Move to using managed identity for auth to CosmosDB. #5879

Workflow file for this run

.github/workflows/pr_comment_bot.yml at 7b9927c

	---
	name: pr_comment_bot

	on: # yamllint disable-line rule:truthy
	issue_comment:
	types: [created] # only run on new comments
	# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#issue_comment
	# https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#issue_comment

	jobs:
	pr_comment:
	name: PR comment
	# https://docs.github.com/en/graphql/reference/enums#commentauthorassociation
	# (and https://docs.github.com/en/rest/reference/issues#comments)

	# only allow commands where:
	# - the comment is on a PR
	# - the commenting user has write permissions (i.e. is OWNER or COLLABORATOR)
	if: ${{ github.event.issue.pull_request }}
	runs-on: ubuntu-latest
	outputs:
	command: ${{ steps.check_command.outputs.command }}
	prRef: ${{ steps.check_command.outputs.prRef }}
	prHeadSha: ${{ steps.check_command.outputs.prHeadSha }}
	prRefId: ${{ steps.check_command.outputs.prRefId }}
	branchRefId: ${{ steps.check_command.outputs.branchRefid }}
	ciGitRef: ${{ steps.check_command.outputs.ciGitRef }}
	steps:
	# Ensure we have the script file for the github-script action to use
	- name: Checkout
	uses: actions/checkout@v3
	with:
	persist-credentials: false

	# Determine whether the comment is a command
	- id: check_command
	name: Check for a command using GitHub script
	uses: actions/github-script@v6
	with:
	script: \|
	const script = require('./.github/scripts/build.js')
	await script.getCommandFromComment({core, context, github});

	- name: Output PR details
	run: \|
	echo "PR Details"
	echo "=========="
	echo "prRef : ${{ steps.check_command.outputs.prRef }}"
	echo "prHeadSha : ${{ steps.check_command.outputs.prHeadSha }}"
	echo "prRefId : ${{ steps.check_command.outputs.prRefId }}"
	echo "ciGitRef : ${{ steps.check_command.outputs.ciGitRef }}"
	echo "branchRefId : ${{ steps.check_command.outputs.prRefId }}"

	# If we don't run the actual deploy (see the run_test job below) we won't receive a check-run status,
	# and will have to send it "manually"
	- name: Bypass E2E check-runs status
	if: ${{ steps.check_command.outputs.command == 'test-force-approve' }}
	uses: LouisBrunner/checks-action@v1.6.0
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	# the name must be identical to the one received by the real job
	sha: ${{ steps.check_command.outputs.prHeadSha }}
	name: "Deploy PR / Run E2E Tests (Smoke)"
	status: "completed"
	conclusion: "success"

	destroy_pr_env:
	needs: [pr_comment]
	if: ${{ needs.pr_comment.outputs.command == 'test-destroy-env' }}
	runs-on: ubuntu-latest
	environment: CICD
	name: Destroy PR env
	steps:
	# Ensure we have the script files
	- name: Checkout
	uses: actions/checkout@v3
	with:
	persist-credentials: false

	# Perform az login for destroy env script to be able to run
	- name: Azure Login
	uses: azure/login@v1
	with:
	creds: ${{ secrets.AZURE_CREDENTIALS }}
	environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) \|\| 'AzureCloud' }}

	- name: Run deployment cleanup
	env:
	PR_NUMBER: ${{ github.event.issue.number }}
	REPO: ${{ github.event.repository.full_name }}
	RG_NAME: ${{ format('rg-tre{0}', needs.pr_comment.outputs.prRefId) }}
	RUN_ID: ${{ github.run_id }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	SHOW_KEYVAULT_DEBUG_ON_DESTROY: ${{ secrets.SHOW_KEYVAULT_DEBUG_ON_DESTROY }}
	run: \|
	set -e
	gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Destroying PR test environment (RG: ${RG_NAME})... (run: https://github.com/${REPO}/actions/runs/${RUN_ID})"
	devops/scripts/destroy_env_no_terraform.sh --core-tre-rg "${RG_NAME}"
	gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "PR test environment destroy complete (RG: ${RG_NAME})"

	destroy_branch_env:
	needs: [pr_comment]
	if: ${{ needs.pr_comment.outputs.command == 'test-destroy-env' && needs.pr_comment.outputs.branchRefId != '' }}
	runs-on: ubuntu-latest
	environment: CICD
	name: Destroy branch env
	steps:
	# Ensure we have the script files
	- name: Checkout
	uses: actions/checkout@v3
	with:
	persist-credentials: false

