff --git a/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml b/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml index 3caaf514..a4acff49 100644 --- a/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml +++ b/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml @@ -1,4 +1,4 @@ -# Workflow Code: IrritableEagle_v36 DO NOT REMOVE +# Workflow Code: IrritableEagle_v37 DO NOT REMOVE # Purpose: # Automatically runs a terraform apply -auto-approve with the changes # in the PR against the dev environment when a PR is merged to main. diff --git a/workflow-templates/im-deploy-tf-manual-apply.yml b/workflow-templates/im-deploy-tf-manual-apply.yml index ad52c1d0..84a73da4 100644 --- a/workflow-templates/im-deploy-tf-manual-apply.yml +++ b/workflow-templates/im-deploy-tf-manual-apply.yml 
@@ -1,4 +1,4 @@
-# Workflow Code: InsaneHamster_v48 DO NOT REMOVE
+# Workflow Code: InsaneHamster_v49 DO NOT REMOVE
 # Purpose:
 # Deploys the terraform from a specified root module at a
 # specified when someone kicks off the workflow manually.
diff --git a/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml b/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml
index 0ea5ac7b..9096de5f 100644
--- a/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml
+++ b/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml
@@ -1,4 +1,4 @@
-# Workflow Code: CockySquirrel_v16 DO NOT REMOVE
+# Workflow Code: CockySquirrel_v17 DO NOT REMOVE
 # Purpose:
 # Adds or updates an azure KeyVault secret in the specified
 # environment when someone kicks it off manually.
@@ -55,14 +55,14 @@ jobs:
 script: |
 core.info(`Masking the value for ${context.payload.inputs.secret_name} so it is not exposed.`);
 core.setSecret(context.payload.inputs.secret_value);
-
+
 - run: |
 echo $'
 | Build Arguments | Value |
 | --- | --- |
 | Environment | `${{ github.event.inputs.environment }}` |
 | Secret Name | `${{ github.event.inputs.secret_name }}` |' >> $GITHUB_STEP_SUMMARY
-
+
 # For more information and best practices on the usage and options available
 # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions
 - name: Set Variables
diff --git a/workflow-templates/im-run-annotate-app-insights.yml b/workflow-templates/im-run-annotate-app-insights.yml
index ce0ed6d6..acd24857 100644
--- a/workflow-templates/im-run-annotate-app-insights.yml
+++ b/workflow-templates/im-run-annotate-app-insights.yml
@@ -1,4 +1,4 @@
-# Workflow Code: EmpatheticDolphin_v18 DO NOT REMOVE
+# Workflow Code: EmpatheticDolphin_v19 DO NOT REMOVE
 # Purpose:
 # Creates an ad hoc app insights annotation for a specified
 # environment when someone kicks it off manually.
@@ -65,7 +65,7 @@ jobs:
 | Category | `${{ github.event.inputs.category }}` |
 | EventName | `${{ github.event.inputs.eventName }}` |
 | Custom Metadata | `${{ github.event.inputs.customMetadata }}`|' >> $GITHUB_STEP_SUMMARY
-
+
 # For more information and best practices on the usage and options available
 # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions
 - name: Set Variables
diff --git a/workflow-templates/im-run-annotate-pagerduty-template.yml b/workflow-templates/im-run-annotate-pagerduty-template.yml
