ARN-2494 Switch to GitHub Actions (#345)

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# This is a comment.
+# Each line is a file pattern followed by one or more owners.
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+*       @ministryofjustice/hmpps-assessments

.github/workflows/deploy_to_env.yml

@@ -0,0 +1,24 @@
+name: Deploy to environment
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Environment
+        type: choice
+        required: true
+        options:
+          - dev
+        default: 'dev'
+      image_tag:
+        description: Optional image tag to deploy. If left blank, a new image will be built, pushed and deployed
+        required: false
+        default: ''
+        type: string
+
+jobs:
+  deploy_to_env:
+    uses: ministryofjustice/hmpps-assess-risks-and-needs-github-actions/.github/workflows/deploy_to_env.yml@v1
+    with:
+      environment: ${{ inputs.environment }}
+      image_tag: ${{ inputs.image_tag }}

.github/workflows/pipeline_main.yml

@@ -0,0 +1,88 @@
+name: Main
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  packages: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+
+  validate:
+    uses: ./.github/workflows/validate.yml
+
+  helm_lint:
+    name: Helm lint
+    strategy:
+      matrix:
+        environments: [ 'dev', 'preprod', 'prod' ]
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/test_helm_lint.yml@v2
+    secrets: inherit
+    with:
+      environment: ${{ matrix.environments }}
+
+  build_docker:
+    name: Build docker image
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/docker_build.yml@v2
+    with:
+      docker_registry: 'ghcr.io'
+      registry_org: 'ministryofjustice'
+      tag_latest: false
+      push: false
+      load: true
+      docker_multiplatform: false
+      upload_image_artifact: true
+      image_artifact_retention_days: 2
+
+  publish_docker:
+    name: Publish docker image
+    needs:
+      - validate
+      - build_docker
+      - helm_lint
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/docker_push.yml@v2
+    with:
+      docker_registry: 'ghcr.io'
+      registry_org: 'ministryofjustice'
+      app_version: ${{ needs.build_docker.outputs.app_version }}
+      tag_latest: true
+
+  deploy_dev:
+    name: Deploy to the development environment
+    needs:
+      - build_docker
+      - publish_docker
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/deploy_env.yml@v2
+    secrets: inherit
+    with:
+      environment: 'dev'
+      app_version: '${{ needs.build_docker.outputs.app_version }}'
+
+  deploy_preprod:
+    name: Deploy to the preproduction environment
+    needs:
+      - build_docker
+      - deploy_dev
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/deploy_env.yml@v2
+    secrets: inherit
+    with:
+      environment: 'preprod'
+      app_version: '${{ needs.build_docker.outputs.app_version }}'
+
+  deploy_prod:
+    name: Deploy to the production environment
+    needs:
+      - build_docker
+      - deploy_preprod
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/deploy_env.yml@v2
+    secrets: inherit
+    with:
+      environment: 'prod'
+      app_version: '${{ needs.build_docker.outputs.app_version }}'

.github/workflows/pipeline_pr.yml

@@ -0,0 +1,35 @@
+name: PR
+
+on:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    uses: ./.github/workflows/validate.yml
+
+  helm_lint:
+    name: Helm lint
+    strategy:
+      matrix:
+        environments: ['dev', 'preprod', 'prod']
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/test_helm_lint.yml@v2
+    secrets: inherit
+    with:
+      environment: ${{ matrix.environments }}
+
+  build_docker:
+    name: Build docker image
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/docker_build.yml@v2
+    with:
+      docker_registry: 'ghcr.io'
+      registry_org: 'ministryofjustice'
+      tag_latest: false
+      push: false
+      load: true
+      docker_multiplatform: false
+      upload_image_artifact: true
+      image_artifact_retention_days: 2

.github/workflows/security_owasp.yml

@@ -0,0 +1,12 @@
+name: Security OWASP dependency check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "51 3 * * MON-FRI" # Every weekday at 03:51 UTC
+jobs:
+  security-owasp-check:
+    name: Project security OWASP dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_owasp.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit

.github/workflows/security_trivy.yml

@@ -0,0 +1,12 @@
+name: Security trivy dependency check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "51 3 * * MON-FRI" # Every weekday at 03:51 UTC
+jobs:
+  security-trivy-check:
+    name: Project security trivy dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_trivy.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit

.github/workflows/security_veracode_pipeline_scan.yml

@@ -0,0 +1,12 @@
+name: Security veracode pipeline scan
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "51 3 * * MON-FRI" # Every weekday at 03:51 UTC
+jobs:
+  security-veracode-pipeline-scan:
+    name: Project security veracode pipeline scan
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_pipeline_scan.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit

.github/workflows/security_veracode_policy_scan.yml

@@ -0,0 +1,12 @@
+name: Security veracode policy scan
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "4 3 * * 1" # Every Monday at 03:04 UTC
+jobs:
+  security-veracode-policy-check:
+    name: Project security veracode policy scan
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_policy_scan.yml@v2 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit