[AQTS-1165] Public email domain blocking on application forms #13126
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: "Deploy environment" | |
| required: true | |
| default: development | |
| type: environment | |
| docker-image-tag: | |
| description: "Docker image tag to deploy (optional)" | |
| required: true | |
| type: string | |
| pull-request-number: | |
| description: "Pull request number (required for review environment)" | |
| required: false | |
| type: string | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| types: | |
| - labeled | |
| - synchronize | |
| - reopened | |
| - opened | |
| jobs: | |
| docker: | |
| name: Build and push Docker image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| id-token: write | |
| if: contains(github.event.pull_request.labels.*.name, 'deploy') || (github.event_name != 'pull_request' && github.event_name != 'workflow_dispatch') | |
| outputs: | |
| image: ${{ steps.build-docker-image.outputs.image }} | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: DFE-Digital/github-actions/build-docker-image@master | |
| id: build-docker-image | |
| with: | |
| docker-repository: ghcr.io/dfe-digital/apply-for-qualified-teacher-status | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| snyk-token: ${{ secrets.SNYK_TOKEN }} | |
| max-cache: true | |
| rspec_system: | |
| name: Rspec System | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'workflow_dispatch' | |
| services: | |
| postgres: | |
| image: postgres | |
| env: | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_USER: postgres | |
| ports: | |
| - 5432:5432 | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-retries 5 | |
| --health-timeout 5s | |
| redis: | |
| image: redis | |
| ports: | |
| - 6379:6379 | |
| options: >- | |
| --health-cmd "redis-cli ping" | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| env: | |
| DATABASE_URL: postgres://postgres:postgres@localhost:5432/apply_for_qts_test | |
| RAILS_ENV: test | |
| REDIS_URL: redis://localhost:6379/0 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Prepare application environment | |
| uses: ./.github/actions/prepare-app-env | |
| - name: Build frontend | |
| run: yarn build && yarn build:css | |
| - name: Setup DB | |
| run: bin/rails db:test:prepare | |
| - name: Run DfE Analytics | |
| run: bin/bundle exec rails dfe:analytics:check | |
| - name: Run tests | |
| run: bundle exec rspec spec/system --format documentation --tag ~smoke_test | |
| rspec_other: | |
| name: Rspec Other | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'workflow_dispatch' | |
| services: | |
| postgres: | |
| image: postgres | |
| env: | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_USER: postgres | |
| ports: | |
| - 5432:5432 | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-retries 5 | |
| --health-timeout 5s | |
| redis: | |
| image: redis | |
| ports: | |
| - 6379:6379 | |
| options: >- | |
| --health-cmd "redis-cli ping" | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| env: | |
| DATABASE_URL: postgres://postgres:postgres@localhost:5432/apply_for_qts_test | |
| RAILS_ENV: test | |
| REDIS_URL: redis://localhost:6379/0 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Prepare application environment | |
| uses: ./.github/actions/prepare-app-env | |
| - name: Build frontend | |
| run: yarn build && yarn build:css | |
| - name: Setup DB | |
| run: bin/rails db:test:prepare | |
| - name: Run DfE Analytics | |
| run: bin/bundle exec rails dfe:analytics:check | |
| - name: Run tests | |
| run: bundle exec rspec spec/lib spec/forms spec/models spec/view_objects spec/components spec/controllers spec/policies spec/helpers spec/validators spec/jobs spec/mailers spec/views spec/requests spec/services --format documentation | |
| deploy_review: | |
| name: Deploy to review environment | |
| concurrency: deploy_review_${{ github.event.pull_request.number }} | |
| needs: [docker, rspec_system, rspec_other] | |
| runs-on: ubuntu-latest | |
| if: contains(github.event.pull_request.labels.*.name, 'deploy') | |
| environment: review | |
| permissions: | |
| id-token: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: ./.github/actions/deploy-environment | |
| id: deploy | |
| with: | |
| environment: review | |
| docker-image: ${{ needs.docker.outputs.image }} | |
| pull-request-number: ${{ github.event.pull_request.number }} | |
| azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| - name: Post sticky pull request comment | |
| if: github.event_name == 'pull_request' | |
| uses: marocchino/sticky-pull-request-comment@v2 | |
| with: | |
| message: | | |
| Review app deployed to ${{ steps.deploy.outputs.url }}/personas | |
| deploy_non_production: | |
| name: Deploy to ${{ matrix.environment }} environment | |
| runs-on: ubuntu-latest | |
| needs: [docker, rspec_system, rspec_other] | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| concurrency: deploy_${{ matrix.environment }} | |
| strategy: | |
| max-parallel: 1 | |
| matrix: | |
| environment: [development, test, preproduction] | |
| environment: | |
| name: ${{ matrix.environment }} | |
| url: ${{ steps.deploy.outputs.url }} | |
| outputs: | |
| environment_name: ${{ matrix.environment }} | |
| permissions: | |
| id-token: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: ./.github/actions/deploy-environment | |
| id: deploy | |
| with: | |
| environment: ${{ matrix.environment }} | |
| docker-image: ${{ needs.docker.outputs.image }} | |
| azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| deploy_production: | |
| name: Deploy to production environment | |
| needs: [docker, rspec_system, rspec_other, deploy_non_production] | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| environment: | |
| name: production | |
| url: ${{ steps.deploy.outputs.url }} | |
| concurrency: deploy_production | |
| permissions: | |
| id-token: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: ./.github/actions/deploy-environment | |
| id: deploy | |
| with: | |
| environment: production | |
| docker-image: ${{ needs.docker.outputs.image }} | |
| azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| smoke-test-credentials-required: "false" | |
| notify_slack_of_failures: | |
| name: Notify Slack of failures | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| if: ${{ failure() && github.ref == 'refs/heads/main' && github.event_name == 'push' }} | |
| needs: [docker, rspec_system, rspec_other, deploy_non_production] | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - name: Notify Slack channel on job failure | |
| uses: rtCamp/action-slack-notify@v2 | |
| env: | |
| SLACK_TITLE: Deployment of apply-for-qualified-teacher-status to ${{ needs.deploy_non_production.outputs.environment_name }} failed | |
| SLACK_MESSAGE: | | |
| Deployment to ${{ needs.deploy_non_production.outputs.environment_name }} environment failed | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
| SLACK_COLOR: failure | |
| SLACK_FOOTER: Sent from notify_slack_of_failures job in deploy workflow | |
| deploy_domains_infra: | |
| name: Deploy Domains Infrastructure | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| concurrency: deploy_production | |
| needs: [deploy_production] | |
| environment: | |
| name: production | |
| permissions: | |
| id-token: write | |
| steps: | |
| - uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Fetch secrets from key vault | |
| uses: azure/CLI@v2 | |
| id: keyvault-secret | |
| with: | |
| inlineScript: | | |
| SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INF_KEY_VAULT }}" --query "value" -o tsv) | |
| echo "::add-mask::$SLACK_WEBHOOK" | |
| echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT | |
| - name: Deploy Domains Infrastructure | |
| id: deploy_domains_infra | |
| uses: DFE-Digital/github-actions/deploy-domains-infra@master | |
| with: | |
| azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| slack-webhook: ${{ steps.keyvault-secret.outputs.SLACK_WEBHOOK }} | |
| deploy_domains_env: | |
| name: Deploy Domains to ${{ matrix.domain_environment }} environment | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| concurrency: deploy_${{ matrix.domain_environment }} | |
| needs: [deploy_domains_infra] | |
| strategy: | |
| max-parallel: 1 | |
| matrix: | |
| domain_environment: [development, test, preproduction, production] | |
| environment: | |
| name: production | |
| permissions: | |
| id-token: write | |
| steps: | |
| - uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Fetch secrets from key vault | |
| uses: azure/CLI@v2 | |
| id: keyvault-secret | |
| with: | |
| inlineScript: | | |
| SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INF_KEY_VAULT }}" --query "value" -o tsv) | |
| echo "::add-mask::$SLACK_WEBHOOK" | |
| echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT | |
| - name: Deploy Domains Environment | |
| id: deploy_domains_env | |
| uses: DFE-Digital/github-actions/deploy-domains-env@master | |
| with: | |
| azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| environment: ${{ matrix.domain_environment }} | |
| healthcheck: healthcheck/all | |
| slack-webhook: ${{ steps.keyvault-secret.outputs.SLACK_WEBHOOK }} | |
| deploy_custom: | |
| name: Custom deployment to ${{ inputs.environment }} | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'workflow_dispatch' | |
| environment: | |
| name: ${{ inputs.environment }} | |
| url: ${{ steps.deploy.outputs.url }} | |
| concurrency: deploy_${{ inputs.environment }} | |
| permissions: | |
| id-token: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: ./.github/actions/deploy-environment | |
| id: deploy | |
| with: | |
| environment: ${{ inputs.environment }} | |
| docker-image: ghcr.io/dfe-digital/apply-for-qualified-teacher-status:${{ inputs.docker-image-tag }} | |
| azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| pull-request-number: ${{ inputs.environment == 'review' && inputs.pull-request-number || '' }} | |
| smoke-test-credentials-required: ${{ inputs.environment == 'production' && 'false' || 'true' }} |