index c1937952..2d90a3de 100644
--- a/workflow-templates/im-run-annotate-pagerduty-template.yml
+++ b/workflow-templates/im-run-annotate-pagerduty-template.yml
@@ -1,4 +1,4 @@
-# Workflow Code: FierceRabbit_v2 DO NOT REMOVE
+# Workflow Code: FierceRabbit_v3 DO NOT REMOVE
 # Purpose:
 # Creates an ad hoc PagerDuty event annotation for a specified
 # service when someone kicks it off manually.
@@ -33,7 +33,7 @@ on:
 - demo
 - uat
 - prod
-
+
 event:
 description: The event description to record
 required: true
@@ -52,7 +52,7 @@ jobs:
 | --- | --- |
 | Environment | `${{ env.ENVIRONMENT }}` |
 | Event | `${{ github.event.inputs.event }}` |' >> $GITHUB_STEP_SUMMARY
-
+
 - name: Create a change event
 uses: im-open/pagerduty-change-events-action@v1
diff --git a/workflow-templates/im-run-delete-azure-blob.yml b/workflow-templates/im-run-delete-azure-blob.yml
index b214a383..357fb06f 100644
--- a/workflow-templates/im-run-delete-azure-blob.yml
+++ b/workflow-templates/im-run-delete-azure-blob.yml
@@ -1,4 +1,4 @@
-# Workflow Code: ScornfulFlamingo_v7 DO NOT REMOVE
+# Workflow Code: ScornfulFlamingo_v8 DO NOT REMOVE
 # Purpose:
 # Deletes a blob from a specified Azure Storage Account when someone kicks it off manually.
 #
@@ -60,7 +60,7 @@ jobs:
 | Storage Acct | `${{ github.event.inputs.storage-account-name }}` |
 | Container | `${{ github.event.inputs.container-name }}` |
 | Blob Name | `${{ github.event.inputs.blob-name }}` |' >> $GITHUB_STEP_SUMMARY
-
+
 - name: AZ Login
 id: login
 uses: azure/login@v2
diff --git a/workflow-templates/im-run-flyway-repair.yml b/workflow-templates/im-run-flyway-repair.yml
index ed9e31dd..b243767f 100644
--- a/workflow-templates/im-run-flyway-repair.yml
+++ b/workflow-templates/im-run-flyway-repair.yml
@@ -1,4 +1,4 @@
-# Workflow Code: SpiritedGnat_v20 DO NOT REMOVE
+# Workflow Code: SpiritedGnat_v21 DO NOT REMOVE
 # Purpose:
 # Runs a flyway repair command against an Azure SQL or
 # On-Prem Database when someone kicks it off manually.
@@ -58,7 +58,7 @@ jobs:
 | --- | --- |
 | Environment | `${{ env.ENVIRONMENT }}` |
 | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY
-
+
 - name: Checkout Repository
 uses: actions/checkout@v4
 with:
@@ -71,7 +71,7 @@ jobs:
 # TODO: Remove this step if this workflow is run against an on-prem database
 # or if your database uses Azure Active Directory Authentication
-
+
 - name: AZ Login
 id: login
 uses: azure/login@v2
diff --git a/workflow-templates/im-run-start-stop-restart-azure-app.yml b/workflow-templates/im-run-start-stop-restart-azure-app.yml
