Phil Lee
4 years ago
10 changed files with 424 additions and 4 deletions
@ -0,0 +1,158 @@
|
||||
name: Review app pipeline |
||||
|
||||
on: |
||||
pull_request: |
||||
types: |
||||
- opened |
||||
- synchronize |
||||
- reopened |
||||
workflow_dispatch: |
||||
|
||||
defaults: |
||||
run: |
||||
shell: bash |
||||
|
||||
jobs: |
||||
postgres: |
||||
name: Provision postgres |
||||
runs-on: ubuntu-latest |
||||
environment: staging |
||||
|
||||
steps: |
||||
- name: Install Cloud Foundry CLI |
||||
run: | |
||||
wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - |
||||
echo "deb https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list |
||||
sudo apt-get update |
||||
sudo apt-get install cf8-cli |
||||
|
||||
- name: Provision postgres |
||||
env: |
||||
CF_USERNAME: ${{ secrets.CF_USERNAME }} |
||||
CF_PASSWORD: ${{ secrets.CF_PASSWORD }} |
||||
CF_API_ENDPOINT: ${{ secrets.CF_API_ENDPOINT }} |
||||
CF_SPACE: dev |
||||
CF_ORG: ${{ secrets.CF_ORG }} |
||||
run: | |
||||
cf api $CF_API_ENDPOINT |
||||
cf auth |
||||
cf target -o $CF_ORG -s $CF_SPACE |
||||
cf create-service postgres tiny-unencrypted-13 dluhc-core-review-${{ github.event.pull_request.number }}-postgres --wait |
||||
|
||||
redis: |
||||
name: Provision redis |
||||
runs-on: ubuntu-latest |
||||
environment: staging |
||||
|
||||
steps: |
||||
- name: Install Cloud Foundry CLI |
||||
run: | |
||||
wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - |
||||
echo "deb https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list |
||||
sudo apt-get update |
||||
sudo apt-get install cf8-cli |
||||
|
||||
- name: Provision redis |
||||
env: |
||||
CF_USERNAME: ${{ secrets.CF_USERNAME }} |
||||
CF_PASSWORD: ${{ secrets.CF_PASSWORD }} |
||||
CF_API_ENDPOINT: ${{ secrets.CF_API_ENDPOINT }} |
||||
CF_SPACE: dev |
||||
CF_ORG: ${{ secrets.CF_ORG }} |
||||
run: | |
||||
cf api $CF_API_ENDPOINT |
||||
cf auth |
||||
cf target -o $CF_ORG -s $CF_SPACE |
||||
cf create-service redis micro-6.x dluhc-core-review-${{ github.event.pull_request.number }}-redis --wait |
||||
|
||||
deploy: |
||||
name: Deploy review app |
||||
runs-on: ubuntu-latest |
||||
environment: staging |
||||
needs: [postgres, redis] |
||||
|
||||
steps: |
||||
- name: Checkout code |
||||
uses: actions/checkout@v3 |
||||
|
||||
- name: Install Cloud Foundry CLI |
||||
run: | |
||||
wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - |
||||
echo "deb https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list |
||||
sudo apt-get update |
||||
sudo apt-get install cf8-cli |
||||
|
||||
- name: Setup review app without starting |
||||
env: |
||||
CF_USERNAME: ${{ secrets.CF_USERNAME }} |
||||
CF_PASSWORD: ${{ secrets.CF_PASSWORD }} |
||||
CF_API_ENDPOINT: ${{ secrets.CF_API_ENDPOINT }} |
||||
CF_SPACE: dev |
||||
CF_ORG: ${{ secrets.CF_ORG }} |
||||
APP_NAME: dluhc-core-review-${{ github.event.pull_request.number }} |
||||
run: | |
||||
cf api $CF_API_ENDPOINT |
||||
cf auth |
||||
cf target -o $CF_ORG -s $CF_SPACE |
||||
cf push $APP_NAME \ |
||||
--manifest ./config/cloud_foundry/review_manifest.yml \ |
||||
--no-start |
||||
|
||||
- name: Set environment variables |
||||
env: |
||||
APP_NAME: dluhc-core-review-${{ github.event.pull_request.number }} |
||||
API_USER: ${{ secrets.API_USER }} |
||||
API_KEY: ${{ secrets.API_KEY }} |
||||
GOVUK_NOTIFY_API_KEY: ${{ secrets.GOVUK_NOTIFY_API_KEY }} |
||||
RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }} |
||||
IMPORT_PAAS_INSTANCE: ${{ secrets.IMPORT_PAAS_INSTANCE }} |
||||
EXPORT_PAAS_INSTANCE: ${{ secrets.EXPORT_PAAS_INSTANCE }} |
||||
S3_CONFIG: ${{ secrets.S3_CONFIG }} |
||||
CSV_DOWNLOAD_PAAS_INSTANCE: ${{ secrets.CSV_DOWNLOAD_PAAS_INSTANCE }} |
||||
SENTRY_DSN: ${{ secrets.SENTRY_DSN }} |
||||
run: | |
||||
cf set-env $APP_NAME API_USER $API_USER |
||||
cf set-env $APP_NAME API_KEY $API_KEY |
||||
cf set-env $APP_NAME GOVUK_NOTIFY_API_KEY $GOVUK_NOTIFY_API_KEY |
