diff --git a/.github/workflows/_build-and-push.yml b/.github/workflows/_build-and-push.yml
index db113ff119..e7bdf24ac3 100644
--- a/.github/workflows/_build-and-push.yml
+++ b/.github/workflows/_build-and-push.yml
@@ -83,14 +83,6 @@ jobs:
 - name: install aws cli
 uses: unfor19/install-aws-cli-action@27d6061dae5d39e89be4d2246824f15e111a7e06 # pin@v1.0.3
- - name: configure OIDC AWS credentials for ECR push
- uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0
- with:
- role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-push
- role-session-name: github-actions-ecr-push
- role-duration-seconds: 900
- aws-region: eu-west-1
-
 - name: download resources artifact
 uses: actions/download-artifact@d0ce8fd1167ed839810201de977912a090ab10a7
 with:
@@ -136,6 +128,14 @@ jobs:
 rm -rf /tmp/.buildx-cache
 mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+ - name: configure OIDC AWS credentials for ECR push
+ uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0
+ with:
+ role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-push
+ role-session-name: github-actions-ecr-push
+ role-duration-seconds: 900
+ aws-region: eu-west-1
+
 - name: ecr login
 id: login_ecr
 uses: aws-actions/amazon-ecr-login@bfbd05a2dcf76451041cbd4b9d11cff82489a1ee # pin@v1.5.1
@@ -192,3 +192,10 @@ jobs:
 docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$ECR_REGISTRY_ALIAS/$IMAGE_NAME:main-$IMAGE_TAG
 fi
 docker push --all-tags $ECR_REGISTRY/$ECR_REGISTRY_ALIAS/$IMAGE_NAME
+
+ - name: Unset AWS variables
+ if: always()
+ run: |
+ echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+ echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+ echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV
diff --git a/.github/workflows/_codecov.yml b/.github/workflows/_codecov.yml
index 0cc249ce25..afb94ee203 100644
--- a/.github/workflows/_codecov.yml
+++ b/.github/workflows/_codecov.yml
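Review bot: The new `Unset AWS variables` step in the `@@ -192` hunk is the job's final step, so blanking the three variables in `$GITHUB_ENV` protects no subsequent step, and it revokes nothing — the session minted by `configure OIDC AWS credentials for ECR push` stays usable until its `role-duration-seconds: 900` elapses. The real gain in this file is the relocation in the `@@ -136` hunk, which moves the credential exchange past `download resources artifact` and the buildx cache shuffle so fewer third-party actions run with AWS keys in the environment. If the step is kept as defence-in-depth for steps appended later, say so and quote the redirect target: `# blanks the exported session for any later step; the STS session itself only expires per role-duration-seconds` and `echo "AWS_SESSION_TOKEN=" >> "$GITHUB_ENV"`. The same trailing step is added to most other workflows in this commit and carries the same caveat.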
@@ -6,6 +6,9 @@ defaults:
 on:
 workflow_call:
+ secrets:
+ codecov_token:
+ required: true
 jobs:
 code_coverage:
@@ -44,7 +47,7 @@ jobs:
 fail_ci_if_error: true
 flags: client
 verbose: true
- token: ${{ secrets.CODECOV_TOKEN }}
+ token: ${{ secrets.codecov_token }}
 - name: service api codecov upload
 uses: codecov/codecov-action@v3
@@ -54,4 +57,4 @@ jobs:
 fail_ci_if_error: true
 flags: api
 verbose: true
- token: ${{ secrets.CODECOV_TOKEN }}
+ token: ${{ secrets.codecov_token }}
diff --git a/.github/workflows/_cycle-secrets.yml b/.github/workflows/_cycle-secrets.yml
index 881e25daa4..23a51fbc1a 100644
--- a/.github/workflows/_cycle-secrets.yml
+++ b/.github/workflows/_cycle-secrets.yml
@@ -33,3 +33,10 @@ jobs:
 AWS_REGION: eu-west-1
 working-directory: terraform/environment/scripts/cycle_secrets
 run: python3 cycle_secrets.py ${ACCOUNT_ENVIRONMENT}
+
+ - name: Unset AWS variables
+ if: always()
+ run: |
+ echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+ echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+ echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV
diff --git a/.github/workflows/_ecr-scanning.yml b/.github/workflows/_ecr-scanning.yml
index 2d095fc307..48a5908069 100644
--- a/.github/workflows/_ecr-scanning.yml
+++ b/.github/workflows/_ecr-scanning.yml
@@ -17,14 +17,6 @@ jobs:
 steps:
 - uses: actions/checkout@3b9b8c884f6b4bb4d5be2779c26374abadae0871 # pin@v3
- - name: configure OIDC AWS credentials for ECR scanning
- uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573
- with:
- role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-scan
- role-session-name: github-actions-ecr-scan
- role-duration-seconds: 1800
- aws-region: eu-west-1
-
 - name: install python
 uses: actions/setup-python@55aad42e4674b58b2b2fb7d8e7552402d922b4e7 # pin@v4.2.0
 with:
@@ -34,7 +26,22 @@ jobs:
 - name: install requirements
 run: pip install -r ./scripts/pipeline/ecrscan/requirements.txt
+ - name: configure OIDC AWS credentials for ECR scanning
+ uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573
+ with:
+ role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-scan
+ role-session-name: github-actions-ecr-scan
+ role-duration-seconds: 1800
+ aws-region: eu-west-1
+
 - name: Check ECR scan results
 env:
 TAG: ${{ inputs.tag }}
 run: python ./scripts/pipeline/ecrscan/ecr_scan_results.py --search digideps --tag ${TAG} --print_to_terminal --fail_pipe
+
+ - name: Unset AWS variables
+ if: always()
+ run: |
+ echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV
+ echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV
+ echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV
diff --git a/.github/workflows/_latest-deployed-image.yml b/.github/workflows/_latest-deployed-image.yml
index d4dcce4683..86ad03cb99 100644
--- a/.github/workflows/_latest-deployed-image.yml
+++ b/.github/workflows/_latest-deployed-image.yml
@@ -1,5 +1,8 @@
 on:
 workflow_call:
+ secrets:
+ ssh_private_key:
+ required: true
 inputs:
 terraform_path:
 description: "The name of the terraform path"
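Review bot: `role-duration-seconds: 1800` in the relocated `configure OIDC AWS credentials for ECR scanning` step is twice the 900 used for the ECR push role in `_build-and-push.yml`, for a step that only reads scan results (`ecr_scan_results.py ... --fail_pipe`). Now that checkout, `setup-python` and `pip install` all run before the credential exchange, the credentialed window is that single step, so the duration can presumably drop to `role-duration-seconds: 900` unless the results poll is known to run longer — check the script's own timeout before changing it. The trailing `Unset AWS variables` step is again the last step of the job and only blanks the exported values; it does not shorten the session.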
@@ -27,24 +30,21 @@ jobs: with: fetch-depth: "0" - - name: parse terraform version - id: tf_version_setup - run: | - if [ -f ./versions.tf ]; then - terraform_version=$(cat ./versions.tf | ../../scripts/pipeline/terraform/terraform-version.sh) - echo "- Terraform version: [${terraform_version}]" >> $GITHUB_STEP_SUMMARY - echo "TERRAFORM_VERSION=${terraform_version}" >> $GITHUB_OUTPUT - fi - working-directory: terraform/${{ inputs.terraform_path }} - - - name: "Terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]" - run: echo "terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]" + - id: terraform_version + name: get terraform version + uses: ministryofjustice/opg-github-actions/.github/actions/terraform-version@v3.1.0 + with: + terraform_directory: terraform/${{ inputs.terraform_path }} - uses: hashicorp/setup-terraform@344fef46b6edc7c46ce8b3b8b0a3ece7e77e05f0 # pin@v2.0.0 with: - terraform_version: ${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }} + terraform_version: ${{ steps.terraform_version.outputs.version }} terraform_wrapper: false + - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4 + with: + ssh-private-key: ${{ secrets.ssh_private_key }} + - name: configure OIDC AWS credentials for latest deployment uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 with: @@ -53,10 +53,6 @@ jobs: role-duration-seconds: 900 aws-region: eu-west-1 - - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4 - with: - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} - - name: terraform init run: terraform init -input=false working-directory: terraform/${{ inputs.terraform_path }} 
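Review bot: The new `ministryofjustice/opg-github-actions/.github/actions/terraform-version@v3.1.0` reference is pinned to a mutable tag, while every other action in this hunk (`hashicorp/setup-terraform@344fef…`, `webfactory/ssh-agent@dc588b…`) is pinned to a commit SHA with a `# pin@` comment. A composite action from another repository runs in the same job that goes on to load the allow-list deploy key and assume an AWS role, so the tag should be resolved to its commit and written as `uses: ministryofjustice/opg-github-actions/.github/actions/terraform-version@<commit-sha> # pin@v3.1.0`. The other workflows in this commit that read `steps.terraform_version.outputs.version` presumably use the same reference and should be pinned the same way. Moving `ssh-agent` ahead of the OIDC step is a reasonable ordering, since the key is presumably only needed by `terraform init` later in the job.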
@@ -69,3 +65,10 @@ jobs: export IMAGE_TAG=$(terraform show -json | head -n 2 | tail -n 1 | jq -r '.values.root_module.child_modules[].resources[] | select(.address == "module.eu_west_1[0].aws_ecs_task_definition.front") | .values.container_definitions | fromjson[].image | split(":")[1]' | tail -n 1 2>/dev/null) echo "image_tag=$(echo ${IMAGE_TAG})" >> $GITHUB_OUTPUT working-directory: terraform/${{ inputs.terraform_path }} + + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV diff --git a/.github/workflows/_lint-terraform.yml b/.github/workflows/_lint-terraform.yml index 8c2a174b5f..20ae82c34f 100644 --- a/.github/workflows/_lint-terraform.yml +++ b/.github/workflows/_lint-terraform.yml @@ -6,6 +6,9 @@ defaults: on: workflow_call: + secrets: + ssh_private_key: + required: true inputs: workspace: description: "Terraform workspace" @@ -33,6 +36,14 @@ jobs: terraform_version: ${{ steps.terraform_version.outputs.version }} terraform_wrapper: false + - name: terraform fmt ${{ matrix.folder }} check + run: terraform fmt -check -recursive + working-directory: terraform/${{ matrix.folder }} + + - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4 + with: + ssh-private-key: ${{ secrets.ssh_private_key }} + - name: configure OIDC AWS credentials for terraform uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 with: @@ -41,14 +52,6 @@ jobs: role-duration-seconds: 900 aws-region: eu-west-1 - - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4 - with: - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} - - - name: terraform fmt ${{ matrix.folder }} check - run: terraform fmt -check -recursive - working-directory: terraform/${{ matrix.folder }} - - name: terraform validate ${{ inputs.workspace }} env: TF_WORKSPACE: default 
@@ -59,6 +62,13 @@ jobs: terraform validate working-directory: terraform/${{ matrix.folder }} + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV + - name: configure OIDC AWS credentials for Trivy DB Ecr uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0 with: @@ -86,3 +96,10 @@ jobs: TRIVY_TIMEOUT: 15m TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db + + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV diff --git a/.github/workflows/_run-task.yml b/.github/workflows/_run-task.yml index 05ab1ba4b1..ac2e021cbc 100644 --- a/.github/workflows/_run-task.yml +++ b/.github/workflows/_run-task.yml @@ -1,5 +1,8 @@ on: workflow_call: + secrets: + ssh_private_key: + required: true inputs: workspace: description: "Workspace" 
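Review bot: The `Unset AWS variables` step inserted in the `@@ -59` hunk, between `terraform validate` and `configure OIDC AWS credentials for Trivy DB Ecr`, is the one place in this commit where the blanking has a functional role: with `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` still exported from the first assume, the second `configure-aws-credentials` step would presumably use them as source credentials and chain from the lint role instead of exchanging the OIDC token — worth confirming against the pinned v1.7.0 behaviour. Record the intent on the step so it is not removed as redundant: `# clear the lint role's session so the next configure step authenticates via OIDC rather than role chaining`. The second unset in the `@@ -86` hunk is the job's last step and only blanks values; the Trivy role's session remains valid until it expires.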
@@ -45,6 +48,25 @@ jobs: terraform_version: ${{ steps.terraform_version.outputs.version }} terraform_wrapper: false + - name: cache ecs-helper + id: cache-ecs-helper + uses: actions/cache@v3 + with: + path: ecs-helper + key: ecs-helper-${{ env.HELPER_VERSION }} + + - name: get ecs-helper + if: steps.cache-ecs-helper.outputs.cache-hit != 'true' + run: | + wget "https://github.com/ministryofjustice/opg-ecs-helper/releases/download/v$HELPER_VERSION/opg-ecs-helper_Linux_x86_64.tar.gz" + mkdir ecs-helper + tar -xvf opg-ecs-helper_Linux_x86_64.tar.gz -C ecs-helper + chmod +x ecs-helper/ecs-runner + + - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4 + with: + ssh-private-key: ${{ secrets.ssh_private_key }} + - name: configure OIDC AWS credentials for terraform uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 with: @@ -53,10 +75,6 @@ jobs: role-duration-seconds: 3600 aws-region: eu-west-1 - - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4 - with: - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} - - name: terraform init env: TF_WORKSPACE: ${{ inputs.workspace }} @@ -71,21 +89,6 @@ jobs: terraform output -json > terraform.output.json working-directory: terraform/environment - - name: cache ecs-helper - id: cache-ecs-helper - uses: actions/cache@v3 - with: - path: ecs-helper - key: ecs-helper-${{ env.HELPER_VERSION }} - - - name: get ecs-helper - if: steps.cache-ecs-helper.outputs.cache-hit != 'true' - run: | - wget "https://github.com/ministryofjustice/opg-ecs-helper/releases/download/v$HELPER_VERSION/opg-ecs-helper_Linux_x86_64.tar.gz" - mkdir ecs-helper - tar -xvf opg-ecs-helper_Linux_x86_64.tar.gz -C ecs-helper - chmod +x ecs-helper/ecs-runner - - name: run task env: OVERRIDE: ${{ inputs.override }} 
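Review bot: `get ecs-helper` still fetches the release tarball with `wget` and later runs the extracted `ecs-runner` with no integrity check, and that binary executes under the terraform role whose `role-duration-seconds: 3600` is visible in the `@@ -53` hunk. Moving the download ahead of the OIDC step correctly takes the fetch itself out of the credentialed window, but a swapped release asset would still run with credentials; add a digest check after the download, `echo "${HELPER_SHA256}  opg-ecs-helper_Linux_x86_64.tar.gz" | sha256sum -c -`, with the digest kept next to `HELPER_VERSION` (whose definition is outside the hunk). `actions/cache@v3` is also the only action in this hunk referenced by a mutable tag rather than a SHA with a `# pin@` comment; pin it the same way as `webfactory/ssh-agent`.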
@@ -102,3 +105,10 @@ jobs: ../../ecs-helper/ecs-runner -task ${TASK_NAME} -timeout ${TIMEOUT} -override ${OVERRIDE} fi working-directory: terraform/environment + + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV diff --git a/.github/workflows/_run-terraform.yml b/.github/workflows/_run-terraform.yml index 3b5e2c48f5..4fb7241b30 100644 --- a/.github/workflows/_run-terraform.yml +++ b/.github/workflows/_run-terraform.yml @@ -1,5 +1,8 @@ on: workflow_call: + secrets: + ssh_private_key: + required: true inputs: terraform_path: description: "The name of the terraform path" @@ -58,6 +61,15 @@ jobs: terraform_version: ${{ steps.terraform_version.outputs.version }} terraform_wrapper: false + - name: build redeployer + if: inputs.terraform_path == 'account' + run: GOARCH=amd64 GOOS=linux go build -o bootstrap ./main.go + working-directory: terraform/account/region/go_redeployer + + - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4 + with: + ssh-private-key: ${{ secrets.ssh_private_key }} + - name: configure OIDC AWS credentials for terraform uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0 with: @@ -66,15 +78,6 @@ jobs: role-duration-seconds: 7400 aws-region: eu-west-1 - - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4 - with: - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} - - - name: build redeployer - if: inputs.terraform_path == 'account' - run: GOARCH=amd64 GOOS=linux go build -o bootstrap ./main.go - working-directory: terraform/account/region/go_redeployer - - name: terraform init for account if: inputs.terraform_path == 'account' run: terraform init -input=false 
@@ -116,3 +119,10 @@ jobs: run: | terraform apply -lock-timeout=300s -input=false -auto-approve -parallelism=30 working-directory: terraform/${{ inputs.terraform_path }} + + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV diff --git a/.github/workflows/_scale-services.yml b/.github/workflows/_scale-services.yml index e52637158c..6630764448 100644 --- a/.github/workflows/_scale-services.yml +++ b/.github/workflows/_scale-services.yml @@ -46,3 +46,10 @@ jobs: aws ecs update-service --service admin-${TF_WORKSPACE} --cluster ${TF_WORKSPACE} --desired-count ${REPLICAS} aws ecs update-service --service api-${TF_WORKSPACE} --cluster ${TF_WORKSPACE} --desired-count ${REPLICAS} aws rds modify-db-cluster --db-cluster-identifier api-${TF_WORKSPACE} --serverless-v2-scaling-configuration MinCapacity=0.5,MaxCapacity=${ACU} + + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV diff --git a/.github/workflows/_slack-notification.yml b/.github/workflows/_slack-notification.yml index 743c820d7a..63e613ae32 100644 --- a/.github/workflows/_slack-notification.yml +++ b/.github/workflows/_slack-notification.yml @@ -31,14 +31,6 @@ jobs: steps: - uses: actions/checkout@3b9b8c884f6b4bb4d5be2779c26374abadae0871 # pin@v3 - - name: configure OIDC AWS credentials for slack notification - uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0 - with: - role-to-assume: arn:aws:iam::${{ inputs.account }}:role/digideps-gh-actions-slack-notifier - role-session-name: github-actions-slack-notifier - role-duration-seconds: 900 - aws-region: eu-west-1 - - name: install python uses: actions/setup-python@55aad42e4674b58b2b2fb7d8e7552402d922b4e7 # pin@v4.2.0 with: 
@@ -48,6 +40,14 @@ jobs: - name: install requirements run: pip install -r lambdas/functions/monitor_notify_lambda/requirements.txt + - name: configure OIDC AWS credentials for slack notification + uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0 + with: + role-to-assume: arn:aws:iam::${{ inputs.account }}:role/digideps-gh-actions-slack-notifier + role-session-name: github-actions-slack-notifier + role-duration-seconds: 900 + aws-region: eu-west-1 + - name: Notify Slack env: BRANCH: ${{ inputs.branch }} @@ -60,3 +60,10 @@ jobs: --branch "${BRANCH}" \ --scheduled_task "${SCHEDULED_TASK}" working-directory: lambdas/functions/monitor_notify_lambda/app + + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV diff --git a/.github/workflows/manual-spin-up-development.yml b/.github/workflows/manual-spin-up-development.yml index bbb12fc1f8..a38d55c4b4 100644 --- a/.github/workflows/manual-spin-up-development.yml +++ b/.github/workflows/manual-spin-up-development.yml @@ -23,7 +23,8 @@ jobs: workspace: training terraform_path: environment account_name: preproduction - secrets: inherit + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} terraform_apply_development: name: development environment apply terraform @@ -37,7 +38,8 @@ jobs: account_name: development container_version: ${{ needs.latest_deployed_image.outputs.image_tag }} pull_request_path: true - secrets: inherit + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} reset_database: name: reset development database @@ -49,7 +51,8 @@ jobs: account_name: development task_name: "reset_database" timeout: "500" - secrets: inherit + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} slack_notify_success: name: notify of success 
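Review bot: `role-to-assume: arn:aws:iam::${{ inputs.account }}:role/digideps-gh-actions-slack-notifier` builds the target account from a caller-supplied input with no constraint inside the reusable workflow; the declaration of `inputs.account` is outside this hunk, so I cannot see whether it is typed. Every caller in this commit is an in-repo `uses: ./.github/workflows/_slack-notification.yml` passing a literal id (515688267891, 248804316466, 454262938596), and the role's OIDC trust policy is the real gate, so the exposure is low. Still, declaring the input as `type: number` and adding a one-line guard before the assume, with `ACCOUNT` mapped from `inputs.account` via `env:`, e.g. `run: case "$ACCOUNT" in 515688267891|248804316466|454262938596) ;; *) echo "unexpected account"; exit 1;; esac`, keeps a future caller from pointing the notifier at an arbitrary account. Moving the credential step after `pip install -r ...requirements.txt` is the right ordering.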
@@ -61,7 +64,6 @@ jobs: branch: main account: 515688267891 scheduled_task: "Development Environment Spun Up" - secrets: inherit slack_notify_failure: name: notify of failure @@ -74,4 +76,3 @@ jobs: branch: main account: 515688267891 scheduled_task: "Development Environment Spun Up" - secrets: inherit diff --git a/.github/workflows/scheduled-cycle-secrets.yml b/.github/workflows/scheduled-cycle-secrets.yml index 742486bc8c..362a2da886 100644 --- a/.github/workflows/scheduled-cycle-secrets.yml +++ b/.github/workflows/scheduled-cycle-secrets.yml @@ -26,7 +26,8 @@ jobs: workspace: training terraform_path: environment account_name: preproduction - secrets: inherit + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} rotate_secrets_preproduction: name: rotate secrets for preproduction account @@ -35,7 +36,6 @@ jobs: - latest_deployed_image with: account_environment: preproduction - secrets: inherit terraform_apply_integration: name: integration environment apply terraform @@ -49,7 +49,8 @@ jobs: apply: true account_name: preproduction container_version: ${{ needs.latest_deployed_image.outputs.image_tag }} - secrets: inherit + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} terraform_apply_training: name: training environment apply terraform @@ -63,7 +64,8 @@ jobs: apply: true account_name: preproduction container_version: ${{ needs.latest_deployed_image.outputs.image_tag }} - secrets: inherit + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} terraform_apply_preproduction: name: preproduction environment apply terraform @@ -77,7 +79,8 @@ jobs: apply: true account_name: preproduction container_version: ${{ needs.latest_deployed_image.outputs.image_tag }} - secrets: inherit + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} rotate_secrets_production: name: rotate secrets for production account 
@@ -88,7 +91,6 @@ jobs: - terraform_apply_integration with: account_environment: production - secrets: inherit terraform_apply_production: name: production environment apply terraform @@ -103,7 +105,8 @@ jobs: apply: true account_name: production container_version: ${{ needs.latest_deployed_image.outputs.image_tag }} - secrets: inherit + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} slack_notify_failure: name: notify of failure @@ -116,4 +119,3 @@ jobs: branch: main account: 515688267891 scheduled_task: "Cycle AWS Secrets" - secrets: inherit diff --git a/.github/workflows/scheduled-disaster-recovery-test.yml b/.github/workflows/scheduled-disaster-recovery-test.yml index ebe5eba5c2..d5ddcbcc78 100644 --- a/.github/workflows/scheduled-disaster-recovery-test.yml +++ b/.github/workflows/scheduled-disaster-recovery-test.yml @@ -31,6 +31,11 @@ jobs: python-version: "3.11" cache: "pip" + - name: install requirements + id: requirements + run: pip install -r requirements.txt + working-directory: disaster-recovery/restore + - name: configure OIDC AWS credentials for terraform uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 with: @@ -39,11 +44,6 @@ jobs: role-duration-seconds: 7200 aws-region: eu-west-1 - - name: install requirements - id: requirements - run: pip install -r requirements.txt - working-directory: disaster-recovery/restore - - name: restore to a point in time id: restore run: | @@ -54,6 +54,13 @@ jobs: --pitr "${TEN_MINS_AGO}" working-directory: disaster-recovery/restore + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV + restore_from_remote_backup: runs-on: ubuntu-latest name: restore from cross account backup 
@@ -68,6 +75,11 @@ jobs: python-version: "3.11" cache: "pip" + - name: install requirements + id: requirements + run: pip install -r requirements.txt + working-directory: disaster-recovery/restore + - name: configure OIDC AWS credentials for terraform uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 with: @@ -76,11 +88,6 @@ jobs: role-duration-seconds: 7200 aws-region: eu-west-1 - - name: install requirements - id: requirements - run: pip install -r requirements.txt - working-directory: disaster-recovery/restore - - name: get latest integration snapshot id id: snapshot run: | @@ -100,6 +107,13 @@ jobs: --snapshot_id ${SNAPSHOT_ID} working-directory: disaster-recovery/restore + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV + slack_notify_success: name: notify of result uses: ./.github/workflows/_slack-notification.yml @@ -109,7 +123,6 @@ jobs: success: yes branch: integration account: 248804316466 - secrets: inherit slack_notify_failure: name: notify of failure @@ -121,4 +134,3 @@ jobs: success: no branch: integration account: 248804316466 - secrets: inherit diff --git a/.github/workflows/scheduled-resilience-tests.yml b/.github/workflows/scheduled-resilience-tests.yml index ac11075689..544e6becf4 100644 --- a/.github/workflows/scheduled-resilience-tests.yml +++ b/.github/workflows/scheduled-resilience-tests.yml @@ -27,7 +27,6 @@ jobs: acu: 8 account_id: 454262938596 workspace: integration - secrets: inherit resilience_tests_integration: name: resilience tests on integration @@ -39,7 +38,8 @@ jobs: account_name: preproduction task_name: "resilience_tests" timeout: "3600" - secrets: inherit + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} scale_services_down: if: always() 
@@ -52,4 +52,3 @@ jobs: acu: 4 account_id: 454262938596 workspace: integration - secrets: inherit diff --git a/.github/workflows/scheduled-restore-anon-preprod.yml b/.github/workflows/scheduled-restore-anon-preprod.yml index 53f1610959..bb7ba7c00b 100644 --- a/.github/workflows/scheduled-restore-anon-preprod.yml +++ b/.github/workflows/scheduled-restore-anon-preprod.yml @@ -27,7 +27,8 @@ jobs: # account_name: production # task_name: "backup" # timeout: "700" - # secrets: inherit + # secrets: + # ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} # restore_to_preproduction: # name: restore to preproduction @@ -39,7 +40,8 @@ jobs: # account_name: preproduction # task_name: "restore_from_production" # timeout: "3600" - # secrets: inherit + # secrets: + # ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} slack_notify_failure: name: notify of failure @@ -52,4 +54,3 @@ jobs: branch: main account: 454262938596 scheduled_task: "Restore and Anonymise Preproduction" - secrets: inherit diff --git a/.github/workflows/scheduled-update-training-environment.yml b/.github/workflows/scheduled-update-training-environment.yml index cc72c1f2ff..241aa7f35d 100644 --- a/.github/workflows/scheduled-update-training-environment.yml +++ b/.github/workflows/scheduled-update-training-environment.yml @@ -27,7 +27,8 @@ jobs: account_name: preproduction task_name: "reset_database" timeout: "500" - secrets: inherit + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} slack_notify_failure: name: notify of failure @@ -40,4 +41,3 @@ jobs: branch: main account: 515688267891 scheduled_task: "Reset Training Environment" - secrets: inherit diff --git a/.github/workflows/scheduled-workspace-cleanup.yml b/.github/workflows/scheduled-workspace-cleanup.yml index 7e25d97074..7440173094 100644 --- a/.github/workflows/scheduled-workspace-cleanup.yml +++ b/.github/workflows/scheduled-workspace-cleanup.yml 
@@ -35,6 +35,18 @@ jobs: terraform_version: ${{ steps.terraform_version.outputs.version }} terraform_wrapper: false + - name: install workspace manager + run: | + wget https://github.com/ministryofjustice/opg-terraform-workspace-manager/releases/download/v0.3.2/opg-terraform-workspace-manager_Linux_x86_64.tar.gz -O $HOME/terraform-workspace-manager.tar.gz + sudo tar -xvf $HOME/terraform-workspace-manager.tar.gz -C /usr/local/bin + sudo chmod +x /usr/local/bin/terraform-workspace-manager + + - name: install python + uses: actions/setup-python@55aad42e4674b58b2b2fb7d8e7552402d922b4e7 # pin@v4.2.0 + with: + python-version: "3.10" + cache: "pip" + - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # pin@v0.5.4 with: ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} @@ -47,12 +59,6 @@ jobs: role-duration-seconds: 7400 aws-region: eu-west-1 - - name: install workspace manager - run: | - wget https://github.com/ministryofjustice/opg-terraform-workspace-manager/releases/download/v0.3.2/opg-terraform-workspace-manager_Linux_x86_64.tar.gz -O $HOME/terraform-workspace-manager.tar.gz - sudo tar -xvf $HOME/terraform-workspace-manager.tar.gz -C /usr/local/bin - sudo chmod +x /usr/local/bin/terraform-workspace-manager - - name: terraform init run: terraform init -input=false working-directory: terraform/environment @@ -63,12 +69,6 @@ jobs: ./scripts/workspace_cleanup.sh $(terraform-workspace-manager -protected-workspaces=true -aws-account-id=248804316466 -aws-iam-role=digideps-ci) working-directory: terraform/environment - - name: install python - uses: actions/setup-python@55aad42e4674b58b2b2fb7d8e7552402d922b4e7 # pin@v4.2.0 - with: - python-version: "3.10" - cache: "pip" - - name: clean up old task definitions env: REGION: eu-west-1 
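Review bot: `install workspace manager` runs `sudo tar -xvf … -C /usr/local/bin` on a tarball fetched with `wget` and no integrity check, so whatever the archive contains is written as root into a PATH directory — a tampered or mislabelled asset could replace `terraform` or `aws` there, and `terraform-workspace-manager` is later run (with `-aws-iam-role=digideps-ci`) under the 7400-second role assumed in the `@@ -47` hunk. Moving the download ahead of the OIDC step takes the fetch out of the credentialed window, which is good, but the install should verify a pinned sha256 and copy only the expected binary rather than unpacking the archive in place. The digest variable below is a placeholder to be set in the job `env` alongside the version.

```yaml
      - name: install workspace manager
        run: |
          wget https://github.com/ministryofjustice/opg-terraform-workspace-manager/releases/download/v0.3.2/opg-terraform-workspace-manager_Linux_x86_64.tar.gz -O "$HOME/terraform-workspace-manager.tar.gz"
          echo "${WORKSPACE_MANAGER_SHA256}  $HOME/terraform-workspace-manager.tar.gz" | sha256sum -c -
          mkdir -p "$HOME/twm" && tar -xf "$HOME/terraform-workspace-manager.tar.gz" -C "$HOME/twm"
          sudo install -m 0755 "$HOME/twm/terraform-workspace-manager" /usr/local/bin/terraform-workspace-manager
      # … unchanged: install python, ssh-agent and configure OIDC steps …
```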
@@ -77,6 +77,13 @@ jobs: python cleanup_task_definitions.py working-directory: scripts/pipeline/cleanup_task_definitions + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV + slack_notify_failure: name: notify of failure uses: ./.github/workflows/_slack-notification.yml @@ -88,4 +95,3 @@ jobs: branch: main account: 454262938596 scheduled_task: "Environment Cleanup" - secrets: inherit diff --git a/.github/workflows/workflow-destroy-on-merge.yml b/.github/workflows/workflow-destroy-on-merge.yml index 78e1754a6a..93f197bb71 100644 --- a/.github/workflows/workflow-destroy-on-merge.yml +++ b/.github/workflows/workflow-destroy-on-merge.yml @@ -80,3 +80,10 @@ jobs: run: | echo "Running script against ${WORKSPACE}" ./scripts/destroy_workspace.sh ${WORKSPACE} + + - name: Unset AWS variables + if: always() + run: | + echo "AWS_SECRET_ACCESS_KEY=" >> $GITHUB_ENV + echo "AWS_ACCESS_KEY_ID=" >> $GITHUB_ENV + echo "AWS_SESSION_TOKEN=" >> $GITHUB_ENV diff --git a/.github/workflows/workflow-path-to-live.yml b/.github/workflows/workflow-path-to-live.yml index 7c08037049..e6c46bec79 100644 --- a/.github/workflows/workflow-path-to-live.yml +++ b/.github/workflows/workflow-path-to-live.yml @@ -60,7 +60,6 @@ jobs: build_web_resources: name: build web resources uses: ./.github/workflows/_web-resources.yml - secrets: inherit docker_build_scan_push: name: build, scan and push @@ -72,7 +71,6 @@ jobs: tag: ${{ needs.workflow_variables.outputs.version_tag }} branch_name: ${{ needs.workflow_variables.outputs.build_identifier }} push_to_ecr: true - secrets: inherit api_unit_tests_1: name: api unit tests 1 
@@ -111,12 +109,13 @@ jobs: codecov: name: upload to codecov uses: ./.github/workflows/_codecov.yml + secrets: + codecov_token: ${{ secrets.CODECOV_TOKEN }} needs: - client_unit_tests - api_unit_tests_1 - api_unit_tests_2 - api_unit_tests_3 - secrets: inherit miscellaneous_unit_tests: name: miscellaneous unit tests @@ -129,13 +128,14 @@ jobs: uses: ./.github/workflows/_run-terraform.yml needs: - workflow_variables + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: development terraform_path: account apply: true account_name: development container_version: ${{ needs.workflow_variables.outputs.version_tag }} - secrets: inherit terraform_apply_account_preproduction: name: preproduction account apply terraform @@ -149,13 +149,14 @@ jobs: - api_unit_tests_1 - api_unit_tests_2 - api_unit_tests_3 + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: preproduction terraform_path: account apply: true account_name: preproduction container_version: ${{ needs.workflow_variables.outputs.version_tag }} - secrets: inherit terraform_apply_integration: name: integration environment apply terraform @@ -163,13 +164,14 @@ jobs: needs: - terraform_apply_account_preproduction - workflow_variables + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: integration terraform_path: environment apply: true account_name: preproduction container_version: ${{ needs.workflow_variables.outputs.version_tag }} - secrets: inherit scale_services_up: name: scale up integration services @@ -182,7 +184,6 @@ jobs: acu: 16 account_id: 454262938596 workspace: integration - secrets: inherit reset_database: name: reset integration database 
@@ -190,12 +191,13 @@ jobs: needs: - workflow_variables - scale_services_up + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: integration account_name: preproduction task_name: "reset_database" timeout: "500" - secrets: inherit integration_tests_1: name: integration tests frontend 1 @@ -203,13 +205,14 @@ jobs: needs: - workflow_variables - reset_database + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: integration account_name: preproduction task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests-parallel.sh,--tags,@v2_reporting_1,--profile,v2-tests-browserkit" - secrets: inherit integration_tests_2: name: integration tests frontend 2 @@ -217,13 +220,14 @@ jobs: needs: - workflow_variables - reset_database + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: integration account_name: preproduction task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests-parallel.sh,--tags,@v2_reporting_2,--profile,v2-tests-browserkit" - secrets: inherit integration_tests_admin: name: integration tests admin @@ -231,13 +235,14 @@ jobs: needs: - workflow_variables - reset_database + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: integration account_name: preproduction task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests-parallel.sh,--tags,@v2_admin,--profile,v2-tests-browserkit" - secrets: inherit integration_tests_sequential_1: name: integration tests sequential 1 
@@ -245,13 +250,14 @@ jobs: needs: - workflow_variables - reset_database + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: integration account_name: preproduction task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests.sh,--tags,@v2_sequential_1,--profile,v2-tests-browserkit" - secrets: inherit integration_tests_sequential_2: name: integration tests sequential 2 @@ -259,13 +265,14 @@ jobs: needs: - workflow_variables - reset_database + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: integration account_name: preproduction task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests.sh,--tags,@v2_sequential_2,--profile,v2-tests-browserkit" - secrets: inherit integration_tests_sequential_3: name: integration tests sequential 3 @@ -273,13 +280,14 @@ jobs: needs: - workflow_variables - reset_database + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: integration account_name: preproduction task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests.sh,--tags,@v2_sequential_3,--profile,v2-tests-browserkit" - secrets: inherit scale_services_down: if: always() @@ -298,7 +306,6 @@ jobs: acu: 4 account_id: 454262938596 workspace: integration - secrets: inherit terraform_apply_preproduction: name: preproduction environment apply terraform @@ -312,13 +319,14 @@ jobs: - integration_tests_admin - integration_tests_1 - integration_tests_2 + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: preproduction terraform_path: environment apply: true account_name: preproduction container_version: ${{ needs.workflow_variables.outputs.version_tag }} - secrets: inherit terraform_apply_training: name: training environment apply terraform 
@@ -326,13 +334,14 @@ jobs: needs: - terraform_apply_preproduction - workflow_variables + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: training terraform_path: environment apply: true account_name: preproduction container_version: ${{ needs.workflow_variables.outputs.version_tag }} - secrets: inherit terraform_apply_account_production: name: production account apply terraform @@ -340,13 +349,14 @@ jobs: needs: - workflow_variables - terraform_apply_preproduction + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: production terraform_path: account apply: true account_name: production container_version: ${{ needs.workflow_variables.outputs.version_tag }} - secrets: inherit terraform_apply_production: name: production environment apply terraform @@ -354,13 +364,14 @@ jobs: needs: - terraform_apply_account_production - workflow_variables + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: production02 terraform_path: environment apply: true container_version: ${{ needs.workflow_variables.outputs.version_tag }} account_name: production - secrets: inherit smoke_tests_production: name: smoke tests on production @@ -368,12 +379,13 @@ jobs: needs: - workflow_variables - terraform_apply_production + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: production02 account_name: production task_name: "smoke_tests" timeout: "900" - secrets: inherit end_of_workflow: name: end of workflow @@ -399,7 +411,6 @@ jobs: success: yes branch: ${{ needs.workflow_variables.outputs.build_identifier }} account: 515688267891 - secrets: inherit slack_notify_failure: name: notify of failure @@ -412,4 +423,3 @@ jobs: success: no branch: ${{ needs.workflow_variables.outputs.build_identifier }} account: 515688267891 - secrets: inherit 
diff --git a/.github/workflows/workflow-pull-request-path.yml b/.github/workflows/workflow-pull-request-path.yml index 4239032a9d..0aeec90ac4 100644 --- a/.github/workflows/workflow-pull-request-path.yml +++ b/.github/workflows/workflow-pull-request-path.yml @@ -77,16 +77,16 @@ jobs: build_web_resources: name: build web resources uses: ./.github/workflows/_web-resources.yml - secrets: inherit terraform_lint: name: lint terraform code uses: ./.github/workflows/_lint-terraform.yml needs: - workflow_variables + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: ${{ needs.workflow_variables.outputs.build_identifier }} - secrets: inherit test_js: name: test javascript code @@ -104,7 +104,6 @@ jobs: tag: ${{ needs.workflow_variables.outputs.version_tag }} branch_name: ${{ needs.workflow_variables.outputs.build_identifier }} push_to_ecr: true - secrets: inherit api_unit_tests_1: name: api unit tests 1 @@ -143,13 +142,14 @@ jobs: codecov: name: upload to codecov uses: ./.github/workflows/_codecov.yml + secrets: + codecov_token: ${{ secrets.CODECOV_TOKEN }} needs: - client_unit_tests - miscellaneous_unit_tests - api_unit_tests_1 - api_unit_tests_2 - api_unit_tests_3 - secrets: inherit miscellaneous_unit_tests: name: miscellaneous unit tests @@ -163,12 +163,13 @@ jobs: needs: - workflow_variables - terraform_lint + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: development terraform_path: account container_version: ${{ needs.workflow_variables.outputs.version_tag }} account_name: development - secrets: inherit terraform_apply_environment: name: environment apply terraform @@ -177,6 +178,8 @@ jobs: - docker_build_scan_push - terraform_lint - workflow_variables + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: ${{ needs.workflow_variables.outputs.build_identifier }} terraform_path: environment 
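Review bot: `terraform_lint` and, in the last hunk on this line, `terraform_apply_environment` now receive `SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY` in the pull-request workflow, so a deploy key is available to jobs that lint and apply terraform taken from the PR branch. Under a plain `pull_request` trigger fork PRs get no secrets and this is fine, but if the workflow ever runs on `pull_request_target` the key becomes reachable from untrusted PR changes; the trigger is outside this hunk and should be confirmed. A short comment above each `secrets:` block, e.g. `# deploy key for the allow-list repository, required by terraform init in the called workflow` (adjusted to the real reason), would also document why a lint-only job needs a private key at all.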
@@ -184,7 +187,6 @@ jobs: container_version: ${{ needs.workflow_variables.outputs.version_tag }} account_name: development pull_request_path: true - secrets: inherit ecr_scan_results: name: ecr scan results @@ -194,7 +196,6 @@ jobs: needs: - terraform_apply_environment - workflow_variables - secrets: inherit scale_services_up: name: scale up services @@ -207,7 +208,6 @@ jobs: acu: 16 account_id: 248804316466 workspace: ${{ needs.workflow_variables.outputs.build_identifier }} - secrets: inherit reset_database: name: reset database @@ -215,12 +215,13 @@ jobs: needs: - workflow_variables - terraform_apply_environment + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: ${{ needs.workflow_variables.outputs.build_identifier }} account_name: development task_name: "reset_database" timeout: "500" - secrets: inherit smoke_tests: name: smoke tests @@ -229,12 +230,13 @@ jobs: - workflow_variables - reset_database - scale_services_up + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: ${{ needs.workflow_variables.outputs.build_identifier }} account_name: development task_name: "smoke_tests" timeout: "900" - secrets: inherit integration_tests_1: name: integration tests frontend 1 @@ -243,13 +245,14 @@ jobs: - workflow_variables - reset_database - scale_services_up + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: ${{ needs.workflow_variables.outputs.build_identifier }} account_name: development task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests-parallel.sh,--tags,@v2_reporting_1,--profile,v2-tests-browserkit" - secrets: inherit integration_tests_2: name: integration tests frontend 2 
@@ -258,13 +261,14 @@ jobs: - workflow_variables - reset_database - scale_services_up + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: ${{ needs.workflow_variables.outputs.build_identifier }} account_name: development task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests-parallel.sh,--tags,@v2_reporting_2,--profile,v2-tests-browserkit" - secrets: inherit integration_tests_admin: name: integration tests admin @@ -273,13 +277,14 @@ jobs: - workflow_variables - reset_database - scale_services_up + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: ${{ needs.workflow_variables.outputs.build_identifier }} account_name: development task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests-parallel.sh,--tags,@v2_admin,--profile,v2-tests-browserkit" - secrets: inherit integration_tests_sequential_1: name: integration tests sequential 1 @@ -288,13 +293,14 @@ jobs: - workflow_variables - reset_database - scale_services_up + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: ${{ needs.workflow_variables.outputs.build_identifier }} account_name: development task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests.sh,--tags,@v2_sequential_1,--profile,v2-tests-browserkit" - secrets: inherit integration_tests_sequential_2: name: integration tests sequential 2 
@@ -303,13 +309,14 @@ jobs: - workflow_variables - reset_database - scale_services_up + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: ${{ needs.workflow_variables.outputs.build_identifier }} account_name: development task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests.sh,--tags,@v2_sequential_2,--profile,v2-tests-browserkit" - secrets: inherit integration_tests_sequential_3: name: integration tests sequential 3 @@ -318,13 +325,14 @@ jobs: - workflow_variables - reset_database - scale_services_up + secrets: + ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }} with: workspace: ${{ needs.workflow_variables.outputs.build_identifier }} account_name: development task_name: "integration_test_v2" timeout: "1200" override: "sh,./tests/Behat/run-tests.sh,--tags,@v2_sequential_3,--profile,v2-tests-browserkit" - secrets: inherit scale_services_down: if: always() @@ -343,7 +351,6 @@ jobs: acu: 4 account_id: 248804316466 workspace: ${{ needs.workflow_variables.outputs.build_identifier }} - secrets: inherit end_of_workflow: name: end of workflow @@ -389,7 +396,6 @@ jobs: success: yes branch: ${{ needs.workflow_variables.outputs.build_identifier }} account: 248804316466 - secrets: inherit slack_notify_failure: name: notify of failure @@ -402,4 +408,3 @@ jobs: success: no branch: ${{ needs.workflow_variables.outputs.build_identifier }} account: 248804316466 - secrets: inherit