Merge pull request #113 from opencrvs/release-v1.5.0

Release v1.5.0
opencrvs · Jul 10, 2024 · 8c36386 · 8c36386
2 parents 68dc11e + 35c6e52
commit 8c36386
Show file tree

Hide file tree

Showing 95 changed files with 2,211 additions and 1,465 deletions.
diff --git a/.github/workflows/clear-environment.yml b/.github/workflows/clear-environment.yml
@@ -21,7 +21,7 @@ jobs:
   reset-data:
     name: 'Reset data'
     environment: ${{ github.event.inputs.environment }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     timeout-minutes: 60
     steps:
       - name: Clone country config resource package
@@ -49,7 +49,12 @@ jobs:
           HOST: ${{ vars.DOMAIN }}
           ENV: ${{ vars.ENVIRONMENT_TYPE }}
           SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
+          # SSH_HOST was moved from a secret to a variable in OpenCRVS 1.5.0
+          # @todo @deprecated remove the fallback to secrets.SSH_HOST in OpenCRVS 1.7.0
+          SSH_HOST: ${{ vars.SSH_HOST || secrets.SSH_HOST }}
+          # SSH_PORT was moved from a secret to a variable in OpenCRVS 1.5.0
+          # @todo @deprecated remove the fallback to secrets.SSH_PORT in OpenCRVS 1.7.0
+          SSH_PORT: ${{ vars.SSH_PORT || secrets.SSH_PORT }}
           REPLICAS: ${{ vars.REPLICAS }}
           MONGODB_ADMIN_USER: ${{ secrets.MONGODB_ADMIN_USER }}
           MONGODB_ADMIN_PASSWORD: ${{ secrets.MONGODB_ADMIN_PASSWORD }}
@@ -58,7 +63,7 @@ jobs:
           MINIO_ROOT_PASSWORD: ${{ secrets.MINIO_ROOT_PASSWORD }}
           SSH_ARGS: ${{ vars.SSH_ARGS }}
         run: |
-          ssh $SSH_USER@$SSH_HOST $SSH_ARGS "
+          ssh -p $SSH_PORT $SSH_USER@$SSH_HOST $SSH_ARGS "
             ELASTICSEARCH_ADMIN_USER=elastic \
             ELASTICSEARCH_ADMIN_PASSWORD=$ELASTICSEARCH_SUPERUSER_PASSWORD \
             MONGODB_ADMIN_USER=$MONGODB_ADMIN_USER \
@@ -69,7 +74,7 @@ jobs:
 
           echo "Running migrations..."
           echo
-          ssh $SSH_USER@$SSH_HOST $SSH_ARGS "
+          ssh -p $SSH_PORT $SSH_USER@$SSH_HOST $SSH_ARGS "
               ELASTICSEARCH_ADMIN_USER=elastic \
               ELASTICSEARCH_ADMIN_PASSWORD=$ELASTICSEARCH_SUPERUSER_PASSWORD \
               /opt/opencrvs/infrastructure/run-migrations.sh"
diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
@@ -14,15 +14,15 @@ on:
       core-image-tag:
         description: Core DockerHub image tag
         required: true
-        default: 'v1.4.1'
+        default: 'v1.5.0'
       countryconfig-image-tag:
         description: Your Country Config DockerHub image tag
         required: true
 
 jobs:
   deploy:
     environment: ${{ github.event.inputs.environment }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     timeout-minutes: 60
     steps:
       - uses: trstringer/manual-approval@v1
@@ -75,7 +75,7 @@ jobs:
           echo "KNOWN_HOSTS=" >> $GITHUB_ENV
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
@@ -142,7 +142,8 @@ jobs:
           --clear_data=no \
           --environment=${{ github.event.inputs.environment }} \
           --host=${{ vars.DOMAIN }} \
-          --ssh_host=${{ secrets.SSH_HOST }} \
+          --ssh_host=${{ vars.SSH_HOST || secrets.SSH_HOST }} \
+          --ssh_port=${{ vars.SSH_PORT || secrets.SSH_PORT }} \
           --ssh_user=${{ secrets.SSH_USER }} \
           --version=${{ github.event.inputs.core-image-tag }} \
           --country_config_version=${{ github.event.inputs.countryconfig-image-tag }} \

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -15,22 +15,18 @@ on:
       core-image-tag:
         description: Core DockerHub image tag
         required: true
-        default: 'v1.4.1'
+        default: 'v1.5.0'
       countryconfig-image-tag:
         description: Your Country Config DockerHub image tag
         required: true
       reset:
         type: boolean
         description: Reset the environment
         default: false
-      debug:
-        type: boolean
-        description: Open SSH session to the runner after deployment
-        default: false
 jobs:
   deploy:
     environment: ${{ github.event.inputs.environment }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     outputs:
       outcome: ${{ steps.deploy.outcome }}
     timeout-minutes: 60
@@ -77,7 +73,7 @@ jobs:
           echo "KNOWN_HOSTS=" >> $GITHUB_ENV
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
@@ -139,23 +135,19 @@ jobs:
 
