diff --git a/.circleci/config.yml b/.circleci/config.yml
index f607d9864..f1093e7f1 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,11 +1,14 @@
 version: 2.1 + orbs: hmpps: ministryofjustice/hmpps@7.1.0 slack: circleci/slack@4.12.1 + parameters: alerts-slack-channel: type: string default: pecs-dev + aliases: - ¬ify_slack_on_failure slack/notify: 
@@ -44,15 +47,111 @@ aliases: - ¬ify_slack_on_release_start slack/notify: channel: $BUILD_NOTIFICATIONS_CHANNEL_ID - custom: '{ "blocks": [ { "type": "section", "fields": [ { "type": "mrkdwn", "text": "*API is being prepared for release :building_construction:*" } ] }, { "type": "section", "text": { "type": "mrkdwn", "text": "A new release was created by ${CIRCLE_USERNAME}" }, "fields": [ { "type": "mrkdwn", "text": "@here" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "Changelog" }, "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/blob/main/CHANGELOG.md" } ] } ] }' + custom: '{ + "blocks": [ + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*API is being prepared for release :building_construction:*" + } + ] + }, + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "A new release was created by ${CIRCLE_USERNAME}" + }, + "fields": [ + { + "type": "mrkdwn", + "text": "@here" + } + ] + }, + { + "type": "actions", + "elements": [ + { + "type": "button", + "text": { + "type": "plain_text", + "text": "Changelog" + }, + "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/blob/main/CHANGELOG.md" + } + ] + } + ] + }' - ¬ify_slack_of_approval slack/notify: channel: $BUILD_NOTIFICATIONS_CHANNEL_ID - custom: '{ "blocks": [ { "type": "section", "text": { "type": "mrkdwn", "text": "API release *requires your approval* before it can be deployed :eyes:" }, "fields": [ { "type": "mrkdwn", "text": "${BUILD_NOTIFICATIONS_MENTION_ID}" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "View Workflow" }, "url": "https://circleci.com/workflow-run/${CIRCLE_WORKFLOW_ID}" } ] } ] }' + custom: '{ + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "API release *requires your approval* before it can be deployed :eyes:" + }, + "fields": [ + { + "type": "mrkdwn", + "text": 
"${BUILD_NOTIFICATIONS_MENTION_ID}" + } + ] + }, + { + "type": "actions", + "elements": [ + { + "type": "button", + "text": { + "type": "plain_text", + "text": "View Workflow" + }, + "url": "https://circleci.com/workflow-run/${CIRCLE_WORKFLOW_ID}" + } + ] + } + ] + }' - ¬ify_slack_on_release_end slack/notify: channel: $BUILD_NOTIFICATIONS_CHANNEL_ID - custom: '{ "blocks": [ { "type": "section", "text": { "type": "mrkdwn", "text": "*API has been deployed* :rocket:" }, "fields": [ { "type": "mrkdwn", "text": "@here This release was successfully deployed to production" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "Release" }, "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/releases" } ] } ] }' + custom: '{ + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "*API has been deployed* :rocket:" + }, + "fields": [ + { + "type": "mrkdwn", + "text": "@here This release was successfully deployed to production" + } + ] + }, + { + "type": "actions", + "elements": [ + { + "type": "button", + "text": { + "type": "plain_text", + "text": "Release" + }, + "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/releases" + } + ] + } + ] + }' - &all_tags filters: tags: @@ -84,6 +183,7 @@ aliases: only: /^v.*/ branches: ignore: /.*/ + # Not so keen on using references, but keeping them for now in case they have DRYness benefits. # Likely to flatten then into the respective commands section. references: 
@@ -128,7 +228,11 @@ references: _load_wiremock_mappings: &load_wiremock_mappings run: name: Load mappings into wiremock - command: "echo \"Loading wiremock mappings...\"\nfind spec/wiremock/prison-api/mappings/*.json -exec curl -vv --request POST --url http://localhost:8888/__admin/mappings --header 'content-type: application/json' --data-binary \"@{}\" \\;\ncurl -vv http://localhost:8888/__admin/mappings \necho \"Done\"\n" + command: | + echo "Loading wiremock mappings..." + find spec/wiremock/prison-api/mappings/*.json -exec curl -vv --request POST --url http://localhost:8888/__admin/mappings --header 'content-type: application/json' --data-binary "@{}" \; + curl -vv http://localhost:8888/__admin/mappings + echo "Done" _notify_sentry_release: ¬ify_sentry_release run: name: Create release and notify Sentry of deploy
@@ -156,16 +260,19 @@ references: _attach-tmp-workspace: &attach-tmp-workspace attach_workspace: at: . + executors: basic-executor: docker: - image: cimg/base:2022.11 + cloud-platform-executor: docker: - image: ${ECR_ENDPOINT}/cloud-platform/tools:circleci environment: GITHUB_TEAM_NAME_SLUG: book-a-secure-move REPO_NAME: hmpps-book-secure-move-api + test-executor: docker: # Check https://circleci.com/docs/2.0/language-ruby/ for more details
@@ -185,6 +292,7 @@ executors: LANG: C.utf8 - image: wiremock/wiremock:2.32.0-alpine command: --port 8888 + commands: build-base: description: "Checkout app code and fetch dependencies for running tests"
@@ -192,22 +300,26 @@ commands: - *restore-cache - *install-dependencies - *save-cache + seed-database: description: "Create and seed the Database" steps: - *create-db - *migrate-db + jobs: notify_of_approval: resource_class: small executor: basic-executor steps: - *notify_slack_of_approval + notify_of_release: resource_class: small executor: basic-executor steps: - *notify_slack_on_release_start + setup_test_environment: resource_class: small executor: test-executor 
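Review bot: The block-scalar rewrite of the `Load mappings into wiremock` step keeps curl failures invisible: `find … -exec curl … \;` exits 0 even when the curl it spawns exits non-zero, and curl without `--fail` exits 0 on an HTTP 4xx/5xx from `/__admin/mappings`, so a stub that fails to load does not fail the step and rspec later runs against a wiremock missing that mapping. Add `--fail` to both curl calls and iterate in a shell loop so the non-zero exit propagates under the step's shell (I'm assuming CircleCI's default `bash -eo pipefail`; if the executor overrides `shell`, add `set -e` at the top of the block). `-vv` on the POST also echoes every mapping body and header into the build log; `-sS` keeps errors visible without that noise, though keep `-vv` on the final GET if the dump of loaded mappings is wanted for debugging.

```yaml
      command: |
        echo "Loading wiremock mappings..."
        for mapping in spec/wiremock/prison-api/mappings/*.json; do
          curl --fail -sS --request POST --url http://localhost:8888/__admin/mappings \
            --header 'content-type: application/json' --data-binary "@${mapping}"
        done
        curl --fail -sS http://localhost:8888/__admin/mappings
        echo "Done"
```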
@@ -216,6 +328,7 @@ jobs: - setup_remote_docker - build-base - seed-database + api_docs: resource_class: small executor: test-executor
@@ -233,6 +346,7 @@ jobs: - swagger/v1/swagger.yaml - swagger/v2/swagger.yaml - *notify_slack_on_failure + rspec_tests: executor: test-executor parallelism: 1
@@ -246,6 +360,7 @@ jobs: - *wait-for-wiremock - *load_wiremock_mappings - *rspec + linters: resource_class: medium executor: test-executor
@@ -254,32 +369,34 @@ jobs: - build-base - *attach-tmp-workspace - *rubocop + workflows: version: 2 + test-build-deploy: jobs: - notify_of_release: context: - hmpps-common-vars - !!merge <<: *only_deploy_tags + <<: *only_deploy_tags - setup_test_environment: - !!merge <<: *all_tags + <<: *all_tags - api_docs: context: - hmpps-common-vars - !!merge <<: *all_tags + <<: *all_tags requires: - setup_test_environment - rspec_tests: - !!merge <<: *all_tags + <<: *all_tags requires: - setup_test_environment - linters: - !!merge <<: *all_tags + <<: *all_tags requires: - setup_test_environment - hmpps/build_docker: - !!merge <<: *test_only + <<: *test_only requires: - api_docs - rspec_tests
@@ -288,10 +405,14 @@ workflows: image_name: "quay.io/hmpps/hmpps-book-secure-move-api" publish: false additional_docker_build_args: > - --label build.git.sha=${CIRCLE_SHA1} --label build.git.branch=${CIRCLE_BRANCH} --label build.date=$(date -Is) --build-arg APP_BUILD_DATE=$(date -Is) --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1} - + --label build.git.sha=${CIRCLE_SHA1} + --label build.git.branch=${CIRCLE_BRANCH} + --label build.date=$(date -Is) + --build-arg APP_BUILD_DATE=$(date -Is) + --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} + --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1} - hmpps/build_docker: - !!merge <<: *only_for_deployment + <<: *only_for_deployment requires: - api_docs - rspec_tests 
@@ -299,10 +420,14 @@ workflows: name: build_image image_name: "quay.io/hmpps/hmpps-book-secure-move-api" additional_docker_build_args: > - --label build.git.sha=${CIRCLE_SHA1} --label build.git.branch=${CIRCLE_BRANCH} --label build.date=$(date -Is) --build-arg APP_BUILD_DATE=$(date -Is) --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1} - + --label build.git.sha=${CIRCLE_SHA1} + --label build.git.branch=${CIRCLE_BRANCH} + --label build.date=$(date -Is) + --build-arg APP_BUILD_DATE=$(date -Is) + --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} + --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1} - hmpps/deploy_env: - !!merge <<: *only_main + <<: *only_main name: deploy_staging env: "staging" context:
@@ -311,7 +436,7 @@ workflows: requires: - build_image - hmpps/deploy_env: - !!merge <<: *only_deploy_tags + <<: *only_deploy_tags name: deploy_uat env: "uat" context:
@@ -320,7 +445,7 @@ workflows: requires: - build_image - hmpps/deploy_env: - !!merge <<: *only_deploy_tags + <<: *only_deploy_tags name: deploy_preprod env: "preprod" context:
@@ -329,18 +454,18 @@ workflows: requires: - build_image - hold_production: - !!merge <<: *only_deploy_tags + <<: *only_deploy_tags type: approval requires: - build_image - notify_of_approval: context: - hmpps-common-vars - !!merge <<: *only_deploy_tags + <<: *only_deploy_tags requires: - build_image - hmpps/deploy_env: - !!merge <<: *only_deploy_tags + <<: *only_deploy_tags name: deploy_production env: "production" context:
@@ -348,3 +473,12 @@ workflows: - basm-api-production requires: - hold_production + + security: + triggers: + - schedule: + cron: "0 7 * * 1-5" + filters: + branches: + only: + - main
\ No newline at end of file
diff --git a/.github/workflows/security_owasp.yml b/.github/workflows/security_owasp.yml
deleted file mode 100644
index 59af6d4c6..000000000
--- a/.github/workflows/security_owasp.yml
+++ /dev/null
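Review bot: The new `security` workflow in the last hunk declares a `triggers: schedule:` block but no `jobs:` list, so as written it runs nothing — and I'd expect CircleCI config validation to reject a workflow without jobs, which would break the whole pipeline rather than just this workflow (confirm with `circleci config validate` before merging). Since the same commit deletes `.github/workflows/security_owasp.yml`, the weekday dependency check has no replacement until a scanning job is wired into this workflow; if the OWASP workflow was a Kotlin-template leftover for a Ruby service that is fine, but it should be said in the commit message. Note also that `triggers: schedule:` is CircleCI's legacy mechanism which the platform has been steering users away from in favour of scheduled pipelines — worth checking the org's settings so the `0 7 * * 1-5` cron is actually honoured. The file also loses its trailing newline (`\ No newline at end of file`).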
@@ -1,12 +0,0 @@ -name: Security OWASP dependency check -on: - workflow_dispatch: - schedule: - - cron: "38 6 * * MON-FRI" # Every weekday at 06:38 UTC -jobs: - security-kotlin-owasp-check: - name: Kotlin security OWASP dependency check - uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_owasp.yml@v0.5 # WORKFLOW_VERSION - with: - channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }} - secrets: inherit
diff --git a/.github/workflows/security_trivy.yml b/.github/workflows/security_trivy.yml
index 7059f6cdc..bf8ba8954 100644
--- a/.github/workflows/security_trivy.yml
+++ b/.github/workflows/security_trivy.yml
@@ -1,5 +1,9 @@
 name: Security trivy dependency check -on: +env: + SECURITY_ALERTS_SLACK_CHANNEL_ID: C06L6KYABDJ +on: + push: + branches: [MAP-1652-migrate-CI-security-pipeline] workflow_dispatch: schedule: - cron: "38 6 * * MON-FRI" # Every weekday at 06:38 UTC
diff --git a/.github/workflows/security_veracode_pipeline_scan.yml b/.github/workflows/security_veracode_pipeline_scan.yml
index 17ab04a32..19aadbff7 100644
--- a/.github/workflows/security_veracode_pipeline_scan.yml
+++ b/.github/workflows/security_veracode_pipeline_scan.yml
@@ -1,5 +1,7 @@
 name: Security veracode pipeline scan on: + push: + branches: [MAP-1652-migrate-CI-security-pipeline] workflow_dispatch: schedule: - cron: "38 6 * * MON-FRI" # Every weekday at 06:38 UTC
diff --git a/.github/workflows/security_veracode_policy_scan.yml b/.github/workflows/security_veracode_policy_scan.yml
index fc3f6f89d..bc2a6d613 100644
--- a/.github/workflows/security_veracode_policy_scan.yml
+++ b/.github/workflows/security_veracode_policy_scan.yml
@@ -1,5 +1,7 @@
 name: Security veracode policy scan on: + push: + branches: [MAP-1652-migrate-CI-security-pipeline] workflow_dispatch: schedule: - cron: "58 6 * * 1" # Every Monday at 06:58 UTC 
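Review bot: The workflow-level `env: SECURITY_ALERTS_SLACK_CHANNEL_ID: C06L6KYABDJ` added to `security_trivy.yml` will not reach the reusable workflow: the sibling files pass `channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}`, which reads the `vars` (repository configuration variable) context, not `env`, and `env` is not among the contexts GitHub evaluates in a `jobs.<id>.with` expression of a reusable-workflow call anyway — so alerts keep going to `NO_SLACK` unless the repository variable is set (the trivy job's `with:` line is outside this hunk; I'm inferring it matches the other three files). Drop the `env:` block and define `SECURITY_ALERTS_SLACK_CHANNEL_ID` as a repository variable under Settings → Secrets and variables → Actions instead, which also keeps the channel ID out of the source. The `push: branches: [MAP-1652-migrate-CI-security-pipeline]` trigger turns the weekday cron into a scan on every commit to this one branch and becomes dead configuration the moment the branch is merged; remove it before merge.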
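Review bot: The `push: branches: [MAP-1652-migrate-CI-security-pipeline]` trigger added to `security_veracode_pipeline_scan.yml` fires a Veracode pipeline scan on every push to this feature branch and is dead configuration once the branch is merged. If the intent is to exercise the workflow while developing it, the `workflow_dispatch:` trigger already present covers that without leaving a branch name behind; if a push trigger is wanted permanently, scope it to `branches: [main]` or to `pull_request:` so the scan gates merges rather than a single branch. The same trigger is added to `security_veracode_policy_scan.yml` in the next hunk and the same applies there.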
@@ -10,3 +12,6 @@ jobs: with: channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }} secrets: inherit + + +C06L6KYABDJ
\ No newline at end of file
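Review bot: The bare `C06L6KYABDJ` appended after `secrets: inherit` at column 0 is not valid YAML — a plain scalar with no `:` where the parser expects another top-level mapping key — so GitHub will refuse to load `security_veracode_policy_scan.yml` ("Invalid workflow file") and the Monday Veracode policy scan silently stops running. It reads as a stray paste of the Slack channel ID; delete the three added lines and supply the channel through the repository variable the context line above already reads, `channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}`. The file also now ends without a trailing newline (`\ No newline at end of file`), which should be restored when the stray line is removed.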