sbcq-202 : Keyclock Audit script #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pull Request Deploy | |
on: | |
pull_request: | |
push: | |
workflow_dispatch: | |
inputs: | |
pr-number: | |
description: "Pull Request Number:" | |
type: string | |
required: true | |
namespace: | |
description: "Deploy To:" | |
type: choice | |
required: true | |
options: | |
- The Q Dev | |
- QMS Dev | |
- The Q Test | |
jobs: | |
##### SETUP ################################################################## | |
parse-inputs: | |
name: refs/pull/${{ github.event.pull_request.number }}/head to ${{ github.event.inputs.namespace }} | |
runs-on: ubuntu-latest | |
outputs: | |
environment: ${{ steps.parse.outputs.environment }} | |
image-tag: ${{ steps.parse.outputs.image-tag }} | |
push-qms: ${{ steps.parse.outputs.push-qms }} | |
push-theq: ${{ steps.parse.outputs.push-theq }} | |
ref: ${{ steps.parse.outputs.ref }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v2 | |
# Use the input values to create more coding-friendly values. | |
- name: Parse Inputs | |
id: parse | |
run: | | |
# Gets "dev" or "test". | |
ENVIRONMENT=$(echo ${{ github.event.inputs.namespace }} | \ | |
awk -F' ' '{print $NF}' | tr '[:upper:]' '[:lower:]') | |
echo ENVIRONMENT:$ENVIRONMENT | |
echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT | |
IMAGE_TAG=${{ github.event.pull_request.number }} | |
echo IMAGE_TAG:$IMAGE_TAG | |
echo "image-tag=$IMAGE_TAG" >> $GITHUB_OUTPUT | |
if [ $GITHUB_REPOSITORY_OWNER != "bcgov" ]; then | |
# Never push in forks - useful and safer for development. | |
PUSH_QMS=false | |
PUSH_THEQ=false | |
elif [[ "${{ github.event.inputs.namespace }}" == QMS* ]]; then | |
PUSH_QMS=true | |
PUSH_THEQ=false | |
else | |
PUSH_QMS=false | |
PUSH_THEQ=true | |
fi | |
echo PUSH_QMS:$PUSH_QMS | |
echo "push-qms=$PUSH_QMS" >> $GITHUB_OUTPUT | |
echo PUSH_THEQ:$PUSH_THEQ | |
echo "push-theq=$PUSH_THEQ" >> $GITHUB_OUTPUT | |
REF=refs/pull/${{ github.event.pull_request.number }}/head | |
echo REF:$REF | |
echo "ref=$REF" >> $GITHUB_OUTPUT | |
##### TEST ################################################################### | |
appointment-frontend-cypress: | |
name: Appointment Frontend Cypress | |
needs: parse-inputs | |
uses: ./.github/workflows/tyu-reusable-appointment-frontend-cypress.yaml | |
secrets: | |
bceid-endpoint: ${{ secrets.CYPRESS_BCEID_ENDPOINT }} | |
bceid-password: ${{ secrets.CYPRESS_BCEID_PASSWORD }} | |
bceid-username: ${{ secrets.CYPRESS_BCEID_USERNAME }} | |
cypress-project-id: ${{ secrets.CYPRESS_PROJECT_ID }} | |
cypress-record-key: ${{ secrets.CYPRESS_RECORD_KEY }} | |
keycloak-auth-url: ${{ secrets.KEYCLOAK_AUTH_URL_DEV }}/auth/ | |
keycloak-client: ${{ secrets.KEYCLOAK_APPOINTMENTS_FRONTEND_CLIENT }} | |
keycloak-realm: ${{ secrets.KEYCLOAK_REALM }} | |
with: | |
ref: ${{ needs.parse-inputs.outputs.ref }} | |
##### BUILD ################################################################## | |
appointment-frontend: | |
name: appointment-frontend | |
needs: [parse-inputs, appointment-frontend-cypress] | |
uses: ./.github/workflows/reusable-build-dockerfile.yaml | |
secrets: | |
artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }} | |
artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }} | |
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools | |
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }} | |
namespace-theq-username: ${{ secrets.SA_USERNAME }} | |
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools | |
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }} | |
namespace-qms-username: ${{ secrets.SA_USERNAME }} | |
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }} | |
with: | |
ref: ${{ needs.parse-inputs.outputs.ref }} | |
directory: appointment-frontend | |
image-name: appointment-nginx-frontend | |
image-tags: ${{ needs.parse-inputs.outputs.image-tag }} | |
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }} | |
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }} | |
feedback-api: | |
name: feedback-api | |
needs: [parse-inputs, appointment-frontend-cypress] | |
uses: ./.github/workflows/reusable-build-s2i.yaml | |
secrets: | |
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools | |
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }} | |
namespace-theq-username: ${{ secrets.SA_USERNAME }} | |
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools | |
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }} | |
namespace-qms-username: ${{ secrets.SA_USERNAME }} | |
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }} | |
with: | |
ref: ${{ needs.parse-inputs.outputs.ref }} | |
directory: feedback-api | |
image-name: feedback-api | |