index f5966187..dffd6f7d 100644
--- a/workflow-templates/im-run-start-stop-restart-azure-app.yml
+++ b/workflow-templates/im-run-start-stop-restart-azure-app.yml
@@ -1,4 +1,4 @@
-# Workflow Code: NeedyPig_v17 DO NOT REMOVE
+# Workflow Code: NeedyPig_v18 DO NOT REMOVE
 # Purpose:
 # Performs a start, stop or restart on an app service in the
 # specified environment when someone kicks it off manually.
@@ -59,14 +59,14 @@ jobs:
 AZ_APP_TYPE: 'webapp' # TODO: If this workflow is for an azure function change the value to 'functionapp'
 steps:
-
+
 - run: |
 echo $'
 | Build Arguments | Value |
 | --- | --- |
 | Environment | `${{ env.ENVIRONMENT }}`|
 | Action | `${{ env.ACTION }}` |' >> $GITHUB_STEP_SUMMARY
-
+
 # For more information and best practices on the usage and options available
 # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions
 - name: Set Variables
@@ -115,7 +115,7 @@ jobs:
 - name: ${{ env.ACTION }} ${{ env.AZ_APP_TYPE }}
 run: az ${{ env.AZ_APP_TYPE }} ${{ env.ACTION }} --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }}
-
+
 - name: Azure logout
 if: always() && steps.login.outcome == 'success'
 run: |
diff --git a/workflow-templates/im-run-tf-destroy.yml b/workflow-templates/im-run-tf-destroy.yml
index fe7ec9f8..2b320596 100644
--- a/workflow-templates/im-run-tf-destroy.yml
+++ b/workflow-templates/im-run-tf-destroy.yml
@@ -1,4 +1,4 @@
-# Workflow Code: HostileMacaw_v27 DO NOT REMOVE
+# Workflow Code: HostileMacaw_v28 DO NOT REMOVE
 # Purpose:
 # Destroys the resources created by a terraform configuration when someone kicks it off manually.
 #
diff --git a/workflow-templates/im-run-tf-import.yml b/workflow-templates/im-run-tf-import.yml
index dcb4f5b5..50cf72a1 100644
--- a/workflow-templates/im-run-tf-import.yml
+++ b/workflow-templates/im-run-tf-import.yml
@@ -1,4 +1,4 @@
-# Workflow Code: DrearyBuck_v21 DO NOT REMOVE
+# Workflow Code: DrearyBuck_v22 DO NOT REMOVE
 # Purpose:
 # Imports a specified resource into the terraform state when someone kicks it off manually.
@@ -82,7 +82,7 @@ jobs:
 | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |
 | Resource Address | `${{ github.event.inputs.tf-resource-address }}` |
 | Resource ID | `${{ github.event.inputs.tf-resource-id }}` |' >> $GITHUB_STEP_SUMMARY
-
+
 - name: Checkout Repository
 uses: actions/checkout@v4
 with:
diff --git a/workflow-templates/im-run-tf-taint.yml b/workflow-templates/im-run-tf-taint.yml
index ee3f3a0f..b8e4f86f 100644
--- a/workflow-templates/im-run-tf-taint.yml
+++ b/workflow-templates/im-run-tf-taint.yml
@@ -1,4 +1,4 @@
-# Workflow Code: GratefulTermite_v18 DO NOT REMOVE
+# Workflow Code: GratefulTermite_v19 DO NOT REMOVE
 # Purpose:
 # Taints a specified terraform resource when someone kicks it off manually.
 #
@@ -78,7 +78,7 @@ jobs:
 | Environment | `${{ env.ENVIRONMENT }}` |
 | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |
 | TF Resource Address | `${{ github.event.inputs.tf-resource-address }}` |' >> $GITHUB_STEP_SUMMARY
-
+
 - name: Checkout Repository
 uses: actions/checkout@v4
 with:
diff --git a/workflow-templates/im-run-unlock-tf-state.yml b/workflow-templates/im-run-unlock-tf-state.yml
index 7120ad48..36fa67de 100644
--- a/workflow-templates/im-run-unlock-tf-state.yml
+++ b/workflow-templates/im-run-unlock-tf-state.yml
@@ -1,4 +1,4 @@
-# Workflow Code: FrazzledFerret_v24 DO NOT REMOVE
+# Workflow Code: FrazzledFerret_v25 DO NOT REMOVE
 # Purpose:
 # Removes a lock from the terraform state when someone kicks it off manually.
 #
@@ -76,8 +76,8 @@ jobs:
 | --- | --- |
 | Lock ID | `${{ github.event.inputs.lock-id }}` |
 | Environment | `${{ env.ENVIRONMENT }}` |
- | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY
-
+ | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY
+
 - name: Checkout Repository
 uses: actions/checkout@v4
 with:
diff --git a/workflow-templates/im-run-validate-deployed-terraform.yml b/workflow-templates/im-run-validate-deployed-terraform.yml
