diff --git a/.github/actions/build-test-and-deploy/cloud-platform-deploy/action.yml b/.github/actions/build-test-and-deploy/cloud-platform-deploy/action.yml
index 356b33f..ceec0b9 100644
--- a/.github/actions/build-test-and-deploy/cloud-platform-deploy/action.yml
+++ b/.github/actions/build-test-and-deploy/cloud-platform-deploy/action.yml
@@ -29,7 +29,7 @@ runs:
 steps:
 - uses: actions/checkout@v4
 - name: Authenticate
- uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/cloud-platform-auth@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/cloud-platform-auth@v2 # WORKFLOW_VERSION
 with:
 api: ${{ inputs.api }}
 cert: ${{ inputs.cert }}
diff --git a/.github/actions/slack_failure_results/action.yml b/.github/actions/slack_failure_results/action.yml
index d19816d..4dfce66 100644
--- a/.github/actions/slack_failure_results/action.yml
+++ b/.github/actions/slack_failure_results/action.yml
@@ -15,7 +15,7 @@ runs:
 using: "composite"
 steps:
 - name: process slack message results # returns SLACK_TXT
- uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_prepare_results@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_prepare_results@v2 # WORKFLOW_VERSION
 id: slack_message_result
 with:
 input_file: ${{ inputs.input_file }}
diff --git a/.github/workflows/deploy_env.yml b/.github/workflows/deploy_env.yml
index 29bea41..ec153c5 100644
--- a/.github/workflows/deploy_env.yml
+++ b/.github/workflows/deploy_env.yml
@@ -29,7 +29,7 @@ jobs:
 id: install
 with:
 version: latest
- - uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/cloud-platform-deploy@v1 # WORKFLOW_VERSION
+ - uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/cloud-platform-deploy2 # WORKFLOW_VERSION
 id: deploy
 with:
 environment: ${{ inputs.environment }}
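Review bot: In the deploy_env.yml hunk the new `uses:` line reads `cloud-platform-deploy2 # WORKFLOW_VERSION`, which has lost the `@` separator, so the step no longer carries a ref and the deploy job should fail to resolve the action rather than run the v2 code; it should read `- uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/cloud-platform-deploy@v2 # WORKFLOW_VERSION`. Every other `# WORKFLOW_VERSION` line in this commit has the `@v2` form, so this looks like a search-and-replace slip. A lightweight lint step that fails when any line tagged `# WORKFLOW_VERSION` does not contain `@v2` would catch this class of error before the tags are pushed and would make the release procedure added to the README safer to repeat.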
@@ -44,7 +44,7 @@ jobs:
 # Notification bit - always send prod releases to dps-releases - CVA3MKDTR
 - if: ${{ inputs.environment == 'prod' || inputs.environment == 'production' }}
 id: prod-dps-slack
- uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_release_results@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_release_results@v2 # WORKFLOW_VERSION
 with:
 channel_id: 'CVA3MKDTR'
 environment: ${{ inputs.environment }}
@@ -56,7 +56,7 @@ jobs:
 # Optional prod releases slack channel (using PROD_RELEASES_SLACK_CHANNEL variable)
 - if: ${{ ( inputs.environment == 'prod' || inputs.environment == 'production' ) && vars.PROD_RELEASES_SLACK_CHANNEL != '' }}
 id: prod-slack
- uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_release_results@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_release_results@v2 # WORKFLOW_VERSION
 with:
 channel_id: ${{ vars.PROD_RELEASES_SLACK_CHANNEL }}
 environment: ${{ inputs.environment }}
@@ -67,7 +67,7 @@ jobs:
 # Optional non-prod releases slack channel (using NONPROD_RELEASES_SLACK_CHANNEL variable)
 - if: ${{ (inputs.environment != 'prod' && inputs.environment != 'production') && vars.NONPROD_RELEASES_SLACK_CHANNEL != '' }}
 id: nonprod-slack
- uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_release_results@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_release_results@v2 # WORKFLOW_VERSION
 with:
 channel_id: ${{ vars.NONPROD_RELEASES_SLACK_CHANNEL }}
 environment: ${{ inputs.environment }}
diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
index 1b18afa..f321cdb 100644
--- a/.github/workflows/docker_build.yml
+++ b/.github/workflows/docker_build.yml
@@ -49,8 +49,8 @@ jobs:
 steps:
 - id: app_version
 name: Application version creators
- uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/create_app_version@v1 # WORKFLOW_VERSION
- - uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/build_docker@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/create_app_version@v2 # WORKFLOW_VERSION
+ - uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/build_docker@v2 # WORKFLOW_VERSION
 if: ${{ ( inputs.docker_registry == 'ghcr.io' ) && ( ! inputs.docker_multiplatform )}}
 with:
 repository_name: ${{ github.event.repository.name }}
@@ -60,7 +60,7 @@ jobs:
 push: ${{ inputs.push }}
 app_version: ${{ steps.app_version.outputs.version }}
- - uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/build_docker@v1 # WORKFLOW_VERSION
+ - uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/build_docker@v2 # WORKFLOW_VERSION
 if: ${{ ( inputs.docker_registry == 'quay.io' ) && ( ! inputs.docker_multiplatform )}}
 with:
 repository_name: ${{ github.event.repository.name }}
@@ -74,7 +74,7 @@ jobs:
 # git_head_ref: ${{ github.head_ref }}
 # git_branch_ref: ${{ github.ref_name }}
- - uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/build_multiplatform_docker@v1 # WORKFLOW_VERSION
+ - uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/build_multiplatform_docker@v2 # WORKFLOW_VERSION
 if: ${{ ( inputs.docker_registry == 'ghcr.io' ) && ( inputs.docker_multiplatform )}}
 with:
 repository_name: ${{ github.event.repository.name }}
@@ -84,7 +84,7 @@ jobs:
 push: ${{ inputs.push }}
 app_version: ${{ steps.app_version.outputs.version }}
- - uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/build_multiplatform_docker@v1 # WORKFLOW_VERSION
+ - uses: ministryofjustice/hmpps-github-actions/.github/actions/build-test-and-deploy/build_multiplatform_docker@v2 # WORKFLOW_VERSION
 if: ${{ ( inputs.docker_registry == 'quay.io' ) && ( inputs.docker_multiplatform )}}
 with:
 repository_name: ${{ github.event.repository.name }}
diff --git a/.github/workflows/security_npm_dependency.yml b/.github/workflows/security_npm_dependency.yml
index 28d0c2e..f949c6c 100644
--- a/.github/workflows/security_npm_dependency.yml
+++ b/.github/workflows/security_npm_dependency.yml
@@ -174,11 +174,11 @@ jobs:
 - name: Process slack message results from npm better audit # returns SLACK_TXT
 id: slack-message-result
 if: steps.npm-better.outcome == 'failure' && inputs.channel_id != 'NO_SLACK'
- uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_prepare_results@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_prepare_results@v2 # WORKFLOW_VERSION
 with:
 input_file: npm-security-check-reports.txt
 - name: npm audit slack notification
- uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_codescan_notification@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_codescan_notification@v2 # WORKFLOW_VERSION
 if: (failure() || steps.npm.outcome == 'failure' || steps.npm-better.outcome == 'failure') && inputs.channel_id != 'NO_SLACK'
 with:
 title: "npm dependency scan"
diff --git a/.github/workflows/security_npm_outdated.yml b/.github/workflows/security_npm_outdated.yml
index 8e41ba2..28aa16e 100644
--- a/.github/workflows/security_npm_outdated.yml
+++ b/.github/workflows/security_npm_outdated.yml
@@ -53,7 +53,7 @@ jobs:
 id: npm
 run: npm outdated ${{ inputs.dependencies_to_check }} > npm-outdated-reports.txt
 continue-on-error: true
- - uses: ministryofjustice/hmpps-github-actions/.github/actions/security_npm_outdated@v1 # WORKFLOW_VERSION
+ - uses: ministryofjustice/hmpps-github-actions/.github/actions/security_npm_outdated@v2 # WORKFLOW_VERSION
 if: steps.npm.outcome == 'failure'
 with:
 channel_id: ${{ inputs.channel_id }}
diff --git a/.github/workflows/security_owasp.yml b/.github/workflows/security_owasp.yml
index 00ec02b..11430d9 100644
--- a/.github/workflows/security_owasp.yml
+++ b/.github/workflows/security_owasp.yml
@@ -49,7 +49,7 @@ jobs:
 name: gradle-owasp-dependency-check-${{ inputs.subproject == '' && github.event.repository.name || inputs.subproject }}
 path: ${{ inputs.subproject == '' && '.' || inputs.subproject }}/build/reports/dependency-check-report.html
 - name: Gradle OWASP slack notification
- uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_codescan_notification@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_codescan_notification@v2 # WORKFLOW_VERSION
 if: (failure() || steps.owasp-analyse.outcome == 'failure') && inputs.channel_id != 'NO_SLACK'
 with:
 title: "Gradle OWASP"
diff --git a/.github/workflows/security_trivy.yml b/.github/workflows/security_trivy.yml
index a4a8dae..d0f0ae5 100644
--- a/.github/workflows/security_trivy.yml
+++ b/.github/workflows/security_trivy.yml
@@ -61,7 +61,7 @@ jobs:
 sarif_file: 'trivy-results.sarif'
 category: trivy-dependency-check
 - name: Trivy slack notification
- uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_codescan_notification@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_codescan_notification@v2 # WORKFLOW_VERSION
 if: (failure() || steps.trivy-analyse.outcome == 'failure') && inputs.channel_id != 'NO_SLACK'
 with:
 title: "Trivy"
diff --git a/.github/workflows/security_veracode_pipeline_scan.yml b/.github/workflows/security_veracode_pipeline_scan.yml
index 24af1bd..557c188 100644
--- a/.github/workflows/security_veracode_pipeline_scan.yml
+++ b/.github/workflows/security_veracode_pipeline_scan.yml
@@ -65,7 +65,7 @@ jobs:
 java-version: '21'
 distribution: 'temurin'
 - name: prepare assets
- uses: ministryofjustice/hmpps-github-actions/.github/actions/security_veracode_prepare_artifacts@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/security_veracode_prepare_artifacts@v2 # WORKFLOW_VERSION
 - name: "Download/Extract pipeline scanner"
 shell: bash
 run: |
@@ -138,7 +138,7 @@ jobs:
 path: results.txt
 - name: send a failure slack message
 if: steps.veracode-pipeline-scan.outcome == 'failure' && inputs.channel_id != 'NO_SLACK'
- uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_failure_results@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_failure_results@v2 # WORKFLOW_VERSION
 with:
 SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}
 channel_id: ${{ inputs.channel_id }}
diff --git a/.github/workflows/security_veracode_policy_scan.yml b/.github/workflows/security_veracode_policy_scan.yml
index 85dee61..75306ac 100644
--- a/.github/workflows/security_veracode_policy_scan.yml
+++ b/.github/workflows/security_veracode_policy_scan.yml
@@ -70,7 +70,7 @@ jobs:
 java-version: '21'
 distribution: 'temurin'
 - name: prepare assets
- uses: ministryofjustice/hmpps-github-actions/.github/actions/security_veracode_prepare_artifacts@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/security_veracode_prepare_artifacts@v2 # WORKFLOW_VERSION
 - name: "Download/Extract veracode agent"
 run: wget https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/22.9.10.3/vosp-api-wrappers-java-22.9.10.3.jar -O VeracodeJavaAPI.jar
 - name: "Upload to Veracode"
@@ -113,7 +113,7 @@ jobs:
 path: output.txt
 - name: send a failure slack message
 if: failure() && inputs.channel_id != 'NO_SLACK'
- uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_failure_results@v1 # WORKFLOW_VERSION
+ uses: ministryofjustice/hmpps-github-actions/.github/actions/slack_failure_results@v2 # WORKFLOW_VERSION
 with:
 SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}
 channel_id: ${{ inputs.channel_id }}
diff --git a/README.md b/README.md
index 44a71d3..2655e97 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,17 @@ Workflows and actions are referred to by the tags associated with the current re
 When a new release is issued, all of these referred workflows (as well as the calling ones within applications) will need to be updated as well.
+### Releasing
+
+To perform a release:
+
+* Update the WORKFLOW_VERSION across the project
+* Ensure the `CHANGELOG.md` has been updated
+* Create a pull request and get it merged
+* Create tags for `vx`, `vx.y` and `vx.y.z`, e.g: `git tag v2`, `v2.0` and `v2.0.1`
+* Force push all three tags to the repo
+* Create a github release from the `vx.y.z` tag
+
 ### TODO
 - Update the discovery tool to scan the version of Github Actions Workflows