From 55323acdb5eb357805399d460984d54d58c62e2b Mon Sep 17 00:00:00 2001 From: Maxim Rychkov Date: Fri, 19 Dec 2025 13:58:51 +0500 Subject: [PATCH 1/5] ci: migrate workflow from items-api to sync and use the actual version --- .dockerignore | 75 +++++--- .../.reusable-docker-build-and-push.yml | 180 ++++++++++++++++++ .../.reusable-e2e-tests-against-prod.yml | 35 ++++ .../workflows/deploy-to-prod-from-default.yml | 46 +++++ .github/workflows/docker-build-and-push.yml | 57 ------ .../workflows/e2e-tests-on-pull-request.yml | 67 +++++++ .../karate-tests-on-pull-request.yml | 101 ---------- .github/workflows/prod-docker-publish.yml | 48 ----- e2e/check-employeeId-in-token.feature | 6 +- 9 files changed, 379 insertions(+), 236 deletions(-) create mode 100644 .github/workflows/.reusable-docker-build-and-push.yml create mode 100644 .github/workflows/.reusable-e2e-tests-against-prod.yml create mode 100644 .github/workflows/deploy-to-prod-from-default.yml delete mode 100644 .github/workflows/docker-build-and-push.yml create mode 100644 .github/workflows/e2e-tests-on-pull-request.yml delete mode 100644 .github/workflows/karate-tests-on-pull-request.yml delete mode 100644 .github/workflows/prod-docker-publish.yml diff --git a/.dockerignore b/.dockerignore index b17789a..15056b7 100644 --- a/.dockerignore +++ b/.dockerignore 
@@ -1,43 +1,64 @@ -# Git files -**/.git -**/.gitignore - -# Build results -**/[Bb]in/ -**/[Oo]bj/ - -# Visual Studio 2015 cache/options directory -**/.vs/ -**/.vs -**/.vscode -**/*.*proj.user - -# Settings for local pgadmin -**/.pgadmin4/ - -# Docker -**/Dockerfile* -**/docker-compose* -**/.dockerignore - -# CI -WbAnalyticsApi/ci/ -**/.gitlab-ci.yml - -# Other **/.classpath +**/.dockerignore **/.env +**/.git +**/.gitignore **/.project **/.settings **/.toolstarget +**/.vs +**/.vscode +**/*.*proj.user **/*.dbmdl **/*.jfm **/azds.yaml +**/bin **/charts +**/docker-compose* +**/Dockerfile* **/node_modules **/npm-debug.log **/obj **/secrets.dev.yaml **/values.dev.yaml LICENSE +README.md +!**/.gitignore +!.git/HEAD +!.git/config +!.git/packed-refs +!.git/refs/heads/** + +# we don't need tests and their related code in production +**/*Tests.cs +**/*TestsRelated.cs + +**/bin/* +**/obj/* +**/.vs/* +**/.vscode/* +**.user +**.http + +**/appsettings.** +# need to include these files for tests execution in docker compose even though these maigh not be used in prod +!**/appsettings.json +!**/appsettings.MockForPullRequest.json + +**/Dockerfile +**/lib/* + +.devcontainer/ +.github/ +target/ +ci/ +e2e/ + +.dockerignore +.editorconfig +.gitattributes +.gitignore +docker-compose.yml +LICENSE +pgAdmin.json README.md \ No newline at end of file diff --git a/.github/workflows/.reusable-docker-build-and-push.yml b/.github/workflows/.reusable-docker-build-and-push.yml new file mode 100644 index 0000000..2d32c99 --- /dev/null +++ b/.github/workflows/.reusable-docker-build-and-push.yml 
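Review bot: The exceptions `!.git/HEAD`, `!.git/config`, `!.git/packed-refs` and `!.git/refs/heads/**` pull parts of `.git` back into the build context after `**/.git` excluded it; in CI the checkout is done by `actions/checkout@v4`, whose default `persist-credentials: true` stores the `GITHUB_TOKEN` in `.git/config` (an `http.<url>.extraheader` entry), so if `./Api/Dockerfile` copies the context wholesale or any stage copies `.git`, that token can end up in image layers pushed to ghcr.io. Unless the Dockerfile needs git metadata, drop `!.git/config` (keep `HEAD`/`refs` only if version stamping reads them) and set `persist-credentials: false` on the checkout steps in .reusable-docker-build-and-push.yml, since nothing in those jobs pushes back to the repository. Several entries are now listed twice (`LICENSE`, `README.md`, `**/bin` and `**/bin/*`, `**/obj` and `**/obj/*`, `**/.vs` and `**/.vs/*`, `**/.dockerignore` and `.dockerignore`); harmless, but deduplicating keeps the intent readable. The comment `maigh not be used in prod` has a typo (`might`).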
@@ -0,0 +1,180 @@ +name: Publish Docker image + +# !!! NEVER add on push when there is on workflow_call +# if you do that the workflow can run multiple times +# for instance if you re-use this docker build workflow for prod deployment and for local-env in PR +# it will build the docker image it twice +# if you build => deploy => run e2e against prod it will build the image 3 times! +on: + # to allow to wait for a docker image to be published to proceed in another workflow + workflow_call: + +jobs: + build-amd64: + runs-on: ubuntu-24.04 + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + # this is needed to address this issue according to the comment https://github.com/devcontainers/ci/issues/271#issuecomment-2301764487 + # otherwise our TourmalineCore org name cannot be used in docker image names, only tourmalinecore + - name: Add Registry Image Env Var With Lowercase Organization and Repo Name + run: | + echo "REGISTRY_IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + - name: Prepare + run: | + platform=linux/amd64 + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and push by digest + id: build + uses: docker/build-push-action@v6 + with: + platforms: linux/amd64 + context: . 
+ file: ./Api/Dockerfile + build-args: | + EXCLUDE_UNIT_TESTS_FROM_BUILD=true + labels: ${{ steps.meta.outputs.labels }} + tags: ${{ env.REGISTRY_IMAGE }} + outputs: type=image,push-by-digest=true,name-canonical=true,push=true + + - name: Export digest + run: | + mkdir -p ${{ runner.temp }}/digests + digest="${{ steps.build.outputs.digest }}" + touch "${{ runner.temp }}/digests/${digest#sha256:}" + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests-${{ env.PLATFORM_PAIR }} + path: ${{ runner.temp }}/digests/* + if-no-files-found: error + retention-days: 1 + + build-arm64: + runs-on: ubuntu-24.04-arm + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + # this is needed to address this issue according to the comment https://github.com/devcontainers/ci/issues/271#issuecomment-2301764487 + # otherwise our TourmalineCore org name cannot be used in docker image names, only tourmalinecore + - name: Add Registry Image Env Var With Lowercase Organization and Repo Name + run: | + echo "REGISTRY_IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + - name: Prepare + run: | + platform=linux/arm64 + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and push by digest + id: build + uses: docker/build-push-action@v6 + with: + platforms: linux/arm64 + context: . 
+ file: ./Api/Dockerfile + build-args: | + EXCLUDE_UNIT_TESTS_FROM_BUILD=true + labels: ${{ steps.meta.outputs.labels }} + tags: ${{ env.REGISTRY_IMAGE }} + outputs: type=image,push-by-digest=true,name-canonical=true,push=true + + - name: Export digest + run: | + mkdir -p ${{ runner.temp }}/digests + digest="${{ steps.build.outputs.digest }}" + touch "${{ runner.temp }}/digests/${digest#sha256:}" + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests-${{ env.PLATFORM_PAIR }} + path: ${{ runner.temp }}/digests/* + if-no-files-found: error + retention-days: 1 + merge: + runs-on: ubuntu-24.04 + needs: + - build-amd64 + - build-arm64 + steps: + # this is needed to address this issue according to the comment https://github.com/devcontainers/ci/issues/271#issuecomment-2301764487 + # otherwise our TourmalineCore org name cannot be used in docker image names, only tourmalinecore + - name: Add Registry Image Env Var With Lowercase Organization and Repo Name + run: | + echo "REGISTRY_IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: ${{ runner.temp }}/digests + pattern: digests-* + merge-multiple: true + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + tags: | + # minimal (short sha) + type=sha + # full length sha + type=sha,format=long + # set latest tag for default branch + # https://github.com/docker/metadata-action/issues/171 explains how to tag latest only on default branch + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} + env: + # 
https://github.com/docker/metadata-action/issues/283 + # without this flag it won't tag the image using the commit SHA + # for non push events like pull_request ones it requires this :( + DOCKER_METADATA_PR_HEAD_SHA: true + + - name: Create manifest list and push + working-directory: ${{ runner.temp }}/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ No newline at end of file diff --git a/.github/workflows/.reusable-e2e-tests-against-prod.yml b/.github/workflows/.reusable-e2e-tests-against-prod.yml new file mode 100644 index 0000000..81a6c9d --- /dev/null +++ b/.github/workflows/.reusable-e2e-tests-against-prod.yml 
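Review bot: All three jobs push to ghcr.io with `secrets.GITHUB_TOKEN` but none declares a `permissions:` block, while the deleted docker-build-and-push.yml scoped its job to `packages: write` / `contents: read`; a called workflow only gets what the caller's token holds, so with a read-only default token the push fails and with a write-all default it runs with far more than it needs. Add `permissions:` with `contents: read` and `packages: write` to `build-amd64`, `build-arm64` and `merge`, and the same on the calling jobs in deploy-to-prod-from-default.yml and e2e-tests-on-pull-request.yml, since a caller cannot grant more than it has. `DOCKER_METADATA_PR_HEAD_SHA: true` under the metadata step's `env:` is an unquoted YAML boolean where a string is meant; write `"true"`. The two build jobs are near-identical copies differing only in `runs-on` and `platforms`; a `strategy.matrix` over platform/runner would stop them drifting apart.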
@@ -0,0 +1,35 @@ +name: E2E Tests Against Prod + +on: + workflow_call: + +jobs: + e2e-test-against-prod: + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v4 + + - name: Set up JDK 17 + uses: actions/setup-java@v3 + with: + java-version: '17' + distribution: 'temurin' + + - name: Download Karate JAR + run: | + curl -L https://github.com/karatelabs/karate/releases/download/v1.5.1/karate-1.5.1.jar -o karate.jar + + - name: Run E2E Tests Against Local Env + run: | + # Learn more about '> /dev/null 2>&1': https://stackoverflow.com/a/42919998 + # In essence it merges output and error streams and doesn't show errors in the terminal to avoid leakage of secrets in the pipeline + java -jar karate.jar . > /dev/null 2>&1 + env: + "AUTH_FIRST_TENANT_LOGIN_WITH_ALL_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_FIRST_TENANT_LOGIN_WITH_ALL_PERMISSIONS }} + "AUTH_FIRST_TENANT_PASSWORD_WITH_ALL_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_FIRST_TENANT_PASSWORD_WITH_ALL_PERMISSIONS }} + "AUTH_SECOND_TENANT_LOGIN_WITH_ALL_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_SECOND_TENANT_LOGIN_WITH_ALL_PERMISSIONS }} + "AUTH_SECOND_TENANT_PASSWORD_WITH_ALL_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_SECOND_TENANT_PASSWORD_WITH_ALL_PERMISSIONS }} + "AUTH_LOGIN_WITHOUT_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_LOGIN_WITHOUT_PERMISSIONS }} + "AUTH_PASSWORD_WITHOUT_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_PASSWORD_WITHOUT_PERMISSIONS }} + "API_ROOT_URL": ${{ secrets.INNER_CIRCLE_PROD_AUTH_API_ROOT_URL }} + "SHOULD_USE_FAKE_EXTERNAL_DEPENDENCIES": "false" \ No newline at end of file diff --git a/.github/workflows/deploy-to-prod-from-default.yml b/.github/workflows/deploy-to-prod-from-default.yml new file mode 100644 index 0000000..6a0c8ad --- /dev/null +++ b/.github/workflows/deploy-to-prod-from-default.yml 
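Review bot: The Karate JAR is fetched with `curl -L ... -o karate.jar` and then run against production with the prod tenant credentials without any integrity check, so a substituted or tampered download would execute with those secrets; verify a pinned digest before `java -jar`, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  karate.jar" | sha256sum -c -` (the same applies to the download step in e2e-tests-on-pull-request.yml). The `> /dev/null 2>&1` redirection discards all output, so a failing run leaves only an exit status to debug from; writing the output to a file and uploading the Karate report directory as an artifact keeps diagnostics while `${{ secrets.* }}` values stay masked in logs, though derived values such as issued tokens are not masked automatically and still need care. The step name `Run E2E Tests Against Local Env` is a copy-paste leftover in a workflow named `E2E Tests Against Prod`. `actions/setup-java@v3` is a major version behind the `@v4` checkout/artifact actions used elsewhere in this series.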
@@ -0,0 +1,46 @@ +name: Deploy to Prod + +on: + push: + branches: + - master + +jobs: + docker-build-and-push: + uses: ./.github/workflows/.reusable-docker-build-and-push.yml + + deploy-to-prod: + needs: [docker-build-and-push] + runs-on: ubuntu-24.04 + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Create default global .kube/config file + run: | + cd $HOME + mkdir .kube + echo "${{ secrets.INNER_CIRCLE_PROD_KUBECONFIG }}" > .kube/config + + - name: Deploy + uses: helmfile/helmfile-action@v1.9.0 + with: + helmfile-version: 'v0.164.0' + helm-version: 'v3.18.0' + helmfile-args: > + apply --suppress-diff --namespace ${{ secrets.INNER_CIRCLE_PROD_NAMESPACE }} -f Api/ci/helmfile.yaml + --state-values-set image.tag=sha-${{ github.sha }} + --state-values-set ingress.hostname=${{ secrets.INNER_CIRCLE_PROD_HOSTNAME }} + --state-values-set extraSecretEnvVars.ConnectionStrings__DefaultConnection=${{ secrets.INNER_CIRCLE_PROD_AUTH_DB_CONNECTION_STRING }} + --state-values-set extraSecretEnvVars.AuthenticationOptions__PublicSigningKey=${{ secrets.INNER_CIRCLE_PROD_PUBLIC_SIGNING_KEY }} + --state-values-set extraSecretEnvVars.AuthenticationOptions__PrivateSigningKey=${{ secrets.INNER_CIRCLE_PROD_PRIVATE_SIGNING_KEY }} + --state-values-set extraSecretEnvVars.InnerCircleServiceUrls__MailServiceUrl=${{ secrets.INNER_CIRCLE_PROD_MAIL_SERVICE_URL }} + --state-values-set extraSecretEnvVars.InnerCircleServiceUrls__AuthUIServiceUrl=${{ secrets.INNER_CIRCLE_PROD_AUTH_UI_SERVICE_URL }} + --state-values-set extraSecretEnvVars.InnerCircleServiceUrls__AccountsServiceUrl=${{ secrets.INNER_CIRCLE_PROD_ACCOUNTS_SERVICE_URL }} + --state-values-set extraSecretEnvVars.InnerCircleServiceUrls__EmployeesServiceUrl=${{ secrets.INNER_CIRCLE_PROD_EMPLOYEES_SERVICE_URL }} + helmfile-auto-init: "false" + + run-e2e-tests: + uses: ./.github/workflows/.reusable-e2e-tests-against-prod.yml + needs: [deploy-to-prod] + secrets: inherit \ No newline at end of file 
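Review bot: `deploy-to-prod` applies to production with `INNER_CIRCLE_PROD_KUBECONFIG` and the other `INNER_CIRCLE_PROD_*` secrets but declares no `environment:`, so no environment protection rules (required reviewers, deployment branch restrictions) guard the rollout and the secrets are repository-wide rather than environment-scoped; add `environment: prod` (constructed name) to the job and move those secrets to that environment. The kubeconfig is written with `echo ... > .kube/config` under the default umask, which leaves it group/world-readable on the runner; `install -m 600 /dev/null .kube/config` before the echo, or `umask 077` at the top of the step, keeps it private. `run-e2e-tests` uses `secrets: inherit`, forwarding every repository secret into the called workflow although it only reads the `INNER_CIRCLE_PROD_AUTH_*` ones; listing them under `secrets:` and declaring them in the reusable workflow's `workflow_call.secrets` keeps that job least-privilege. Lower priority: every secret in `helmfile-args` is expanded into the action's command line, so it is visible to a process listing on the runner for the duration of the step, which is worth knowing if this runner is ever shared.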
diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml deleted file mode 100644 index e39b85d..0000000 --- a/.github/workflows/docker-build-and-push.yml +++ /dev/null @@ -1,57 +0,0 @@ -name: Publish Docker image - -on: - push: - branches: - - master - - feature/* - # to allow to wait for a docker image to be published to proceed in another workflow - workflow_call: - -jobs: - push_to_registry: - name: Push Docker image to Git Registry - runs-on: ubuntu-22.04 - permissions: - packages: write - contents: read - attestations: write - steps: - - name: Check out the repo - uses: actions/checkout@v4 - # multi-platform build configured using this https://docs.docker.com/build/ci/github-actions/multi-platform/ - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Log in to GitHub Container Registry - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 - with: - images: ghcr.io/tourmalinecore/${{ github.event.repository.name }} - tags: | - # minimal (short sha) - type=sha - # full length sha - type=sha,format=long - # set latest tag for default branch - # https://github.com/docker/metadata-action/issues/171 explains how to tag latest only on default branch - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - - - name: Build and push Docker image - id: push - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 - with: - context: . - file: ./Api/Dockerfile - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - platforms: linux/amd64,linux/arm64 \ No newline at end of file 
diff --git a/.github/workflows/e2e-tests-on-pull-request.yml b/.github/workflows/e2e-tests-on-pull-request.yml new file mode 100644 index 0000000..4da60f5 --- /dev/null +++ b/.github/workflows/e2e-tests-on-pull-request.yml 
@@ -0,0 +1,67 @@ +name: E2E Tests in PR + +on: + pull_request: + types: [opened, synchronize, reopened] + +jobs: + # this is needed to wait for the new docker image to be build and published to the registry + # so that we can use the image to run the service of the needed commit related version as part of local-env + # the idea is taken from here https://stackoverflow.com/a/71489231 + docker-build-and-push: + uses: ./.github/workflows/.reusable-docker-build-and-push.yml + + e2e-test-against-local-env: + runs-on: ubuntu-24.04 + needs: [docker-build-and-push] + steps: + - name: Checkout local-env + uses: actions/checkout@v4 + with: + repository: TourmalineCore/inner-circle-local-env + + - name: Deploy Local Env to Kind k8s + uses: devcontainers/ci@v0.3 + with: + cacheFrom: ghcr.io/tourmalinecore/inner-circle-local-env-devcontainer + runCmd: | + # we need to override "latest" image tag of ui inside local-env to run e2e against the current commit ui version and not against latest from master + # We tried to use yq to change the image tag, but in the values files for helmfile we have non-yaml code that yq can`t parse or ignore + # so for that reason we use Stream EDitor which can find needed string using regular expressions and change it to a new value + # The -i flag is needed to write new image tag directly to values file + sed -i "0,/tag:.*/s//tag: \"sha-${{ github.event.pull_request.head.sha }}\"/" deploy/values-accounts-api.yaml.gotmpl + # we need to override "latest" ref of service chart inside local-env to run tests against the current commit service chart version and not against latest from master + sed -i "0,/git+https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git?ref=.*/s//git+https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git?ref=${{ github.event.pull_request.head.sha }}/" deploy/helmfile.yaml + + sed -i "0,/git::https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name 
}}.git@\/ci\/values.yaml?ref=.*/s//git::https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git@\/ci\/values.yaml?ref=${{ github.event.pull_request.head.sha }}/" deploy/helmfile.yaml + kind create cluster --name inner-circle --config kind-local-config.yaml --kubeconfig ./.inner-circle-cluster-kubeconfig + # we need to properly expose KUBECONFIG as an absolute path, pwd prints current working directory path + export KUBECONFIG=$(pwd)/.inner-circle-cluster-kubeconfig + helmfile --environment local --namespace local -f deploy/helmfile.yaml apply + push: never + + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Set up JDK 17 + uses: actions/setup-java@v3 + with: + java-version: '17' + distribution: 'temurin' + + - name: Download Karate JAR + run: | + curl -L https://github.com/karatelabs/karate/releases/download/v1.5.1/karate-1.5.1.jar -o karate.jar + - name: Run E2E Tests Against Local Env + run: | + java -jar karate.jar . + env: + "AUTH_FIRST_TENANT_LOGIN_WITH_ALL_PERMISSIONS": "malfoy@tourmalinecore.com" + "AUTH_FIRST_TENANT_PASSWORD_WITH_ALL_PERMISSIONS": "Serpens1!" + "AUTH_SECOND_TENANT_LOGIN_WITH_ALL_PERMISSIONS": "chang@tourmalinecore.com" + "AUTH_SECOND_TENANT_PASSWORD_WITH_ALL_PERMISSIONS": "Reparo1!" + "AUTH_LOGIN_WITHOUT_PERMISSIONS": "goyle@tourmalinecore.com" + "AUTH_PASSWORD_WITHOUT_PERMISSIONS": "Crucio1!" + "AUTH_API_ROOT_URL": "http://localhost:30090/api/auth" + "API_ROOT_URL": "http://localhost:30090/api/auth" + "SHOULD_USE_FAKE_EXTERNAL_DEPENDENCIES": "false" \ No newline at end of file diff --git a/.github/workflows/karate-tests-on-pull-request.yml b/.github/workflows/karate-tests-on-pull-request.yml deleted file mode 100644 index 92cc70c..0000000 --- a/.github/workflows/karate-tests-on-pull-request.yml +++ /dev/null 
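Review bot: Each `sed -i "0,/.../s//.../"` in the `runCmd` block returns success when its pattern is absent, and the script then deploys whatever ref local-env ships instead of the PR's image, so a mismatch like the one patch 4 of this series fixes (`/ci/values.yaml` vs `/Api/ci/values.yaml`) passes unnoticed; follow each substitution with a check such as `grep -q "ref=${{ github.event.pull_request.head.sha }}" deploy/helmfile.yaml` so a missed pattern fails the job. The login/password pairs under `env:` (`"Serpens1!"` and the others) are committed in plain text; if they are the seed accounts of the kind-hosted local-env that is tolerable, but they must never coincide with credentials valid outside it, and moving them to repository variables would make that auditable. `docker-build-and-push` pushes to ghcr.io on every `pull_request` event, and for pull requests from forks `GITHUB_TOKEN` is read-only, so that job (and this one through `needs`) will presumably fail rather than publish — confirm whether fork PRs are expected here.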
@@ -1,101 +0,0 @@ -name: E2E Tests - -on: - push: - branches: - - feature/* - -jobs: - # this is needed to wait for the new docker image to be build and published to the registry - # so that we can use the image to run ui of the needed commit related version as part of local-env - # the idea is taken from here https://stackoverflow.com/a/71489231 - push_to_registry: - uses: ./.github/workflows/docker-build-and-push.yml - # without this it cannot login to the registry - secrets: inherit - - e2e-test-without-local-env: - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@v4 - - name: Run service via docker-compose and run Karate-tests - # Hide credentials and token from logs, get the number of failed and passed tests - # Find text with 'failed' and 'passed' in logs from karate-testing container - run: | - LOGS=$(docker compose --profile MockForPullRequest up --abort-on-container-exit) - FILTERED_LOGS=$(echo "$LOGS" | sed -E 's/"login":"[^"]*"/"login":"****"/g' \ - | sed -E 's/"password":"[^"]*"/"password":"****"/g' \ - | sed -E 's/"accessToken":[^,}]*"[^"]*"/"accessToken":"****"/g' \ - | sed -E 's/"Authorization":"[^"]*"/"Authorization":"****"/g' \ - | sed -E 's/"X-DEBUG-TOKEN":[^,}]*"[^"]*"/"X-DEBUG-TOKEN":"****"/g' \ - | sed -E 's/accessToken":\{[^}]*\}/accessToken":{"value":"****"}/g' \ - | sed -E 's/X-DEBUG-TOKEN: [^ ]*/X-DEBUG-TOKEN: ****/g') - echo "$FILTERED_LOGS" - FAILED=$(echo "$FILTERED_LOGS" | grep -oP 'failed: *\K\d+') - PASSED=$(echo "$FILTERED_LOGS" | grep -oP 'passed: *\K\d+') - echo "Failed tests: $FAILED" - echo "Passed tests: $PASSED" - if [ "$FAILED" -gt 0 ]; then - echo "Failed tests found! Failing the pipeline..." - exit 1 - fi - if [ "$PASSED" -eq 0 ]; then - echo "No tests passed! Failing the pipeline..." 
- exit 1 - fi - env: - TEST_AUTH_LOGIN: ${{ secrets.TEST_AUTH_LOGIN }} - TEST_AUTH_PASSWORD: ${{ secrets.TEST_AUTH_PASSWORD }} - - e2e-test-with-local-env: - name: Run karate tests in local env - runs-on: ubuntu-22.04 - needs: [push_to_registry] - steps: - - name: Checkout local-env - uses: actions/checkout@v4 - with: - repository: TourmalineCore/inner-circle-local-env - - - name: Deploy Local Env to Kind k8s - uses: devcontainers/ci@v0.3 - with: - runCmd: | - # we need to override "latest" image tag of ui inside local-env to run e2e against the current commit ui version and not against latest from master - # We tried to use yq to change the image tag, but in the values files for helmfile we have non-yaml code that yq can`t parse or ignore - # so for that reason we use Stream EDitor which can find needed string using regular expressions and change it to a new value - # The -i flag is needed to write new image tag directly to values file - sed -i "0,/tag:.*/s//tag: \"sha-${{ github.sha }}\"/" deploy/values-auth-api.yaml.gotmpl - - # we need to override "latest" ref of service chart inside local-env to run tests against the current commit service chart version and not against latest from master - sed -i "0,/git+https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git?ref=.*/s//git+https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git?ref=${{ github.sha }}/" deploy/helmfile.yaml - - sed -i "0,/git::https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git@\/Api\/ci\/values.yaml?ref=.*/s//git::https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git@\/Api\/ci\/values.yaml?ref=${{ github.sha }}/" deploy/helmfile.yaml - - kind create cluster --name inner-circle --config kind-local-config.yaml --kubeconfig ./.inner-circle-cluster-kubeconfig - # we need to properly expose KUBECONFIG as an absolute path, pwd prints current working directory path - export 
KUBECONFIG=$(pwd)/.inner-circle-cluster-kubeconfig - - helmfile --environment local --namespace local -f deploy/helmfile.yaml apply - push: never - - - name: Checkout api - uses: actions/checkout@v4 - - - name: Set up JDK 17 - uses: actions/setup-java@v3 - with: - java-version: '17' - distribution: 'temurin' - - - name: Download Karate JAR - run: | - curl -L https://github.com/karatelabs/karate/releases/download/v1.5.1/karate-1.5.1.jar -o karate.jar - - - name: Run Karate Tests - run: | - java -jar karate.jar . - env: - API_ROOT_URL: "http://localhost:30090/api" - AUTH_LOGIN: "ceo@tourmalinecore.com" - AUTH_PASSWORD: "cEoPa$$wo1d" \ No newline at end of file diff --git a/.github/workflows/prod-docker-publish.yml b/.github/workflows/prod-docker-publish.yml deleted file mode 100644 index e43a5d9..0000000 --- a/.github/workflows/prod-docker-publish.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -name: Deploy to Prod - -on: - push: - branches: - - master - -jobs: - # this is needed to wait for the new docker image to be build and published to the registry - # so that we can use the image to run ui of the needed commit related version as part of local-env - # the idea is taken from here https://stackoverflow.com/a/71489231 - push_to_registry: - uses: ./.github/workflows/docker-build-and-push.yml - # without this it cannot login to the registry - secrets: inherit - - deploy-to-prod: - name: Deploy service to k8s for prod environment - needs: [push_to_registry] - runs-on: ubuntu-22.04 - steps: - - name: Check out the repo - uses: actions/checkout@v4 - - - name: Create default global .kube/config file - run: | - cd $HOME - mkdir .kube - echo "${{ secrets.DEV_KUBECONFIG }}" > .kube/config - - - name: Deploy - uses: helmfile/helmfile-action@v1.9.0 - with: - helmfile-version: 'v0.164.0' - helm-version: 'v3.18.0' - helmfile-args: > - apply --namespace dev-inner-circle -f Api/ci/helmfile.yaml - --state-values-set image.tag=sha-${{ github.sha }} - --state-values-set ingress.enabled=true - --state-values-set ingress.hostname=${{ secrets.DEV_HOST }} - --state-values-set extraSecretEnvVars.ConnectionStrings__DefaultConnection=${{ secrets.DEV_POSTGRESQL_CONNECTION_STRING }} - --state-values-set extraSecretEnvVars.AuthenticationOptions__PublicSigningKey=${{ secrets.DEV_AUTH_PUBLIC_SIGNING_KEY }} - --state-values-set extraSecretEnvVars.AuthenticationOptions__PrivateSigningKey=${{ secrets.DEV_AUTH_PRIVATE_SIGNING_KEY }} - --state-values-set extraSecretEnvVars.InnerCircleServiceUrls__MailServiceUrl=${{ secrets.DEV_MAIL_SERVICE_URL }} - --state-values-set extraSecretEnvVars.InnerCircleServiceUrls__AuthUIServiceUrl=${{ secrets.DEV_AUTH_UI_SERVICE_URL }} - --state-values-set extraSecretEnvVars.InnerCircleServiceUrls__AccountsServiceUrl=${{ secrets.DEV_ACCOUNTS_SERVICE_URL }} - --state-values-set 
extraSecretEnvVars.InnerCircleServiceUrls__EmployeesServiceUrl=${{ secrets.DEV_EMPLOYEES_SERVICE_URL }} - helmfile-auto-init: "false" diff --git a/e2e/check-employeeId-in-token.feature b/e2e/check-employeeId-in-token.feature index 4d3cffe..4eda93d 100644 --- a/e2e/check-employeeId-in-token.feature +++ b/e2e/check-employeeId-in-token.feature @@ -9,12 +9,12 @@ Scenario: Check employeeId in token * def jsUtils = read('./js-utils.js') * def apiRootUrl = jsUtils().getEnvVariable('API_ROOT_URL') - * def authLogin = jsUtils().getEnvVariable('AUTH_LOGIN') - * def authPassword = jsUtils().getEnvVariable('AUTH_PASSWORD') + * def authLogin = jsUtils().getEnvVariable('AUTH_FIRST_TENANT_LOGIN_WITH_ALL_PERMISSIONS') + * def authPassword = jsUtils().getEnvVariable('AUTH_FIRST_TENANT_PASSWORD_WITH_ALL_PERMISSIONS') # Authentication Given url apiRootUrl - And path '/auth/login' + And path '/login' And request """ { From 08ecbf895dc092c648a5845ecee34e383eb8bf3d Mon Sep 17 00:00:00 2001 From: Maxim Rychkov Date: Fri, 19 Dec 2025 14:26:34 +0500 Subject: [PATCH 2/5] fix: change path for values --- .github/workflows/e2e-tests-on-pull-request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-tests-on-pull-request.yml b/.github/workflows/e2e-tests-on-pull-request.yml index 4da60f5..925d4e3 100644 --- a/.github/workflows/e2e-tests-on-pull-request.yml +++ b/.github/workflows/e2e-tests-on-pull-request.yml 
@@ -29,7 +29,7 @@ jobs: # We tried to use yq to change the image tag, but in the values files for helmfile we have non-yaml code that yq can`t parse or ignore # so for that reason we use Stream EDitor which can find needed string using regular expressions and change it to a new value # The -i flag is needed to write new image tag directly to values file - sed -i "0,/tag:.*/s//tag: \"sha-${{ github.event.pull_request.head.sha }}\"/" deploy/values-accounts-api.yaml.gotmpl + sed -i "0,/tag:.*/s//tag: \"sha-${{ github.event.pull_request.head.sha }}\"/" deploy/values-auth-api.yaml.gotmpl # we need to override "latest" ref of service chart inside local-env to run tests against the current commit service chart version and not against latest from master sed -i "0,/git+https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git?ref=.*/s//git+https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git?ref=${{ github.event.pull_request.head.sha }}/" deploy/helmfile.yaml From e9b865477557ee2ec37924cc70157c6436ee19de Mon Sep 17 00:00:00 2001 From: Maxim Rychkov Date: Fri, 19 Dec 2025 14:38:18 +0500 Subject: [PATCH 3/5] test: deploy --- .github/workflows/deploy-to-prod-from-default.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy-to-prod-from-default.yml b/.github/workflows/deploy-to-prod-from-default.yml index 6a0c8ad..3934e89 100644 --- a/.github/workflows/deploy-to-prod-from-default.yml +++ b/.github/workflows/deploy-to-prod-from-default.yml @@ -4,6 +4,7 @@ on: push: branches: - master + - feature/** jobs: docker-build-and-push: From a0ea17ae548dd864479efd66cb7f2479c4801adf Mon Sep 17 00:00:00 2001 From: Maxim Rychkov <81160491+Yam1x@users.noreply.github.com> Date: Sat, 20 Dec 2025 19:10:04 +0500 Subject: [PATCH 4/5] fix: fix helmfile path in e2e tests --- .github/workflows/e2e-tests-on-pull-request.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
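Review bot: Adding `- feature/**` to the `push` trigger of `Deploy to Prod` makes every push to any feature branch build, tag and deploy into the production namespace with the `INNER_CIRCLE_PROD_*` secrets; the commit subject `test: deploy` suggests a temporary change, so it should be reverted to `- master` only before merge, or, if branch testing is wanted, replaced by `workflow_dispatch` behind an `environment:` with required reviewers. The job's `helmfile-args` also runs `apply --suppress-diff`, so such a deploy would overwrite prod without the diff ever being shown. The enclosing `on:` block starts above the hunk.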
diff --git a/.github/workflows/e2e-tests-on-pull-request.yml b/.github/workflows/e2e-tests-on-pull-request.yml index 925d4e3..3c1f5dc 100644 --- a/.github/workflows/e2e-tests-on-pull-request.yml +++ b/.github/workflows/e2e-tests-on-pull-request.yml @@ -33,7 +33,7 @@ jobs: # we need to override "latest" ref of service chart inside local-env to run tests against the current commit service chart version and not against latest from master sed -i "0,/git+https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git?ref=.*/s//git+https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git?ref=${{ github.event.pull_request.head.sha }}/" deploy/helmfile.yaml - sed -i "0,/git::https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git@\/ci\/values.yaml?ref=.*/s//git::https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git@\/ci\/values.yaml?ref=${{ github.event.pull_request.head.sha }}/" deploy/helmfile.yaml + sed -i "0,/git::https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git@\/Api\/ci\/values.yaml?ref=.*/s//git::https:\/\/github.com\/TourmalineCore\/${{ github.event.repository.name }}.git@\/Api\/ci\/values.yaml?ref=${{ github.event.pull_request.head.sha }}/" deploy/helmfile.yaml kind create cluster --name inner-circle --config kind-local-config.yaml --kubeconfig ./.inner-circle-cluster-kubeconfig # we need to properly expose KUBECONFIG as an absolute path, pwd prints current working directory path export KUBECONFIG=$(pwd)/.inner-circle-cluster-kubeconfig @@ -64,4 +64,4 @@ jobs: "AUTH_PASSWORD_WITHOUT_PERMISSIONS": "Crucio1!" "AUTH_API_ROOT_URL": "http://localhost:30090/api/auth" "API_ROOT_URL": "http://localhost:30090/api/auth" - "SHOULD_USE_FAKE_EXTERNAL_DEPENDENCIES": "false" \ No newline at end of file + "SHOULD_USE_FAKE_EXTERNAL_DEPENDENCIES": "false" From efaabaee89ee5481d45a026a761acbd96e0d6b0c Mon Sep 17 00:00:00 2001 
From: Maxim Rychkov Date: Sat, 20 Dec 2025 21:28:13 +0500 Subject: [PATCH 5/5] cleanup: remove unused accounts in tests --- .github/workflows/.reusable-e2e-tests-against-prod.yml | 4 ---- .github/workflows/e2e-tests-on-pull-request.yml | 4 ---- 2 files changed, 8 deletions(-) diff --git a/.github/workflows/.reusable-e2e-tests-against-prod.yml b/.github/workflows/.reusable-e2e-tests-against-prod.yml index 81a6c9d..07ec1cc 100644 --- a/.github/workflows/.reusable-e2e-tests-against-prod.yml +++ b/.github/workflows/.reusable-e2e-tests-against-prod.yml @@ -27,9 +27,5 @@ jobs: env: "AUTH_FIRST_TENANT_LOGIN_WITH_ALL_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_FIRST_TENANT_LOGIN_WITH_ALL_PERMISSIONS }} "AUTH_FIRST_TENANT_PASSWORD_WITH_ALL_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_FIRST_TENANT_PASSWORD_WITH_ALL_PERMISSIONS }} - "AUTH_SECOND_TENANT_LOGIN_WITH_ALL_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_SECOND_TENANT_LOGIN_WITH_ALL_PERMISSIONS }} - "AUTH_SECOND_TENANT_PASSWORD_WITH_ALL_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_SECOND_TENANT_PASSWORD_WITH_ALL_PERMISSIONS }} - "AUTH_LOGIN_WITHOUT_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_LOGIN_WITHOUT_PERMISSIONS }} - "AUTH_PASSWORD_WITHOUT_PERMISSIONS": ${{ secrets.INNER_CIRCLE_PROD_AUTH_PASSWORD_WITHOUT_PERMISSIONS }} "API_ROOT_URL": ${{ secrets.INNER_CIRCLE_PROD_AUTH_API_ROOT_URL }} "SHOULD_USE_FAKE_EXTERNAL_DEPENDENCIES": "false" \ No newline at end of file diff --git a/.github/workflows/e2e-tests-on-pull-request.yml b/.github/workflows/e2e-tests-on-pull-request.yml index 3c1f5dc..6c85f65 100644 --- a/.github/workflows/e2e-tests-on-pull-request.yml +++ b/.github/workflows/e2e-tests-on-pull-request.yml 
@@ -58,10 +58,6 @@ jobs: env: "AUTH_FIRST_TENANT_LOGIN_WITH_ALL_PERMISSIONS": "malfoy@tourmalinecore.com" "AUTH_FIRST_TENANT_PASSWORD_WITH_ALL_PERMISSIONS": "Serpens1!" - "AUTH_SECOND_TENANT_LOGIN_WITH_ALL_PERMISSIONS": "chang@tourmalinecore.com" - "AUTH_SECOND_TENANT_PASSWORD_WITH_ALL_PERMISSIONS": "Reparo1!" - "AUTH_LOGIN_WITHOUT_PERMISSIONS": "goyle@tourmalinecore.com" - "AUTH_PASSWORD_WITHOUT_PERMISSIONS": "Crucio1!" "AUTH_API_ROOT_URL": "http://localhost:30090/api/auth" "API_ROOT_URL": "http://localhost:30090/api/auth" "SHOULD_USE_FAKE_EXTERNAL_DEPENDENCIES": "false"