index 4c4508d6..bc7dd12d 100644
--- a/workflow-templates/im-run-validate-deployed-terraform.yml
+++ b/workflow-templates/im-run-validate-deployed-terraform.yml
@@ -1,4 +1,4 @@
-# Workflow Code: ShinySQUIRREL_v24 DO NOT REMOVE
+# Workflow Code: ShinySQUIRREL_v25 DO NOT REMOVE
 # Purpose:
 # Validates that the deployed terraform matches what is supposed to be deployed
 # when it runs at a scheduled time or when someone kicks it off manually.
@@ -119,7 +119,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ steps.get-latest.outputs.VERSION }}
-
+
 # Allows pulling modules from the repo instead of artifactory
 - name: Setup SSH Keys and known_hosts
 uses: im-open/setup-deploy-keys@v1.1
diff --git a/workflow-templates/im-test-k6-ci.yml b/workflow-templates/im-test-k6-ci.yml
index e69e65c9..fdddeb38 100644
--- a/workflow-templates/im-test-k6-ci.yml
+++ b/workflow-templates/im-test-k6-ci.yml
@@ -1,4 +1,4 @@
-# Workflow Code: TroubledJaguar_v5 DO NOT REMOVE
+# Workflow Code: TroubledJaguar_v6 DO NOT REMOVE
 # Purpose:
 # Uses a container to run K6 with the file specified in
 # the workflow when commits are pushed to the main branch.
diff --git a/workflow-templates/im-test-k6-manual.yml b/workflow-templates/im-test-k6-manual.yml
index 46c8ca77..f2994cee 100644
--- a/workflow-templates/im-test-k6-manual.yml
+++ b/workflow-templates/im-test-k6-manual.yml
@@ -1,4 +1,4 @@
-# Workflow Code: ZestyFlamingo_v22 DO NOT REMOVE
+# Workflow Code: ZestyFlamingo_v23 DO NOT REMOVE
 # Purpose:
 # Uses a container to run a K6 stress test against the environment and
 # with the test file the user specifies when they kick it off manually.
diff --git a/workflow-templates/im-test-k6-operator-approval.yml b/workflow-templates/im-test-k6-operator-approval.yml
index 77abbd4d..84255fcf 100644
--- a/workflow-templates/im-test-k6-operator-approval.yml
+++ b/workflow-templates/im-test-k6-operator-approval.yml
@@ -1,4 +1,4 @@
-# Workflow Code: ZestyCrocodile_v9 DO NOT REMOVE
+# Workflow Code: ZestyCrocodile_v10 DO NOT REMOVE
 # Purpose:
 # Runs K6 tests at scale in Azure Kubernetes.
 # With the workflow the user specifies when they kick it off manually.
diff --git a/workflow-templates/im-test-k6-operator.yml b/workflow-templates/im-test-k6-operator.yml
index 65090948..49c7e234 100644
--- a/workflow-templates/im-test-k6-operator.yml
+++ b/workflow-templates/im-test-k6-operator.yml
@@ -1,4 +1,4 @@
-# Workflow Code: ZestyAligator_v30 DO NOT REMOVE
+# Workflow Code: ZestyAligator_v31 DO NOT REMOVE
 # Purpose:
 # Runs K6 tests at scale in Azure Kubernetes.
 # With the workflow the user specifies when they kick it off manually.
@@ -182,7 +182,7 @@ jobs:
 # with:
 # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret
 # orgs: ''
-
+
 - name: NPM Install
 if: steps.has-cache.outputs.cache-hit != 'true'
 working-directory: ${{ env.WORKING_DIRECTORY }}
diff --git a/workflow-templates/im-test-postman.yml b/workflow-templates/im-test-postman.yml