||||
cf set-env $APP_NAME RAILS_MASTER_KEY $RAILS_MASTER_KEY |
||||
cf set-env $APP_NAME IMPORT_PAAS_INSTANCE $IMPORT_PAAS_INSTANCE |
||||
cf set-env $APP_NAME EXPORT_PAAS_INSTANCE $EXPORT_PAAS_INSTANCE |
||||
cf set-env $APP_NAME S3_CONFIG $S3_CONFIG |
||||
cf set-env $APP_NAME CSV_DOWNLOAD_PAAS_INSTANCE $CSV_DOWNLOAD_PAAS_INSTANCE |
||||
cf set-env $APP_NAME SENTRY_DSN $SENTRY_DSN |
||||
|
||||
- name: Bind postgres service |
||||
env: |
||||
APP_NAME: dluhc-core-review-${{ github.event.pull_request.number }} |
||||
SERVICE_NAME: dluhc-core-review-${{ github.event.pull_request.number }}-postgres |
||||
run: | |
||||
cf bind-service $APP_NAME $SERVICE_NAME |
||||
|
||||
- name: Bind redis service |
||||
env: |
||||
APP_NAME: dluhc-core-review-${{ github.event.pull_request.number }} |
||||
SERVICE_NAME: dluhc-core-review-${{ github.event.pull_request.number }}-redis |
||||
run: | |
||||
cf bind-service $APP_NAME $SERVICE_NAME |
||||
|
||||
- name: Bind logit drain service |
||||
env: |
||||
APP_NAME: dluhc-core-review-${{ github.event.pull_request.number }} |
||||
SERVICE_NAME: logit-ssl-drain |
||||
run: | |
||||
cf bind-service $APP_NAME $SERVICE_NAME |
||||
|
||||
- name: Start review app |
||||
env: |
||||
APP_NAME: dluhc-core-review-${{ github.event.pull_request.number }} |
||||
run: | |
||||
cf restage $APP_NAME --strategy rolling |
||||
|
||||
- name: Comment on PR with URL |
||||
uses: unsplash/comment-on-pr@v1.3.0 |
||||
env: |
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
||||
with: |
||||
msg: "Created review app at https://dluhc-core-review-${{ github.event.pull_request.number }}.london.cloudapps.digital" |
||||
check_for_duplicate_msg: true |
||||
duplicate_msg_pattern: Created review app at* |
||||
@ -0,0 +1,92 @@
|
||||
name: Review app teardown pipeline |
||||
|
||||
on: |
||||
pull_request: |
||||
types: |
||||
- closed |
||||
workflow_dispatch: |
||||
|
||||
defaults: |
||||
run: |
||||
shell: bash |
||||
|
||||
jobs: |
||||
app: |
||||
name: Teardown app |
||||
runs-on: ubuntu-latest |
||||
environment: staging |
||||
|
||||
steps: |
||||
- name: Install Cloud Foundry CLI |
||||
run: | |
||||
wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - |
||||
echo "deb https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list |
||||
sudo apt-get update |
||||
sudo apt-get install cf8-cli |
||||
|
||||
- name: Teardown app |
||||
env: |
||||
CF_USERNAME: ${{ secrets.CF_USERNAME }} |
||||
CF_PASSWORD: ${{ secrets.CF_PASSWORD }} |
||||
CF_API_ENDPOINT: ${{ secrets.CF_API_ENDPOINT }} |
||||
CF_SPACE: dev |
||||
CF_ORG: ${{ secrets.CF_ORG }} |
||||
run: | |
||||
cf api $CF_API_ENDPOINT |
||||
cf auth |
||||
cf target -o $CF_ORG -s $CF_SPACE |
||||
cf delete dluhc-core-review-${{ github.event.pull_request.number }} -f -r |
||||
|
||||
postgres: |
||||
name: Teardown postgres |
||||
runs-on: ubuntu-latest |
||||
environment: staging |
||||
needs: [app] |
||||
|
||||
steps: |
||||
- name: Install Cloud Foundry CLI |
||||
run: | |
||||
wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - |
||||
echo "deb https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list |
||||
sudo apt-get update |
||||
sudo apt-get install cf8-cli |
||||
|
||||
- name: Teardown postgres |
||||
env: |
||||
CF_USERNAME: ${{ secrets.CF_USERNAME }} |
||||
CF_PASSWORD: ${{ secrets.CF_PASSWORD }} |
||||
CF_API_ENDPOINT: ${{ secrets.CF_API_ENDPOINT }} |
||||
CF_SPACE: dev |
||||
CF_ORG: ${{ secrets.CF_ORG }} |
||||
run: | |
||||
cf api $CF_API_ENDPOINT |
||||
cf auth |
||||
cf target -o $CF_ORG -s $CF_SPACE |
||||
cf delete-service dluhc-core-review-${{ github.event.pull_request.number }}-postgres --wait -f |
||||
|
||||
redis: |
||||
name: Teardown redis |
||||
runs-on: ubuntu-latest |
||||
environment: staging |
||||
needs: [app] |
||||
|
||||
steps: |
||||
- name: Install Cloud Foundry CLI |
||||
run: | |
||||
wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - |
||||
echo "deb https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list |
||||
sudo apt-get update |
||||
sudo apt-get install cf8-cli |
||||
|
||||
- name: Teardown redis |
||||
env: |
||||
CF_USERNAME: ${{ secrets.CF_USERNAME }} |
||||
CF_PASSWORD: ${{ secrets.CF_PASSWORD }} |
||||
CF_API_ENDPOINT: ${{ secrets.CF_API_ENDPOINT }} |
||||
CF_SPACE: dev |
||||
CF_ORG: ${{ secrets.CF_ORG }} |
||||
run: | |
||||
cf api $CF_API_ENDPOINT |
||||
cf auth |
||||
cf target -o $CF_ORG -s $CF_SPACE |
||||
cf delete-service dluhc-core-review-${{ github.event.pull_request.number }}-redis --wait -f |
||||
@ -0,0 +1,21 @@
|
||||
--- |
||||
defaults: &defaults |
||||
buildpacks: |
||||
- https://github.com/cloudfoundry/ruby-buildpack.git#v1.8.59 |
||||
processes: |
||||
- type: web |
||||
command: bundle exec rake cf:on_first_instance db:migrate db:seed && bin/rails server |
||||
instances: 1 |
||||
memory: 1G |
||||
- type: worker |
||||
command: bundle exec sidekiq |
||||
health-check-type: process |
||||
instances: 1 |
||||
health-check-type: http |
||||
health-check-http-endpoint: /health |
||||
|
||||
applications: |
||||
- name: dluhc-core-review |
||||
<<: *defaults |
||||
env: |
||||
RAILS_ENV: review |
||||
@ -0,0 +1,130 @@
|
||||
require "active_support/core_ext/integer/time" |
||||
|
||||
Rails.application.configure do |
||||
# Settings specified here will take precedence over those in config/application.rb. |
||||
|
||||
# Code is not reloaded between requests. |
||||
config.cache_classes = true |
||||
|
||||
# Eager load code on boot. This eager loads most of Rails and |
||||
# your application in memory, allowing both threaded web servers |
||||
# and those relying on copy on write to perform better. |
||||
# Rake tasks automatically ignore this option for performance. |
||||
config.eager_load = true |
||||
|
||||
# Full error reports are disabled and caching is turned on. |
||||
config.consider_all_requests_local = false |
||||
config.action_controller.perform_caching = true |
||||
|
||||
# Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"] |
||||
# or in config/master.key. This key is used to decrypt credentials (and other encrypted files). |
||||
# config.require_master_key = true |
||||
|
||||
# Disable serving static files from the `/public` folder by default since |
||||
# Apache or NGINX already handles this. |
||||
config.public_file_server.enabled = ENV["RAILS_SERVE_STATIC_FILES"].present? |
||||
|
||||
# Enable serving of images, stylesheets, and JavaScripts from an asset server. |
||||
# config.asset_host = 'http://assets.example.com' |
||||
|
||||
# Specifies the header that your server uses for sending files. |
||||
# config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache |
||||
# config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX |
||||
|
||||
# Store uploaded files on the local file system (see config/storage.yml for options). |
||||
config.active_storage.service = :local |
||||
|
||||
# Mount Action Cable outside main process or domain. |
||||
# config.action_cable.mount_path = nil |
||||
# config.action_cable.url = 'wss://example.com/cable' |
||||
# config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ] |
||||
|
||||
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. |
||||
# config.force_ssl = true |
||||
|
||||
# Include generic and useful information about system operation, but avoid logging too much |
||||
# information to avoid inadvertent exposure of personally identifiable information (PII). |
||||
config.log_level = :info |
||||
|
||||
# Prepend all log lines with the following tags. |
||||
config.log_tags = [:request_id] |
||||
|
||||
# Use a different cache store in production. |
||||
# config.cache_store = :mem_cache_store |
||||
|
||||
# Use a real queuing backend for Active Job (and separate queues per environment). |
||||
