Core key vault firewall should not be set to "Allow public access from all networks" #7603
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: pr_comment_bot | |
on: # yamllint disable-line rule:truthy | |
issue_comment: | |
types: [created] # only run on new comments | |
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#issue_comment | |
# https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#issue_comment | |
jobs: | |
pr_comment: | |
name: PR comment | |
# https://docs.github.com/en/graphql/reference/enums#commentauthorassociation | |
# (and https://docs.github.com/en/rest/reference/issues#comments) | |
# only allow commands where: | |
# - the comment is on a PR | |
# - the commenting user has write permissions (i.e. is OWNER or COLLABORATOR) | |
if: ${{ github.event.issue.pull_request }} | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write | |
checks: write | |
contents: read | |
outputs: | |
command: ${{ steps.check_command.outputs.command }} | |
prRef: ${{ steps.check_command.outputs.prRef }} | |
prHeadSha: ${{ steps.check_command.outputs.prHeadSha }} | |
prRefId: ${{ steps.check_command.outputs.prRefId }} | |
branchRefId: ${{ steps.check_command.outputs.branchRefid }} | |
ciGitRef: ${{ steps.check_command.outputs.ciGitRef }} | |
steps: | |
# Ensure we have the script file for the github-script action to use | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
# Determine whether the comment is a command | |
- id: check_command | |
name: Check for a command using GitHub script | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
const script = require('./.github/scripts/build.js') | |
await script.getCommandFromComment({core, context, github}); | |
- name: Output PR details | |
run: | | |
echo "PR Details" | |
echo "==========" | |
echo "prRef : ${{ steps.check_command.outputs.prRef }}" | |
echo "prHeadSha : ${{ steps.check_command.outputs.prHeadSha }}" | |
echo "prRefId : ${{ steps.check_command.outputs.prRefId }}" | |
echo "ciGitRef : ${{ steps.check_command.outputs.ciGitRef }}" | |
echo "branchRefId : ${{ steps.check_command.outputs.prRefId }}" | |
# If we don't run the actual deploy (see the run_test job below) we won't receive a check-run status, | |
# and will have to send it "manually" | |
- name: Bypass E2E check-runs status | |
if: ${{ steps.check_command.outputs.command == 'test-force-approve' }} | |
uses: LouisBrunner/[email protected] | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
# the name must be identical to the one received by the real job | |
sha: ${{ steps.check_command.outputs.prHeadSha }} | |
name: "Deploy PR / Run E2E Tests (Smoke)" | |
status: "completed" | |
conclusion: "success" | |
destroy_pr_env: | |
needs: [pr_comment] | |
if: ${{ needs.pr_comment.outputs.command == 'test-destroy-env' }} | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write | |
environment: CICD | |
name: Destroy PR env | |
steps: | |
# Ensure we have the script files | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
# Perform az login for destroy env script to be able to run | |
- name: Azure Login | |
uses: azure/login@v2 | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS }} | |
environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }} | |
- name: Run deployment cleanup | |
env: | |
PR_NUMBER: ${{ github.event.issue.number }} | |
REPO: ${{ github.event.repository.full_name }} | |
RG_NAME: ${{ format('rg-tre{0}', needs.pr_comment.outputs.prRefId) }} | |
RUN_ID: ${{ github.run_id }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SHOW_KEYVAULT_DEBUG_ON_DESTROY: ${{ secrets.SHOW_KEYVAULT_DEBUG_ON_DESTROY }} | |
run: | | |
set -e | |
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Destroying PR test environment (RG: ${RG_NAME})... (run: https://github.com/${REPO}/actions/runs/${RUN_ID})" | |
devops/scripts/destroy_env_no_terraform.sh --core-tre-rg "${RG_NAME}" | |