index 010d4520..d02e12ef 100644
--- a/workflow-templates/im-test-postman.yml
+++ b/workflow-templates/im-test-postman.yml
@@ -1,4 +1,4 @@
-# Workflow Code: GuiltyBison_v15 DO NOT REMOVE
+# Workflow Code: GuiltyBison_v16 DO NOT REMOVE
 # Purpose:
 # Runs the Postman script specified in the workflow when someone
 # manually kicks it off or when another workflow triggers it.
From 6a6f2c816df7149d1a56772665e1a5f9137f915e Mon Sep 17 00:00:00 2001
From: Adam Hernandez
Date: Tue, 9 Apr 2024 08:58:13 -0600
Subject: [PATCH 3/4] increment workflow code version numbers by 1
---
 workflow-templates/im-build-db-ci.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/workflow-templates/im-build-db-ci.yml b/workflow-templates/im-build-db-ci.yml
index a73de8dc..3164fed5 100644
--- a/workflow-templates/im-build-db-ci.yml
+++ b/workflow-templates/im-build-db-ci.yml
@@ -1,4 +1,4 @@
-# Workflow Code: GiddyBuzzard_v19 DO NOT REMOVE
+# Workflow Code: GiddyBuzzard_v20 DO NOT REMOVE
 # Purpose:
 # The main purpose of this workflow is to verify that the database can be created, all of the migration scripts can be run, and any tests that exist pass.
 # In addition to that, however, there are three other things this workflow template is set up to do.
@@ -113,17 +113,17 @@ jobs:
 runs-on: im-linux
 needs: [set-vars, lint-migration-files] # TODO: Remove any jobs you deleted above
 if: ${{ needs.set-vars.outputs.should-skip-remaining-workflow-jobs == 'false' }} # TODO: Remove this if there is no snapshot commit that should cause this step to be skipped.
-
+
 env:
 SQL_SERVER_PASSWORD: 'StrongPassword!1'
-
+
 services:
 sqlserver:
 image: mcr.microsoft.com/mssql/server:2022-latest
 ports:
 - 1433:1433
 options: -e "ACCEPT_EULA=Y" -e "MSSQL_SA_PASSWORD=StrongPassword!1"
-
+
 steps:
 - uses: actions/checkout@v4
@@ -222,7 +222,7 @@ jobs:
 ##### End of snapshot steps #####
-
+
 # This allows the next steps to authenticate with and push to GitHub Packages.
 # If you aren't using the steps below you can remove this one.
 # - name: Authenticate with GitHub Packages
From b3623e926e1c25e6af2329fe297834b758f195c7 Mon Sep 17 00:00:00 2001
From: Adam Hernandez
Date: Tue, 9 Apr 2024 08:59:40 -0600
Subject: [PATCH 4/4] increment workflow code version numbers by 1
---
 workflow-templates/im-deploy-techdocs-site.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/workflow-templates/im-deploy-techdocs-site.yml b/workflow-templates/im-deploy-techdocs-site.yml
index 3e4e5589..cafe4cac 100644
--- a/workflow-templates/im-deploy-techdocs-site.yml
+++ b/workflow-templates/im-deploy-techdocs-site.yml
@@ -1,4 +1,4 @@
-# Workflow Code: SparklyToad_v3 DO NOT REMOVE
+# Workflow Code: SparklyToad_v4 DO NOT REMOVE
 # Purpose:
 # Publishes a techdocs site to the storage account where TechHub
 # looks for TechDocs.
@@ -8,7 +8,7 @@
 # to publish multiple docs at once
 #
 # Projects to use this Template with:
-# - Any project with TechDocs
+# - Any project with TechDocs
 name: Publish TechDocs Site
@@ -42,11 +42,11 @@ jobs:
 ACCOUNT_NAME: bdaimpna26techhubsa
 CONTAINER_NAME: techdocs
- # This is project dependent.
+ # This is project dependent.
 # TODO: Replace kind and entity name based on the entity this techdocs site will belong to.
 # The name can be found in catalog-info.yaml.
 ENTITY_NAME: 'default//'
-
+
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -90,4 +90,4 @@ jobs:
 az logout
 az cache purge
 az account clear
-
+