	# Perform az login for destroy env script to be able to run
	- name: Azure Login
	uses: azure/login@v1
	with:
	creds: ${{ secrets.AZURE_CREDENTIALS }}
	environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) \|\| 'AzureCloud' }}

	- name: Run deployment cleanup
	env:
	PR_NUMBER: ${{ github.event.issue.number }}
	REPO: ${{ github.event.repository.full_name }}
	RG_NAME: ${{ format('rg-tre{0}', needs.pr_comment.outputs.branchRefId) }}
	RUN_ID: ${{ github.run_id }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	SHOW_KEYVAULT_DEBUG_ON_DESTROY: ${{ secrets.SHOW_KEYVAULT_DEBUG_ON_DESTROY }}
	run: \|
	set -e
	gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Destroying branch test environment (RG: ${RG_NAME})... (run: https://github.com/${REPO}/actions/runs/${RUN_ID})"
	devops/scripts/destroy_env_no_terraform.sh --core-tre-rg "${RG_NAME}"
	gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Branch test environment destroy complete (RG: ${RG_NAME})"

	run_test:
	# Run the tests with the re-usable workflow
	needs: [pr_comment]
	if: \|
	needs.pr_comment.outputs.command == 'run-tests' \|\|
	needs.pr_comment.outputs.command == 'run-tests-extended' \|\|
	needs.pr_comment.outputs.command == 'run-tests-extended-aad' \|\|
	needs.pr_comment.outputs.command == 'run-tests-shared-services'
	name: Deploy PR
	uses: ./.github/workflows/deploy_tre_reusable.yml
	with:
	prRef: ${{ needs.pr_comment.outputs.prRef }}
	prHeadSha: ${{ needs.pr_comment.outputs.prHeadSha }}
	ciGitRef: ${{ needs.pr_comment.outputs.ciGitRef }}
	e2eTestsCustomSelector: >-
	${{ (needs.pr_comment.outputs.command == 'run-tests-extended' && 'extended') \|\|
	(needs.pr_comment.outputs.command == 'run-tests-extended-aad' && 'extended_aad') \|\|
	(needs.pr_comment.outputs.command == 'run-tests-shared-services' && 'shared_services') \|\|
	(needs.pr_comment.outputs.command == 'run-tests' && '') }}
	environmentName: CICD
	E2E_TESTS_NUMBER_PROCESSES: 1
	DEVCONTAINER_TAG: ${{ needs.pr_comment.outputs.prRefId }}
	secrets:
	AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }}
	ACR_NAME: ${{ format('tre{0}', needs.pr_comment.outputs.prRefId) }}
	AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS}}
	API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }}
	API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }}
	APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}
	APPLICATION_ADMIN_CLIENT_SECRET: ${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }}
	MGMT_RESOURCE_GROUP_NAME: ${{ format('rg-tre{0}-mgmt', needs.pr_comment.outputs.prRefId) }}
	MS_TEAMS_WEBHOOK_URI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
	MGMT_STORAGE_ACCOUNT_NAME: ${{ format('tre{0}mgmt', needs.pr_comment.outputs.prRefId) }}
	SWAGGER_UI_CLIENT_ID: ${{ secrets.SWAGGER_UI_CLIENT_ID }}
	TEST_APP_ID: ${{ secrets.TEST_APP_ID }}
	TEST_WORKSPACE_APP_ID: ${{ secrets.TEST_WORKSPACE_APP_ID }}
	TEST_WORKSPACE_APP_SECRET: "${{ secrets.TEST_WORKSPACE_APP_SECRET }}"
	TEST_ACCOUNT_CLIENT_ID: "${{ secrets.TEST_ACCOUNT_CLIENT_ID }}"
	TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}"
	TRE_ID: ${{ format('tre{0}', needs.pr_comment.outputs.prRefId) }}
	CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Move to using managed identity for auth to CosmosDB. #5879

Workflow file

Move to using managed identity for auth to CosmosDB. #5879

Jobs

Run details

Workflow file for this run