diff --git a/.circleci/config.yml b/.circleci/config.yml index 9f863a4f8..f607d9864 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,14 +1,11 @@ version: 2.1 - orbs: hmpps: ministryofjustice/hmpps@7.1.0 slack: circleci/slack@4.12.1 - parameters: alerts-slack-channel: type: string default: pecs-dev - aliases: - ¬ify_slack_on_failure slack/notify: 
@@ -47,111 +44,15 @@ aliases: - ¬ify_slack_on_release_start slack/notify: channel: $BUILD_NOTIFICATIONS_CHANNEL_ID - custom: '{ - "blocks": [ - { - "type": "section", - "fields": [ - { - "type": "mrkdwn", - "text": "*API is being prepared for release :building_construction:*" - } - ] - }, - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "A new release was created by ${CIRCLE_USERNAME}" - }, - "fields": [ - { - "type": "mrkdwn", - "text": "@here" - } - ] - }, - { - "type": "actions", - "elements": [ - { - "type": "button", - "text": { - "type": "plain_text", - "text": "Changelog" - }, - "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/blob/main/CHANGELOG.md" - } - ] - } - ] - }' + custom: '{ "blocks": [ { "type": "section", "fields": [ { "type": "mrkdwn", "text": "*API is being prepared for release :building_construction:*" } ] }, { "type": "section", "text": { "type": "mrkdwn", "text": "A new release was created by ${CIRCLE_USERNAME}" }, "fields": [ { "type": "mrkdwn", "text": "@here" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "Changelog" }, "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/blob/main/CHANGELOG.md" } ] } ] }' - ¬ify_slack_of_approval slack/notify: channel: $BUILD_NOTIFICATIONS_CHANNEL_ID - custom: '{ - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "API release *requires your approval* before it can be deployed :eyes:" - }, - "fields": [ - { - "type": "mrkdwn", - "text": "${BUILD_NOTIFICATIONS_MENTION_ID}" - } - ] - }, - { - "type": "actions", - "elements": [ - { - "type": "button", - "text": { - "type": "plain_text", - "text": "View Workflow" - }, - "url": "https://circleci.com/workflow-run/${CIRCLE_WORKFLOW_ID}" - } - ] - } - ] - }' + custom: '{ "blocks": [ { "type": "section", "text": { "type": "mrkdwn", "text": "API release *requires your approval* before it can be deployed :eyes:" }, "fields": 
[ { "type": "mrkdwn", "text": "${BUILD_NOTIFICATIONS_MENTION_ID}" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "View Workflow" }, "url": "https://circleci.com/workflow-run/${CIRCLE_WORKFLOW_ID}" } ] } ] }' - ¬ify_slack_on_release_end slack/notify: channel: $BUILD_NOTIFICATIONS_CHANNEL_ID - custom: '{ - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "*API has been deployed* :rocket:" - }, - "fields": [ - { - "type": "mrkdwn", - "text": "@here This release was successfully deployed to production" - } - ] - }, - { - "type": "actions", - "elements": [ - { - "type": "button", - "text": { - "type": "plain_text", - "text": "Release" - }, - "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/releases" - } - ] - } - ] - }' + custom: '{ "blocks": [ { "type": "section", "text": { "type": "mrkdwn", "text": "*API has been deployed* :rocket:" }, "fields": [ { "type": "mrkdwn", "text": "@here This release was successfully deployed to production" } ] }, { "type": "actions", "elements": [ { "type": "button", "text": { "type": "plain_text", "text": "Release" }, "url": "https://github.com/ministryofjustice/hmpps-book-secure-move-api/releases" } ] } ] }' - &all_tags filters: tags: @@ -183,7 +84,6 @@ aliases: only: /^v.*/ branches: ignore: /.*/ - # Not so keen on using references, but keeping them for now in case they have DRYness benefits. # Likely to flatten then into the respective commands section. references: 
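Review bot: The three Slack `custom:` payloads in this hunk have been collapsed from multi-line single-quoted scalars into single lines of several hundred characters; because YAML folds the line breaks inside a single-quoted scalar to spaces, the JSON string the orb receives is unchanged, so this is purely a readability regression that makes any later edit to the blocks hard to review. If the file is being machine-formatted, keep the original layout, or express each payload as a `|` literal block holding indented JSON so the structure stays visible in diffs. The `&all_tags` alias that begins at the end of this hunk continues in the next one.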
@@ -228,11 +128,7 @@ references: _load_wiremock_mappings: &load_wiremock_mappings run: name: Load mappings into wiremock - command: | - echo "Loading wiremock mappings..." - find spec/wiremock/prison-api/mappings/*.json -exec curl -vv --request POST --url http://localhost:8888/__admin/mappings --header 'content-type: application/json' --data-binary "@{}" \; - curl -vv http://localhost:8888/__admin/mappings - echo "Done" + command: "echo \"Loading wiremock mappings...\"\nfind spec/wiremock/prison-api/mappings/*.json -exec curl -vv --request POST --url http://localhost:8888/__admin/mappings --header 'content-type: application/json' --data-binary \"@{}\" \\;\ncurl -vv http://localhost:8888/__admin/mappings \necho \"Done\"\n" _notify_sentry_release: ¬ify_sentry_release run: name: Create release and notify Sentry of deploy @@ -260,19 +156,16 @@ references: _attach-tmp-workspace: &attach-tmp-workspace attach_workspace: at: . - executors: basic-executor: docker: - image: cimg/base:2022.11 - cloud-platform-executor: docker: - image: ${ECR_ENDPOINT}/cloud-platform/tools:circleci environment: GITHUB_TEAM_NAME_SLUG: book-a-secure-move REPO_NAME: hmpps-book-secure-move-api - test-executor: docker: # Check https://circleci.com/docs/2.0/language-ruby/ for more details @@ -292,7 +185,6 @@ executors: LANG: C.utf8 - image: wiremock/wiremock:2.32.0-alpine command: --port 8888 - commands: build-base: description: "Checkout app code and fetch dependencies for running tests" @@ -300,26 +192,22 @@ commands: - *restore-cache - *install-dependencies - *save-cache - seed-database: description: "Create and seed the Database" steps: - *create-db - *migrate-db - jobs: notify_of_approval: resource_class: small executor: basic-executor steps: - *notify_slack_of_approval - notify_of_release: resource_class: small executor: basic-executor steps: - *notify_slack_on_release_start - setup_test_environment: resource_class: small executor: test-executor 
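Review bot: The wiremock `command` has been rewritten from a `|` block scalar into a double-quoted string with `\n` and `\\;` escapes, which is far harder to read and edit than the original and hides the trailing space now embedded before the third `\n` (`__admin/mappings \n`); the value is equivalent, so restoring `command: |` with one shell line per line is the better form. Independently of the layout, none of the `curl` calls pass `--fail`, so a mapping that the WireMock admin API rejects with an HTTP 4xx still exits 0 and the step passes; `curl -sS --fail --request POST …` would make that failure visible in the job. The `_notify_sentry_release` reference that follows is cut off by the hunk.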
@@ -328,7 +216,6 @@ jobs: - setup_remote_docker - build-base - seed-database - api_docs: resource_class: small executor: test-executor @@ -346,7 +233,6 @@ jobs: - swagger/v1/swagger.yaml - swagger/v2/swagger.yaml - *notify_slack_on_failure - rspec_tests: executor: test-executor parallelism: 1 @@ -360,7 +246,6 @@ jobs: - *wait-for-wiremock - *load_wiremock_mappings - *rspec - linters: resource_class: medium executor: test-executor @@ -369,34 +254,32 @@ jobs: - build-base - *attach-tmp-workspace - *rubocop - workflows: version: 2 - test-build-deploy: jobs: - notify_of_release: context: - hmpps-common-vars - <<: *only_deploy_tags + !!merge <<: *only_deploy_tags - setup_test_environment: - <<: *all_tags + !!merge <<: *all_tags - api_docs: context: - hmpps-common-vars - <<: *all_tags + !!merge <<: *all_tags requires: - setup_test_environment - rspec_tests: - <<: *all_tags + !!merge <<: *all_tags requires: - setup_test_environment - linters: - <<: *all_tags + !!merge <<: *all_tags requires: - setup_test_environment - hmpps/build_docker: - <<: *test_only + !!merge <<: *test_only requires: - api_docs - rspec_tests @@ -405,14 +288,10 @@ workflows: image_name: "quay.io/hmpps/hmpps-book-secure-move-api" publish: false additional_docker_build_args: > - --label build.git.sha=${CIRCLE_SHA1} - --label build.git.branch=${CIRCLE_BRANCH} - --label build.date=$(date -Is) - --build-arg APP_BUILD_DATE=$(date -Is) - --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} - --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1} + --label build.git.sha=${CIRCLE_SHA1} --label build.git.branch=${CIRCLE_BRANCH} --label build.date=$(date -Is) --build-arg APP_BUILD_DATE=$(date -Is) --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1} + - hmpps/build_docker: - <<: *only_for_deployment + !!merge <<: *only_for_deployment requires: - api_docs - rspec_tests 
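Review bot: Every `<<: *alias` in this hunk (and in the workflow hunks that follow, `@@ -405` through `@@ -454`) now carries an explicit `!!merge` tag, which is how go-yaml/yq serialise merge keys but is not something a CircleCI author would normally write; a plain `<<` key already resolves to the merge tag under YAML 1.1, so the tag adds no meaning, and it is worth running `circleci config validate` on the result to confirm the config processor accepts the explicit form before this is merged. The `!!merge` tags, the collapsed JSON payloads, the quoted wiremock `command` and the flattened `>` scalars elsewhere in this diff all point to a machine round-trip of the file rather than a deliberate edit; where the tool's output is not needed, the previous block-style layout is easier to review and should be restored.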
@@ -420,14 +299,10 @@ workflows: name: build_image image_name: "quay.io/hmpps/hmpps-book-secure-move-api" additional_docker_build_args: > - --label build.git.sha=${CIRCLE_SHA1} - --label build.git.branch=${CIRCLE_BRANCH} - --label build.date=$(date -Is) - --build-arg APP_BUILD_DATE=$(date -Is) - --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} - --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1} + --label build.git.sha=${CIRCLE_SHA1} --label build.git.branch=${CIRCLE_BRANCH} --label build.date=$(date -Is) --build-arg APP_BUILD_DATE=$(date -Is) --build-arg APP_BUILD_TAG=${CIRCLE_BRANCH} --build-arg APP_GIT_COMMIT=${CIRCLE_SHA1} + - hmpps/deploy_env: - <<: *only_main + !!merge <<: *only_main name: deploy_staging env: "staging" context: @@ -436,7 +311,7 @@ workflows: requires: - build_image - hmpps/deploy_env: - <<: *only_deploy_tags + !!merge <<: *only_deploy_tags name: deploy_uat env: "uat" context: @@ -445,7 +320,7 @@ workflows: requires: - build_image - hmpps/deploy_env: - <<: *only_deploy_tags + !!merge <<: *only_deploy_tags name: deploy_preprod env: "preprod" context: @@ -454,18 +329,18 @@ workflows: requires: - build_image - hold_production: - <<: *only_deploy_tags + !!merge <<: *only_deploy_tags type: approval requires: - build_image - notify_of_approval: context: - hmpps-common-vars - <<: *only_deploy_tags + !!merge <<: *only_deploy_tags requires: - build_image - hmpps/deploy_env: - <<: *only_deploy_tags + !!merge <<: *only_deploy_tags name: deploy_production env: "production" context: 
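Review bot: The `additional_docker_build_args: >` folded scalar in `@@ -405` (and again in `@@ -420`) has been flattened to a single line of roughly 230 characters followed by an added empty line; under the default clip chomping the trailing blank line does not change the value, but it is a stray artefact, and putting the six `--label`/`--build-arg` options back on one line each keeps every build argument individually reviewable. The folded value itself is otherwise unchanged.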
@@ -473,26 +348,3 @@ workflows: - basm-api-production requires: - hold_production - - security: - triggers: - - schedule: - cron: "0 7 * * 1-5" - filters: - branches: - only: - - main - jobs: - - hmpps/gradle_owasp_dependency_check: - slack_channel: << pipeline.parameters.alerts-slack-channel >> - context: - - hmpps-common-vars - - hmpps/trivy_latest_scan: - slack_channel: << pipeline.parameters.alerts-slack-channel >> - context: - - hmpps-common-vars - - hmpps/veracode_policy_scan: - slack_channel: << pipeline.parameters.alerts-slack-channel >> - context: - - veracode-credentials - - hmpps-common-vars diff --git a/.github/workflows/security_owasp.yml b/.github/workflows/security_owasp.yml new file mode 100644 index 000000000..59af6d4c6 --- /dev/null +++ b/.github/workflows/security_owasp.yml @@ -0,0 +1,12 @@ +name: Security OWASP dependency check +on: + workflow_dispatch: + schedule: + - cron: "38 6 * * MON-FRI" # Every weekday at 06:38 UTC +jobs: + security-kotlin-owasp-check: + name: Kotlin security OWASP dependency check + uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_owasp.yml@v0.5 # WORKFLOW_VERSION + with: + channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }} + secrets: inherit diff --git a/.github/workflows/security_trivy.yml b/.github/workflows/security_trivy.yml new file mode 100644 index 000000000..7059f6cdc --- /dev/null +++ b/.github/workflows/security_trivy.yml @@ -0,0 +1,12 @@ +name: Security trivy dependency check +on: + workflow_dispatch: + schedule: + - cron: "38 6 * * MON-FRI" # Every weekday at 06:38 UTC +jobs: + security-kotlin-trivy-check: + name: Project security trivy dependency check + uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_trivy.yml@v0.5 # WORKFLOW_VERSION + with: + channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }} + secrets: inherit 
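Review bot: With the scheduled `security` workflow removed, the `alerts-slack-channel` pipeline parameter kept in the first hunk (default `pecs-dev`) appears to have no remaining consumer in this config, as its only references were the `<< pipeline.parameters.alerts-slack-channel >>` lines deleted here; unless something outside this diff reads it, remove the parameter as well so the config does not advertise a channel that nothing posts to. The `veracode-credentials` context is likewise no longer referenced from CircleCI after this hunk, which is consistent with the move to GitHub Actions but worth stating in the commit message.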
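Review bot: `uses: …/security_owasp.yml@v0.5` references the reusable workflow by a mutable tag while `secrets: inherit` hands it every secret the caller can see, so any change pushed to that tag runs with this repository's full secret set without a review here; pinning to a full-length commit SHA (keeping the tag in a comment, which the `# WORKFLOW_VERSION` marker suggests an automated bump could maintain) or passing only the secrets the reusable workflow declares would narrow that, and the same applies to the trivy, veracode pipeline and veracode policy workflows added in this diff. `channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}` falls back silently when the repository variable is unset, so findings that the old CircleCI `security` workflow posted to `pecs-dev` would simply stop arriving without any error; confirm the variable is populated at repository or organisation level as part of this change.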
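Review bot: The job id `security-kotlin-trivy-check` (and `security-kotlin-owasp-check` with display name `Kotlin security OWASP dependency check` in the owasp workflow) looks copied from a Kotlin template; this repository's CircleCI config runs rspec and rubocop, so ids such as `security-trivy-check` / `security-owasp-check` and a matching display name would describe the jobs accurately. The trivy job's `name:` already reads `Project security trivy dependency check`, so only its id is inconsistent there.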
diff --git a/.github/workflows/security_veracode_pipeline_scan.yml b/.github/workflows/security_veracode_pipeline_scan.yml
new file mode 100644
index 000000000..17ab04a32
--- /dev/null
+++ b/.github/workflows/security_veracode_pipeline_scan.yml
@@ -0,0 +1,12 @@
+name: Security veracode pipeline scan
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "38 6 * * MON-FRI" # Every weekday at 06:38 UTC
+jobs:
+ security-veracode-pipeline-scan:
+ name: Project security veracode pipeline scan
+ uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_pipeline_scan.yml@v0.5 # WORKFLOW_VERSION
+ with:
+ channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+ secrets: inherit
diff --git a/.github/workflows/security_veracode_policy_scan.yml b/.github/workflows/security_veracode_policy_scan.yml
new file mode 100644
index 000000000..fc3f6f89d
--- /dev/null
+++ b/.github/workflows/security_veracode_policy_scan.yml
@@ -0,0 +1,12 @@
+name: Security veracode policy scan
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "58 6 * * 1" # Every Monday at 06:58 UTC
+jobs:
+ security-veracode-policy-check:
+ name: Project security veracode policy scan
+ uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_policy_scan.yml@v0.5 # WORKFLOW_VERSION
+ with:
+ channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+ secrets: inherit