image-tags: ${{ needs.parse-inputs.outputs.image-tag }} | |
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }} | |
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }} | |
notifications-api: | |
name: notifications-api | |
needs: [parse-inputs, appointment-frontend-cypress] | |
uses: ./.github/workflows/reusable-build-s2i.yaml | |
secrets: | |
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools | |
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }} | |
namespace-theq-username: ${{ secrets.SA_USERNAME }} | |
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools | |
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }} | |
namespace-qms-username: ${{ secrets.SA_USERNAME }} | |
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }} | |
with: | |
ref: ${{ needs.parse-inputs.outputs.ref }} | |
directory: notifications-api | |
image-name: notifications-api | |
image-tags: ${{ needs.parse-inputs.outputs.image-tag }} | |
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }} | |
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }} | |
queue-management-api: | |
name: queue-management-api | |
needs: [parse-inputs, appointment-frontend-cypress] | |
uses: ./.github/workflows/reusable-build-s2i.yaml | |
secrets: | |
artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }} | |
artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }} | |
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools | |
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }} | |
namespace-theq-username: ${{ secrets.SA_USERNAME }} | |
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools | |
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }} | |
namespace-qms-username: ${{ secrets.SA_USERNAME }} | |
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }} | |
with: | |
ref: ${{ needs.parse-inputs.outputs.ref }} | |
directory: api | |
image-name: queue-management-api | |
image-tags: ${{ needs.parse-inputs.outputs.image-tag }} | |
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }} | |
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }} | |
queue-management-frontend: | |
name: queue-management-frontend | |
needs: [parse-inputs, appointment-frontend-cypress] | |
uses: ./.github/workflows/reusable-build-dockerfile.yaml | |
secrets: | |
artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }} | |
artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }} | |
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools | |
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }} | |
namespace-theq-username: ${{ secrets.SA_USERNAME }} | |
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools | |
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }} | |
namespace-qms-username: ${{ secrets.SA_USERNAME }} | |
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }} | |
with: | |
ref: ${{ needs.parse-inputs.outputs.ref }} | |
directory: frontend | |
image-name: queue-management-nginx-frontend | |
image-tags: ${{ needs.parse-inputs.outputs.image-tag }} | |
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }} | |
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }} | |
send-appointment-reminder-crond: | |
name: send-appointment-reminder-crond | |
needs: [parse-inputs, appointment-frontend-cypress] | |
uses: ./.github/workflows/reusable-build-dockerfile.yaml | |
secrets: | |
artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }} | |
artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }} | |
artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }} | |
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools | |
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }} | |
namespace-theq-username: ${{ secrets.SA_USERNAME }} | |
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools | |
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }} | |
namespace-qms-username: ${{ secrets.SA_USERNAME }} | |
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }} | |
with: | |
ref: ${{ needs.parse-inputs.outputs.ref }} | |
directory: jobs/appointment_reminder | |
image-name: send-appointment-reminder-crond | |
image-tags: ${{ needs.parse-inputs.outputs.image-tag }} | |
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }} | |
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }} | |
##### DEPLOY ################################################################# | |
tag: | |
name: Tag | |
if: github.repository_owner == 'bcgov' | |
needs: [parse-inputs, appointment-frontend, feedback-api, notifications-api, queue-management-api, queue-management-frontend, send-appointment-reminder-crond] | |
uses: ./.github/workflows/reusable-tag-image.yaml | |
secrets: | |