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "PR test environment destroy complete (RG: ${RG_NAME})" | |
destroy_branch_env: | |
needs: [pr_comment] | |
if: ${{ needs.pr_comment.outputs.command == 'test-destroy-env' && needs.pr_comment.outputs.branchRefId != '' }} | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write | |
environment: CICD | |
name: Destroy branch env | |
steps: | |
# Ensure we have the script files | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
# Perform az login for destroy env script to be able to run | |
- name: Azure Login | |
uses: azure/login@v2 | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS }} | |
environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }} | |
- name: Run deployment cleanup | |
env: | |
PR_NUMBER: ${{ github.event.issue.number }} | |
REPO: ${{ github.event.repository.full_name }} | |
RG_NAME: ${{ format('rg-tre{0}', needs.pr_comment.outputs.branchRefId) }} | |
RUN_ID: ${{ github.run_id }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SHOW_KEYVAULT_DEBUG_ON_DESTROY: ${{ secrets.SHOW_KEYVAULT_DEBUG_ON_DESTROY }} | |
run: | | |
set -e | |
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Destroying branch test environment (RG: ${RG_NAME})... (run: https://github.com/${REPO}/actions/runs/${RUN_ID})" | |
devops/scripts/destroy_env_no_terraform.sh --core-tre-rg "${RG_NAME}" | |
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Branch test environment destroy complete (RG: ${RG_NAME})" | |
run_test: | |
# Run the tests with the re-usable workflow | |
needs: [pr_comment] | |
if: | | |
needs.pr_comment.outputs.command == 'run-tests' || | |
needs.pr_comment.outputs.command == 'run-tests-extended' || | |
needs.pr_comment.outputs.command == 'run-tests-extended-aad' || | |
needs.pr_comment.outputs.command == 'run-tests-shared-services' | |
name: Deploy PR | |
uses: ./.github/workflows/deploy_tre_reusable.yml | |
permissions: | |
checks: write | |
contents: read | |
pull-requests: write | |
with: | |
prRef: ${{ needs.pr_comment.outputs.prRef }} | |
prHeadSha: ${{ needs.pr_comment.outputs.prHeadSha }} | |
ciGitRef: ${{ needs.pr_comment.outputs.ciGitRef }} | |
e2eTestsCustomSelector: >- | |
${{ (needs.pr_comment.outputs.command == 'run-tests-extended' && 'extended') || | |
(needs.pr_comment.outputs.command == 'run-tests-extended-aad' && 'extended_aad') || | |
(needs.pr_comment.outputs.command == 'run-tests-shared-services' && 'shared_services') || | |
(needs.pr_comment.outputs.command == 'run-tests' && '') }} | |
environmentName: CICD | |
E2E_TESTS_NUMBER_PROCESSES: 1 | |
DEVCONTAINER_TAG: ${{ needs.pr_comment.outputs.prRefId }} | |
secrets: | |
AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }} | |
ACR_NAME: ${{ format('tre{0}', needs.pr_comment.outputs.prRefId) }} | |
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS}} | |
API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }} | |
API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }} | |
APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }} | |
APPLICATION_ADMIN_CLIENT_SECRET: ${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }} | |
MGMT_RESOURCE_GROUP_NAME: ${{ format('rg-tre{0}-mgmt', needs.pr_comment.outputs.prRefId) }} | |
MS_TEAMS_WEBHOOK_URI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }} | |
MGMT_STORAGE_ACCOUNT_NAME: ${{ format('tre{0}mgmt', needs.pr_comment.outputs.prRefId) }} | |
SWAGGER_UI_CLIENT_ID: ${{ secrets.SWAGGER_UI_CLIENT_ID }} | |
TEST_APP_ID: ${{ secrets.TEST_APP_ID }} | |
TEST_WORKSPACE_APP_ID: ${{ secrets.TEST_WORKSPACE_APP_ID }} | |
TEST_WORKSPACE_APP_SECRET: "${{ secrets.TEST_WORKSPACE_APP_SECRET }}" | |
TEST_ACCOUNT_CLIENT_ID: "${{ secrets.TEST_ACCOUNT_CLIENT_ID }}" | |
TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}" | |
TRE_ID: ${{ format('tre{0}', needs.pr_comment.outputs.prRefId) }} | |
CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }} |