diff --git a/.github/workflows/build-no-cache.yml b/.github/workflows/build-no-cache.yml
index ff67ce728c..e59933244f 100644
--- a/.github/workflows/build-no-cache.yml
+++ b/.github/workflows/build-no-cache.yml
@@ -16,19 +16,24 @@ jobs: - name: set-up-environment uses: DFE-Digital/github-actions/set-up-environment@master + with: + var_file: .github/common_environment_aks.yml - uses: Azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: keyvault-yaml-secret with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK, SNYK-TOKEN - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + inlineScript: | + SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$SLACK_WEBHOOK" + echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT + SNYK_TOKEN=$(az keyvault secret show --name "SNYK-TOKEN" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$SNYK_TOKEN" + echo "SNYK_TOKEN=$SNYK_TOKEN" >> $GITHUB_OUTPUT - name: Set up Docker Buildx uses: docker/setup-buildx-action@master
@@ -67,7 +72,7 @@ jobs: - name: Run Snyk to check Docker image for vulnerabilities uses: snyk/actions/docker@master env: - SNYK_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SNYK-TOKEN }} + SNYK_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SNYK_TOKEN }} with: image: ${{ env.DOCKER_REPOSITORY }}:master args: --severity-threshold=high --file=Dockerfile
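Review bot: The new `Fetch secrets from key vault` inline script keeps going when a lookup fails — `SLACK_WEBHOOK=$(az keyvault secret show …)` leaves the variable empty on error and the next two lines still mask and export an empty output, so the Snyk scan or Slack notification later fails with a far less obvious message (or, for a webhook, posts nowhere) than the vault error would have given. Unless azure/CLI's inlineScript shell already runs with errexit, open the script with `set -euo pipefail` and quote the file, `echo "SNYK_TOKEN=$SNYK_TOKEN" >> "$GITHUB_OUTPUT"`; the `NAME=value >> $GITHUB_OUTPUT` form also does not handle a multi-line value (the runner expects the heredoc form for those), which is fine for tokens and webhook URLs but worth a one-line comment. The identical script is pasted into build.yml (the hunks at -78, -184, -297 and -351), lychee.yml, snyk.yml and trello.yml with only the secret names differing, replacing the one shared `DfE-Digital/keyvault-yaml-secret@v1` step; a local composite action next to `deploy_v2` under `.github/workflows/actions/` taking the vault name and a list of secret names would keep the masking and output handling in one place. Every workflow, including the master-only and nightly ones, now logs in with `AZURE_CREDENTIALS_AKS_REVIEW` and reads `KEY_VAULT_AKS_REVIEW`; if those really are the review environment's principal and vault, a short comment on the first login step saying that the shared CI secrets (Slack, Snyk, Sonar, Trello) live there would pre-empt the question.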
@@ -83,4 +88,4 @@ jobs: SLACK_COLOR: ${{ env.SLACK_ERROR }} SLACK_MESSAGE: 'There has been a failure building the application' SLACK_TITLE: 'Failure Building Application' - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} + SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a282a89dbf..9a050e88ff 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,6 +27,8 @@ jobs: - name: set-up-environment uses: DFE-Digital/github-actions/set-up-environment@master + with: + var_file: .github/common_environment_aks.yml - name: Set up Docker Buildx id: buildx
@@ -78,15 +80,17 @@ jobs: - uses: Azure/login@v1 if: failure() && github.ref == 'refs/heads/master' with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 + - name: Fetch secrets from key vault if: failure() && github.ref == 'refs/heads/master' - id: keyvault-yaml-secret + uses: azure/CLI@v1 + id: keyvault-yaml-secret with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK + inlineScript: | + SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$SLACK_WEBHOOK" + echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT - name: Slack Notification if: failure() && github.ref == 'refs/heads/master'
@@ -95,7 +99,7 @@ jobs: SLACK_COLOR: ${{env.SLACK_ERROR}} SLACK_MESSAGE: 'There has been a failure building the application' SLACK_TITLE: 'Failure Building Application' - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} + SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }} build_release: name: Build release image
@@ -110,6 +114,8 @@ jobs: - name: set-up-environment uses: DFE-Digital/github-actions/set-up-environment@master + with: + var_file: .github/common_environment_aks.yml - name: Set up Docker Buildx id: buildx
@@ -184,15 +190,17 @@ jobs: - uses: Azure/login@v1 if: failure() && github.ref == 'refs/heads/master' with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 + - name: Fetch secrets from key vault if: failure() && github.ref == 'refs/heads/master' - id: keyvault-yaml-secret + uses: azure/CLI@v1 + id: keyvault-yaml-secret with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK + inlineScript: | + SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$SLACK_WEBHOOK" + echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT - name: Slack Notification if: failure() && github.ref == 'refs/heads/master'
@@ -201,7 +209,7 @@ jobs: SLACK_COLOR: ${{env.SLACK_ERROR}} SLACK_MESSAGE: 'There has been a failure building the application' SLACK_TITLE: 'Failure Building Application' - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} + SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
@@ -218,6 +226,8 @@ jobs: - name: set-up-environment uses: DFE-Digital/github-actions/set-up-environment@master + with: + var_file: .github/common_environment_aks.yml - name: Lint SCSS uses: actions-hub/stylelint@master
@@ -261,6 +271,8 @@ jobs: - name: set-up-environment uses: DFE-Digital/github-actions/set-up-environment@master + with: + var_file: .github/common_environment_aks.yml - name: Run Javascript Tests run: |-
@@ -297,17 +309,21 @@ jobs: - name: set-up-environment uses: DFE-Digital/github-actions/set-up-environment@master + with: + var_file: .github/common_environment_aks.yml - uses: Azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: keyvault-yaml-secret with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK + inlineScript: | + SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$SLACK_WEBHOOK" + echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT - name: Prepare DB run: |-
@@ -351,17 +367,21 @@ jobs: - name: set-up-environment uses: DFE-Digital/github-actions/set-up-environment@master + with: + var_file: .github/common_environment_aks.yml - uses: Azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: keyvault-yaml-secret with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SONAR-TOKEN + inlineScript: | + SONAR_TOKEN=$(az keyvault secret show --name "SONAR-TOKEN" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$SONAR_TOKEN" + echo "SONAR_TOKEN=$SONAR_TOKEN" >> $GITHUB_OUTPUT - name: Setup sonarqube uses: warchant/setup-sonar-scanner@v7
@@ -384,7 +404,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: sonar-scanner - -Dsonar.login=${{ steps.keyvault-yaml-secret.outputs.SONAR-TOKEN }} + -Dsonar.login=${{ steps.keyvault-yaml-secret.outputs.SONAR_TOKEN }} -Dsonar.organization=dfe-digital -Dsonar.host.url=https://sonarcloud.io/ -Dsonar.projectKey=DFE-Digital_get-into-teaching-app
@@ -397,56 +417,6 @@ jobs: -Dsonar.ruby.coverage.reportPaths=${{github.workspace}}/code_coverage/coverage.json -Dsonar.ruby.rubocop.reportPaths=${{github.workspace}}/rubocop_results/rubocop-result.json - review: - name: Review Deployment Process - needs: [ build_release ] - if: github.ref != 'refs/heads/master' - runs-on: ubuntu-latest - concurrency: Review_${{github.event.number}} - environment: - name: Review - steps: - - name: Check out the repo - uses: actions/checkout@v4 - - - name: set-up-environment - uses: DFE-Digital/github-actions/set-up-environment@master - - - uses: Azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret - with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK - - - name: Deploy to Review - uses: ./.github/workflows/actions/deploy - id: deploy - with: - environment: Review - sha: ${{ github.sha }} - pr: ${{github.event.number}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - KEY_VAULT: ${{ secrets.KEY_VAULT }} - ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} - - - name: Post sticky pull request comment - uses: marocchino/sticky-pull-request-comment@v2 - with: - recreate: true - header: PAAS - message: Review app deployed to https://${{env.REVIEW_APPLICATION}}-${{github.event.number}}.${{env.DOMAIN}} - - - name: Add Review Label - if: contains(github.event.pull_request.user.login, 'dependabot') == false - uses: actions-ecosystem/action-add-labels@v1 - with: - labels: Review - review_aks: name: Review AKS Deployment Process needs: [ build_release ]
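Review bot: The token is still handed to the scanner as `-Dsonar.login=…` on the command line; recent SonarScanner CLI releases deprecate `sonar.login` in favour of `sonar.token` / the `SONAR_TOKEN` environment variable, and since the step already has an `env:` block, `SONAR_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SONAR_TOKEN }}` there with the `-Dsonar.login` argument dropped keeps the value out of the process argument list as well. Which scanner version `warchant/setup-sonar-scanner@v7` installs is decided outside this hunk, so check it honours the env var before switching. The `run:` scalar continues past the end of the hunk.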
@@ -713,81 +683,11 @@ jobs: HTTP_PASSWORD: ${{ steps.keyvault-yaml-secret.outputs.HTTP_PASSWORD }} MAILSAC_API_KEY: ${{ steps.keyvault-yaml-secret.outputs.MAILSAC_API_KEY }} - production: - name: Production Deployment - runs-on: ubuntu-latest - needs: [ integration_aks, development_aks ] - concurrency: Production - environment: - name: Production - steps: - - name: Check out the repo - uses: actions/checkout@v4 - - - name: set-up-environment - uses: DFE-Digital/github-actions/set-up-environment@master - - - uses: Azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret - with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK, SLACK-RELEASE-NOTE-WEBHOOK - - - name: Get Release Id from Tag - id: tag_id - uses: DFE-Digital/github-actions/DraftReleaseByTag@master - with: - TAG: ${{needs.development.outputs.release_tag}} - TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Publish Release - if: steps.tag_id.outputs.release_id - uses: eregon/publish-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - release_id: ${{steps.tag_id.outputs.release_id}} - - - name: Deploy to Production - uses: ./.github/workflows/actions/deploy - id: deploy - with: - environment: Production - sha: ${{ github.sha }} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - KEY_VAULT: ${{ secrets.KEY_VAULT }} - ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} - - - name: Slack Release Notification - if: steps.tag_id.outputs.release_id - uses: rtCamp/action-slack-notify@master - env: - SLACK_COLOR: ${{env.SLACK_SUCCESS}} - SLACK_TITLE: "Release Published: ${{steps.tag_id.outputs.release_name}}" - SLACK_MESSAGE: ${{ fromJson( steps.tag_id.outputs.release_body) }} - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-RELEASE-NOTE-WEBHOOK }} - MSG_MINIMAL: true - - - name: Slack Notification - if: failure() - uses: rtCamp/action-slack-notify@master - env: - SLACK_COLOR: 
${{env.SLACK_FAILURE}} - SLACK_TITLE: Production Release ${{github.event.title}} - SLACK_MESSAGE: Failure deploying Production release - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} - production_aks: name: Production AKS Deployment runs-on: ubuntu-latest needs: [ integration_aks, development_aks ] concurrency: production_aks - continue-on-error: true environment: name: production_aks steps:
@@ -822,15 +722,13 @@ jobs: TAG: ${{needs.development_aks.outputs.release_tag}} TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Uncomment when migrated from PaaS - # - # - name: Publish Release - # if: steps.tag_id.outputs.release_id - # uses: eregon/publish-release@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # release_id: ${{steps.tag_id.outputs.release_id}} + - name: Publish Release + if: steps.tag_id.outputs.release_id + uses: eregon/publish-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + release_id: ${{steps.tag_id.outputs.release_id}} - name: Deploy to Production AKS uses: ./.github/workflows/actions/deploy_v2
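Review bot: `Publish Release` now runs for real on the AKS path for the first time, and publishing a release with `secrets.GITHUB_TOKEN` needs `contents: write`; none of the hunks shows a `permissions:` block, so if the repository's default token is read-only this step will fail with a 403 on its first run. Declaring `permissions: { contents: write }` on the `production_aks` job (its header is above this hunk) states the requirement explicitly either way. The `if: steps.tag_id.outputs.release_id` guard is the same one the deleted PaaS job used, which is consistent.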
@@ -842,17 +740,15 @@ jobs: KEY_VAULT: ${{ secrets.KEY_VAULT }} ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} - # Uncomment when migrated from PaaS - # - # - name: Slack Release Notification - # if: steps.tag_id.outputs.release_id - # uses: rtCamp/action-slack-notify@master - # env: - # SLACK_COLOR: ${{env.SLACK_SUCCESS}} - # SLACK_TITLE: "Release Published: ${{steps.tag_id.outputs.release_name}}" - # SLACK_MESSAGE: ${{ fromJson( steps.tag_id.outputs.release_body) }} - # SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-RELEASE-NOTE-WEBHOOK }} - # MSG_MINIMAL: true + - name: Slack Release Notification + if: steps.tag_id.outputs.release_id + uses: rtCamp/action-slack-notify@master + env: + SLACK_COLOR: ${{env.SLACK_SUCCESS}} + SLACK_TITLE: "Release Published: ${{steps.tag_id.outputs.release_name}}" + SLACK_MESSAGE: ${{ fromJson( steps.tag_id.outputs.release_body) }} + SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-RELEASE-NOTE-WEBHOOK }} + MSG_MINIMAL: true - name: Slack Notification if: failure()
diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
deleted file mode 100644
index f41ebb520a..0000000000
--- a/.github/workflows/destroy.yml
+++ /dev/null
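Review bot: The uncommented notification reads `steps.keyvault-yaml-secret.outputs.SLACK-RELEASE-NOTE-WEBHOOK`, keeping the hyphenated output name while the rest of this commit moves every other consumer to underscore names (`SLACK_WEBHOOK`, `SNYK_TOKEN`, `SONAR_TOKEN`). The `keyvault-yaml-secret` step of `production_aks` is outside the hunk; if it now uses the inline `az keyvault secret show` pattern its output would be `SLACK_RELEASE_NOTE_WEBHOOK`, this env var would expand to an empty string, and the release announcement would fail or go nowhere — check the name against that step. Separately, `fromJson( steps.tag_id.outputs.release_body)` presumably expects a JSON-encoded string; if a draft release has an empty body the expression errors and fails the job even though the deploy succeeded, so extending the guard to `if: steps.tag_id.outputs.release_id && steps.tag_id.outputs.release_body != ''` (or putting `continue-on-error: true` on this notification step) would be safer.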
@@ -1,45 +0,0 @@ -name: Destroy Review Instance -on: - pull_request: - types: [closed] - -jobs: - destroy: - name: Destroy - environment: - name: Review - runs-on: ubuntu-latest - - concurrency: Review_${{github.event.number}} - - defaults: - run: - shell: bash - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: set-up-environment - uses: DFE-Digital/github-actions/set-up-environment@master - - - name: Setup Environment Variables - id: variables - run: | - echo "pr_name=${{env.REVIEW_APPLICATION}}-${{github.event.number}}" >> $GITHUB_OUTPUT - echo "TF_VAR_paas_app_route_name=${pr_name}" >> $GITHUB_ENV - - - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.2.8 - - - name: Terraform Destroy - run: | - cd terraform/paas && pwd - terraform init -backend-config=review.bk.vars -backend-config="key=${{steps.variables.outputs.pr_name}}.tfstate" - terraform destroy -var-file=review.env.tfvars -auto-approve - env: - ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} - TF_VAR_AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Delete Terraform Storage File - run: az storage blob delete --container-name pass-tfstate --account-name s146d01sgtfstate --account-key ${{secrets.ARM_ACCESS_KEY}} -n ${{steps.variables.outputs.pr_name}}.tfstate
diff --git a/.github/workflows/lychee.yml b/.github/workflows/lychee.yml
index 09da6656eb..8fe20ac2b4 100644
--- a/.github/workflows/lychee.yml
+++ b/.github/workflows/lychee.yml
@@ -24,14 +24,16 @@ jobs: - uses: Azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: keyvault-yaml-secret with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK + inlineScript: | + SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$SLACK_WEBHOOK" + echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT - name: Read Lychee output into var id: lychee-output
@@ -58,4 +60,4 @@ jobs: SLACK_MESSAGE: | ${{ steps.convert.outputs.text }} SLACK_TITLE: 'External link check results:' - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} + SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
diff --git a/.github/workflows/pagespeed.yml b/.github/workflows/pagespeed.yml
index bc3eb6e913..0d5f56adca 100644
--- a/.github/workflows/pagespeed.yml
+++ b/.github/workflows/pagespeed.yml
@@ -1,7 +1,5 @@ name: Run PageSpeed task on: - schedule: - - cron: '0 8 * * *' # 8am daily workflow_dispatch: jobs:
diff --git a/.github/workflows/rm-developers.yml b/.github/workflows/rm-developers.yml
deleted file mode 100644
index 7e479aa54e..0000000000
--- a/.github/workflows/rm-developers.yml
+++ /dev/null
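Review bot: Dropping the `schedule` trigger in pagespeed.yml leaves the PageSpeed task runnable only by hand through `workflow_dispatch`, and nothing in the change says whether that is temporary while the site moves or permanent. A one-line comment above `workflow_dispatch:` — e.g. `# daily schedule removed: <reason>; re-enable with a cron once <condition>` with the real reason filled in — would stop the next maintainer from either re-adding the cron blindly or deleting the workflow as dead.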
@@ -1,48 +0,0 @@ -name: Check users in space developer role - -on: - workflow_dispatch: - schedule: # Midnight every day - - cron: '0 0 * * *' - -jobs: - CHECK-SPACE-USER: - runs-on: ubuntu-latest - environment: - Production - - steps: - - uses: Azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret - with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: PAAS-USERNAME, PAAS-PASSWORD, SLACK-WEBHOOK, PAAS-USER-WHITELIST, PAAS-SPACE - - - uses: DFE-Digital/github-actions/setup-cf-cli@master - with: - CF_USERNAME: ${{ steps.keyvault-yaml-secret.outputs.PAAS-USERNAME }} - CF_PASSWORD: ${{ steps.keyvault-yaml-secret.outputs.PAAS-PASSWORD }} - CF_SPACE_NAME: ${{ steps.keyvault-yaml-secret.outputs.PAAS-SPACE }} - CF_ORG_NAME: dfe - CF_API_URL: https://api.london.cloud.service.gov.uk - INSTALL_CONDUIT: false - - - name: Checkout Repo - uses: actions/checkout@v4 - with: - repository: DFE-Digital/bat-infrastructure - path: ./remote-checkout - - - name: Run powershell script - shell: pwsh - run: | - ./remote-checkout/scripts/check-users-in-space-developer-role.ps1 ` - -Space "${{ steps.keyvault-yaml-secret.outputs.PAAS-SPACE }}" ` - -SlackWebhook "${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }}" ` - -Unset ` - -Whitelist "${{ steps.keyvault-yaml-secret.outputs.PAAS-USER-WHITELIST }}"
diff --git a/.github/workflows/sha.yml b/.github/workflows/sha.yml
index 08695e7ab4..9e45090244 100644
--- a/.github/workflows/sha.yml
+++ b/.github/workflows/sha.yml
@@ -27,13 +27,15 @@ jobs: - name: set-up-environment uses: DFE-Digital/github-actions/set-up-environment@master + with: + var_file: .github/common_environment_aks.yml - uses: Azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} - name: Deploy to ${{github.event.inputs.environment}} - uses: ./.github/workflows/actions/deploy + uses: ./.github/workflows/actions/deploy_v2 id: deploy with: environment: ${{ github.event.inputs.environment }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index 45966c8c69..cda4042e26 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
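Review bot: The workflow_dispatch deploy in sha.yml now logs in with `secrets.AZURE_CREDENTIALS_AKS_REVIEW` whatever `github.event.inputs.environment` is, while the `Deploy to …` step's `with:` block (continuing past the hunk) presumably passes its own `AZURE_CREDENTIALS`/`KEY_VAULT` to `deploy_v2`, as the deleted deploy jobs did. If `deploy_v2` performs its own `Azure/login`, the login step before it is redundant for non-review targets; if it relies on the ambient login instead, a production deploy triggered from here would run under the review principal. Either way, a one-line comment on the login step stating which environments this workflow is meant to target, or an `if:` on the input, would make the intent explicit.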
@@ -14,22 +14,29 @@ jobs: - name: set-up-environment uses: DFE-Digital/github-actions/set-up-environment@master + with: + var_file: .github/common_environment_aks.yml - uses: Azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: keyvault-yaml-secret with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK, SNYK-TOKEN + inlineScript: | + SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$SLACK_WEBHOOK" + echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT + SNYK_TOKEN=$(az keyvault secret show --name "SNYK-TOKEN" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$SNYK_TOKEN" + echo "SNYK_TOKEN=$SNYK_TOKEN" >> $GITHUB_OUTPUT - name: Run Snyk to check Docker image for vulnerabilities uses: snyk/actions/docker@master env: - SNYK_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SNYK-TOKEN }} + SNYK_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SNYK_TOKEN }} with: image: ${{ env.DOCKER_REPOSITORY }}:master args: --severity-threshold=high --file=Dockerfile --exclude-app-vulns
@@ -45,4 +52,4 @@ jobs: SLACK_COLOR: ${{env.SLACK_ERROR}} SLACK_TITLE: Failure with Nightly Anchore Security Scan SLACK_MESSAGE: Failure Nightly Anchore Security Scan for ${{env.APPLICATION}} - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} + SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}
diff --git a/.github/workflows/trello.yml b/.github/workflows/trello.yml
index 3e6e07efe2..38275702af 100644
--- a/.github/workflows/trello.yml
+++ b/.github/workflows/trello.yml
@@ -12,19 +12,24 @@ jobs: steps: - uses: Azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS_AKS_REVIEW }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: keyvault-yaml-secret with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: TRELLO-KEY , TRELLO-TOKEN + inlineScript: | + TRELLO_KEY=$(az keyvault secret show --name "TRELLO-KEY" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$TRELLO_KEY" + echo "TRELLO_KEY=$TRELLO_KEY" >> $GITHUB_OUTPUT + TRELLO_TOKEN=$(az keyvault secret show --name "TRELLO-TOKEN" --vault-name "${{ secrets.KEY_VAULT_AKS_REVIEW }}" --query "value" -o tsv) + echo "::add-mask::$TRELLO_TOKEN" + echo "TRELLO_TOKEN=$TRELLO_TOKEN" >> $GITHUB_OUTPUT - name: Add Trello Comment uses: DFE-Digital/github-actions/AddTrelloComment@master with: MESSAGE: ${{ github.event.pull_request.html_url }} CARD: "${{ github.event.pull_request.body }}" - TRELLO-KEY: ${{ steps.keyvault-yaml-secret.outputs.TRELLO-KEY }} - TRELLO-TOKEN: ${{ steps.keyvault-yaml-secret.outputs.TRELLO-TOKEN }} + TRELLO-KEY: ${{ steps.keyvault-yaml-secret.outputs.TRELLO_KEY }} + TRELLO-TOKEN: ${{ steps.keyvault-yaml-secret.outputs.TRELLO_TOKEN }}
diff --git a/terraform/aks/config/production_aks.tfvars.json b/terraform/aks/config/production_aks.tfvars.json
index 03ec99fddf..ba6758af88 100644
--- a/terraform/aks/config/production_aks.tfvars.json
+++ b/terraform/aks/config/production_aks.tfvars.json
@@ -3,7 +3,7 @@ "namespace": "git-production", "environment": "production", "internet_hostnames": [ "getintoteaching" ], - "basic_auth": 1, + "basic_auth": 0, "replicas": 6, "postgres_enable_high_availability": true, "postgres_flexible_server_sku": "GP_Standard_D2ds_v4",
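Review bot: `"basic_auth": 0` in production_aks.tfvars.json removes the HTTP basic-auth gate from the production AKS deployment, which is the step that makes the cluster-hosted site publicly reachable; it lands in the same commit as the origin switch to `get-into-teaching-app-production.teacherservices.cloud`, so the two are at least in step. A tfvars.json file cannot carry a comment, so the commit or PR description should record that the gate was dropped deliberately at go-live rather than leaving a later reader to decide whether it is a misconfiguration.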
diff --git a/terraform/domains/environment_domains/config/production.tfvars.json b/terraform/domains/environment_domains/config/production.tfvars.json
index 75bc2314d4..4ef376d109 100644
--- a/terraform/domains/environment_domains/config/production.tfvars.json
+++ b/terraform/domains/environment_domains/config/production.tfvars.json
@@ -10,7 +10,7 @@ "/packs/*" ], "environment_short": "pd", - "origin_hostname": "get-into-teaching-app-prod.london.cloudapps.digital", + "origin_hostname": "get-into-teaching-app-production.teacherservices.cloud", "null_host_header": false, "cnames": { "_868153fdedc73d7ab612304d7f6c2644": {