       - name: Deploy to ${{ github.event.inputs.environment }}
         id: deploy
-        continue-on-error: ${{ github.event.inputs.debug == 'true' }}
         run: |
           cd ./${{ github.event.repository.name }}
           yarn deploy \
           --clear_data=no \
           --environment=${{ github.event.inputs.environment }} \
           --host=${{ vars.DOMAIN }} \
-          --ssh_host=${{ secrets.SSH_HOST }} \
+          --ssh_host=${{ vars.SSH_HOST || secrets.SSH_HOST }} \
+          --ssh_port=${{ vars.SSH_PORT || secrets.SSH_PORT }} \
           --ssh_user=${{ secrets.SSH_USER }} \
           --version=${{ github.event.inputs.core-image-tag }} \
           --country_config_version=${{ github.event.inputs.countryconfig-image-tag }} \
           --replicas=${{ vars.REPLICAS }}
 
-      - name: Setup tmate session
-        uses: mxschmitt/action-tmate@v3
-        if: ${{ github.event.inputs.debug == 'true' }}
-
   reset:
     needs: deploy
     if: ${{ github.event.inputs.reset == 'true' && needs.deploy.outputs.outcome == 'success' }}

diff --git a/.github/workflows/get-secret-from-environment.yml b/.github/workflows/get-secret-from-environment.yml
@@ -0,0 +1,87 @@
+name: Reusable Fetch Secret Workflow
+
+on:
+  workflow_call:
+    inputs:
+      secret_name:
+        required: true
+        type: string
+      env_name:
+        required: true
+        type: string
+    outputs:
+      secret_value:
+        description: 'Secret value, encrypted with the encryption key'
+        value: ${{ jobs.fetch-credentials.outputs.secret_value }}
+      environment_exists:
+        description: 'Whether the environment exists or not'
+        value: ${{ jobs.check-environment.outputs.environment_exists }}
+    secrets:
+      gh_token:
+        required: true
+      encryption_key:
+        required: true
+      # All secrets that are we want to allow access to need
+      # to be defined in this list
+      BACKUP_ENCRYPTION_PASSPHRASE:
+        required: false
+      SSH_KEY:
+        required: false
+
+jobs:
+  check-environment:
+    name: Check if Environment Exists
+    runs-on: ubuntu-22.04
+    outputs:
+      environment_exists: ${{ steps.check-env.outputs.exists }}
+    steps:
+      - name: Check if GITHUB_TOKEN is set
+        id: check-token
+        run: |
+          if [ -z "${{ secrets.gh_token }}" ]; then
+            echo "Environment secret GITHUB_TOKEN is not set. Make sure you add a correct Github API token before running this pipeline."
+            exit 1
+          fi
+
+      - name: Check if environment exists
+        id: check-env
+        run: |
+          ENV_NAME="${{ inputs.env_name }}"
+          RESPONSE=$(curl -s -H "Authorization: Bearer ${{ secrets.gh_token }}" \
+                            "https://api.github.com/repos/${{ github.repository }}/environments/$ENV_NAME")
+          if echo "$RESPONSE" | grep -q '"name": "'$ENV_NAME'"'; then
+            echo "Environment $ENV_NAME exists."
+            echo "::set-output name=exists::true"
+          else
+            echo "Environment $ENV_NAME does not exist."
+            echo "::set-output name=exists::false"
+          fi
+
+  fetch-credentials:
+    name: Fetch Secret
+    runs-on: ubuntu-22.04
+    environment: ${{ inputs.env_name }}
+    needs: check-environment
+    # Without this Github actions will create the environment when it doesnt exist
+    if: needs.check-environment.outputs.environment_exists == 'true'
+    outputs:
+      secret_value: ${{ steps.fetch-credentials.outputs.secret_value }}
+    steps:
+      - name: Fetch the secret
+        id: fetch-credentials
+        env:
+          SECRET_NAME: ${{ inputs.secret_name }}
+        run: |
+          SECRET_VALUE="${{ secrets[env.SECRET_NAME] }}"
+          if [ -z "$SECRET_VALUE" ]; then
+            echo "Secret ${{ inputs.secret_name }} is empty. Usually this means you have not explicitly stated the secrets"
+            echo "in both the workflow file get-secrets-from-environment and in the file you are using the reusable workflow from."
+            echo "Please make sure you have added the secret to the workflow files and retry."
+            exit 1
+          fi
+          echo -n "$SECRET_VALUE" | openssl enc -aes-256-cbc -pbkdf2 -salt -k "${{ secrets.encryption_key }}" -out encrypted_key.bin
+          ENCODED_ENCRYPTED_SECRET=$(base64 < encrypted_key.bin)
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          echo "secret_value<<$EOF" >> $GITHUB_OUTPUT
+          echo "$ENCODED_ENCRYPTED_SECRET" >> $GITHUB_OUTPUT
+          echo "$EOF" >> $GITHUB_OUTPUT