# config.active_job.queue_adapter = :resque |
||||
# config.active_job.queue_name_prefix = "data_collector_production" |
||||
|
||||
config.action_mailer.perform_caching = false |
||||
|
||||
config.action_mailer.default_url_options = { host: ENV["APP_HOST"] } |
||||
config.action_mailer.delivery_method = :smtp |
||||
config.action_mailer.smtp_settings = { |
||||
address: "smtp.gmail.com", |
||||
port: 465, |
||||
domain: "gmail.com", |
||||
user_name: ENV["CORE_EMAIL_USERNAME"], |
||||
password: ENV["CORE_EMAIL_PASSWORD"], |
||||
authentication: "plain", |
||||
enable_starttls_auto: true, |
||||
ssl: true, |
||||
} |
||||
|
||||
# Ignore bad email addresses and do not raise email delivery errors. |
||||
# Set this to true and configure the email server for immediate delivery to raise delivery errors. |
||||
# config.action_mailer.raise_delivery_errors = false |
||||
|
||||
# Enable locale fallbacks for I18n (makes lookups for any locale fall back to |
||||
# the I18n.default_locale when a translation cannot be found). |
||||
config.i18n.fallbacks = true |
||||
|
||||
# Send deprecation notices to registered listeners. |
||||
config.active_support.deprecation = :notify |
||||
|
||||
# Log disallowed deprecations. |
||||
config.active_support.disallowed_deprecation = :log |
||||
|
||||
# Tell Active Support which deprecation messages to disallow. |
||||
config.active_support.disallowed_deprecation_warnings = [] |
||||
|
||||
# Use default logging formatter so that PID and timestamp are not suppressed. |
||||
config.log_formatter = ::Logger::Formatter.new |
||||
|
||||
# Use a different logger for distributed setups. |
||||
# require "syslog/logger" |
||||
# config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name') |
||||
|
||||
if ENV["RAILS_LOG_TO_STDOUT"].present? |
||||
logger = ActiveSupport::Logger.new($stdout) |
||||
logger.formatter = config.log_formatter |
||||
config.logger = ActiveSupport::TaggedLogging.new(logger) |
||||
end |
||||
|
||||
# Do not dump schema after migrations. |
||||
config.active_record.dump_schema_after_migration = false |
||||
|
||||
# Inserts middleware to perform automatic connection switching. |
||||
# The `database_selector` hash is used to pass options to the DatabaseSelector |
||||
# middleware. The `delay` is used to determine how long to wait after a write |
||||
# to send a subsequent read to the primary. |
||||
# |
||||
# The `database_resolver` class is used by the middleware to determine which |
||||
# database is appropriate to use based on the time delay. |
||||
# |
||||
# The `database_resolver_context` class is used by the middleware to set |
||||
# timestamps for the last write to the primary. The resolver uses the context |
||||
# class timestamps to determine how long to wait before reading from the |
||||
# replica. |
||||
# |
||||
# By default Rails will store a last write timestamp in the session. The |
||||
# DatabaseSelector middleware is designed as such you can define your own |
||||
# strategy for connection switching and pass that into the middleware through |
||||
# these configuration options. |
||||
# config.active_record.database_selector = { delay: 2.seconds } |
||||
# config.active_record.database_resolver = ActiveRecord::Middleware::DatabaseSelector::Resolver |
||||
# config.active_record.database_resolver_context = ActiveRecord::Middleware::DatabaseSelector::Resolver::Session |
||||
|
||||
# see https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017 |
||||
config.active_record.yaml_column_permitted_classes = [Time] |
||||
end |
||||
@ -1,5 +1,5 @@
|
||||
Sentry.init do |config| |
||||
config.breadcrumbs_logger = %i[active_support_logger http_logger] |
||||
config.enabled_environments = %w[production staging] |
||||
config.enabled_environments = %w[production staging review] |
||||
config.traces_sample_rate = 0.2 |
||||
end |
||||
|
||||
Loading…
Reference in new issue