licence-plate: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.LICENCE_PLATE_QMS || secrets.LICENCE_PLATE_THEQ }} | |
openshift-api: ${{ secrets.OPENSHIFT_API }} | |
token: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.SA_PASSWORD_QMS_TOOLS || secrets.SA_PASSWORD_THEQ_TOOLS }} | |
with: | |
image-names: appointment-nginx-frontend feedback-api notifications-api queue-management-api queue-management-nginx-frontend send-appointment-reminder-crond | |
tag-from: ${{ needs.parse-inputs.outputs.image-tag }} | |
tag-to: ${{ needs.parse-inputs.outputs.environment }} | |
wait-for-rollouts: | |
name: Wait for Rollouts | |
if: github.repository_owner == 'bcgov' | |
needs: [parse-inputs, tag] | |
uses: ./.github/workflows/reusable-wait-for-rollouts.yaml | |
secrets: | |
licence-plate: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.LICENCE_PLATE_QMS || secrets.LICENCE_PLATE_THEQ }} | |
openshift-api: ${{ secrets.OPENSHIFT_API }} | |
token: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.SA_PASSWORD_QMS_DEV || ( needs.parse-inputs.outputs.environment == 'dev' && secrets.SA_PASSWORD_THEQ_DEV || secrets.SA_PASSWORD_THEQ_TEST ) }} | |
with: | |
image-names: appointment-nginx-frontend feedback-api notifications-api queue-management-api queue-management-nginx-frontend send-appointment-reminder-crond-${{ needs.parse-inputs.outputs.environment }} | |
tag-to: ${{ needs.parse-inputs.outputs.environment }} | |
##### TEST ################################################################### | |
# Only run Newman for The Q dev - other environments will fail due to data. | |
newman-theq-dev: | |
name: Newman Tests | |
if: github.event.inputs.namespace == 'The Q Dev' | |
needs: [parse-inputs, wait-for-rollouts] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out | |
uses: actions/checkout@v2 | |
- name: NPM Install | |
run: | | |
cd api/postman | |
npm install newman | |
- name: Run Newman Tests | |
run: | | |
cd api/postman | |
node_modules/newman/bin/newman.js run API_Test_TheQ_Booking.json \ | |
-e postman_env.json \ | |
--delay-request 250 \ | |
--global-var 'auth_url=${{ vars.POSTMAN_AUTH_URL_DEV }}' \ | |
--global-var 'client_secret=${{ secrets.POSTMAN_CLIENT_SECRET_DEV }}' \ | |
--global-var 'clientid=${{ vars.POSTMAN_CLIENTID_DEV }}' \ | |
--global-var 'password=${{ secrets.POSTMAN_PASSWORD }}' \ | |
--global-var 'password_nonqtxn=${{ secrets.POSTMAN_PASSWORD_NONQTXN }}' \ | |
--global-var 'public_url=${{ vars.POSTMAN_PUBLIC_API_URL_THEQ_DEV }}' \ | |
--global-var 'public_user_id=${{ vars.POSTMAN_PUBLIC_USERID }}' \ | |
--global-var 'public_user_password=${{ secrets.POSTMAN_PASSWORD_PUBLIC_USER }}' \ | |
--global-var 'realm=${{ vars.POSTMAN_REALM }}' \ | |
--global-var 'url=${{ vars.POSTMAN_API_URL_THEQ_DEV }}' \ | |
--global-var 'userid=${{ vars.POSTMAN_USERID }}' \ | |
--global-var 'userid_nonqtxn=${{ vars.POSTMAN_USERID_NONQTXN }}' | |
owasp-staff: | |
name: OWASP ZAP Scan of Staff Frontend | |
needs: [parse-inputs, wait-for-rollouts] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Get Parameters | |
run: | | |
if [ ${{ needs.parse-inputs.outputs.push-qms }} == true ]; then | |
echo "ZAP_URL=${{ secrets.ZAP_STAFFURL_QMS_DEV }}" >> $GITHUB_ENV | |
elif [ ${{ needs.parse-inputs.outputs.environment }} == dev ]; then | |
echo "ZAP_URL=${{ secrets.ZAP_STAFFURL_THEQ_DEV }}" >> $GITHUB_ENV | |
else | |
echo "ZAP_URL=${{ secrets.ZAP_STAFFURL_THEQ_TEST }}" >> $GITHUB_ENV | |
fi | |
- name: OWASP ZAP Scan | |
uses: zaproxy/[email protected] | |
with: | |
allow_issue_writing: false | |
cmd_options: '-z "-config scanner.threadPerHost=20"' | |
target: ${{ env.ZAP_URL }} | |
- name: Upload Report as Artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: OWASP ZAP - Staff Front End Report | |
path: report_html.html | |
owasp-appointment: | |
name: OWASP ZAP Scan of Appointment Frontend | |
needs: [parse-inputs, wait-for-rollouts] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Get Parameters | |
run: | | |
if [ ${{ needs.parse-inputs.outputs.push-qms }} == true ]; then | |
echo "ZAP_URL=${{ secrets.ZAP_APPTMNTURL_QMS_DEV }}" >> $GITHUB_ENV | |
elif [ ${{ needs.parse-inputs.outputs.environment }} == dev ]; then | |
echo "ZAP_URL=${{ secrets.ZAP_APPTMNTURL_THEQ_DEV }}" >> $GITHUB_ENV | |
else | |
echo "ZAP_URL=${{ secrets.ZAP_APPTMNTURL_THEQ_TEST }}" >> $GITHUB_ENV | |
fi | |
- name: OWASP ZAP Scan | |
uses: zaproxy/[email protected] | |
with: | |
allow_issue_writing: false | |
cmd_options: '-z "-config scanner.threadPerHost=20"' | |
target: ${{ env.ZAP_URL }} | |
- name: Upload Report as Artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: OWASP ZAP - Appointment Front End Report | |
path: report_html.html |